From 104d122fd9710841ab21f33a6c3b10fa034da041 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Wed, 20 May 2020 12:55:34 +0200 Subject: [PATCH] sssd-2.3.0-1: Rebase to latest upstream release --- .gitignore | 1 + ...uild-failure-against-samba-4.12.0rc1.patch | 53 --- ...avoid-endian-issues-in-network-tests.patch | 38 ++ ...rb5-1.18-for-building-the-PAC-plugin.patch | 29 -- ...-config-check-command-error-messages.patch | 35 -- ...special-regex-characters-in-man-page.patch | 42 -- 0005-ldap_child-do-not-try-PKINIT.patch | 98 ---- ...tchdog-fixed-watchdog-implementation.patch | 52 --- ...roviders-krb5-got-rid-of-unused-code.patch | 56 --- ...-got-rid-of-duplicating-SIGTERM-hand.patch | 84 ---- ...il-server-improved-debug-at-shutdown.patch | 32 -- ...h-fixed-double-free-in-sss_ptr_hash_.patch | 52 --- ...andomness-to-ldap-connection-timeout.patch | 195 -------- ...oleans-for-ad_inherit_opts_if_needed.patch | 55 --- 0013-ad-add-ad_use_ldaps.patch | 438 ------------------ ...ldap-add-new-option-ldap_sasl_maxssf.patch | 199 -------- 0015-ad-set-min-and-max-ssf-for-ldaps.patch | 91 ---- ...t-try-to-refresh-domains-from-other-.patch | 36 -- ...nable-LDAP-time-format-compatibility.patch | 52 --- 0018-sbus_server-stylistic-rename.patch | 43 -- ...-t-keep-empty-sss_ptr_hash_delete_da.patch | 91 ---- ...sss_ptr_hash_delete-fix-optimization.patch | 62 --- ...sss_ptr_hash-removed-redundant-check.patch | 35 -- 0022-sss_ptr_hash-fixed-memory-leak.patch | 53 --- 0023-sss_ptr_hash-internal-refactoring.patch | 366 --------------- 0024-TESTS-added-sss_ptr_hash-unit-test.patch | 266 ----------- ...-if-card-is-present-in-wait_for_card.patch | 86 ---- ...nly-require-UID-0-for-private-socket.patch | 37 -- ...s-Collision-with-external-nss-symbol.patch | 74 --- sources | 2 +- sssd.spec | 40 +- 31 files changed, 49 insertions(+), 2744 deletions(-) delete mode 100644 0001-Fix-build-failure-against-samba-4.12.0rc1.patch create mode 100644 0001-test-avoid-endian-issues-in-network-tests.patch delete mode 100644 0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch delete mode 100644 0003-INI-sssctl-config-check-command-error-messages.patch delete mode 100644 0004-certmap-mention-special-regex-characters-in-man-page.patch delete mode 100644 0005-ldap_child-do-not-try-PKINIT.patch delete mode 100644 0006-util-watchdog-fixed-watchdog-implementation.patch delete mode 100644 0007-providers-krb5-got-rid-of-unused-code.patch delete mode 100644 0008-data_provider_be-got-rid-of-duplicating-SIGTERM-hand.patch delete mode 100644 0009-util-server-improved-debug-at-shutdown.patch delete mode 100644 0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch delete mode 100644 0011-sdap-Add-randomness-to-ldap-connection-timeout.patch delete mode 100644 0012-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch delete mode 100644 0013-ad-add-ad_use_ldaps.patch delete mode 100644 0014-ldap-add-new-option-ldap_sasl_maxssf.patch delete mode 100644 0015-ad-set-min-and-max-ssf-for-ldaps.patch delete mode 100644 0016-BE_REFRESH-Do-not-try-to-refresh-domains-from-other-.patch delete mode 100644 0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch delete mode 100644 0018-sbus_server-stylistic-rename.patch delete mode 100644 0019-sss_ptr_hash-don-t-keep-empty-sss_ptr_hash_delete_da.patch delete mode 100644 0020-sss_ptr_hash-sss_ptr_hash_delete-fix-optimization.patch delete mode 100644 0021-sss_ptr_hash-removed-redundant-check.patch delete mode 100644 0022-sss_ptr_hash-fixed-memory-leak.patch delete mode 100644 0023-sss_ptr_hash-internal-refactoring.patch delete mode 100644 0024-TESTS-added-sss_ptr_hash-unit-test.patch delete mode 100644 0025-p11_child-check-if-card-is-present-in-wait_for_card.patch delete mode 100644 0026-PAM-client-only-require-UID-0-for-private-socket.patch delete mode 100644 0027-nss-Collision-with-external-nss-symbol.patch diff --git a/.gitignore b/.gitignore index 0b21d2f..2bed1b1 100644 --- a/.gitignore +++ b/.gitignore @@ -86,3 +86,4 @@ sssd-1.2.91.tar.gz /sssd-2.2.1.tar.gz /sssd-2.2.2.tar.gz /sssd-2.2.3.tar.gz +/sssd-2.3.0.tar.gz diff --git a/0001-Fix-build-failure-against-samba-4.12.0rc1.patch b/0001-Fix-build-failure-against-samba-4.12.0rc1.patch deleted file mode 100644 index 5be3f41..0000000 --- a/0001-Fix-build-failure-against-samba-4.12.0rc1.patch +++ /dev/null @@ -1,53 +0,0 @@ -From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 24 Jan 2020 15:17:39 +0100 -Subject: [PATCH] Fix build failure against samba 4.12.0rc1 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The ndr_pull_get_switch() function was dropped, but it was just a wrapper -around the ndr_token_peek() function, so we can use this approach on both -old and new versions of libndr. - -Signed-off-by: Stephen Gallagher - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo_ndr.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index d57303349..8f405aa62 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, - union security_ace_object_type *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); -@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, - union security_ace_object_inherited_type *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); -@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, - union security_ace_object_ctr *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); --- -2.20.1 - diff --git a/0001-test-avoid-endian-issues-in-network-tests.patch b/0001-test-avoid-endian-issues-in-network-tests.patch new file mode 100644 index 0000000..6fdb819 --- /dev/null +++ b/0001-test-avoid-endian-issues-in-network-tests.patch @@ -0,0 +1,38 @@ +From 88a0c39b341098f92725458b2055faaaf2bbad5b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 20 May 2020 12:07:13 +0200 +Subject: [PATCH] test: avoid endian issues in network tests + +--- + src/tests/cmocka/test_nss_srv.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c +index 2c91d0a23fe4ce6e66fee70da7501b0ec5f0feb8..3cd7809cf001f5f8ac68fcd191e05660b40cd267 100644 +--- a/src/tests/cmocka/test_nss_srv.c ++++ b/src/tests/cmocka/test_nss_srv.c +@@ -35,6 +35,7 @@ + #include "util/util_sss_idmap.h" + #include "util/crypto/sss_crypto.h" + #include "util/crypto/nss/nss_util.h" ++#include "util/sss_endian.h" + #include "db/sysdb_private.h" /* new_subdomain() */ + #include "db/sysdb_iphosts.h" + #include "db/sysdb_ipnetworks.h" +@@ -5308,7 +5309,13 @@ struct netent test_netent = { + .n_name = discard_const("test_network"), + .n_aliases = discard_const(test_netent_aliases), + .n_addrtype = AF_INET, ++#if (__BYTE_ORDER == __LITTLE_ENDIAN) + .n_net = 0x04030201 /* 1.2.3.4 */ ++#elif (__BYTE_ORDER == __BIG_ENDIAN) ++ .n_net = 0x01020304 /* 1.2.3.4 */ ++#else ++ #error "unknow endianess" ++#endif + }; + + static void mock_input_netbyname(const char *name) +-- +2.20.1 + diff --git a/0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch b/0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch deleted file mode 100644 index 5c40402..0000000 --- a/0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 399ee9d1af9cca4026ce50c58ce25c45a30c85c2 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 1 Feb 2020 17:39:07 +0000 -Subject: [PATCH] BUILD: Accept krb5 1.18 for building the PAC plugin - -Merges: https://pagure.io/SSSD/sssd/pull-request/4152 - -Reviewed-by: Sumit Bose ---- - src/external/pac_responder.m4 | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4 -index dc986a1b8..114d8470f 100644 ---- a/src/external/pac_responder.m4 -+++ b/src/external/pac_responder.m4 -@@ -19,7 +19,8 @@ then - Kerberos\ 5\ release\ 1.14* | \ - Kerberos\ 5\ release\ 1.15* | \ - Kerberos\ 5\ release\ 1.16* | \ -- Kerberos\ 5\ release\ 1.17*) -+ Kerberos\ 5\ release\ 1.17* | \ -+ Kerberos\ 5\ release\ 1.18*) - krb5_version_ok=yes - AC_MSG_RESULT([yes]) - ;; --- -2.20.1 - diff --git a/0003-INI-sssctl-config-check-command-error-messages.patch b/0003-INI-sssctl-config-check-command-error-messages.patch deleted file mode 100644 index 124b9be..0000000 --- a/0003-INI-sssctl-config-check-command-error-messages.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Tue, 10 Dec 2019 16:30:32 +0100 -Subject: [PATCH] INI: sssctl config-check command error messages -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case of parsing error sssctl config-check command does not give -proper error messages with line number. With this patch the error -message is printed again. - -Resolves: -https://pagure.io/SSSD/sssd/issue/4129 - -Reviewed-by: Michal Židek ---- - src/util/sss_ini.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index e3699805d..5d91602cd 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, - - ret = sss_ini_parse(self); - if (ret != EOK) { -+ sss_ini_config_print_errors(self->error_list); - DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n"); - return ERR_INI_PARSE_FAILED; - } --- -2.20.1 - diff --git a/0004-certmap-mention-special-regex-characters-in-man-page.patch b/0004-certmap-mention-special-regex-characters-in-man-page.patch deleted file mode 100644 index 1eee827..0000000 --- a/0004-certmap-mention-special-regex-characters-in-man-page.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 12 Dec 2019 13:10:16 +0100 -Subject: [PATCH] certmap: mention special regex characters in man page -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since some of the matching rules use regular expressions some characters -must be escaped so that they can be used a ordinary characters in the -rules. - -Related to https://pagure.io/SSSD/sssd/issue/4127 - -Reviewed-by: Michal Židek ---- - src/man/sss-certmap.5.xml | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml -index db258d14a..10343625e 100644 ---- a/src/man/sss-certmap.5.xml -+++ b/src/man/sss-certmap.5.xml -@@ -92,6 +92,15 @@ - - Example: <SUBJECT>.*,DC=MY,DC=DOMAIN - -+ -+ Please note that the characters "^.[$()|*+?{\" have a -+ special meaning in regular expressions and must be -+ escaped with the help of the '\' character so that they -+ are matched as ordinary characters. -+ -+ -+ Example: <SUBJECT>^CN=.* \(Admin\),DC=MY,DC=DOMAIN$ -+ - - - --- -2.20.1 - diff --git a/0005-ldap_child-do-not-try-PKINIT.patch b/0005-ldap_child-do-not-try-PKINIT.patch deleted file mode 100644 index c0d5c51..0000000 --- a/0005-ldap_child-do-not-try-PKINIT.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 6 Dec 2019 12:29:49 +0100 -Subject: [PATCH] ldap_child: do not try PKINIT - -if the PKINIT plugin is installed and pkinit_identities is set in -/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only -wants to authenticate with a keytab. As a result ldap_child might try to -access a Smartcard which is either not allowed at all or might cause -unexpected delays. - -To avoid this the current patch sets pkinit_identities for LDAP child -explicitly to make the PKINIT plugin fail because if installed libkrb5 -will always use it. - -It turned out the setting pre-authentication options requires some -internal flags to be set and krb5_get_init_creds_opt_alloc() must be -used to initialize the options struct. - -Related to https://pagure.io/SSSD/sssd/issue/4126 - -Reviewed-by: Alexey Tikhonov ---- - src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++-------- - 1 file changed, 22 insertions(+), 8 deletions(-) - -diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c -index 408d64db4..b081df90f 100644 ---- a/src/providers/ldap/ldap_child.c -+++ b/src/providers/ldap/ldap_child.c -@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, - krb5_ccache ccache = NULL; - krb5_principal kprinc; - krb5_creds my_creds; -- krb5_get_init_creds_opt options; -+ krb5_get_init_creds_opt *options = NULL; - krb5_error_code krberr; - krb5_timestamp kdc_time_offset; - int canonicalize = 0; -@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, - } - - memset(&my_creds, 0, sizeof(my_creds)); -- memset(&options, 0, sizeof(options)); - -- krb5_get_init_creds_opt_set_address_list(&options, NULL); -- krb5_get_init_creds_opt_set_forwardable(&options, 0); -- krb5_get_init_creds_opt_set_proxiable(&options, 0); -- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime); -+ krberr = krb5_get_init_creds_opt_alloc(context, &options); -+ if (krberr != 0) { -+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n"); -+ goto done; -+ } -+ -+ krb5_get_init_creds_opt_set_address_list(options, NULL); -+ krb5_get_init_creds_opt_set_forwardable(options, 0); -+ krb5_get_init_creds_opt_set_proxiable(options, 0); -+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime); -+ krberr = krb5_get_init_creds_opt_set_pa(context, options, -+ "X509_user_identity", ""); -+ if (krberr != 0) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n", -+ krberr); -+ } -+ - - tmp_str = getenv("KRB5_CANONICALIZE"); - if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) { - DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n"); - canonicalize = 1; - } -- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize); -+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize); - - ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s", - DB_PATH, realm_name); -@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, - } - - krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, -- keytab, 0, NULL, &options); -+ keytab, 0, NULL, options); - if (krberr != 0) { - DEBUG(SSSDBG_OP_FAILURE, - "krb5_get_init_creds_keytab() failed: %d\n", krberr); -@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, - *expire_time_out = my_creds.times.endtime - kdc_time_offset; - - done: -+ krb5_get_init_creds_opt_free(context, options); - if (krberr != 0) { - if (*_krb5_msg == NULL) { - /* no custom error message provided hence get one from libkrb5 */ --- -2.20.1 - diff --git a/0006-util-watchdog-fixed-watchdog-implementation.patch b/0006-util-watchdog-fixed-watchdog-implementation.patch deleted file mode 100644 index 55e38db..0000000 --- a/0006-util-watchdog-fixed-watchdog-implementation.