rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

sssd-2.5.2-1: Rebase to latest upstream release

Browse Source
This commit is contained in:
Pavel Březina 2021-07-13 11:28:31 +02:00
parent d6f7b5cf84
commit 279a6d02b9
13 changed files with 10 additions and 637 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -93,3 +93,4 @@ sssd-1.2.91.tar.gz
/sssd-2.4.2.tar.gz
/sssd-2.5.0.tar.gz
/sssd-2.5.1.tar.gz
/sssd-2.5.2.tar.gz

34
0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch
View File

@ -1,34 +0,0 @@
From c6cd2fe3f75638e8920b049ea05282f4072e9f05 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 14 Jun 2021 21:25:23 +0200
Subject: [PATCH 02/16] krb5_child: reduce log severity in sss_send_pac() in
case PAC responder isn't running.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/krb5/krb5_child.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 713e90f833c40b8da864b42c2f6be02894abf35b..4e55d9a3746c297499ad577075b59f027815ee12 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -223,7 +223,10 @@ static errno_t sss_send_pac(krb5_authdata **pac_authdata)
ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data,
NULL, NULL, &errnop);
- if (ret != NSS_STATUS_SUCCESS || errnop != 0) {
+ if (ret == NSS_STATUS_UNAVAIL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "failed to contact PAC responder\n");
+ return EIO;
+ } else if (ret != NSS_STATUS_SUCCESS || errnop != 0) {
DEBUG(SSSDBG_OP_FAILURE, "sss_pac_make_request failed [%d][%d].\n",
ret, errnop);
return EIO;
--
2.20.1

31
0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch
View File

@ -1,31 +0,0 @@
From 0eccee18822e60393c8a4a9b99a3c80d2b1275d9 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 14 Jun 2021 21:47:52 +0200
Subject: [PATCH 03/16] secrets: reduce log severity in local_db_create() in
case entry already exists since this is expected during normal oprations.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/secrets/secrets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
index 6e99e291dd355cc69b0d872f53624ca3446e18ad..f12b615f8ac8f929969d328db41876070ccc75c5 100644
--- a/src/util/secrets/secrets.c
+++ b/src/util/secrets/secrets.c
@@ -476,7 +476,7 @@ static int local_db_create(struct sss_sec_req *req)
ret = ldb_add(req->sctx->ldb, msg);
if (ret != LDB_SUCCESS) {
if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(SSSDBG_FUNC_DATA,
"Secret %s already exists\n", ldb_dn_get_linearized(msg->dn));
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
--
2.20.1

70
0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch
View File

@ -1,70 +0,0 @@
From 624e3fe75116e15c48e9b9455ef0abd2f1256140 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 14 Jun 2021 21:56:16 +0200
Subject: [PATCH 04/16] KCM: use SSSDBG_MINOR_FAILURE for
ERR_KCM_OP_NOT_IMPLEMENTED
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/kcm/kcmsrv_cmd.c | 13 +++++++++----
src/responder/kcm/kcmsrv_ops.c | 2 +-
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
index 3ad17ef431bb3d42b39f56d04c97acfc25f06d2f..49518920bf8213d6c7a55f6c07aca11cbd86c406 100644
--- a/src/responder/kcm/kcmsrv_cmd.c
+++ b/src/responder/kcm/kcmsrv_cmd.c
@@ -195,7 +195,7 @@ static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf,
op_io->op = kcm_get_opt(be16toh(opcode_be));
if (op_io->op == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_MINOR_FAILURE,
"Did not find a KCM operation handler for the requested opcode\n");
return ERR_KCM_OP_NOT_IMPLEMENTED;
}
@@ -312,7 +312,8 @@ static void kcm_reply_error(struct cli_ctx *cctx,
errno_t ret;
krb5_error_code kerr;
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(retcode == ERR_KCM_OP_NOT_IMPLEMENTED ?
+ SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
"KCM operation returns failure [%d]: %s\n",
retcode, sss_strerror(retcode));
kerr = sss2krb5_error(retcode);
@@ -405,8 +406,12 @@ static void kcm_cmd_request_done(struct tevent_req *req)
&req_ctx->op_io.reply);
talloc_free(req);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret));
+ if (ret == ERR_KCM_OP_NOT_IMPLEMENTED) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "%s\n", sss_strerror(ret));
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret));
+ }
kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf);
return;
}
diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index a8f49cedb0ce373e45a7f187ae87a82979c1a8c1..f7f80d85023d6ab3fdbf68078cd97594beb95e48 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -122,7 +122,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
}
if (op->fn_send == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_MINOR_FAILURE,
"KCM op %s has no handler\n", kcm_opt_name(op));
ret = ERR_KCM_OP_NOT_IMPLEMENTED;
goto immediate;
--
2.20.1

