import sssd-2.6.2-3.el8
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
4d5a159fd8
commit
562beb1a29
|
|
@ -1 +1 @@
|
|||
SOURCES/sssd-2.5.2.tar.gz
|
||||
SOURCES/sssd-2.6.2.tar.gz
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
680a282289fdfc6e27562e0ac82933ccd1f9574e SOURCES/sssd-2.5.2.tar.gz
|
||||
c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,277 +0,0 @@
|
|||
From 3861960837b996d959af504a937a03963dc21d62 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 18 Jun 2021 13:17:19 +0200
|
||||
Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
|
||||
user supplied command
|
||||
|
||||
A flaw was found in SSSD, where the sssctl command was vulnerable
|
||||
to shell command injection via the logs-fetch and cache-expire
|
||||
subcommands. This flaw allows an attacker to trick the root user
|
||||
into running a specially crafted sssctl command, such as via sudo,
|
||||
to gain root access. The highest threat from this vulnerability is
|
||||
to confidentiality, integrity, as well as system availability.
|
||||
|
||||
:fixes: CVE-2021-3621
|
||||
---
|
||||
src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
|
||||
src/tools/sssctl/sssctl.h | 2 +-
|
||||
src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
|
||||
src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
|
||||
4 files changed, 73 insertions(+), 57 deletions(-)
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
|
||||
index 2997dbf96..8adaf3091 100644
|
||||
--- a/src/tools/sssctl/sssctl.c
|
||||
+++ b/src/tools/sssctl/sssctl.c
|
||||
@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
|
||||
return SSSCTL_PROMPT_ERROR;
|
||||
}
|
||||
|
||||
-errno_t sssctl_run_command(const char *command)
|
||||
+errno_t sssctl_run_command(const char *const argv[])
|
||||
{
|
||||
int ret;
|
||||
+ int wstatus;
|
||||
|
||||
- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
|
||||
|
||||
- ret = system(command);
|
||||
+ ret = fork();
|
||||
if (ret == -1) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
|
||||
ERROR("Error while executing external command\n");
|
||||
return EFAULT;
|
||||
- } else if (WEXITSTATUS(ret) != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
|
||||
- command, WEXITSTATUS(ret));
|
||||
+ }
|
||||
+
|
||||
+ if (ret == 0) {
|
||||
+ /* cast is safe - see
|
||||
+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
|
||||
+ "The statement about argv[] and envp[] being constants ... "
|
||||
+ */
|
||||
+ execvp(argv[0], discard_const_p(char * const, argv));
|
||||
ERROR("Error while executing external command\n");
|
||||
- return EIO;
|
||||
+ _exit(1);
|
||||
+ } else {
|
||||
+ if (waitpid(ret, &wstatus, 0) == -1) {
|
||||
+ ERROR("Error while executing external command '%s'\n", argv[0]);
|
||||
+ return EFAULT;
|
||||
+ } else if (WEXITSTATUS(wstatus) != 0) {
|
||||
+ ERROR("Command '%s' failed with [%d]\n",
|
||||
+ argv[0], WEXITSTATUS(wstatus));
|
||||
+ return EIO;
|
||||
+ }
|
||||
}
|
||||
|
||||
return EOK;
|
||||
@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
|
||||
#elif defined(HAVE_SERVICE)
|
||||
switch (action) {
|
||||
case SSSCTL_SVC_START:
|
||||
- return sssctl_run_command(SERVICE_PATH" sssd start");
|
||||
+ return sssctl_run_command(
|
||||
+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
|
||||
case SSSCTL_SVC_STOP:
|
||||
- return sssctl_run_command(SERVICE_PATH" sssd stop");
|
||||
+ return sssctl_run_command(
|
||||
+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
|
||||
case SSSCTL_SVC_RESTART:
|
||||
- return sssctl_run_command(SERVICE_PATH" sssd restart");
|
||||
+ return sssctl_run_command(
|
||||
+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
|
||||
}
|
||||
#endif
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
|
||||
index 0115b2457..599ef6519 100644
|
||||
--- a/src/tools/sssctl/sssctl.h
|
||||
+++ b/src/tools/sssctl/sssctl.h
|
||||
@@ -47,7 +47,7 @@ enum sssctl_prompt_result
|
||||
sssctl_prompt(const char *message,
|
||||
enum sssctl_prompt_result defval);
|
||||
|
||||
-errno_t sssctl_run_command(const char *command);
|
||||
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
|
||||
bool sssctl_start_sssd(bool force);
|
||||
bool sssctl_stop_sssd(bool force);
|
||||
bool sssctl_restart_sssd(bool force);
|
||||
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
|
||||
index 8d79b977f..bf2291341 100644
|
||||