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 2c13d8bd00f1e8ff30e9fc81f183f6450303ac30 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 11 Dec 2019 18:42:49 +0100 -Subject: [PATCH] util/watchdog: fixed watchdog implementation - -In case watchdog detected locked process and this process was parent -process it just sent SIGTERM to the whole group of processes, including -itself. -This handling was wrong: generic `server_setup()` installs custom -libtevent handler for SIGTERM signal so this signal is only processed -in the context of tevent mainloop. But if tevent mainloop is stuck -(exactly the case that triggers WD) then event is not processed -and this made watchdog useless. -`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do -unconditional `_exit()` after optionally sending a signal to the group. - -Resolves: https://pagure.io/SSSD/sssd/issue/4089 - -Reviewed-by: Sumit Bose ---- - src/util/util_watchdog.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c -index a07275b19..38c248271 100644 ---- a/src/util/util_watchdog.c -+++ b/src/util/util_watchdog.c -@@ -54,9 +54,8 @@ static void watchdog_detect_timeshift(void) - if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) { - if (getpid() == getpgrp()) { - kill(-getpgrp(), SIGTERM); -- } else { -- _exit(1); - } -+ _exit(1); - } - } - } -@@ -75,9 +74,8 @@ static void watchdog_handler(int sig) - if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) { - if (getpid() == getpgrp()) { - kill(-getpgrp(), SIGTERM); -- } else { -- _exit(1); - } -+ _exit(1); - } - } - --- -2.20.1 - diff --git a/0007-providers-krb5-got-rid-of-unused-code.patch b/0007-providers-krb5-got-rid-of-unused-code.patch deleted file mode 100644 index 0d6fd45..0000000 --- a/0007-providers-krb5-got-rid-of-unused-code.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 1d4a7ffdcf8b303a40058db49d5e1be4bfb8271a Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 9 Dec 2019 17:20:28 +0100 -Subject: [PATCH 7/9] providers/krb5: got rid of unused code -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Michal Židek ---- - src/providers/krb5/krb5_common.c | 10 ---------- - src/providers/krb5/krb5_common.h | 7 ------- - 2 files changed, 17 deletions(-) - -diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c -index bfda561c1..5c11c347b 100644 ---- a/src/providers/krb5/krb5_common.c -+++ b/src/providers/krb5/krb5_common.c -@@ -1133,16 +1133,6 @@ void remove_krb5_info_files_callback(void *pvt) - talloc_free(ctx); - } - --void krb5_finalize(struct tevent_context *ev, -- struct tevent_signal *se, -- int signum, -- int count, -- void *siginfo, -- void *private_data) --{ -- orderly_shutdown(0); --} -- - errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, - struct sss_domain_info *dom, const char *username, - const char *user_dom, char **_upn) -diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h -index cc9313115..493d12e5f 100644 ---- a/src/providers/krb5/krb5_common.h -+++ b/src/providers/krb5/krb5_common.h -@@ -196,13 +196,6 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, - - void remove_krb5_info_files_callback(void *pvt); - --void krb5_finalize(struct tevent_context *ev, -- struct tevent_signal *se, -- int signum, -- int count, -- void *siginfo, -- void *private_data); -- - errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm); - - errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, --- -2.20.1 - diff --git a/0008-data_provider_be-got-rid-of-duplicating-SIGTERM-hand.patch b/0008-data_provider_be-got-rid-of-duplicating-SIGTERM-hand.patch deleted file mode 100644 index a57b30b..0000000 --- a/0008-data_provider_be-got-rid-of-duplicating-SIGTERM-hand.patch +++ /dev/null @@ -1,84 +0,0 @@ -From e41e9b37e4d3fcd8544fb6c591dafbaef0954438 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 9 Dec 2019 17:48:14 +0100 -Subject: [PATCH 8/9] data_provider_be: got rid of duplicating SIGTERM handler -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It was wrong to install two libtevent SIGTERM handlers both of which did -orderly_shutdown()->exit(). Naturally only one of the handlers was executed -(as process was terminated with exit()) and libtevent docs doesn't say -anything about order of execution. But chances are, be_process_finalize() -was executed first so default_quit() was not executed and main_ctx was not -freed. - -Moreover there is just no reason to have separate be_process_finalize() -at all: default server handler default_quit() frees main_ctx. And be_ctx -is linked to main_ctx so will be freed by default handler as well. - -Resolves: https://pagure.io/SSSD/sssd/issue/4088 - -Reviewed-by: Michal Židek ---- - src/providers/data_provider_be.c | 37 -------------------------------- - 1 file changed, 37 deletions(-) - -diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c -index cfcf0268d..ce00231ff 100644 ---- a/src/providers/data_provider_be.c -+++ b/src/providers/data_provider_be.c -@@ -445,36 +445,6 @@ be_register_monitor_iface(struct sbus_connection *conn, struct be_ctx *be_ctx) - return sbus_connection_add_path_map(be_ctx->mon_conn, paths); - } - --static void be_process_finalize(struct tevent_context *ev, -- struct tevent_signal *se, -- int signum, -- int count, -- void *siginfo, -- void *private_data) --{ -- struct be_ctx *be_ctx; -- -- be_ctx = talloc_get_type(private_data, struct be_ctx); -- talloc_free(be_ctx); -- orderly_shutdown(0); --} -- --static errno_t be_process_install_sigterm_handler(struct be_ctx *be_ctx) --{ -- struct tevent_signal *sige; -- -- BlockSignals(false, SIGTERM); -- -- sige = tevent_add_signal(be_ctx->ev, be_ctx, SIGTERM, SA_SIGINFO, -- be_process_finalize, be_ctx); -- if (sige == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n"); -- return ENOMEM; -- } -- -- return EOK; --} -- - static void dp_initialized(struct tevent_req *req); - - errno_t be_process_init(TALLOC_CTX *mem_ctx, -@@ -566,13 +536,6 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx, - goto done; - } - -- /* Install signal handler */ -- ret = be_process_install_sigterm_handler(be_ctx); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "be_install_sigterm_handler failed.\n"); -- goto done; -- } -- - req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid); - if (req == NULL) { - ret = ENOMEM; --- -2.20.1 - diff --git a/0009-util-server-improved-debug-at-shutdown.patch b/0009-util-server-improved-debug-at-shutdown.patch deleted file mode 100644 index edf634e..0000000 --- a/0009-util-server-improved-debug-at-shutdown.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3f52de891cba55230730602d41c3811cf1b17d96 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 9 Dec 2019 18:26:56 +0100 -Subject: [PATCH 9/9] util/server: improved debug at shutdown -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Relates: https://pagure.io/SSSD/sssd/issue/4088 - -Reviewed-by: Michal Židek ---- - src/util/server.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/util/server.c b/src/util/server.c -index ee57ac128..33524066e 100644 ---- a/src/util/server.c -+++ b/src/util/server.c -@@ -242,7 +242,8 @@ void orderly_shutdown(int status) - kill(-getpgrp(), SIGTERM); - } - #endif -- if (status == 0) sss_log(SSS_LOG_INFO, "Shutting down"); -+ DEBUG(SSSDBG_IMPORTANT_INFO, "Shutting down (status = %d)", status); -+ sss_log(SSS_LOG_INFO, "Shutting down (status = %d)", status); - exit(status); - } - --- -2.20.1 - diff --git a/0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch b/0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch deleted file mode 100644 index 4370350..0000000 --- a/0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 26e33b1984cce3549df170f58f8221201ad54cfd Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 7 Jan 2020 16:29:05 +0100 -Subject: [PATCH] util/sss_ptr_hash: fixed double free in - sss_ptr_hash_delete_cb() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead -to freeing of value->ptr and thus to destruction of value->spy that is -attached to value->ptr. -In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() -> -hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive -execution hash entry was actually deleted and value was freed. -When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried -to free value again => double free. - -To prevent this bug value and hence spy are now freed before execution of -data->callback(value->ptr). - -Resolves: https://pagure.io/SSSD/sssd/issue/4135 - -Reviewed-by: Pavel Březina ---- - src/util/sss_ptr_hash.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c -index c7403ffa6..8f9762cb9 100644 ---- a/src/util/sss_ptr_hash.c -+++ b/src/util/sss_ptr_hash.c -@@ -154,13 +154,13 @@ sss_ptr_hash_delete_cb(hash_entry_t *item, - callback_entry.value.type = HASH_VALUE_PTR; - callback_entry.value.ptr = value->ptr; - -+ /* Free value, this also will disable spy */ -+ talloc_free(value); -+ - /* Switch to the input value and call custom callback. */ - if (data->callback != NULL) { - data->callback(&callback_entry, deltype, data->pvt); - } -- -- /* Free value. */ -- talloc_free(value); - } - - hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, --- -2.20.1 - diff --git a/0011-sdap-Add-randomness-to-ldap-connection-timeout.patch b/0011-sdap-Add-randomness-to-ldap-connection-timeout.patch deleted file mode 100644 index 212ff00..0000000 --- a/0011-sdap-Add-randomness-to-ldap-connection-timeout.patch +++ /dev/null @@ -1,195 +0,0 @@ -From bd201746f8cf0e95615b3e98868555451b5e66b8 Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Mon, 2 Dec 2019 11:11:52 +0100 -Subject: [PATCH] sdap: Add randomness to ldap connection timeout - -In case of mass deployment, mass registration of IPA clients roughly on -the same time leads to regular CPU load spikes on IPA servers, the load -spikes are caused by all/most clients refreshing their LDAP connections -(ldap_connection_expire_timeout) every 15 minutes. - -This patch introduces new random value (from 0 up to -ldap_connection_expire_offset) that is added to the timeout. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3630 - -Reviewed-by: Alexey Tikhonov ---- - src/config/cfg_rules.ini | 1 + - src/config/etc/sssd.api.d/sssd-ad.conf | 1 + - src/config/etc/sssd.api.d/sssd-ipa.conf | 1 + - src/config/etc/sssd.api.d/sssd-ldap.conf | 1 + - src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++ - src/providers/ad/ad_opts.c | 1 + - src/providers/ipa/ipa_opts.c | 1 + - src/providers/ldap/ldap_opts.c | 1 + - src/providers/ldap/sdap.h | 1 + - src/providers/ldap/sdap_async_connection.c | 12 ++++++++++++ - 10 files changed, 39 insertions(+) - -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 8c73c89ac..c56d5a668 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -600,6 +600,7 @@ option = ldap_chpass_dns_service_name - option = ldap_chpass_update_last_change - option = ldap_chpass_uri - option = ldap_connection_expire_timeout -+option = ldap_connection_expire_offset - option = ldap_default_authtok - option = ldap_default_authtok_type - option = ldap_default_bind_dn -diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf -index 80e329b3b..aaa0b2345 100644 ---- a/src/config/etc/sssd.api.d/sssd-ad.conf -+++ b/src/config/etc/sssd.api.d/sssd-ad.conf -@@ -58,6 +58,7 @@ ldap_deref = str, None, false - ldap_page_size = int, None, false - ldap_deref_threshold = int, None, false - ldap_connection_expire_timeout = int, None, false -+ldap_connection_expire_offset = int, None, false - ldap_disable_paging = bool, None, false - krb5_confd_path = str, None, false - wildcard_limit = int, None, false -diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf -index e2d46db75..7ed153d36 100644 ---- a/src/config/etc/sssd.api.d/sssd-ipa.conf -+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf -@@ -52,6 +52,7 @@ ldap_deref = str, None, false - ldap_page_size = int, None, false - ldap_deref_threshold = int, None, false - ldap_connection_expire_timeout = int, None, false -+ldap_connection_expire_offset = int, None, false - ldap_disable_paging = bool, None, false - krb5_confd_path = str, None, false - wildcard_limit = int, None, false -diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf -index 01c1d7f12..4f73e901e 100644 ---- a/src/config/etc/sssd.api.d/sssd-ldap.conf -+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf -@@ -36,6 +36,7 @@ ldap_deref_threshold = int, None, false - ldap_sasl_canonicalize = bool, None, false - ldap_sasl_minssf = int, None, false - ldap_connection_expire_timeout = int, None, false -+ldap_connection_expire_offset = int, None, false - ldap_disable_paging = bool, None, false - ldap_disable_range_retrieval = bool, None, false - wildcard_limit = int, None, false -diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml -index 6d1ae23ec..f8bb973c7 100644 ---- a/src/man/sssd-ldap.5.xml -+++ b/src/man/sssd-ldap.5.xml -@@ -509,12 +509,31 @@ - the two values (this value vs. the TGT lifetime) - will be used. - -+ -+ This timeout can be extended of a random -+ value specified by -+ ldap_connection_expire_offset -+ - - Default: 900 (15 minutes) - - - - -+ -+ ldap_connection_expire_offset (integer) -+ -+ -+ Random offset between 0 and configured value -+ is added to -+ ldap_connection_expire_timeout. -+ -+ -+ Default: 0 -+ -+ -+ -+ - - ldap_page_size (integer) - -diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c -index cd568e466..1293219ee 100644 ---- a/src/providers/ad/ad_opts.c -+++ b/src/providers/ad/ad_opts.c -@@ -137,6 +137,7 @@ struct dp_option ad_def_ldap_opts[] = { - { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, - { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, -+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, - { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER }, - { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER }, -diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c -index 7974cb8ea..4fafa073d 100644 ---- a/src/providers/ipa/ipa_opts.c -+++ b/src/providers/ipa/ipa_opts.c -@@ -147,6 +147,7 @@ struct dp_option ipa_def_ldap_opts[] = { - { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, - { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, -+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, - { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER }, - { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER }, -diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c -index a20ec0d86..ffd0c6baa 100644 ---- a/src/providers/ldap/ldap_opts.c -+++ b/src/providers/ldap/ldap_opts.c -@@ -107,6 +107,7 @@ struct dp_option default_basic_opts[] = { - { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, - { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, -+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, - { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER }, - { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER }, -diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index d0a19a660..f27b3c480 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -221,6 +221,7 @@ enum sdap_basic_opt { - SDAP_DEREF_THRESHOLD, - SDAP_SASL_CANONICALIZE, - SDAP_EXPIRE_TIMEOUT, -+ SDAP_EXPIRE_OFFSET, - SDAP_DISABLE_PAGING, - SDAP_IDMAP_LOWER, - SDAP_IDMAP_UPPER, -diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c -index 0260cba6f..7438d14a7 100644 ---- a/src/providers/ldap/sdap_async_connection.c -+++ b/src/providers/ldap/sdap_async_connection.c -@@ -1803,6 +1803,8 @@ static void sdap_cli_auth_step(struct tevent_req *req) - struct tevent_req *subreq; - time_t now; - int expire_timeout; -+ int expire_offset; -+ - const char *sasl_mech = dp_opt_get_string(state->opts->basic, - SDAP_SASL_MECH); - const char *user_dn = dp_opt_get_string(state->opts->basic, -@@ -1832,6 +1834,16 @@ static void sdap_cli_auth_step(struct tevent_req *req) - */ - now = time(NULL); - expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT); -+ expire_offset = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_OFFSET); -+ if (expire_offset > 0) { -+ expire_timeout += sss_rand() % (expire_offset + 1); -+ } else if (expire_offset < 0) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "Negative value [%d] of ldap_connection_expire_offset " -+ "is not allowed.\n", -+ expire_offset); -+ } -+ - DEBUG(SSSDBG_CONF_SETTINGS, "expire timeout is %d\n", expire_timeout); - if (!state->sh->expire_time - || (state->sh->expire_time > (now + expire_timeout))) { --- -2.20.1 - diff --git a/0012-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch b/0012-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch deleted file mode 100644 index ebe3fd5..0000000 --- a/0012-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 090cf77a0fd5f300a753667658af3ed763a88e83 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 26 Sep 2019 20:24:34 +0200 -Subject: [PATCH 12/15] ad: allow booleans for ad_inherit_opts_if_needed() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently ad_inherit_opts_if_needed() can only handle strings. With this -patch it can handle boolean options as well. - -Related to https://pagure.io/SSSD/sssd/issue/4131 - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_common.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c -index 5540066d4..600e3ceb2 100644 ---- a/src/providers/ad/ad_common.c -+++ b/src/providers/ad/ad_common.c -@@ -1479,9 +1479,26 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts, - const char *parent_val = NULL; - char *dummy = NULL; - char *option_list[2] = { NULL, NULL }; -- -- parent_val = dp_opt_get_cstring(parent_opts, opt_id); -- if (parent_val != NULL) { -+ bool is_default = true; -+ -+ switch (parent_opts[opt_id].type) { -+ case DP_OPT_STRING: -+ parent_val = dp_opt_get_cstring(parent_opts, opt_id); -+ break; -+ case DP_OPT_BOOL: -+ /* For booleans it is hard to say if the option is set or not since -+ * both possible values are valid ones. So we check if the value is -+ * different from the default and skip if it is the default. In this -+ * case the sub-domain option would either be the default as well or -+ * manully set and in both cases we do not have to change it. */ -+ is_default = (parent_opts[opt_id].val.boolean -+ == parent_opts[opt_id].def_val.boolean); -+ break; -+ default: -+ DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n"); -+ } -+ -+ if (parent_val != NULL || !is_default) { - ret = confdb_get_string(cdb, NULL, subdom_conf_path, - parent_opts[opt_id].opt_name, NULL, &dummy); - if (ret != EOK) { --- -2.20.1 - diff --git a/0013-ad-add-ad_use_ldaps.patch b/0013-ad-add-ad_use_ldaps.patch deleted file mode 100644 index 4b23943..0000000 --- a/0013-ad-add-ad_use_ldaps.patch +++ /dev/null @@ -1,438 +0,0 @@ -From da0be382d95f0bdbc6ad5ccb68503456c2ee858b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 26 Sep 2019 20:27:09 +0200 -Subject: [PATCH 11/13] ad: add ad_use_ldaps -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -With this new boolean option the AD provider should only use the LDAPS -port 636 and the Global Catalog port 3629 which is TLS protected as -well. - -Related to https://pagure.io/SSSD/sssd/issue/4131 - -Reviewed-by: Pavel Březina ---- - src/config/SSSDConfig/__init__.py.in | 1 + - src/config/cfg_rules.ini | 1 + - src/config/etc/sssd.api.d/sssd-ad.conf | 1 + - src/man/sssd-ad.5.xml | 20 +++++++++++++++++++ - src/providers/ad/ad_common.c | 24 +++++++++++++++++++---- - src/providers/ad/ad_common.h | 8 +++++++- - src/providers/ad/ad_init.c | 8 +++++++- - src/providers/ad/ad_opts.c | 1 + - src/providers/ad/ad_srv.c | 16 ++++++++++++--- - src/providers/ad/ad_srv.h | 3 ++- - src/providers/ad/ad_subdomains.c | 21 ++++++++++++++++++-- - src/providers/ipa/ipa_subdomains_server.c | 4 ++-- - 12 files changed, 94 insertions(+), 14 deletions(-) - -diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in -index eba89b461..84631862a 100644 ---- a/src/config/SSSDConfig/__init__.py.in -+++ b/src/config/SSSDConfig/__init__.py.in -@@ -252,6 +252,7 @@ option_strings = { - 'ad_site' : _('a particular site to be used by the client'), - 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'), - 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'), -+ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'), - - # [provider/krb5] - 'krb5_kdcip' : _('Kerberos server address'), -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index c56d5a668..1034a1fd6 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -464,6 +464,7 @@ option = ad_machine_account_password_renewal_opts - option = ad_maximum_machine_account_password_age - option = ad_server - option = ad_site -+option = ad_use_ldaps - - # IPA provider specific options - option = ipa_anchor_uuid -diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf -index aaa0b2345..a2af72603 100644 ---- a/src/config/etc/sssd.api.d/sssd-ad.conf -+++ b/src/config/etc/sssd.api.d/sssd-ad.conf -@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false - ad_site = str, None, false - ad_maximum_machine_account_password_age = int, None, false - ad_machine_account_password_renewal_opts = str, None, false -+ad_use_ldaps = bool, None, false - ldap_uri = str, None, false - ldap_backup_uri = str, None, false - ldap_search_base = str, None, false -diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml -index fdcb4e4b9..ade56cd6d 100644 ---- a/src/man/sssd-ad.5.xml -+++ b/src/man/sssd-ad.5.xml -@@ -1015,6 +1015,26 @@ ad_gpo_map_deny = +my_pam_service - - - -+ -+ ad_use_ldaps (bool) -+ -+ -+ By default SSSD uses the plain LDAP port 389 and the -+ Global Catalog port 3628. If this option is set to -+ True SSSD will use the LDAPS port 636 and Global -+ Catalog port 3629 with LDAPS protection. Since AD -+ does not allow to have multiple encryption layers on -+ a single connection and we still want to use -+ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication -+ the SASL security property maxssf is set to 0 (zero) -+ for those connections. -+ -+ -+ Default: False -+ -+ -+ -+ - - dyndns_update (boolean) - -diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c -index 600e3ceb2..a2369166a 100644 ---- a/src/providers/ad/ad_common.c -+++ b/src/providers/ad/ad_common.c -@@ -729,6 +729,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, - const char *ad_gc_service, - const char *ad_domain, - bool use_kdcinfo, -+ bool ad_use_ldaps, - size_t n_lookahead_primary, - size_t n_lookahead_backup, - struct ad_service **_service) -@@ -746,6 +747,16 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, - goto done; - } - -+ if (ad_use_ldaps) { -+ service->ldap_scheme = "ldaps"; -+ service->port = LDAPS_PORT; -+ service->gc_port = AD_GC_LDAPS_PORT; -+ } else { -+ service->ldap_scheme = "ldap"; -+ service->port = LDAP_PORT; -+ service->gc_port = AD_GC_PORT; -+ } -+ - service->sdap = talloc_zero(service, struct sdap_service); - service->gc = talloc_zero(service, struct sdap_service); - if (!service->sdap || !service->gc) { -@@ -927,7 +938,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server) - goto done; - } - -- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name); -+ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme, -+ srv_name); - if (!new_uri) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n"); - ret = ENOMEM; -@@ -935,7 +947,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server) - } - DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri); - -- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT); -+ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port); - if (sockaddr == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n"); - ret = EIO; -@@ -951,8 +963,12 @@ ad_resolve_callback(void *private_data, struct fo_server *server) - talloc_zfree(service->gc->uri); - talloc_zfree(service->gc->sockaddr); - if (sdata && sdata->gc) { -- new_port = fo_get_server_port(server); -- new_port = (new_port == 0) ? AD_GC_PORT : new_port; -+ if (service->gc_port == AD_GC_LDAPS_PORT) { -+ new_port = service->gc_port; -+ } else { -+ new_port = fo_get_server_port(server); -+ new_port = (new_port == 0) ? service->gc_port : new_port; -+ } - - service->gc->uri = talloc_asprintf(service->gc, "%s:%d", - new_uri, new_port); -diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h -index 75f11de2e..820e06124 100644 ---- a/src/providers/ad/ad_common.h -+++ b/src/providers/ad/ad_common.h -@@ -29,7 +29,8 @@ - #define AD_SERVICE_NAME "AD" - #define AD_GC_SERVICE_NAME "AD_GC" - /* The port the Global Catalog runs on */ --#define AD_GC_PORT 3268 -+#define AD_GC_PORT 3268 -+#define AD_GC_LDAPS_PORT 3269 - - #define AD_AT_OBJECT_SID "objectSID" - #define AD_AT_DNS_DOMAIN "DnsDomain" -@@ -67,6 +68,7 @@ enum ad_basic_opt { - AD_KRB5_CONFD_PATH, - AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE, - AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS, -+ AD_USE_LDAPS, - - AD_OPTS_BASIC /* opts counter */ - }; -@@ -82,6 +84,9 @@ struct ad_service { - struct sdap_service *sdap; - struct sdap_service *gc; - struct krb5_service *krb5_service; -+ const char *ldap_scheme; -+ int port; -+ int gc_port; - }; - - struct ad_options { -@@ -147,6 +152,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, - const char *ad_gc_service, - const char *ad_domain, - bool use_kdcinfo, -+ bool ad_use_ldaps, - size_t n_lookahead_primary, - size_t n_lookahead_backup, - struct ad_service **_service); -diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c -index 290d5b5c1..2b4b9e2e7 100644 ---- a/src/providers/ad/ad_init.c -+++ b/src/providers/ad/ad_init.c -@@ -138,6 +138,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx, - char *ad_servers = NULL; - char *ad_backup_servers = NULL; - char *ad_realm; -+ bool ad_use_ldaps = false; - errno_t ret; - - ad_sasl_initialize(); -@@ -154,12 +155,14 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx, - ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER); - ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); - ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM); -+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); - - /* Set up the failover service */ - ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers, - ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME, - dp_opt_get_string(ad_options->basic, AD_DOMAIN), - false, /* will be set in ad_get_auth_options() */ -+ ad_use_ldaps, - (size_t) -1, - (size_t) -1, - &ad_options->service); -@@ -184,11 +187,13 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx, - const char *ad_site_override; - bool sites_enabled; - errno_t ret; -+ bool ad_use_ldaps; - - hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME); - ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN); - ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE); - sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES); -+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); - - - if (!sites_enabled) { -@@ -205,7 +210,8 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx, - srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, - default_host_dbs, ad_options->id, - hostname, ad_domain, -- ad_site_override); -+ ad_site_override, -+ ad_use_ldaps); - if (srv_ctx == NULL) { - DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); - return ENOMEM; -diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c -index 1293219ee..30f9b62fd 100644 ---- a/src/providers/ad/ad_opts.c -+++ b/src/providers/ad/ad_opts.c -@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = { - { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING }, - { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER }, - { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING }, -+ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - DP_OPTION_TERMINATOR - }; - -diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c -index 5fd25f60e..ca15d3715 100644 ---- a/src/providers/ad/ad_srv.c -+++ b/src/providers/ad/ad_srv.c -@@ -244,6 +244,7 @@ struct ad_get_client_site_state { - enum host_database *host_db; - struct sdap_options *opts; - const char *ad_domain; -+ bool ad_use_ldaps; - struct fo_server_info *dcs; - size_t num_dcs; - size_t dc_index; -@@ -264,6 +265,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx, - enum host_database *host_db, - struct sdap_options *opts, - const char *ad_domain, -+ bool ad_use_ldaps, - struct fo_server_info *dcs, - size_t num_dcs) - { -@@ -288,6 +290,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx, - state->host_db = host_db; - state->opts = opts; - state->ad_domain = ad_domain; -+ state->ad_use_ldaps = ad_use_ldaps; - state->dcs = dcs; - state->num_dcs = num_dcs; - -@@ -331,8 +334,11 @@ static errno_t ad_get_client_site_next_dc(struct tevent_req *req) - subreq = sdap_connect_host_send(state, state->ev, state->opts, - state->be_res->resolv, - state->be_res->family_order, -- state->host_db, "ldap", state->dc.host, -- state->dc.port, false); -+ state->host_db, -+ state->ad_use_ldaps ? "ldaps" : "ldap", -+ state->dc.host, -+ state->ad_use_ldaps ? 636 : state->dc.port, -+ false); - if (subreq == NULL) { - ret = ENOMEM; - goto done; -@@ -491,6 +497,7 @@ struct ad_srv_plugin_ctx { - const char *ad_domain; - const char *ad_site_override; - const char *current_site; -+ bool ad_use_ldaps; - }; - - struct ad_srv_plugin_ctx * -@@ -501,7 +508,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, - struct sdap_options *opts, - const char *hostname, - const char *ad_domain, -- const char *ad_site_override) -+ const char *ad_site_override, -+ bool ad_use_ldaps) - { - struct ad_srv_plugin_ctx *ctx = NULL; - errno_t ret; -@@ -515,6 +523,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, - ctx->be_res = be_res; - ctx->host_dbs = host_dbs; - ctx->opts = opts; -+ ctx->ad_use_ldaps = ad_use_ldaps; - - ctx->hostname = talloc_strdup(ctx, hostname); - if (ctx->hostname == NULL) { -@@ -714,6 +723,7 @@ static void ad_srv_plugin_dcs_done(struct tevent_req *subreq) - state->ctx->host_dbs, - state->ctx->opts, - state->discovery_domain, -+ state->ctx->ad_use_ldaps, - dcs, num_dcs); - if (subreq == NULL) { - ret = ENOMEM; -diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h -index e553d594d..8e410ec26 100644 ---- a/src/providers/ad/ad_srv.h -+++ b/src/providers/ad/ad_srv.h -@@ -31,7 +31,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, - struct sdap_options *opts, - const char *hostname, - const char *ad_domain, -- const char *ad_site_override); -+ const char *ad_site_override, -+ bool ad_use_ldaps); - - struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index 2ce34489f..d8c201437 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -282,6 +282,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, - bool use_kdcinfo = false; - size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT; - size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT; -+ bool ad_use_ldaps = false; - - realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM); - hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME); -@@ -312,6 +313,21 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, - return ENOMEM; - } - -+ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic, -+ ad_options->basic, -+ be_ctx->cdb, subdom_conf_path, -+ AD_USE_LDAPS); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to inherit option [%s] to sub-domain [%s]. " -+ "This error is ignored but might cause issues or unexpected " -+ "behavior later on.\n", -+ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name, -+ subdom->name); -+ -+ return ret; -+ } -+ - ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic, - ad_options->id->basic, - be_ctx->cdb, subdom_conf_path, -@@ -344,6 +360,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, - - servers = dp_opt_get_string(ad_options->basic, AD_SERVER); - backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); -+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS); - - if (id_ctx->ad_options->auth_ctx != NULL - && id_ctx->ad_options->auth_ctx->opts != NULL) { -@@ -362,7 +379,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, - - ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers, - subdom->realm, service_name, gc_service_name, -- subdom->name, use_kdcinfo, -+ subdom->name, use_kdcinfo, ad_use_ldaps, - n_lookahead_primary, - n_lookahead_backup, - &ad_options->service); -@@ -386,7 +403,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, - ad_id_ctx->ad_options->id, - hostname, - ad_domain, -- ad_site_override); -+ ad_site_override, ad_use_ldaps); - if (srv_ctx == NULL) { - DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); - return ENOMEM; -diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c -index fd998877b..9aebf72a5 100644 ---- a/src/providers/ipa/ipa_subdomains_server.c -+++ b/src/providers/ipa/ipa_subdomains_server.c -@@ -319,7 +319,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, - ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers, - subdom->realm, - service_name, gc_service_name, -- subdom->name, use_kdcinfo, -+ subdom->name, use_kdcinfo, false, - n_lookahead_primary, n_lookahead_backup, - &ad_options->service); - if (ret != EOK) { -@@ -344,7 +344,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, - ad_id_ctx->ad_options->id, - id_ctx->server_mode->hostname, - ad_domain, -- ad_site_override); -+ ad_site_override, false); - if (srv_ctx == NULL) { - DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); - return ENOMEM; --- -2.20.1 - diff --git a/0014-ldap-add-new-option-ldap_sasl_maxssf.patch b/0014-ldap-add-new-option-ldap_sasl_maxssf.patch deleted file mode 100644 index 3659564..0000000 --- a/0014-ldap-add-new-option-ldap_sasl_maxssf.patch +++ /dev/null @@ -1,199 +0,0 @@ -From 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 27 Sep 2019 11:49:59 +0200 -Subject: [PATCH 14/15] ldap: add new option ldap_sasl_maxssf -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There is already the ldap_sasl_minssf option. To be able to control the -maximal security strength factor (ssf) e.g. when using SASL together -with TLS the option ldap_sasl_maxssf is added as well. - -Related to https://pagure.io/SSSD/sssd/issue/4131 - -Reviewed-by: Pavel Březina ---- - src/config/SSSDConfig/__init__.py.in | 1 + - src/config/cfg_rules.ini | 1 + - src/config/etc/sssd.api.d/sssd-ad.conf | 1 + - src/config/etc/sssd.api.d/sssd-ipa.conf | 1 + - src/config/etc/sssd.api.d/sssd-ldap.conf | 1 + - src/man/sssd-ldap.5.xml | 16 ++++++++++++++++ - src/providers/ad/ad_opts.c | 1 + - src/providers/ipa/ipa_opts.c | 1 + - src/providers/ldap/ldap_opts.c | 1 + - src/providers/ldap/sdap.h | 1 + - src/providers/ldap/sdap_async_connection.c | 14 ++++++++++++++ - 11 files changed, 39 insertions(+) - -diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in -index 