31
0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch
View File

@ -1,31 +0,0 @@
From 0646917cd826e14663691a2252be9853563331d2 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 14 Jun 2021 22:04:21 +0200
Subject: [PATCH 05/16] KCM: reduce log severity in sec_get() in case entry not
found
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_secdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index 6c8c35b865543fd47a13149a49a3be34aab31649..4631bfea09316b47a8c8b5aa6580f60536edea5b 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -58,7 +58,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
ret = sss_sec_get(tmp_ctx, req, &data, &len, &datatype);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(SSSDBG_MINOR_FAILURE,
"Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
--
2.20.1

49
0005-Fix-minor-typos-in-docs.patch
View File

@ -1,49 +0,0 @@
From b04742485dfb18d23b08f040710944d9d6e29c56 Mon Sep 17 00:00:00 2001
From: Yuri Chornoivan <yurchor@ukr.net>
Date: Thu, 10 Jun 2021 14:46:00 +0300
Subject: [PATCH 06/16] Fix minor typos in docs
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/man/pam_sss_gss.8.xml | 4 ++--
src/man/sssd-sudo.5.xml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml
index a83369de288b1638fd63d3de8448e705bad881b5..5cde974902afddfedb8bc8934164152e8dcc0944 100644
--- a/src/man/pam_sss_gss.8.xml
+++ b/src/man/pam_sss_gss.8.xml
@@ -71,7 +71,7 @@
</citerefentry> for more details on these options.
</para>
<para>
- Some Kerberos deployments allow to assocate authentication
+ Some Kerberos deployments allow to associate authentication
indicators with a particular pre-authentication method used to
obtain the ticket granting ticket by the user.
<command>pam_sss_gss.so</command> allows to enforce presence of
@@ -199,7 +199,7 @@ auth sufficient pam_sss_gss.so
<para>
3. Authentication does not work and syslog contains "No Kerberos
credentials available": You don't have any credentials that can be
- used to obtain the required service ticket. Use kinit or autheticate
+ used to obtain the required service ticket. Use kinit or authenticate
over SSSD to acquire those credentials.
</para>
<para>
diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml
index 3ad89dde3c167cce6d58f0b306b7cf6c6fc17e0c..87645204062255924ef3441a76f3798cc161c953 100644
--- a/src/man/sssd-sudo.5.xml
+++ b/src/man/sssd-sudo.5.xml
@@ -215,7 +215,7 @@ ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
SSSD uses different kinds of mechanisms with more or less complex
LDAP filters to keep the cached sudo rules up to date. The default
configuration is set to values that should satisfy most of our
- users, but the following paragraps contains few tips on how to fine
+ users, but the following paragraphs contain few tips on how to fine-
tune the configuration to your requirements.
</para>
<para>
--
2.20.1

37
0006-KCM-Unset-_SSS_LOOPS.patch
View File

@ -1,37 +0,0 @@
From 2a3fb3bdbac5dd7294a2ec6f27346ae18355241a Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Thu, 10 Jun 2021 09:37:52 -0400
Subject: [PATCH 07/16] KCM: Unset _SSS_LOOPS
Since sssd_kcm is working independently of other SSSD components,
especially the nss responder, and the kcm client side in libkrb5 of
course does not check for _SSS_LOOPS to protect sssd_kcm from calling
into itself the variable is not needed.
This allows repeated getpwuid() calls in KCM renewals code to succeed.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/kcm/kcm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 9be56b0b84b92f0cc6213509df1afc780dd1da28..09578c0cbac09a25f3ca56b19b89e7015d1b4298 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -268,6 +268,12 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx,
kctx->rctx = rctx;
kctx->rctx->pvt_ctx = kctx;
+ /* KCM operates independently, getpw* recursion is not a concern */
+ ret = unsetenv("_SSS_LOOPS");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS");
+ }
+
ret = kcm_get_config(kctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting KCM config\n");
--
2.20.1

