diff --git a/.gitignore b/.gitignore index 28058ba..c5f5d01 100644 --- a/.gitignore +++ b/.gitignore @@ -93,3 +93,4 @@ sssd-1.2.91.tar.gz /sssd-2.4.2.tar.gz /sssd-2.5.0.tar.gz /sssd-2.5.1.tar.gz +/sssd-2.5.2.tar.gz diff --git a/0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch b/0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch deleted file mode 100644 index d569dfa..0000000 --- a/0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c6cd2fe3f75638e8920b049ea05282f4072e9f05 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 14 Jun 2021 21:25:23 +0200 -Subject: [PATCH 02/16] krb5_child: reduce log severity in sss_send_pac() in - case PAC responder isn't running. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose ---- - src/providers/krb5/krb5_child.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c -index 713e90f833c40b8da864b42c2f6be02894abf35b..4e55d9a3746c297499ad577075b59f027815ee12 100644 ---- a/src/providers/krb5/krb5_child.c -+++ b/src/providers/krb5/krb5_child.c -@@ -223,7 +223,10 @@ static errno_t sss_send_pac(krb5_authdata **pac_authdata) - - ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data, - NULL, NULL, &errnop); -- if (ret != NSS_STATUS_SUCCESS || errnop != 0) { -+ if (ret == NSS_STATUS_UNAVAIL) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "failed to contact PAC responder\n"); -+ return EIO; -+ } else if (ret != NSS_STATUS_SUCCESS || errnop != 0) { - DEBUG(SSSDBG_OP_FAILURE, "sss_pac_make_request failed [%d][%d].\n", - ret, errnop); - return EIO; --- -2.20.1 - diff --git a/0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch b/0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch deleted file mode 100644 index 15432ae..0000000 --- a/0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 0eccee18822e60393c8a4a9b99a3c80d2b1275d9 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 14 Jun 2021 21:47:52 +0200 -Subject: [PATCH 03/16] secrets: reduce log severity in local_db_create() in - case entry already exists since this is expected during normal oprations. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose ---- - src/util/secrets/secrets.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c -index 6e99e291dd355cc69b0d872f53624ca3446e18ad..f12b615f8ac8f929969d328db41876070ccc75c5 100644 ---- a/src/util/secrets/secrets.c -+++ b/src/util/secrets/secrets.c -@@ -476,7 +476,7 @@ static int local_db_create(struct sss_sec_req *req) - ret = ldb_add(req->sctx->ldb, msg); - if (ret != LDB_SUCCESS) { - if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) { -- DEBUG(SSSDBG_OP_FAILURE, -+ DEBUG(SSSDBG_FUNC_DATA, - "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn)); - } else { - DEBUG(SSSDBG_CRIT_FAILURE, --- -2.20.1 - diff --git a/0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch b/0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch deleted file mode 100644 index 44e1d46..0000000 --- a/0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 624e3fe75116e15c48e9b9455ef0abd2f1256140 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 14 Jun 2021 21:56:16 +0200 -Subject: [PATCH 04/16] KCM: use SSSDBG_MINOR_FAILURE for - ERR_KCM_OP_NOT_IMPLEMENTED -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose ---- - src/responder/kcm/kcmsrv_cmd.c | 13 +++++++++---- - src/responder/kcm/kcmsrv_ops.c | 2 +- - 2 files changed, 10 insertions(+), 5 deletions(-) - -diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c -index 3ad17ef431bb3d42b39f56d04c97acfc25f06d2f..49518920bf8213d6c7a55f6c07aca11cbd86c406 100644 ---- a/src/responder/kcm/kcmsrv_cmd.c -+++ b/src/responder/kcm/kcmsrv_cmd.c -@@ -195,7 +195,7 @@ static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf, - - op_io->op = kcm_get_opt(be16toh(opcode_be)); - if (op_io->op == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, -+ DEBUG(SSSDBG_MINOR_FAILURE, - "Did not find a KCM operation handler for the requested opcode\n"); - return ERR_KCM_OP_NOT_IMPLEMENTED; - } -@@ -312,7 +312,8 @@ static void kcm_reply_error(struct cli_ctx *cctx, - errno_t ret; - krb5_error_code kerr; - -- DEBUG(SSSDBG_OP_FAILURE, -+ DEBUG(retcode == ERR_KCM_OP_NOT_IMPLEMENTED ? -+ SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE, - "KCM operation returns failure [%d]: %s\n", - retcode, sss_strerror(retcode)); - kerr = sss2krb5_error(retcode); -@@ -405,8 +406,12 @@ static void kcm_cmd_request_done(struct tevent_req *req) - &req_ctx->op_io.reply); - talloc_free(req); - if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, -- "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret)); -+ if (ret == ERR_KCM_OP_NOT_IMPLEMENTED) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "%s\n", sss_strerror(ret)); -+ } else { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret)); -+ } - kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf); - return; - } -diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c -index a8f49cedb0ce373e45a7f187ae87a82979c1a8c1..f7f80d85023d6ab3fdbf68078cd97594beb95e48 100644 ---- a/src/responder/kcm/kcmsrv_ops.c -+++ b/src/responder/kcm/kcmsrv_ops.c -@@ -122,7 +122,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, - } - - if (op->fn_send == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, -+ DEBUG(SSSDBG_MINOR_FAILURE, - "KCM op %s has no handler\n", kcm_opt_name(op)); - ret = ERR_KCM_OP_NOT_IMPLEMENTED; - goto immediate; --- -2.20.1 - diff --git a/0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch b/0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch deleted file mode 100644 index 3c8be80..0000000 --- a/0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 0646917cd826e14663691a2252be9853563331d2 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 14 Jun 2021 22:04:21 +0200 -Subject: [PATCH 05/16] KCM: reduce log severity in sec_get() in case entry not - found -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose ---- - src/responder/kcm/kcmsrv_ccache_secdb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c -index 6c8c35b865543fd47a13149a49a3be34aab31649..4631bfea09316b47a8c8b5aa6580f60536edea5b 100644 ---- a/src/responder/kcm/kcmsrv_ccache_secdb.c -+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c -@@ -58,7 +58,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, - - ret = sss_sec_get(tmp_ctx, req, &data, &len, &datatype); - if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, -+ DEBUG(SSSDBG_MINOR_FAILURE, - "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); - goto done; - } --- -2.20.1 - diff --git a/0005-Fix-minor-typos-in-docs.patch b/0005-Fix-minor-typos-in-docs.patch deleted file mode 100644 index 4dfbb5d..0000000 --- a/0005-Fix-minor-typos-in-docs.patch +++ /dev/null @@ -1,49 +0,0 @@ -From b04742485dfb18d23b08f040710944d9d6e29c56 Mon Sep 17 00:00:00 2001 -From: Yuri Chornoivan -Date: Thu, 10 Jun 2021 14:46:00 +0300 -Subject: [PATCH 06/16] Fix minor typos in docs - -Reviewed-by: Pawel Polawski ---- - src/man/pam_sss_gss.8.xml | 4 ++-- - src/man/sssd-sudo.5.xml | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml -index a83369de288b1638fd63d3de8448e705bad881b5..5cde974902afddfedb8bc8934164152e8dcc0944 100644 ---- a/src/man/pam_sss_gss.8.xml -+++ b/src/man/pam_sss_gss.8.xml -@@ -71,7 +71,7 @@ - for more details on these options. - - -- Some Kerberos deployments allow to assocate authentication -+ Some Kerberos deployments allow to associate authentication - indicators with a particular pre-authentication method used to - obtain the ticket granting ticket by the user. - pam_sss_gss.so allows to enforce presence of -@@ -199,7 +199,7 @@ auth sufficient pam_sss_gss.so - - 3. Authentication does not work and syslog contains "No Kerberos - credentials available": You don't have any credentials that can be -- used to obtain the required service ticket. Use kinit or autheticate -+ used to obtain the required service ticket. Use kinit or authenticate - over SSSD to acquire those credentials. - - -diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml -index 3ad89dde3c167cce6d58f0b306b7cf6c6fc17e0c..87645204062255924ef3441a76f3798cc161c953 100644 ---- a/src/man/sssd-sudo.5.xml -+++ b/src/man/sssd-sudo.5.xml -@@ -215,7 +215,7 @@ ldap_sudo_search_base = ou=sudoers,dc=example,dc=com - SSSD uses different kinds of mechanisms with more or less complex - LDAP filters to keep the cached sudo rules up to date. The default - configuration is set to values that should satisfy most of our -- users, but the following paragraps contains few tips on how to fine -+ users, but the following paragraphs contain few tips on how to fine- - tune the configuration to your requirements. - - --- -2.20.1 - diff --git a/0006-KCM-Unset-_SSS_LOOPS.patch b/0006-KCM-Unset-_SSS_LOOPS.patch deleted file mode 100644 index 9d30979..0000000 --- a/0006-KCM-Unset-_SSS_LOOPS.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 2a3fb3bdbac5dd7294a2ec6f27346ae18355241a Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Thu, 10 Jun 2021 09:37:52 -0400 -Subject: [PATCH 07/16] KCM: Unset _SSS_LOOPS - -Since sssd_kcm is working independently of other SSSD components, -especially the nss responder, and the kcm client side in libkrb5 of -course does not check for _SSS_LOOPS to protect sssd_kcm from calling -into itself the variable is not needed. - -This allows repeated getpwuid() calls in KCM renewals code to succeed. - -Reviewed-by: Alexey Tikhonov ---- - src/responder/kcm/kcm.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c -index 9be56b0b84b92f0cc6213509df1afc780dd1da28..09578c0cbac09a25f3ca56b19b89e7015d1b4298 100644 ---- a/src/responder/kcm/kcm.c -+++ b/src/responder/kcm/kcm.c -@@ -268,6 +268,12 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx, - kctx->rctx = rctx; - kctx->rctx->pvt_ctx = kctx; - -+ /* KCM operates independently, getpw* recursion is not a concern */ -+ ret = unsetenv("_SSS_LOOPS"); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS"); -+ } -+ - ret = kcm_get_config(kctx); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting KCM config\n"); --- -2.20.1 - diff --git a/0007-kcm-terminate-client-on-bad-message.patch b/0007-kcm-terminate-client-on-bad-message.patch deleted file mode 100644 index 3496241..0000000 --- a/0007-kcm-terminate-client-on-bad-message.patch +++ /dev/null @@ -1,59 +0,0 @@ -From a6e5d53a358f3871d8ae646b252250d215d09883 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 16 Jun 2021 15:28:28 +0200 -Subject: [PATCH 13/16] kcm: terminate client on bad message - -The debug message clearly says that the original intention was to -abort the client, not send an error message. - -We may end up in a state where we get into an infinit loop, fo example -when the client send an message that indicates 0 lenght, but there is -actually more data written. In this case, we never read the rest of the -message but the file descriptor is still readable so the fd handler gets -fired again and again. - -More information can be seen in relevant FreeIPA ticket: -https://pagure.io/freeipa/issue/8877 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pawel Polawski ---- - src/responder/kcm/kcmsrv_cmd.