--- a/src/tools/sssctl/sssctl_data.c
|
||||
+++ b/src/tools/sssctl/sssctl_data.c
|
||||
@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
|
||||
}
|
||||
}
|
||||
|
||||
- ret = sssctl_run_command("sss_override user-export "
|
||||
- SSS_BACKUP_USER_OVERRIDES);
|
||||
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
|
||||
+ SSS_BACKUP_USER_OVERRIDES, NULL});
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to export user overrides\n");
|
||||
return ret;
|
||||
}
|
||||
|
||||
- ret = sssctl_run_command("sss_override group-export "
|
||||
- SSS_BACKUP_GROUP_OVERRIDES);
|
||||
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
|
||||
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to export group overrides\n");
|
||||
return ret;
|
||||
@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
|
||||
}
|
||||
|
||||
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
|
||||
- ret = sssctl_run_command("sss_override user-import "
|
||||
- SSS_BACKUP_USER_OVERRIDES);
|
||||
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
|
||||
+ SSS_BACKUP_USER_OVERRIDES, NULL});
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to import user overrides\n");
|
||||
return ret;
|
||||
@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
|
||||
}
|
||||
|
||||
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
|
||||
- ret = sssctl_run_command("sss_override group-import "
|
||||
- SSS_BACKUP_GROUP_OVERRIDES);
|
||||
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
|
||||
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to import group overrides\n");
|
||||
return ret;
|
||||
@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
|
||||
void *pvt)
|
||||
{
|
||||
errno_t ret;
|
||||
- char *cmd_args = NULL;
|
||||
- const char *cachecmd = SSS_CACHE;
|
||||
- char *cmd = NULL;
|
||||
- int i;
|
||||
-
|
||||
- if (cmdline->argc == 0) {
|
||||
- ret = sssctl_run_command(cachecmd);
|
||||
- goto done;
|
||||
- }
|
||||
|
||||
- cmd_args = talloc_strdup(tool_ctx, "");
|
||||
- if (cmd_args == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ const char **args = talloc_array_size(tool_ctx,
|
||||
+ sizeof(char *),
|
||||
+ cmdline->argc + 2);
|
||||
+ if (!args) {
|
||||
+ return ENOMEM;
|
||||
}
|
||||
+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
|
||||
+ args[0] = SSS_CACHE;
|
||||
+ args[cmdline->argc + 1] = NULL;
|
||||
|
||||
- for (i = 0; i < cmdline->argc; i++) {
|
||||
- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
|
||||
- if (i != cmdline->argc - 1) {
|
||||
- cmd_args = talloc_strdup_append(cmd_args, " ");
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
|
||||
- if (cmd == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = sssctl_run_command(cmd);
|
||||
-
|
||||
-done:
|
||||
- talloc_free(cmd_args);
|
||||
- talloc_free(cmd);
|
||||
+ ret = sssctl_run_command(args);
|
||||
|
||||
+ talloc_free(args);
|
||||
return ret;
|
||||
}
|
||||
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
|
||||
index 9ff2be05b..ebb2c4571 100644
|
||||
--- a/src/tools/sssctl/sssctl_logs.c
|
||||
+++ b/src/tools/sssctl/sssctl_logs.c
|
||||
@@ -31,6 +31,7 @@
|
||||
#include <ldb.h>
|
||||
#include <popt.h>
|
||||
#include <stdio.h>
|
||||
+#include <glob.h>
|
||||
|
||||
#include "util/util.h"
|
||||
#include "tools/common/sss_process.h"
|
||||
@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
|
||||
{
|
||||
struct sssctl_logs_opts opts = {0};
|
||||
errno_t ret;
|
||||
+ glob_t globbuf;
|
||||
|
||||
/* Parse command line. */
|
||||
struct poptOption options[] = {
|
||||
@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
|
||||
|
||||
sss_signal(SIGHUP);
|
||||
} else {
|
||||
+ globbuf.gl_offs = 4;
|
||||
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
|
||||
+ if (ret != 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
|
||||
+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
|
||||
+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
|
||||
+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
|
||||
+
|
||||
PRINT("Truncating log files...\n");
|
||||
- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
|
||||
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
|
||||
+ globfree(&globbuf);
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to truncate log files\n");
|
||||
return ret;
|
||||
@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