6c2a1ce44..b3035fcff 100644 ---- a/src/config/SSSDConfig/__init__.py.in -+++ b/src/config/SSSDConfig/__init__.py.in -@@ -306,6 +306,7 @@ option_strings = { - 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'), - 'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'), - 'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'), -+ 'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'), - 'ldap_krb5_keytab' : _('Kerberos service keytab'), - 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'), - 'ldap_referrals' : _('Follow LDAP referrals'), -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 478ca9eb4..286443be4 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -665,6 +665,7 @@ option = ldap_sasl_authid - option = ldap_sasl_canonicalize - option = ldap_sasl_mech - option = ldap_sasl_minssf -+option = ldap_sasl_maxssf - option = ldap_schema - option = ldap_pwmodify_mode - option = ldap_search_base -diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf -index 51cdad536..4d10e69d7 100644 ---- a/src/config/etc/sssd.api.d/sssd-ad.conf -+++ b/src/config/etc/sssd.api.d/sssd-ad.conf -@@ -42,6 +42,7 @@ ldap_tls_reqcert = str, None, false - ldap_sasl_mech = str, None, false - ldap_sasl_authid = str, None, false - ldap_sasl_minssf = int, None, false -+ldap_sasl_maxssf = int, None, false - krb5_kdcip = str, None, false - krb5_server = str, None, false - krb5_backup_server = str, None, false -diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf -index 7ed153d36..839f9f471 100644 ---- a/src/config/etc/sssd.api.d/sssd-ipa.conf -+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf -@@ -32,6 +32,7 @@ ldap_tls_reqcert = str, None, false - ldap_sasl_mech = str, None, false - ldap_sasl_authid = str, None, false - ldap_sasl_minssf = int, None, false -+ldap_sasl_maxssf = int, None, false - krb5_kdcip = str, None, false - krb5_server = str, None, false - krb5_backup_server = str, None, false -diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf -index 4f73e901e..6db9828b9 100644 ---- a/src/config/etc/sssd.api.d/sssd-ldap.conf -+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf -@@ -35,6 +35,7 @@ ldap_page_size = int, None, false - ldap_deref_threshold = int, None, false - ldap_sasl_canonicalize = bool, None, false - ldap_sasl_minssf = int, None, false -+ldap_sasl_maxssf = int, None, false - ldap_connection_expire_timeout = int, None, false - ldap_connection_expire_offset = int, None, false - ldap_disable_paging = bool, None, false -diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml -index f8bb973c7..0dc675410 100644 ---- a/src/man/sssd-ldap.5.xml -+++ b/src/man/sssd-ldap.5.xml -@@ -612,6 +612,22 @@ - - - -+ -+ ldap_sasl_maxssf (integer) -+ -+ -+ When communicating with an LDAP server using SASL, -+ specify the maximal security level necessary to -+ establish the connection. The values of this -+ option are defined by OpenLDAP. -+ -+ -+ Default: Use the system default (usually specified -+ by ldap.conf) -+ -+ -+ -+ - - ldap_deref_threshold (integer) - -diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c -index 26420d655..e9a3dd6ef 100644 ---- a/src/providers/ad/ad_opts.c -+++ b/src/providers/ad/ad_opts.c -@@ -106,6 +106,7 @@ struct dp_option ad_def_ldap_opts[] = { - { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, -+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, - { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - /* use the same parm name as the krb5 module so we set it only once */ -diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c -index 4fafa073d..55de6e600 100644 ---- a/src/providers/ipa/ipa_opts.c -+++ b/src/providers/ipa/ipa_opts.c -@@ -114,6 +114,7 @@ struct dp_option ipa_def_ldap_opts[] = { - { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER }, -+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, - { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - /* use the same parm name as the krb5 module so we set it only once */ -diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c -index ffd0c6baa..d1b4e98ad 100644 ---- a/src/providers/ldap/ldap_opts.c -+++ b/src/providers/ldap/ldap_opts.c -@@ -74,6 +74,7 @@ struct dp_option default_basic_opts[] = { - { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, -+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, - { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - /* use the same parm name as the krb5 module so we set it only once */ -diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index f27b3c480..808a2c400 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -192,6 +192,7 @@ enum sdap_basic_opt { - SDAP_SASL_AUTHID, - SDAP_SASL_REALM, - SDAP_SASL_MINSSF, -+ SDAP_SASL_MAXSSF, - SDAP_KRB5_KEYTAB, - SDAP_KRB5_KINIT, - SDAP_KRB5_KDC, -diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c -index 7438d14a7..5f69cedcc 100644 ---- a/src/providers/ldap/sdap_async_connection.c -+++ b/src/providers/ldap/sdap_async_connection.c -@@ -148,6 +148,8 @@ static void sdap_sys_connect_done(struct tevent_req *subreq) - const char *sasl_mech; - int sasl_minssf; - ber_len_t ber_sasl_minssf; -+ int sasl_maxssf; -+ ber_len_t ber_sasl_maxssf; - - ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd); - talloc_zfree(subreq); -@@ -291,6 +293,18 @@ static void sdap_sys_connect_done(struct tevent_req *subreq) - goto fail; - } - } -+ -+ sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF); -+ if (sasl_maxssf >= 0) { -+ ber_sasl_maxssf = (ber_len_t)sasl_maxssf; -+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX, -+ &ber_sasl_maxssf); -+ if (lret != LDAP_OPT_SUCCESS) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option " -+ "to %d\n", sasl_maxssf); -+ goto fail; -+ } -+ } - } - - /* if we do not use start_tls the connection is not really connected yet --- -2.20.1 - diff --git a/0015-ad-set-min-and-max-ssf-for-ldaps.patch b/0015-ad-set-min-and-max-ssf-for-ldaps.patch deleted file mode 100644 index c4a3003..0000000 --- a/0015-ad-set-min-and-max-ssf-for-ldaps.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 24387e19f065e6a585b1120d5568cb4df271d102 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 27 Sep 2019 13:45:13 +0200 -Subject: [PATCH 15/15] ad: set min and max ssf for ldaps -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -AD does not allow to use encryption in the TLS and SASL layer at the -same time. To be able to use ldaps this patch sets min and max ssf to 0 -if ldaps should be used. - -Related to https://pagure.io/SSSD/sssd/issue/4131 - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_common.c | 21 +++++++++++++++++++++ - src/providers/ad/ad_common.h | 2 ++ - src/providers/ad/ad_subdomains.c | 4 ++++ - 3 files changed, 27 insertions(+) - -diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c -index a2369166a..51300f5b2 100644 ---- a/src/providers/ad/ad_common.c -+++ b/src/providers/ad/ad_common.c -@@ -1021,6 +1021,23 @@ done: - return; - } - -+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts) -+{ -+ int ret; -+ -+ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n"); -+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to set SASL minssf for ldaps usage, ignored.\n"); -+ } -+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to set SASL maxssf for ldaps usage, ignored.\n"); -+ } -+} -+ - static errno_t - ad_set_sdap_options(struct ad_options *ad_opts, - struct sdap_options *id_opts) -@@ -1079,6 +1096,10 @@ ad_set_sdap_options(struct ad_options *ad_opts, - goto done; - } - -+ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) { -+ ad_set_ssf_for_ldaps(id_opts); -+ } -+ - /* Warn if the user is doing something silly like overriding the schema - * with the AD provider - */ -diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h -index 44da58fa0..8b7a86102 100644 ---- a/src/providers/ad/ad_common.h -+++ b/src/providers/ad/ad_common.h -@@ -182,6 +182,8 @@ errno_t - ad_get_dyndns_options(struct be_ctx *be_ctx, - struct ad_options *ad_opts); - -+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts); -+ - struct ad_id_ctx * - ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx); - -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index d8c201437..a9c6b9f28 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -328,6 +328,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, - return ret; - } - -+ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) { -+ ad_set_ssf_for_ldaps(ad_options->id); -+ } -+ - ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic, - ad_options->id->basic, - be_ctx->cdb, subdom_conf_path, --- -2.20.1 - diff --git a/0016-BE_REFRESH-Do-not-try-to-refresh-domains-from-other-.patch b/0016-BE_REFRESH-Do-not-try-to-refresh-domains-from-other-.patch deleted file mode 100644 index d470f4e..0000000 --- a/0016-BE_REFRESH-Do-not-try-to-refresh-domains-from-other-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 007d5b79b7aef67dd843ed9a3b65095faaeb580f Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Wed, 22 Jan 2020 09:43:21 +0000 -Subject: [PATCH] BE_REFRESH: Do not try to refresh domains from other backends - -We cannot refresh domains from different sssd_be processes. -We can refresh just subdomains - -Resolves: -https://pagure.io/SSSD/sssd/issue/4142 - -Merges: https://pagure.io/SSSD/sssd/pull-request/4139 - -Reviewed-by: Sumit Bose ---- - src/providers/be_refresh.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c -index 6cce38390..5e43571ce 100644 ---- a/src/providers/be_refresh.c -+++ b/src/providers/be_refresh.c -@@ -385,6 +385,10 @@ static errno_t be_refresh_step(struct tevent_req *req) - if (state->index == BE_REFRESH_TYPE_SENTINEL) { - state->domain = get_next_domain(state->domain, - SSS_GND_DESCEND); -+ /* we can update just subdomains */ -+ if (state->domain != NULL && !IS_SUBDOMAIN(state->domain)) { -+ break; -+ } - state->index = 0; - continue; - } --- -2.20.1 - diff --git a/0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch b/0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch deleted file mode 100644 index e373bee..0000000 --- a/0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 58a67cd38b8be9bef45ce70588763d851840dd65 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= -Date: Tue, 3 Dec 2019 04:13:53 +0100 -Subject: [PATCH] sysdb_sudo: Enable LDAP time format compatibility -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -LDAP specification allows to ommit seconds and minutes -in time border definition. In that case they defaults to zeros. -Current sssd.sudo implementation requires precision up to -seconds in time definition. This commit allows to lower -the precision up to hours. - -Resolves: -https://pagure.io/SSSD/sssd/issue/4118 - -Reviewed-by: Pavel Březina ---- - src/db/sysdb_sudo.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c -index 59d6824c0..18088b017 100644 ---- a/src/db/sysdb_sudo.c -+++ b/src/db/sysdb_sudo.c -@@ -55,6 +55,22 @@ static errno_t sysdb_sudo_convert_time(const char *str, time_t *unix_time) - "%Y%m%d%H%M%S.0%z", - "%Y%m%d%H%M%S,0Z", - "%Y%m%d%H%M%S,0%z", -+ /* LDAP specification says that minutes and seconds -+ might be omitted and in that case these are meant -+ to be treated as zeros [1]. -+ */ -+ "%Y%m%d%H%MZ", /* Discard seconds */ -+ "%Y%m%d%H%M%z", -+ "%Y%m%d%H%M.0Z", -+ "%Y%m%d%H%M.0%z", -+ "%Y%m%d%H%M,0Z", -+ "%Y%m%d%H%M,0%z", -+ "%Y%m%d%HZ", /* Discard minutes and seconds*/ -+ "%Y%m%d%H%z", -+ "%Y%m%d%H.0Z", -+ "%Y%m%d%H.0%z", -+ "%Y%m%d%H,0Z", -+ "%Y%m%d%H,0%z", - NULL}; - - for (format = formats; *format != NULL; format++) { --- -2.20.1 - diff --git a/0018-sbus_server-stylistic-rename.patch b/0018-sbus_server-stylistic-rename.patch deleted file mode 100644 index 0d96af5..0000000 --- a/0018-sbus_server-stylistic-rename.patch +++ /dev/null @@ -1,43 +0,0 @@ -From faa5dbf6f716bd4ac0a3020a28a1ee6fbf74654a Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 23 Jan 2020 17:22:28 +0100 -Subject: [PATCH 18/24] sbus_server: stylistic rename -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Renamed sbus_server_name_remove_from_table() to -sbus_server_name_remove_from_table_cb() to keep naming consistent -with other functions used as `hash_delete_callback` argument of -sss_ptr_hash_create() - -Reviewed-by: Pavel Březina ---- - src/sbus/server/sbus_server.