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c -index 49518920bf8213d6c7a55f6c07aca11cbd86c406..9b27bbdcc4805238641ef7f9c6158a6ed784fbcc 100644 ---- a/src/responder/kcm/kcmsrv_cmd.c -+++ b/src/responder/kcm/kcmsrv_cmd.c -@@ -548,7 +548,8 @@ static void kcm_recv(struct cli_ctx *cctx) - DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to parse data (%d, %s), aborting client\n", - ret, sss_strerror(ret)); -- goto fail; -+ talloc_free(cctx); -+ return; - } - - /* do not read anymore, client is done sending */ -@@ -559,15 +560,13 @@ static void kcm_recv(struct cli_ctx *cctx) - DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to dispatch KCM operation [%d]: %s\n", - ret, sss_strerror(ret)); -- goto fail; -+ /* Fail with reply */ -+ kcm_reply_error(cctx, ret, &req->repbuf); -+ return; - } - - /* Dispatched request resumes in kcm_cmd_request_done */ - return; -- --fail: -- /* Fail with reply */ -- kcm_reply_error(cctx, ret, &req->repbuf); - } - - static int kcm_send_data(struct cli_ctx *cctx) --- -2.20.1 - diff --git a/0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch b/0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch deleted file mode 100644 index f5e3c06..0000000 --- a/0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch +++ /dev/null @@ -1,198 +0,0 @@ -From 8dba7476922856e3a0f6cb935570df47b51917f1 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 18 Jun 2021 21:56:53 +0200 -Subject: [PATCH 14/16] DEBUG: don't reset debug_timestamps/microseconds to - DEFAULT in `_sss_debug_init()`. - -Otherwise `server_setup()` skips reading config settings. - -Reviewed-by: Pawel Polawski ---- - src/tests/cmocka/test_child_common.c | 2 +- - src/tests/debug-tests.c | 26 +++++++++++++------------- - src/util/debug.c | 14 +++----------- - src/util/debug.h | 8 ++++++-- - src/util/server.c | 8 ++++---- - 5 files changed, 27 insertions(+), 31 deletions(-) - -diff --git a/src/tests/cmocka/test_child_common.c b/src/tests/cmocka/test_child_common.c -index 87cae3405575a0c6d2f746359518766c20acb346..9fb26412f3e6c2553e477f72f40f0fd6a156cdab 100644 ---- a/src/tests/cmocka/test_child_common.c -+++ b/src/tests/cmocka/test_child_common.c -@@ -163,7 +163,7 @@ static void extra_args_test(struct child_test_ctx *child_tctx, - child_pid = fork(); - assert_int_not_equal(child_pid, -1); - if (child_pid == 0) { -- debug_timestamps = 1; -+ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED; - - exec_child_ex(child_tctx, - child_tctx->pipefd_to_child, -diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c -index e27fee45785a8a042922e14d562b4b6846bb8cd9..68a1fb7795ff9c247a3c5706ca479905ce55134c 100644 ---- a/src/tests/debug-tests.c -+++ b/src/tests/debug-tests.c -@@ -194,7 +194,7 @@ int test_helper_debug_check_message(int level) - } - msg[fsize] = '\0'; - -- if (debug_timestamps == 1) { -+ if (debug_timestamps == SSSDBG_TIMESTAMP_ENABLED) { - int time_hour = 0; - int time_min = 0; - int time_sec = 0; -@@ -344,8 +344,8 @@ START_TEST(test_debug_is_set_single_no_timestamp) - SSSDBG_TRACE_LDB - }; - -- debug_timestamps = 0; -- debug_microseconds = 0; -+ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; -+ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; - debug_prg_name = "sssd"; - sss_set_logger(sss_logger_str[FILES_LOGGER]); - -@@ -384,8 +384,8 @@ START_TEST(test_debug_is_set_single_timestamp) - SSSDBG_TRACE_LDB - }; - -- debug_timestamps = 1; -- debug_microseconds = 0; -+ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED; -+ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; - debug_prg_name = "sssd"; - sss_set_logger(sss_logger_str[FILES_LOGGER]); - -@@ -428,8 +428,8 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds) - SSSDBG_TRACE_LDB - }; - -- debug_timestamps = 1; -- debug_microseconds = 1; -+ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED; -+ debug_microseconds = SSSDBG_MICROSECONDS_ENABLED; - debug_prg_name = "sssd"; - sss_set_logger(sss_logger_str[FILES_LOGGER]); - -@@ -473,8 +473,8 @@ START_TEST(test_debug_is_notset_no_timestamp) - SSSDBG_TRACE_LDB - }; - -- debug_timestamps = 0; -- debug_microseconds = 0; -+ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; -+ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; - debug_prg_name = "sssd"; - sss_set_logger(sss_logger_str[FILES_LOGGER]); - -@@ -515,8 +515,8 @@ START_TEST(test_debug_is_notset_timestamp) - SSSDBG_TRACE_LDB - }; - -- debug_timestamps = 0; -- debug_microseconds = 0; -+ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; -+ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; - debug_prg_name = "sssd"; - sss_set_logger(sss_logger_str[FILES_LOGGER]); - -@@ -557,8 +557,8 @@ START_TEST(test_debug_is_notset_timestamp_microseconds) - SSSDBG_TRACE_LDB - }; - -- debug_timestamps = 0; -- debug_microseconds = 1; -+ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; -+ debug_microseconds = SSSDBG_MICROSECONDS_ENABLED; - debug_prg_name = "sssd"; - sss_set_logger(sss_logger_str[FILES_LOGGER]); - -diff --git a/src/util/debug.c b/src/util/debug.c -index f87e85812aa243deab4683ad7d7712d527daa4a2..6f12344374ef104bde1ddd9b738270ce961d5893 100644 ---- a/src/util/debug.c -+++ b/src/util/debug.c -@@ -103,14 +103,6 @@ void _sss_debug_init(int dbg_lvl, const char *logger) - debug_level = SSSDBG_UNRESOLVED; - } - -- if (debug_timestamps == SSSDBG_TIMESTAMP_UNRESOLVED) { -- debug_timestamps = SSSDBG_TIMESTAMP_DEFAULT; -- } -- -- if (debug_microseconds == SSSDBG_MICROSECONDS_UNRESOLVED) { -- debug_microseconds = SSSDBG_MICROSECONDS_DEFAULT; -- } -- - sss_set_logger(logger); - - /* if 'FILES_LOGGER' is requested then open log file, if it wasn't -@@ -305,8 +297,8 @@ void sss_vdebug_fn(const char *file, - } - #endif - -- if (debug_timestamps) { -- if (debug_microseconds) { -+ if (debug_timestamps == SSSDBG_TIMESTAMP_ENABLED) { -+ if (debug_microseconds == SSSDBG_MICROSECONDS_ENABLED) { - gettimeofday(&tv, NULL); - t = tv.tv_sec; - } else { -@@ -320,7 +312,7 @@ void sss_vdebug_fn(const char *file, - tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, - tm.tm_hour, tm.tm_min, tm.tm_sec); - } -- if (debug_microseconds) { -+ if (debug_microseconds == SSSDBG_MICROSECONDS_ENABLED) { - sss_debug_backtrace_printf(level, "%s:%.6ld): ", - last_time_str, tv.tv_usec); - } else { -diff --git a/src/util/debug.h b/src/util/debug.h -index 97564d43e2f2e0d88ccb1e88365f6d7aaf401e81..9d3499dbdfee95931b6004b9a5ec1b9832ce1b1c 100644 ---- a/src/util/debug.h -+++ b/src/util/debug.h -@@ -29,10 +29,14 @@ - #include "util/util_errors.h" - - #define SSSDBG_TIMESTAMP_UNRESOLVED -1 --#define SSSDBG_TIMESTAMP_DEFAULT 1 -+#define SSSDBG_TIMESTAMP_DISABLED 0 -+#define SSSDBG_TIMESTAMP_ENABLED 1 -+#define SSSDBG_TIMESTAMP_DEFAULT SSSDBG_TIMESTAMP_ENABLED - - #define SSSDBG_MICROSECONDS_UNRESOLVED -1 --#define SSSDBG_MICROSECONDS_DEFAULT 0 -+#define SSSDBG_MICROSECONDS_DISABLED 0 -+#define SSSDBG_MICROSECONDS_ENABLED 1 -+#define SSSDBG_MICROSECONDS_DEFAULT SSSDBG_MICROSECONDS_DISABLED - - - enum sss_logger_t { -diff --git a/src/util/server.c b/src/util/server.c -index b6f450a798b84e22e493f3a32d5289e20f3fc280..4fe29f96b8176c236fc35052265dbf6974678608 100644 ---- a/src/util/server.c -+++ b/src/util/server.c -@@ -624,8 +624,8 @@ int