59
0007-kcm-terminate-client-on-bad-message.patch
View File

@ -1,59 +0,0 @@
From a6e5d53a358f3871d8ae646b252250d215d09883 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 16 Jun 2021 15:28:28 +0200
Subject: [PATCH 13/16] kcm: terminate client on bad message
The debug message clearly says that the original intention was to
abort the client, not send an error message.
We may end up in a state where we get into an infinit loop, fo example
when the client send an message that indicates 0 lenght, but there is
actually more data written. In this case, we never read the rest of the
message but the file descriptor is still readable so the fd handler gets
fired again and again.
More information can be seen in relevant FreeIPA ticket:
https://pagure.io/freeipa/issue/8877
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/responder/kcm/kcmsrv_cmd.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
index 49518920bf8213d6c7a55f6c07aca11cbd86c406..9b27bbdcc4805238641ef7f9c6158a6ed784fbcc 100644
--- a/src/responder/kcm/kcmsrv_cmd.c
+++ b/src/responder/kcm/kcmsrv_cmd.c
@@ -548,7 +548,8 @@ static void kcm_recv(struct cli_ctx *cctx)
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to parse data (%d, %s), aborting client\n",
ret, sss_strerror(ret));
- goto fail;
+ talloc_free(cctx);
+ return;
}
/* do not read anymore, client is done sending */
@@ -559,15 +560,13 @@ static void kcm_recv(struct cli_ctx *cctx)
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to dispatch KCM operation [%d]: %s\n",
ret, sss_strerror(ret));
- goto fail;
+ /* Fail with reply */
+ kcm_reply_error(cctx, ret, &req->repbuf);
+ return;
}
/* Dispatched request resumes in kcm_cmd_request_done */
return;
-
-fail:
- /* Fail with reply */
- kcm_reply_error(cctx, ret, &req->repbuf);
}
static int kcm_send_data(struct cli_ctx *cctx)
--
2.20.1