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/sbus/server/sbus_server.c b/src/sbus/server/sbus_server.c -index 5405dae56..2b9327051 100644 ---- a/src/sbus/server/sbus_server.c -+++ b/src/sbus/server/sbus_server.c -@@ -584,7 +584,7 @@ sbus_server_name_lost(struct sbus_server *server, - } - - static void --sbus_server_name_remove_from_table(hash_entry_t *item, -+sbus_server_name_remove_from_table_cb(hash_entry_t *item, - hash_destroy_enum type, - void *pvt) - { -@@ -676,7 +676,7 @@ sbus_server_create(TALLOC_CTX *mem_ctx, - } - - sbus_server->names = sss_ptr_hash_create(sbus_server, -- sbus_server_name_remove_from_table, sbus_server); -+ sbus_server_name_remove_from_table_cb, sbus_server); - if (sbus_server->names == NULL) { - ret = ENOMEM; - goto done; --- -2.20.1 - diff --git a/0019-sss_ptr_hash-don-t-keep-empty-sss_ptr_hash_delete_da.patch b/0019-sss_ptr_hash-don-t-keep-empty-sss_ptr_hash_delete_da.patch deleted file mode 100644 index 2b4cae9..0000000 --- a/0019-sss_ptr_hash-don-t-keep-empty-sss_ptr_hash_delete_da.patch +++ /dev/null @@ -1,91 +0,0 @@ -From adc7730a4e1b9721c93863a1b283457e9c02a3c5 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 23 Jan 2020 17:55:24 +0100 -Subject: [PATCH 19/24] sss_ptr_hash: don't keep empty sss_ptr_hash_delete_data -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There is no need to allocate memory for `sss_ptr_hash_delete_data` -if table user doesn't provide custom delete callback. - -Reviewed-by: Pavel Březina ---- - src/util/sss_ptr_hash.c | 36 ++++++++++++++++++++---------------- - 1 file changed, 20 insertions(+), 16 deletions(-) - -diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c -index 8f9762cb9..f8addec1e 100644 ---- a/src/util/sss_ptr_hash.c -+++ b/src/util/sss_ptr_hash.c -@@ -138,12 +138,6 @@ sss_ptr_hash_delete_cb(hash_entry_t *item, - struct sss_ptr_hash_value *value; - struct hash_entry_t callback_entry; - -- data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data); -- if (data == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n"); -- return; -- } -- - value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value); - if (value == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n"); -@@ -157,8 +151,14 @@ sss_ptr_hash_delete_cb(hash_entry_t *item, - /* Free value, this also will disable spy */ - talloc_free(value); - -- /* Switch to the input value and call custom callback. */ -- if (data->callback != NULL) { -+ if (pvt != NULL) { -+ /* Switch to the input value and call custom callback. */ -+ data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data); -+ if (data == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n"); -+ return; -+ } -+ - data->callback(&callback_entry, deltype, data->pvt); - } - } -@@ -167,17 +167,19 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, - hash_delete_callback *del_cb, - void *del_cb_pvt) - { -- struct sss_ptr_hash_delete_data *data; -+ struct sss_ptr_hash_delete_data *data = NULL; - hash_table_t *table; - errno_t ret; - -- data = talloc_zero(NULL, struct sss_ptr_hash_delete_data); -- if (data == NULL) { -- return NULL; -- } -+ if (del_cb != NULL) { -+ data = talloc_zero(NULL, struct sss_ptr_hash_delete_data); -+ if (data == NULL) { -+ return NULL; -+ } - -- data->callback = del_cb; -- data->pvt = del_cb_pvt; -+ data->callback = del_cb; -+ data->pvt = del_cb_pvt; -+ } - - ret = sss_hash_create_ex(mem_ctx, 10, &table, 0, 0, 0, 0, - sss_ptr_hash_delete_cb, data); -@@ -188,7 +190,9 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, - return NULL; - } - -- talloc_steal(table, data); -+ if (data != NULL) { -+ talloc_steal(table, data); -+ } - - return table; - } --- -2.20.1 - diff --git a/0020-sss_ptr_hash-sss_ptr_hash_delete-fix-optimization.patch b/0020-sss_ptr_hash-sss_ptr_hash_delete-fix-optimization.patch deleted file mode 100644 index 8ba4b16..0000000 --- a/0020-sss_ptr_hash-sss_ptr_hash_delete-fix-optimization.patch +++ /dev/null @@ -1,62 +0,0 @@ -From d0eb88089b059bfe2da3bd1a3797b89d69119c29 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 23 Jan 2020 19:00:27 +0100 -Subject: [PATCH 20/24] sss_ptr_hash: sss_ptr_hash_delete fix/optimization -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - - - no reason to skip hash_delete() just because sss_ptr_hash_lookup_internal() -failed - - avoid excessive lookup if it is not required to free payload - -Reviewed-by: Pavel Březina ---- - src/util/sss_ptr_hash.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c -index f8addec1e..7326244e6 100644 ---- a/src/util/sss_ptr_hash.c -+++ b/src/util/sss_ptr_hash.c -@@ -331,20 +331,21 @@ void sss_ptr_hash_delete(hash_table_t *table, - struct sss_ptr_hash_value *value; - hash_key_t table_key; - int hret; -- void *ptr; -+ void *payload; - - if (table == NULL || key == NULL) { - return; - } - -- value = sss_ptr_hash_lookup_internal(table, key); -- if (value == NULL) { -- /* Value not found. */ -- return; -+ if (free_value) { -+ value = sss_ptr_hash_lookup_internal(table, key); -+ if (value == NULL) { -+ free_value = false; -+ } else { -+ payload = value->ptr; -+ } - } - -- ptr = value->ptr; -- - table_key.type = HASH_KEY_STRING; - table_key.str = discard_const_p(char, key); - -@@ -357,7 +358,7 @@ void sss_ptr_hash_delete(hash_table_t *table, - - /* Also free the original value if requested. */ - if (free_value) { -- talloc_free(ptr); -+ talloc_free(payload); - } - - return; --- -2.20.1 - diff --git a/0021-sss_ptr_hash-removed-redundant-check.patch b/0021-sss_ptr_hash-removed-redundant-check.patch deleted file mode 100644 index ac841f0..0000000 --- a/0021-sss_ptr_hash-removed-redundant-check.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 8cc2ce4e9060a71d441a377008fb2f567baa5d92 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 23 Jan 2020 20:07:41 +0100 -Subject: [PATCH 21/24] sss_ptr_hash: removed redundant check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -`sss_ptr_hash_check_type()` call would take care of this case. - -Reviewed-by: Pavel Březina ---- - src/util/sss_ptr_hash.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c -index 7326244e6..bf111a613 100644 ---- a/src/util/sss_ptr_hash.c -+++ b/src/util/sss_ptr_hash.c -@@ -268,12 +268,6 @@ sss_ptr_hash_lookup_internal(hash_table_t *table, - return NULL; - } - -- /* This may happen if we are in delete callback -- * and we try to search the hash table. */ -- if (table_value.ptr == NULL) { -- return NULL; -- } -- - if (!sss_ptr_hash_check_type(table_value.ptr, "struct sss_ptr_hash_value")) { - return NULL; - } --- -2.20.1 - diff --git a/0022-sss_ptr_hash-fixed-memory-leak.patch b/0022-sss_ptr_hash-fixed-memory-leak.patch deleted file mode 100644 index 04f8da3..0000000 --- a/0022-sss_ptr_hash-fixed-memory-leak.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 4bc0c2c7833dd643fc1137daf6519670c05c3736 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 23 Jan 2020 21:11:16 +0100 -Subject: [PATCH 22/24] sss_ptr_hash: fixed memory leak -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case `override` check was failed in _sss_ptr_hash_add() -`value` was leaking. -Fixed to do `override` check before value allocation. - -Reviewed-by: Pavel Březina ---- - src/util/sss_ptr_hash.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c -index bf111a613..114b6edeb 100644 ---- a/src/util/sss_ptr_hash.c -+++ b/src/util/sss_ptr_hash.c -@@ -217,21 +217,21 @@ errno_t _sss_ptr_hash_add(hash_table_t *table, - return ERR_INVALID_DATA_TYPE; - } - -+ table_key.type = HASH_KEY_STRING; -+ table_key.str = discard_const_p(char, key); -+ -+ if (override == false && hash_has_key(table, &table_key)) { -+ return EEXIST; -+ } -+ - value = sss_ptr_hash_value_create(table, key, talloc_ptr); - if (value == NULL) { - return ENOMEM; - } - -- table_key.type = HASH_KEY_STRING; -- table_key.str = discard_const_p(char, key); -- - table_value.type = HASH_VALUE_PTR; - table_value.ptr = value; - -- if (override == false && hash_has_key(table, &table_key)) { -- return EEXIST; -- } -- - hret = hash_enter(table, &table_key, &table_value); - if (hret != HASH_SUCCESS) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add key %s!\n", key); --- -2.20.1 - diff --git a/0023-sss_ptr_hash-internal-refactoring.patch b/0023-sss_ptr_hash-internal-refactoring.patch deleted file mode 100644 index 25a58ac..0000000 --- a/0023-sss_ptr_hash-internal-refactoring.patch +++ /dev/null @@ -1,366 +0,0 @@ -From 0bb1289252eec972ea26721a92adc7db47383f76 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 24 Jan 2020 23:57:39 +0100 -Subject: [PATCH 23/24] sss_ptr_hash: internal refactoring -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -sss_ptr_hash code was refactored: - - got rid of a "spy" to make logic cleaner - - table got destructor to wipe its content - - described some usage limitation in the documentation - -And resolves: https://pagure.io/SSSD/sssd/issue/4135 - -Reviewed-by: Pavel Březina ---- - src/util/sss_ptr_hash.c | 183 +++++++++++++++++----------------------- - src/util/sss_ptr_hash.h | 17 +++- - 2 files changed, 91 insertions(+), 109 deletions(-) - -diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c -index 114b6edeb..6409236c7 100644 ---- a/src/util/sss_ptr_hash.c -+++ b/src/util/sss_ptr_hash.c -@@ -39,67 +39,35 @@ static bool sss_ptr_hash_check_type(void *ptr, const char *type) - return true; - } - -+static int sss_ptr_hash_table_destructor(hash_table_t *table) -+{ -+ sss_ptr_hash_delete_all(table, false); -+ return 0; -+} -+ - struct sss_ptr_hash_delete_data { - hash_delete_callback *callback; - void *pvt; - }; - - struct sss_ptr_hash_value { -- struct sss_ptr_hash_spy *spy; -- void *ptr; --}; -- --struct sss_ptr_hash_spy { -- struct sss_ptr_hash_value *value; - hash_table_t *table; - const char *key; -+ void *payload; - }; - --static int --sss_ptr_hash_spy_destructor(struct sss_ptr_hash_spy *spy) --{ -- spy->value->spy = NULL; -- -- /* This results in removing entry from hash table and freeing the value. */ -- sss_ptr_hash_delete(spy->table, spy->key, false); -- -- return 0; --} -- --static struct sss_ptr_hash_spy * --sss_ptr_hash_spy_create(TALLOC_CTX *mem_ctx, -- hash_table_t *table, -- const char *key, -- struct sss_ptr_hash_value *value) --{ -- struct sss_ptr_hash_spy *spy; -- -- spy = talloc_zero(mem_ctx, struct sss_ptr_hash_spy); -- if (spy == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); -- return NULL; -- } -- -- spy->key = talloc_strdup(spy, key); -- if (spy->key == NULL) { -- talloc_free(spy); -- return NULL; -- } -- -- spy->table = table; -- spy->value = value; -- talloc_set_destructor(spy, sss_ptr_hash_spy_destructor); -- -- return spy; --} -- - static int - sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value) - { -- if (value->spy != NULL) { -- /* Disable spy destructor and free it. */ -- talloc_set_destructor(value->spy, NULL); -- talloc_zfree(value->spy); -+ hash_key_t table_key; -+ -+ if (value->table && value->key) { -+ table_key.type = HASH_KEY_STRING; -+ table_key.str = discard_const_p(char, value->key); -+ if (hash_delete(value->table, &table_key) != HASH_SUCCESS) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "failed to delete entry with key '%s'\n", value->key); -+ } - } - - return 0; -@@ -112,18 +80,19 @@ sss_ptr_hash_value_create(hash_table_t *table, - { - struct sss_ptr_hash_value *value; - -- value = talloc_zero(table, struct sss_ptr_hash_value); -+ value = talloc_zero(talloc_ptr, struct sss_ptr_hash_value); - if (value == NULL) { - return NULL; - } - -- value->spy = sss_ptr_hash_spy_create(talloc_ptr, table, key, value); -- if (value->spy == NULL) { -+ value->key = talloc_strdup(value, key); -+ if (value->key == NULL) { - talloc_free(value); - return NULL; - } - -- value->ptr = talloc_ptr; -+ value->table = table; -+ value->payload = talloc_ptr; - talloc_set_destructor(value, sss_ptr_hash_value_destructor); - - return value; -@@ -138,29 +107,31 @@ sss_ptr_hash_delete_cb(hash_entry_t *item, - struct sss_ptr_hash_value *value; - struct hash_entry_t callback_entry; - -+ if (pvt == NULL) { -+ return; -+ } -+ - value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value); - if (value == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n"); - return; - } - -+ /* Switch to the input value and call custom callback. */ -+ data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data); -+ if (data == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n"); -+ return; -+ } -+ - callback_entry.key = item->key; - callback_entry.value.type = HASH_VALUE_PTR; -- callback_entry.value.ptr = value->ptr; -- -- /* Free value, this also will disable spy */ -- talloc_free(value); -- -- if (pvt != NULL) { -- /* Switch to the input value and call custom callback. */ -- data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data); -- if (data == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n"); -- return; -- } -- -- data->callback(&callback_entry, deltype, data->pvt); -- } -+ callback_entry.value.ptr = value->payload; -+ /* Even if execution is already in the context of -+ * talloc_free(payload) -> talloc_free(value) -> ... -+ * there still might be legitimate reasons to execute callback. -+ */ -+ data->callback(&callback_entry, deltype, data->pvt); - } - - hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, -@@ -194,6 +165,8 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, - talloc_steal(table, data); - } - -+ talloc_set_destructor(table, sss_ptr_hash_table_destructor); -+ - return table; - } - -@@ -282,15 +255,15 @@ void *_sss_ptr_hash_lookup(hash_table_t *table, - struct sss_ptr_hash_value *value; - - value = sss_ptr_hash_lookup_internal(table, key); -- if (value == NULL || value->ptr == NULL) { -+ if (value == NULL || value->payload == NULL) { - return NULL; - } - -- if (!sss_ptr_hash_check_type(value->ptr, type)) { -+ if (!sss_ptr_hash_check_type(value->payload, type)) { - return NULL; - } - -- return value->ptr; -+ return value->payload; - } - - void *_sss_ptr_get_value(hash_value_t *table_value, -@@ -311,11 +284,11 @@ void *_sss_ptr_get_value(hash_value_t *table_value, - - value = table_value->ptr; - -- if (!sss_ptr_hash_check_type(value->ptr, type)) { -+ if (!sss_ptr_hash_check_type(value->payload, type)) { - return NULL; - } - -- return value->ptr; -+ return value->payload; - } - - void sss_ptr_hash_delete(hash_table_t *table, -@@ -323,74 +296,70 @@ void sss_ptr_hash_delete(hash_table_t *table, - bool free_value) - { - struct sss_ptr_hash_value *value; -- hash_key_t table_key; -- int hret; -- void *payload; -+ void *payload = NULL; - - if (table == NULL || key == NULL) { - return; - } - -- if (free_value) { -- value = sss_ptr_hash_lookup_internal(table, key); -- if (value == NULL) { -- free_value = false; -- } else { -- payload = value->ptr; -- } -- } -- -- table_key.type = HASH_KEY_STRING; -- table_key.str = discard_const_p(char, key); -- -- /* Delete table entry. This will free value and spy in delete callback. */ -- hret = hash_delete(table, &table_key); -- if (hret != HASH_SUCCESS && hret != HASH_ERROR_KEY_NOT_FOUND) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove key from table [%d]\n", -- hret); -+ value = sss_ptr_hash_lookup_internal(table, key); -+ if (value == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Unable to remove key '%s' from table\n", key); -+ return; - } - -- /* Also free the original value if requested. */ - if (free_value) { -- talloc_free(payload); -+ payload = value->payload; - } - -+ talloc_free(value); /* this will call hash_delete() in value d-tor */ -+ -+ talloc_free(payload); /* it is safe to call talloc_free(NULL) */ -+ - return; - } - - void sss_ptr_hash_delete_all(hash_table_t *table, - bool free_values) - { -+ hash_value_t *content; - struct sss_ptr_hash_value *value; -- hash_value_t *values; -+ void *payload = NULL; - unsigned long count; - unsigned long i; - int hret; -- void *ptr; - - if (table == NULL) { - return; - } - -- hret = hash_values(table, &count, &values); -+ hret = hash_values(table, &count, &content); - if (hret != HASH_SUCCESS) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get values [%d]\n", hret); - return; - } - -- for (i = 0; i < count; i++) { -- value = values[i].ptr; -- ptr = value->ptr; -- -- /* This will remove the entry from hash table and free value. */ -- talloc_free(value->spy); -- -- if (free_values) { -- /* Also free the original value. */ -- talloc_free(ptr); -+ for (i = 0; i < count; ++i) { -+ if ((content[i].type == HASH_VALUE_PTR) && -+ sss_ptr_hash_check_type(content[i].ptr, -+ "struct sss_ptr_hash_value")) { -+ value = content[i].ptr; -+ if (free_values) { -+ payload = value->payload; -+ } -+ talloc_free(value); -+ if (free_values) { -+ talloc_free(payload); /* it's safe to call talloc_free(NULL) */ -+ } -+ } else { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Unexpected type of table content, skipping"); - } - } - -+ talloc_free(content); -+ - return; - } - -diff --git a/src/util/sss_ptr_hash.h b/src/util/sss_ptr_hash.h -index 56bb19a65..0889b171a 100644 ---- a/src/util/sss_ptr_hash.h -+++ b/src/util/sss_ptr_hash.h -@@ -28,7 +28,19 @@ - - /** - * Create a new hash table with string key and talloc pointer value with -- * possible delete callback. -+ * possible custom delete callback @del_cb. -+ * Table will have destructor setup to wipe content. -+ * Never call hash_destroy(table) and hash_delete() explicitly but rather -+ * use talloc_free(table) and sss_ptr_hash_delete(). -+ * -+ * A notes about @del_cb: -+ * - this callback must never modify hash table (i.e. add/del entries); -+ * - this callback is triggered when value is either explicitly removed -+ * from the table or simply freed (latter leads to removal of an entry -+ * from the table); -+ * - this callback is also triggered for every entry when table is freed -+ * entirely. In this case (deltype == HASH_TABLE_DESTROY) any table -+ * lookups / iteration are forbidden as table might be already invalidated. - */ - hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, - hash_delete_callback *del_cb, -@@ -41,7 +53,8 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, - * the value is overridden. Otherwise EEXIST error is returned. - * - * If talloc_ptr is freed the key and value are automatically -- * removed from the hash table. -+ * removed from the hash table (del_cb that was set up during -+ * table creation is executed as a first step of this removal). - * - * @return EOK If the <@key, @talloc_ptr> pair was inserted. - * @return EEXIST If @key already exists and @override is false. --- -2.20.1 - diff --git a/0024-TESTS-added-sss_ptr_hash-unit-test.patch b/0024-TESTS-added-sss_ptr_hash-unit-test.patch deleted file mode 100644 index 0fd4f63..0000000 --- a/0024-TESTS-added-sss_ptr_hash-unit-test.patch +++ /dev/null @@ -1,266 +0,0 @@ -From 88b23bf50dd1c12413f3314639de2c3909bd9098 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 28 Jan 2020 19:26:08 +0100 -Subject: [PATCH 24/24] TESTS: added sss_ptr_hash unit test -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina ---- - Makefile.am | 1 + - src/tests/cmocka/test_sss_ptr_hash.c | 193 +++++++++++++++++++++++++++ - src/tests/cmocka/test_utils.c | 9 ++ - src/tests/cmocka/test_utils.h | 6 + - 4 files changed, 209 insertions(+) - create mode 100644 src/tests/cmocka/test_sss_ptr_hash.c - -diff --git a/Makefile.am b/Makefile.am -index 57ba51356..c991f2aa0 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -3054,6 +3054,7 @@ test_ipa_idmap_LDADD = \ - test_utils_SOURCES = \ - src/tests/cmocka/test_utils.c \ - src/tests/cmocka/test_string_utils.c \ -+ src/tests/cmocka/test_sss_ptr_hash.c \ - src/p11_child/p11_child_common_utils.c \ - $(NULL) - if BUILD_SSH -diff --git a/src/tests/cmocka/test_sss_ptr_hash.c b/src/tests/cmocka/test_sss_ptr_hash.c -new file mode 100644 -index 000000000..1458238f5 ---- /dev/null -+++ b/src/tests/cmocka/test_sss_ptr_hash.c -@@ -0,0 +1,193 @@ -+/* -+ Copyright (C) 2020 Red Hat -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "tests/cmocka/common_mock.h" -+#include "util/sss_ptr_hash.h" -+ -+static const int MAX_ENTRIES_AMOUNT = 5; -+ -+static void populate_table(hash_table_t *table, int **payloads) -+{ -+ char key[2] = {'z', 0}; -+ -+ for (int i = 0; i < MAX_ENTRIES_AMOUNT; ++i) { -+ payloads[i] = talloc_zero(global_talloc_context, int); -+ assert_non_null(payloads[i]); -+ *payloads[i] = i; -+ key[0] = '0'+(char)i; -+ assert_int_equal(sss_ptr_hash_add(table, key, payloads[i], int), 0); -+ } -+ -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT); -+} -+ -+static void free_payload_cb(hash_entry_t *item, hash_destroy_enum type, void *pvt) -+{ -+ int *counter; -+ -+ assert_non_null(item); -+ assert_non_null(item->value.ptr); -+ talloc_zfree(item->value.ptr); -+ -+ assert_non_null(pvt); -+ counter = (int *)pvt; -+ (*counter)++; -+} -+ -+void test_sss_ptr_hash_with_free_cb(void **state) -+{ -+ hash_table_t *table; -+ int free_counter = 0; -+ int *payloads[MAX_ENTRIES_AMOUNT]; -+ -+ table = sss_ptr_hash_create(global_talloc_context, -+ free_payload_cb, -+ &free_counter); -+ assert_non_null(table); -+ -+ populate_table(table, payloads); -+ -+ /* check explicit removal from the hash */ -+ sss_ptr_hash_delete(table, "1", false); -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1); -+ assert_int_equal(free_counter, 1); -+ -+ /* check implicit removal triggered by payload deletion */ -+ talloc_free(payloads[3]); -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2); -+ assert_int_equal(free_counter, 2); -+ -+ /* try to remove non existent entry */ -+ sss_ptr_hash_delete(table, "q", false); -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2); -+ assert_int_equal(free_counter, 2); -+ -+ /* clear all */ -+ sss_ptr_hash_delete_all(table, false); -+ assert_int_equal((int)hash_count(table), 0); -+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT); -+ -+ /* check that table is still operable */ -+ populate_table(table, payloads); -+ sss_ptr_hash_delete(table, "2", false); -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1); -+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT+1); -+ -+ talloc_free(table); -+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT*2); -+} -+ -+struct table_wrapper -+{ -+ hash_table_t **table; -+}; -+ -+static void lookup_cb(hash_entry_t *item, hash_destroy_enum type, void *pvt) -+{ -+ hash_table_t *table; -+ hash_key_t *keys; -+ unsigned long count; -+ int *value = NULL; -+ int sum = 0; -+ -+ assert_non_null(pvt); -+ table = *((struct table_wrapper *)pvt)->table; -+ assert_non_null(table); -+ -+ if (type == HASH_TABLE_DESTROY) { -+ /* table is being destroyed */ -+ return; -+ } -+ -+ assert_int_equal(hash_keys(table, &count, &keys), HASH_SUCCESS); -+ for (unsigned int i = 0; i < count; ++i) { -+ assert_int_equal(keys[i].type, HASH_KEY_STRING); -+ value = sss_ptr_hash_lookup(table, keys[i].c_str, int); -+ assert_non_null(value); -+ sum += *value; -+ } -+ DEBUG(SSSDBG_TRACE_ALL, "sum of all values = %d\n", sum); -+ talloc_free(keys); -+} -+ -+/* main difference with `test_sss_ptr_hash_with_free_cb()` -+ * is that table cb here doesn't delete payload so -+ * this is requested via `free_value(s)` arg -+ */ -+void test_sss_ptr_hash_with_lookup_cb(void **state) -+{ -+ hash_table_t *table; -+ struct table_wrapper wrapper; -+ int *payloads[MAX_ENTRIES_AMOUNT]; -+ -+ wrapper.table = &table; -+ table = sss_ptr_hash_create(global_talloc_context, -+ lookup_cb, -+ &wrapper); -+ assert_non_null(table); -+ -+ populate_table(table, payloads); -+ -+ /* check explicit removal from the hash */ -+ sss_ptr_hash_delete(table, "2", true); -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1); -+ -+ /* check implicit removal triggered by payload deletion */ -+ talloc_free(payloads[0]); -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2); -+ -+ /* clear all */ -+ sss_ptr_hash_delete_all(table, true); -+ assert_int_equal((int)hash_count(table), 0); -+ /* teardown function shall verify there are no leaks -+ * on global_talloc_context and so that payloads[] were freed -+ */ -+ -+ /* check that table is still operable */ -+ populate_table(table, payloads); -+ -+ talloc_free(table); -+ /* d-tor triggers