server_setup(const char *name, int flags, - "[%s]\n", ret, strerror(ret)); - return ret; - } -- if (dt) debug_timestamps = 1; -- else debug_timestamps = 0; -+ if (dt) debug_timestamps = SSSDBG_TIMESTAMP_ENABLED; -+ else debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; - } - - /* same for debug microseconds */ -@@ -639,8 +639,8 @@ int server_setup(const char *name, int flags, - "[%s]\n", ret, strerror(ret)); - return ret; - } -- if (dm) debug_microseconds = 1; -- else debug_microseconds = 0; -+ if (dm) debug_microseconds = SSSDBG_MICROSECONDS_ENABLED; -+ else debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; - } - - ret = confdb_get_bool(ctx->confdb_ctx, conf_entry, --- -2.20.1 - diff --git a/0009-SSSD-Log-invalid_argument-msg-mod.patch b/0009-SSSD-Log-invalid_argument-msg-mod.patch deleted file mode 100644 index c826b68..0000000 --- a/0009-SSSD-Log-invalid_argument-msg-mod.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 89a40e77a1477a3957f4ddc47890eaecbc4d5c7c Mon Sep 17 00:00:00 2001 -From: Deepak Das -Date: Sat, 19 Jun 2021 17:51:21 +0530 -Subject: [PATCH 15/16] SSSD Log: invalid_argument msg mod - -Improve invalid argument msg with additional information - -Resolves: https://github.com/SSSD/sssd/issues/5578 - -Reviewed-by: Pawel Polawski ---- - src/providers/ad/ad_gpo.c | 15 ++++++++++++--- - src/providers/ldap/sdap_idmap.c | 19 +++++++++++++++---- - 2 files changed, 27 insertions(+), 7 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 4ef6a7219c71d8beb60ef2bd1093955d6015ce04..b2df3e998bbbb882d585177e0fa896aa532bb0b5 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -4742,9 +4742,18 @@ static void gpo_cse_done(struct tevent_req *subreq) - ret = ad_gpo_parse_gpo_child_response(state->buf, state->len, - &sysvol_gpt_version, &child_result); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n", -- ret, sss_strerror(ret)); -+ if (ret == EINVAL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "ad_gpo_parse_gpo_child_response failed: [%d][%s]. " -+ "Broken GPO data received from AD. Check AD child logs for " -+ "more information.\n", -+ ret, sss_strerror(ret)); -+ } else { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n", -+ ret, sss_strerror(ret)); -+ } -+ - tevent_req_error(req, ret); - return; - } else if (child_result != 0){ -diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c -index 22ed9d301aa6722374dab36ad3580625fb8f67d8..3795ed69a58ed7f779e0694cf6f76d812f44a3d1 100644 ---- a/src/providers/ldap/sdap_idmap.c -+++ b/src/providers/ldap/sdap_idmap.c -@@ -270,10 +270,21 @@ sdap_idmap_init(TALLOC_CTX *mem_ctx, - ret = sdap_idmap_add_domain(idmap_ctx, dom_name, - sid_str, slice_num); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Could not add domain [%s][%s][%"SPRIid"] " -- "to ID map: [%s]\n", -- dom_name, sid_str, slice_num, strerror(ret)); -+ if (ret == EINVAL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Could not add domain [%s][%s][%"SPRIid"] " -+ "to ID map: [%s] " -+ "Unexpected ID map configuration. Check ID map related " -+ "parameters in sssd.conf and remove the sssd cache if " -+ "some of these parameters were changed recently.\n", -+ dom_name, sid_str, slice_num, strerror(ret)); -+ } else { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Could not add domain [%s][%s][%"SPRIid"] " -+ "to ID map: [%s]\n", -+ dom_name, sid_str, slice_num, strerror(ret)); -+ } -+ - goto done; - } - } --- -2.20.1 - diff --git a/0010-KCM-removed-unneeded-assignment.patch b/0010-KCM-removed-unneeded-assignment.patch deleted file mode 100644 index fcce55a..0000000 --- a/0010-KCM-removed-unneeded-assignment.