|
||||
void *pvt)
|
||||
{
|
||||
const char *file;
|
||||
- const char *cmd;
|
||||
errno_t ret;
|
||||
+ glob_t globbuf;
|
||||
|
||||
/* Parse command line. */
|
||||
ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
|
||||
@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
|
||||
- if (cmd == NULL) {
|
||||
- ERROR("Out of memory!");
|
||||
+ globbuf.gl_offs = 3;
|
||||
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
|
||||
+ if (ret != 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
|
||||
+ return ret;
|
||||
}
|
||||
+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
|
||||
+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
|
||||
+ globbuf.gl_pathv[2] = discard_const_p(char, file);
|
||||
|
||||
PRINT("Archiving log files into %s...\n", file);
|
||||
- ret = sssctl_run_command(cmd);
|
||||
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
|
||||
+ globfree(&globbuf);
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to archive log files\n");
|
||||
return ret;
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 4 Jan 2022 10:11:49 +0100
|
||||
Subject: [PATCH] ipa: fix reply socket of selinux_child
|
||||
|
||||
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
|
||||
the reply socket of selinux_child from stdout to stderr while switching
|
||||
from exec_child to exec_child_ex. This patch returns the original
|
||||
behavior.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5939
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_selinux.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
|
||||
index 6f885c0fd..2e0593dd7 100644
|
||||
--- a/src/providers/ipa/ipa_selinux.c
|
||||
+++ b/src/providers/ipa/ipa_selinux.c
|
||||
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
|
||||
if (pid == 0) { /* child */
|
||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
|
||||
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
|
||||
- false, STDIN_FILENO, STDERR_FILENO);
|
||||
+ false, STDIN_FILENO, STDOUT_FILENO);
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
--
|
||||
2.26.3
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -1,187 +0,0 @@
|
|||
From 4c48c4a7792961cf8a228c76975ac370d32904e1 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 6 Oct 2021 13:03:27 +0200
|
||||
Subject: [PATCH] ad: filter trusted domains
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The fix for https://github.com/SSSD/sssd/issues/5528 might discover
|
||||
domains which are not trusted (one-way trust) or are from a different
|
||||
forest (direct trust). Both should be ignored because they are not
|
||||
trusted or can currently not be handled properly. This patch filters out
|
||||
those domains.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5819
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 104 +++++++++++++++++++++++++++++--
|
||||
1 file changed, 99 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 3eb49c93f..ac463026f 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -46,6 +46,7 @@
|
||||
#define AD_AT_TRUST_PARTNER "trustPartner"
|
||||
#define AD_AT_TRUST_ATTRS "trustAttributes"
|
||||
#define AD_AT_DOMAIN_NAME "cn"
|
||||
+#define AD_AT_TRUST_DIRECTION "trustDirection"
|
||||
|
||||
/* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
|
||||
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
|
||||
@@ -69,6 +70,12 @@
|
||||
/* do not refresh more often than every 5 seconds for now */
|
||||
#define AD_SUBDOMAIN_REFRESH_LIMIT 5
|
||||
|
||||
+/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */
|
||||
+#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x00000020
|
||||
+
|
||||
+/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */
|
||||
+#define TRUST_DIRECTION_OUTBOUND 0x00000002
|
||||
+
|
||||
static void
|
||||
ad_disable_gc(struct ad_options *ad_options)
|
||||
{
|
||||
@@ -646,6 +653,85 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+/* When reading trusted domains from the local DC we are basically interested
|
||||
+ * in domains from the local forest we are trusting, i.e. users from this
|
||||
+ * domain can connect to us. To not unnecessarily bloat the list of domains
|
||||
+ * and make multi-domain searches slow we filter domains from other forest and
|
||||
+ * domains we do not trust.
|
||||
+ * In future we might add config options to broaden the scope and allow more
|
||||
+ * domains.