198
0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch
View File

@ -1,198 +0,0 @@
From 8dba7476922856e3a0f6cb935570df47b51917f1 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 18 Jun 2021 21:56:53 +0200
Subject: [PATCH 14/16] DEBUG: don't reset debug_timestamps/microseconds to
DEFAULT in `_sss_debug_init()`.
Otherwise `server_setup()` skips reading config settings.
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/tests/cmocka/test_child_common.c | 2 +-
src/tests/debug-tests.c | 26 +++++++++++++-------------
src/util/debug.c | 14 +++-----------
src/util/debug.h | 8 ++++++--
src/util/server.c | 8 ++++----
5 files changed, 27 insertions(+), 31 deletions(-)
diff --git a/src/tests/cmocka/test_child_common.c b/src/tests/cmocka/test_child_common.c
index 87cae3405575a0c6d2f746359518766c20acb346..9fb26412f3e6c2553e477f72f40f0fd6a156cdab 100644
--- a/src/tests/cmocka/test_child_common.c
+++ b/src/tests/cmocka/test_child_common.c
@@ -163,7 +163,7 @@ static void extra_args_test(struct child_test_ctx *child_tctx,
child_pid = fork();
assert_int_not_equal(child_pid, -1);
if (child_pid == 0) {
- debug_timestamps = 1;
+ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED;
exec_child_ex(child_tctx,
child_tctx->pipefd_to_child,
diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c
index e27fee45785a8a042922e14d562b4b6846bb8cd9..68a1fb7795ff9c247a3c5706ca479905ce55134c 100644
--- a/src/tests/debug-tests.c
+++ b/src/tests/debug-tests.c
@@ -194,7 +194,7 @@ int test_helper_debug_check_message(int level)
}
msg[fsize] = '\0';
- if (debug_timestamps == 1) {
+ if (debug_timestamps == SSSDBG_TIMESTAMP_ENABLED) {
int time_hour = 0;
int time_min = 0;
int time_sec = 0;
@@ -344,8 +344,8 @@ START_TEST(test_debug_is_set_single_no_timestamp)
SSSDBG_TRACE_LDB
};
- debug_timestamps = 0;
- debug_microseconds = 0;
+ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED;
+ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED;
debug_prg_name = "sssd";
sss_set_logger(sss_logger_str[FILES_LOGGER]);
@@ -384,8 +384,8 @@ START_TEST(test_debug_is_set_single_timestamp)
SSSDBG_TRACE_LDB
};
- debug_timestamps = 1;
- debug_microseconds = 0;
+ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED;
+ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED;
debug_prg_name = "sssd";
sss_set_logger(sss_logger_str[FILES_LOGGER]);
@@ -428,8 +428,8 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
SSSDBG_TRACE_LDB
};
- debug_timestamps = 1;
- debug_microseconds = 1;
+ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED;
+ debug_microseconds = SSSDBG_MICROSECONDS_ENABLED;
debug_prg_name = "sssd";
sss_set_logger(sss_logger_str[FILES_LOGGER]);
@@ -473,8 +473,8 @@ START_TEST(test_debug_is_notset_no_timestamp)
SSSDBG_TRACE_LDB
};
- debug_timestamps = 0;
- debug_microseconds = 0;
+ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED;
+ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED;
debug_prg_name = "sssd";
sss_set_logger(sss_logger_str[FILES_LOGGER]);
@@ -515,8 +515,8 @@ START_TEST(test_debug_is_notset_timestamp)
SSSDBG_TRACE_LDB
};
- debug_timestamps = 0;
- debug_microseconds = 0;
+ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED;
+ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED;
debug_prg_name = "sssd";
sss_set_logger(sss_logger_str[FILES_LOGGER]);
@@ -557,8 +557,8 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
SSSDBG_TRACE_LDB
};
- debug_timestamps = 0;
- debug_microseconds = 1;
+ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED;
+ debug_microseconds = SSSDBG_MICROSECONDS_ENABLED;
debug_prg_name = "sssd";
sss_set_logger(sss_logger_str[FILES_LOGGER]);
diff --git a/src/util/debug.c b/src/util/debug.c
index f87e85812aa243deab4683ad7d7712d527daa4a2..6f12344374ef104bde1ddd9b738270ce961d5893 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -103,14 +103,6 @@ void _sss_debug_init(int dbg_lvl, const char *logger)
debug_level = SSSDBG_UNRESOLVED;
}
- if (debug_timestamps == SSSDBG_TIMESTAMP_UNRESOLVED) {
- debug_timestamps = SSSDBG_TIMESTAMP_DEFAULT;
- }
-
- if (debug_microseconds == SSSDBG_MICROSECONDS_UNRESOLVED) {
- debug_microseconds = SSSDBG_MICROSECONDS_DEFAULT;
- }
-
sss_set_logger(logger);
/* if 'FILES_LOGGER' is requested then open log file, if it wasn't
@@ -305,8 +297,8 @@ void sss_vdebug_fn(const char *file,
}
#endif
- if (debug_timestamps) {
- if (debug_microseconds) {
+ if (debug_timestamps == SSSDBG_TIMESTAMP_ENABLED) {
+ if (debug_microseconds == SSSDBG_MICROSECONDS_ENABLED) {
gettimeofday(&tv, NULL);
t = tv.tv_sec;
} else {
@@ -320,7 +312,7 @@ void sss_vdebug_fn(const char *file,
tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
tm.tm_hour, tm.tm_min, tm.tm_sec);
}
- if (debug_microseconds) {
+ if (debug_microseconds == SSSDBG_MICROSECONDS_ENABLED) {
sss_debug_backtrace_printf(level, "%s:%.6ld): ",
last_time_str, tv.tv_usec);
} else {
diff --git a/src/util/debug.h b/src/util/debug.h
index 97564d43e2f2e0d88ccb1e88365f6d7aaf401e81..9d3499dbdfee95931b6004b9a5ec1b9832ce1b1c 100644
--- a/src/util/debug.h
+++ b/src/util/debug.h
@@ -29,10 +29,14 @@
#include "util/util_errors.h"
#define SSSDBG_TIMESTAMP_UNRESOLVED -1
-#define SSSDBG_TIMESTAMP_DEFAULT 1
+#define SSSDBG_TIMESTAMP_DISABLED 0
+#define SSSDBG_TIMESTAMP_ENABLED 1
+#define SSSDBG_TIMESTAMP_DEFAULT SSSDBG_TIMESTAMP_ENABLED
#define SSSDBG_MICROSECONDS_UNRESOLVED -1
-#define SSSDBG_MICROSECONDS_DEFAULT 0
+#define SSSDBG_MICROSECONDS_DISABLED 0
+#define SSSDBG_MICROSECONDS_ENABLED 1
+#define SSSDBG_MICROSECONDS_DEFAULT SSSDBG_MICROSECONDS_DISABLED
enum sss_logger_t {
diff --git a/src/util/server.c b/src/util/server.c
index b6f450a798b84e22e493f3a32d5289e20f3fc280..4fe29f96b8176c236fc35052265dbf6974678608 100644
--- a/src/util/server.c
+++ b/src/util/server.c
@@ -624,8 +624,8 @@ int server_setup(const char *name, int flags,
"[%s]\n", ret, strerror(ret));
return ret;
}
- if (dt) debug_timestamps = 1;
- else debug_timestamps = 0;
+ if (dt) debug_timestamps = SSSDBG_TIMESTAMP_ENABLED;
+ else debug_timestamps = SSSDBG_TIMESTAMP_DISABLED;
}
/* same for debug microseconds */
@@ -639,8 +639,8 @@ int server_setup(const char *name, int flags,
"[%s]\n", ret, strerror(ret));
return ret;
}
- if (dm) debug_microseconds = 1;
- else debug_microseconds = 0;
+ if (dm) debug_microseconds = SSSDBG_MICROSECONDS_ENABLED;
+ else debug_microseconds = SSSDBG_MICROSECONDS_DISABLED;
}
ret = confdb_get_bool(ctx->confdb_ctx, conf_entry,
--
2.20.1