hash_destroy() but since cb here doesn free payload -+ * this should be done manually -+ */ -+ for (int i = 0; i < MAX_ENTRIES_AMOUNT; ++i) { -+ talloc_free(payloads[i]); -+ } -+} -+ -+/* Just smoke test to verify that absence of cb doesn't break anything */ -+void test_sss_ptr_hash_without_cb(void **state) -+{ -+ hash_table_t *table; -+ int *payloads[MAX_ENTRIES_AMOUNT]; -+ -+ table = sss_ptr_hash_create(global_talloc_context, NULL, NULL); -+ assert_non_null(table); -+ -+ populate_table(table, payloads); -+ -+ sss_ptr_hash_delete(table, "4", true); -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1); -+ -+ talloc_free(payloads[1]); -+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2); -+ -+ sss_ptr_hash_delete_all(table, true); -+ assert_int_equal((int)hash_count(table), 0); -+ -+ talloc_free(table); -+} -diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c -index 666f32903..c5eda4dd2 100644 ---- a/src/tests/cmocka/test_utils.c -+++ b/src/tests/cmocka/test_utils.c -@@ -2055,6 +2055,15 @@ int main(int argc, const char *argv[]) - cmocka_unit_test_setup_teardown(test_sss_get_domain_mappings_content, - setup_dom_list_with_subdomains, - teardown_dom_list), -+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_free_cb, -+ setup_leak_tests, -+ teardown_leak_tests), -+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_lookup_cb, -+ setup_leak_tests, -+ teardown_leak_tests), -+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_without_cb, -+ setup_leak_tests, -+ teardown_leak_tests), - }; - - /* Set debug level to invalid value so we can decide if -d 0 was used. */ -diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h -index e93e0da25..44b9479f9 100644 ---- a/src/tests/cmocka/test_utils.h -+++ b/src/tests/cmocka/test_utils.h -@@ -33,4 +33,10 @@ void test_guid_blob_to_string_buf(void **state); - void test_get_last_x_chars(void **state); - void test_concatenate_string_array(void **state); - -+/* from src/tests/cmocka/test_sss_ptr_hash.c */ -+void test_sss_ptr_hash_with_free_cb(void **state); -+void test_sss_ptr_hash_with_lookup_cb(void **state); -+void test_sss_ptr_hash_without_cb(void **state); -+ -+ - #endif /* __TESTS__CMOCKA__TEST_UTILS_H__ */ --- -2.20.1 - diff --git a/0025-p11_child-check-if-card-is-present-in-wait_for_card.patch b/0025-p11_child-check-if-card-is-present-in-wait_for_card.patch deleted file mode 100644 index 700b896..0000000 --- a/0025-p11_child-check-if-card-is-present-in-wait_for_card.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 7b647338a40d701c6a5bb51c48c10a31a6b72699 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 30 Jan 2020 13:14:14 +0100 -Subject: [PATCH 25/26] p11_child: check if card is present in wait_for_card() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Some implementations of C_WaitForSlotEvent() might return even if no -card was inserted. So it has to be checked if a card is really present. - -Resolves: https://pagure.io/SSSD/sssd/issue/4159 - -Reviewed-by: Pavel Březina ---- - src/p11_child/p11_child_openssl.c | 47 ++++++++++++++++--------------- - 1 file changed, 25 insertions(+), 22 deletions(-) - -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index 56601b117..295715612 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -1546,35 +1546,38 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id) - CK_RV rv; - CK_SLOT_INFO info; - -- rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL); -- if (rv != CKR_OK) { -- if (rv != CKR_FUNCTION_NOT_SUPPORTED) { -+ do { -+ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL); -+ if (rv != CKR_OK && rv != CKR_FUNCTION_NOT_SUPPORTED) { - DEBUG(SSSDBG_OP_FAILURE, - "C_WaitForSlotEvent failed [%lu][%s].\n", - rv, p11_kit_strerror(rv)); - return EIO; - } - -- /* Poor man's wait */ -- do { -+ if (rv == CKR_FUNCTION_NOT_SUPPORTED) { -+ /* Poor man's wait */ - sleep(10); -- rv = module->C_GetSlotInfo(*slot_id, &info); -- if (rv != CKR_OK) { -- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n"); -- return EIO; -- } -- DEBUG(SSSDBG_TRACE_ALL, -- "Description [%s] Manufacturer [%s] flags [%lu] " -- "removable [%s] token present [%s].\n", -- info.slotDescription, info.manufacturerID, info.flags, -- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false", -- (info.flags & CKF_TOKEN_PRESENT) ? "true": "false"); -- if ((info.flags & CKF_REMOVABLE_DEVICE) -- && (info.flags & CKF_TOKEN_PRESENT)) { -- break; -- } -- } while (true); -- } -+ } -+ -+ rv = module->C_GetSlotInfo(*slot_id, &info); -+ if (rv != CKR_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n"); -+ return EIO; -+ } -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Description [%s] Manufacturer [%s] flags [%lu] " -+ "removable [%s] token present [%s].\n", -+ info.slotDescription, info.manufacturerID, info.flags, -+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false", -+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false"); -+ -+ /* Check if really a token is present */ -+ if ((info.flags & CKF_REMOVABLE_DEVICE) -+ && (info.flags & CKF_TOKEN_PRESENT)) { -+ break; -+ } -+ } while (true); - - return EOK; - } --- -2.20.1 - diff --git a/0026-PAM-client-only-require-UID-0-for-private-socket.patch b/0026-PAM-client-only-require-UID-0-for-private-socket.patch deleted file mode 100644 index dfb240c..0000000 --- a/0026-PAM-client-only-require-UID-0-for-private-socket.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 37780b895199bab991edae6b1eeb91b7b3966bcf Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 6 Feb 2020 14:50:23 +0100 -Subject: [PATCH 26/26] PAM client: only require UID 0 for private socket -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Some privileged services like e.g. gdm might only call with UID 0 but -with a different GID. This patch removes the GID 0 requirement to access -to private PAM socket so that e.g. gdm can use the wait-for-card option. - -Resolves: https://pagure.io/SSSD/sssd/issue/4159 - -Reviewed-by: Pavel Březina ---- - src/sss_client/common.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 270ca8b54..902438c86 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -910,8 +910,8 @@ int sss_pam_make_request(enum sss_cli_command cmd, - goto out; - } - -- /* only root shall use the privileged pipe */ -- if (getuid() == 0 && getgid() == 0) { -+ /* only UID 0 shall use the privileged pipe */ -+ if (getuid() == 0) { - socket_name = SSS_PAM_PRIV_SOCKET_NAME; - errno = 0; - statret = stat(socket_name, &stat_buf); --- -2.20.1 - diff --git a/0027-nss-Collision-with-external-nss-symbol.patch b/0027-nss-Collision-with-external-nss-symbol.patch deleted file mode 100644 index f4654ed..0000000 --- a/0027-nss-Collision-with-external-nss-symbol.patch +++ /dev/null @@ -1,74 +0,0 @@ -From fe9eeb51be06059721e873f77092b1e9ba08e6c1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Thu, 27 Feb 2020 06:50:40 +0100 -Subject: [PATCH] nss: Collision with external nss symbol -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -One of our internal static function names started -to collide with external nss symbol. Additional -sss_ suffix was added to avoid the collision. - -This is needed to unblock Fedora Rawhide's -SSSD build. - -Reviewed-by: Pavel Březina ---- - src/responder/nss/nss_cmd.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c -index 356aea156..02706c4b9 100644 ---- a/src/responder/nss/nss_cmd.c -+++ b/src/responder/nss/nss_cmd.c -@@ -731,11 +731,13 @@ done: - talloc_free(cmd_ctx); - } - --static void nss_setnetgrent_done(struct tevent_req *subreq); -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq); - --static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, -- enum cache_req_type type, -- nss_protocol_fill_packet_fn fill_fn) -+/* This function's name started to collide with external nss symbol, -+ * so it has additional sss_* prefix unlike other functions here. */ -+static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, -+ enum cache_req_type type, -+ nss_protocol_fill_packet_fn fill_fn) - { - struct nss_ctx *nss_ctx; - struct nss_state_ctx *state_ctx; -@@ -777,7 +779,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, - goto done; - } - -- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); -+ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx); - - ret = EOK; - -@@ -790,7 +792,7 @@ done: - return EOK; - } - --static void nss_setnetgrent_done(struct tevent_req *subreq) -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq) - { - struct nss_cmd_ctx *cmd_ctx; - errno_t ret; -@@ -1040,8 +1042,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) - - static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) - { -- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -- nss_protocol_fill_setnetgrent); -+ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -+ nss_protocol_fill_setnetgrent); - } - - static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) --- -2.20.1 - diff --git a/sources b/sources index b7ad9a1..190e60e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.2.3.tar.gz) = b61d52a53e26e8efa9cb799fc6efc2314bf9d174d3cacfe591a4ca77530637591eacc0dc70c0555252e04a9617e8b134b1ab2d9b0f7351b4228e7b61499e6a10 +SHA512 (sssd-2.3.0.tar.gz) = 72fc69018c4b8a71198f4a82e89d49d7a5c513e9291deff2f8e0e132cbd67341a8fa89598d28fcc1d785497526c9eeffe9b261c751524ee0e553badf0f748d59 diff --git a/sssd.spec b/sssd.spec index d23c9d9..ee5bea0 100644 --- a/sssd.spec +++ b/sssd.spec @@ -35,41 +35,15 @@ %endif Name: sssd -Version: 2.2.3 -Release: 14%{?dist} +Version: 2.3.0 +Release: 1%{?dist} Summary: System Security Services Daemon License: GPLv3+ -URL: https://pagure.io/SSSD/sssd/ -Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz +URL: https://gihub.com/SSSD/sssd/ +Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_3_0/sssd-2.3.0.tar.gz ### Patches ### -Patch0001: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch -Patch0002: 0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch -Patch0003: 0003-INI-sssctl-config-check-command-error-messages.patch -Patch0004: 0004-certmap-mention-special-regex-characters-in-man-page.patch -Patch0005: 0005-ldap_child-do-not-try-PKINIT.patch -Patch0006: 0006-util-watchdog-fixed-watchdog-implementation.patch -Patch0007: 0007-providers-krb5-got-rid-of-unused-code.patch -Patch0008: 0008-data_provider_be-got-rid-of-duplicating-SIGTERM-hand.patch -Patch0009: 0009-util-server-improved-debug-at-shutdown.patch -Patch0010: 0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch -Patch0011: 0011-sdap-Add-randomness-to-ldap-connection-timeout.patch -Patch0012: 0012-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch -Patch0013: 0013-ad-add-ad_use_ldaps.patch -Patch0014: 0014-ldap-add-new-option-ldap_sasl_maxssf.patch -Patch0015: 0015-ad-set-min-and-max-ssf-for-ldaps.patch -Patch0016: 0016-BE_REFRESH-Do-not-try-to-refresh-domains-from-other-.patch -Patch0017: 0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch -Patch0018: 0018-sbus_server-stylistic-rename.patch -Patch0019: 0019-sss_ptr_hash-don-t-keep-empty-sss_ptr_hash_delete_da.patch -Patch0020: 0020-sss_ptr_hash-sss_ptr_hash_delete-fix-optimization.patch -Patch0021: 0021-sss_ptr_hash-removed-redundant-check.patch -Patch0022: 0022-sss_ptr_hash-fixed-memory-leak.patch -Patch0023: 0023-sss_ptr_hash-internal-refactoring.patch -Patch0024: 0024-TESTS-added-sss_ptr_hash-unit-test.patch -Patch0025: 0025-p11_child-check-if-card-is-present-in-wait_for_card.patch -Patch0026: 0026-PAM-client-only-require-UID-0-for-private-socket.patch -Patch0027: 0027-nss-Collision-with-external-nss-symbol.patch +Patch0001: 0001-test-avoid-endian-issues-in-network-tests.patch ### Downstream only patches ### Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -563,6 +537,7 @@ autoreconf -ivf %endif --enable-sss-default-nss-plugin \ --enable-files-domain \ + --enable-gss-spnego-for-zero-maxssf \ %{?with_cifs_utils_plugin_option} \ %{?enable_systemtap_opt} @@ -1099,6 +1074,9 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Wed May 20 2020 Pavel Březina - 2.3.0-1 +- Rebase to SSSD 2.3.0 + * Fri Feb 28 2020 Michal Židek - 2.2.3-14 - Resolves: rhbz#1800567 - sssd fail to build in Fedora rawhide