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 71301ccf8aa54f7272e7ef8009402db622fe8cd9 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 22 Jun 2021 10:29:44 +0200 -Subject: [PATCH 16/16] KCM: removed unneeded assignment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes following warning: -``` -Error: CLANG_WARNING: -sssd-2.5.1/src/responder/kcm/kcm_renew.c:481:9: warning[deadcode.DeadStores]: Value stored to 'ret' is never read - # 479| ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx); - # 480| if (ctx == NULL) { - # 481|-> ret = ENOMEM; - # 482| DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n"); - # 483| return; -``` - -Reviewed-by: Pavel Březina ---- - src/responder/kcm/kcm_renew.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/responder/kcm/kcm_renew.c b/src/responder/kcm/kcm_renew.c -index c619ed0a8de3b000db61866d21cb8b71764c0ac0..684d08be6affdf5e4acbd4b04b5a61f154c152cc 100644 ---- a/src/responder/kcm/kcm_renew.c -+++ b/src/responder/kcm/kcm_renew.c -@@ -478,7 +478,6 @@ static void kcm_renew_tgt(struct tevent_context *ev, - - ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx); - if (ctx == NULL) { -- ret = ENOMEM; - DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n"); - return; - } --- -2.20.1 - diff --git a/sources b/sources index 44c7e0f..ae755ee 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.5.1.tar.gz) = 7441df3b5f1cc1eadb0c6853b048d780ecb36761876aaeb26b9a2d87729211d3ceeae01085dc3ec4fd1c5328f951c8abe854b1d01d91fae25466f930fe16e44a +SHA512 (sssd-2.5.2.tar.gz) = a9bac7b2cc23022dce3bcda314c9c26a0a0914c448f6d5a51c5ba18670f04c1fd1a94cb20173235b6285df1dcc9251cb6b3f3e71a220037b4eb66668e6f33c48 diff --git a/sssd.spec b/sssd.spec index be05839..fad67c3 100644 --- a/sssd.spec +++ b/sssd.spec @@ -26,26 +26,15 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.5.1 -Release: 2%{?dist} +Version: 2.5.2 +Release: 1%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ -Source0: https://github.com/SSSD/sssd/releases/download/2.5.1/sssd-2.5.1.tar.gz +Source0: https://github.com/SSSD/sssd/releases/download/2.5.2/sssd-2.5.2.tar.gz ### Patches ### -Patch0001: 0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch -Patch0002: 0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch -Patch0003: 0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch -Patch0004: 0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch -Patch0005: 0005-Fix-minor-typos-in-docs.patch -Patch0006: 0006-KCM-Unset-_SSS_LOOPS.patch -Patch0007: 0007-kcm-terminate-client-on-bad-message.patch -Patch0008: 0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch -Patch0009: 0009-SSSD-Log-invalid_argument-msg-mod.patch -Patch0010: 0010-KCM-removed-unneeded-assignment.patch - ### Dependencies ### Requires: sssd-ad = %{version}-%{release} @@ -148,6 +137,7 @@ License: GPLv3+ # Requires # due to ABI changes in 1.1.30/1.2.0 Requires: libldb >= %{ldb_version} +Requires: libtevent >= 0.11.0 Requires: sssd-client%{?_isa} = %{version}-%{release} Recommends: libsss_sudo = %{version}-%{release} Recommends: libsss_autofs%{?_isa} = %{version}-%{release} @@ -477,6 +467,7 @@ Library to map certificates to users based on rules Summary: An implementation of a Kerberos KCM server License: GPLv3+ Requires: sssd-common = %{version}-%{release} +Requires: krb5-libs >= 1.19.1 %{?systemd_requires} %description kcm @@ -1009,6 +1000,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Tue Jul 13 2021 Pavel Březina - 2.5.2-1 +- Rebase to SSSD 2.5.2 + * Thu Jun 24 2021 Pavel Březina - 2.5.1-2 - Multiple small fixes to reduce size of log files with debug_backtrace on - Fix a corner case bug in KCM renewals that makes user lookup in the daemon fail