74
0009-SSSD-Log-invalid_argument-msg-mod.patch
View File

@ -1,74 +0,0 @@
From 89a40e77a1477a3957f4ddc47890eaecbc4d5c7c Mon Sep 17 00:00:00 2001
From: Deepak Das <ddas@redhat.com>
Date: Sat, 19 Jun 2021 17:51:21 +0530
Subject: [PATCH 15/16] SSSD Log: invalid_argument msg mod
Improve invalid argument msg with additional information
Resolves: https://github.com/SSSD/sssd/issues/5578
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/providers/ad/ad_gpo.c | 15 ++++++++++++---
src/providers/ldap/sdap_idmap.c | 19 +++++++++++++++----
2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 4ef6a7219c71d8beb60ef2bd1093955d6015ce04..b2df3e998bbbb882d585177e0fa896aa532bb0b5 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -4742,9 +4742,18 @@ static void gpo_cse_done(struct tevent_req *subreq)
ret = ad_gpo_parse_gpo_child_response(state->buf, state->len,
&sysvol_gpt_version, &child_result);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n",
- ret, sss_strerror(ret));
+ if (ret == EINVAL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ad_gpo_parse_gpo_child_response failed: [%d][%s]. "
+ "Broken GPO data received from AD. Check AD child logs for "
+ "more information.\n",
+ ret, sss_strerror(ret));
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n",
+ ret, sss_strerror(ret));
+ }
+
tevent_req_error(req, ret);
return;
} else if (child_result != 0){
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 22ed9d301aa6722374dab36ad3580625fb8f67d8..3795ed69a58ed7f779e0694cf6f76d812f44a3d1 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -270,10 +270,21 @@ sdap_idmap_init(TALLOC_CTX *mem_ctx,
ret = sdap_idmap_add_domain(idmap_ctx, dom_name,
sid_str, slice_num);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Could not add domain [%s][%s][%"SPRIid"] "
- "to ID map: [%s]\n",
- dom_name, sid_str, slice_num, strerror(ret));
+ if (ret == EINVAL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not add domain [%s][%s][%"SPRIid"] "
+ "to ID map: [%s] "
+ "Unexpected ID map configuration. Check ID map related "
+ "parameters in sssd.conf and remove the sssd cache if "
+ "some of these parameters were changed recently.\n",
+ dom_name, sid_str, slice_num, strerror(ret));
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not add domain [%s][%s][%"SPRIid"] "
+ "to ID map: [%s]\n",
+ dom_name, sid_str, slice_num, strerror(ret));
+ }
+
goto done;
}
}
--
2.20.1

39
0010-KCM-removed-unneeded-assignment.patch
View File

@ -1,39 +0,0 @@
From 71301ccf8aa54f7272e7ef8009402db622fe8cd9 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 22 Jun 2021 10:29:44 +0200
Subject: [PATCH 16/16] KCM: removed unneeded assignment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes following warning:
```
Error: CLANG_WARNING:
sssd-2.5.1/src/responder/kcm/kcm_renew.c:481:9: warning[deadcode.DeadStores]: Value stored to 'ret' is never read
# 479| ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx);
# 480| if (ctx == NULL) {
# 481|-> ret = ENOMEM;
# 482| DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n");
# 483| return;
```
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/kcm/kcm_renew.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/responder/kcm/kcm_renew.c b/src/responder/kcm/kcm_renew.c
index c619ed0a8de3b000db61866d21cb8b71764c0ac0..684d08be6affdf5e4acbd4b04b5a61f154c152cc 100644
--- a/src/responder/kcm/kcm_renew.c
+++ b/src/responder/kcm/kcm_renew.c
@@ -478,7 +478,6 @@ static void kcm_renew_tgt(struct tevent_context *ev,
ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx);
if (ctx == NULL) {
- ret = ENOMEM;
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n");
return;
}
--
2.20.1

2
sources
View File

@ -1 +1 @@
SHA512 (sssd-2.5.1.tar.gz) = 7441df3b5f1cc1eadb0c6853b048d780ecb36761876aaeb26b9a2d87729211d3ceeae01085dc3ec4fd1c5328f951c8abe854b1d01d91fae25466f930fe16e44a
SHA512 (sssd-2.5.2.tar.gz) = a9bac7b2cc23022dce3bcda314c9c26a0a0914c448f6d5a51c5ba18670f04c1fd1a94cb20173235b6285df1dcc9251cb6b3f3e71a220037b4eb66668e6f33c48

22
sssd.spec
View File

@ -26,26 +26,15 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
Name: sssd
Version: 2.5.1
Release: 2%{?dist}
Version: 2.5.2
Release: 1%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/2.5.1/sssd-2.5.1.tar.gz
Source0: https://github.com/SSSD/sssd/releases/download/2.5.2/sssd-2.5.2.tar.gz
### Patches ###
Patch0001: 0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch
Patch0002: 0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch
Patch0003: 0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch
Patch0004: 0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch
Patch0005: 0005-Fix-minor-typos-in-docs.patch
Patch0006: 0006-KCM-Unset-_SSS_LOOPS.patch
Patch0007: 0007-kcm-terminate-client-on-bad-message.patch
Patch0008: 0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch
Patch0009: 0009-SSSD-Log-invalid_argument-msg-mod.patch
Patch0010: 0010-KCM-removed-unneeded-assignment.patch
### Dependencies ###
Requires: sssd-ad = %{version}-%{release}
@ -148,6 +137,7 @@ License: GPLv3+
# Requires
# due to ABI changes in 1.1.30/1.2.0
Requires: libldb >= %{ldb_version}
Requires: libtevent >= 0.11.0
Requires: sssd-client%{?_isa} = %{version}-%{release}
Recommends: libsss_sudo = %{version}-%{release}
Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
@ -477,6 +467,7 @@ Library to map certificates to users based on rules
Summary: An implementation of a Kerberos KCM server
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: krb5-libs >= 1.19.1
%{?systemd_requires}
%description kcm
@ -1009,6 +1000,9 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Tue Jul 13 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.2-1
- Rebase to SSSD 2.5.2
* Thu Jun 24 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-2
- Multiple small fixes to reduce size of log files with debug_backtrace on
- Fix a corner case bug in KCM renewals that makes user lookup in the daemon fail