|
||||
+ * If ad_filter_domains() returns successfully with EOK in input array is not
|
||||
+ * valid anymore and should be freed by the caller. */
|
||||
+static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx,
|
||||
+ struct sysdb_attrs **subdomains,
|
||||
+ size_t num_subdomains,
|
||||
+ struct sysdb_attrs ***_sd_out,
|
||||
+ size_t *_num_sd_out)
|
||||
+{
|
||||
+ int ret;
|
||||
+ size_t c;
|
||||
+ uint32_t tmp_uint32_t;
|
||||
+ const char *value;
|
||||
+ struct sysdb_attrs **sd_out;
|
||||
+ size_t num_sd_out = 0;
|
||||
+
|
||||
+ sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *,
|
||||
+ num_subdomains + 1);
|
||||
+ if (sd_out == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to allocate memory for sub-domain list.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ for (c = 0; c < num_subdomains; c++) {
|
||||
+ ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER,
|
||||
+ &value);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
|
||||
+ talloc_free(sd_out);
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ /* Ignore direct trusts to domains from other forests
|
||||
+ * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not
|
||||
+ * trust (TRUST_DIRECTION_OUTBOUND is not set) */
|
||||
+
|
||||
+ tmp_uint32_t = 0;
|
||||
+ ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS,
|
||||
+ &tmp_uint32_t);
|
||||
+ if (ret != EOK
|
||||
+ || (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) {
|
||||
+ DEBUG(SSSDBG_FUNC_DATA,
|
||||
+ "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n",
|
||||
+ value);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ tmp_uint32_t = 0;
|
||||
+ ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION,
|
||||
+ &tmp_uint32_t);
|
||||
+ if (ret != EOK
|
||||
+ || (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0) {
|
||||
+ DEBUG(SSSDBG_FUNC_DATA,
|
||||
+ "TRUST_DIRECTION_OUTBOUND not set for [%s].\n",
|
||||
+ value);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ sd_out[num_sd_out] = subdomains[c];
|
||||
+ num_sd_out++;
|
||||
+ }
|
||||
+
|
||||
+ for (c = 0; c < num_sd_out; c++) {
|
||||
+ sd_out[c] = talloc_steal(sd_out, sd_out[c]);
|
||||
+ }
|
||||
+
|
||||
+ *_sd_out = sd_out;
|
||||
+ *_num_sd_out = num_sd_out;
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
/* How many times we keep a domain not found during searches before it will be
|
||||
* removed. */
|
||||
#define MAX_NOT_FOUND 6
|
||||
@@ -1125,7 +1211,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)
|
||||
errno_t ret;
|
||||
const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
|
||||
AD_AT_SID, AD_AT_TRUST_TYPE,
|
||||
- AD_AT_TRUST_ATTRS, NULL };
|
||||
+ AD_AT_TRUST_ATTRS, AD_AT_TRUST_DIRECTION, NULL };
|
||||
|
||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
state = tevent_req_data(req, struct ad_get_slave_domain_state);
|
||||
@@ -1333,7 +1419,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||
struct sdap_options *opts;
|
||||
errno_t ret;
|
||||
const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
|
||||
- AD_AT_SID, AD_AT_TRUST_TYPE,
|
||||
+ AD_AT_SID, AD_AT_TRUST_TYPE, AD_AT_TRUST_DIRECTION,
|
||||
AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
|
||||
|
||||
req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
|
||||
@@ -1411,13 +1497,15 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||
struct ad_get_root_domain_state *state;
|
||||
errno_t ret;
|
||||
bool has_changes = false;
|
||||
+ struct sysdb_attrs **unfiltered_reply;
|
||||
+ size_t unfiltered_reply_count;
|
||||
|
||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
state = tevent_req_data(req, struct ad_get_root_domain_state);
|
||||
|
||||
ret = sdap_search_bases_return_first_recv(subreq, state,
|
||||
- &state->reply_count,
|
||||
- &state->reply);
|
||||
+ &unfiltered_reply_count,
|
||||
+ &unfiltered_reply);
|
||||
talloc_zfree(subreq);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
|
||||
@@ -1425,7 +1513,13 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- find_domain(state->reply_count, state->reply, state->forest);
|
||||
+ ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count,
|
||||
+ &state->reply, &state->reply_count);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to filter list of returned domains.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
if (state->reply_count == 0
|
||||
|| find_domain(state->reply_count, state->reply,
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -0,0 +1,140 @@
|
|||
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Thu, 13 Jan 2022 11:28:30 +0100
|
||||
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD and IPA providers use a common fo_server object for LDAP and
|
||||
Kerberos, which is created with the LDAP data. This means that due to
|
||||
the changes introduced in
|
||||
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
|
||||
the port in use for the Kerberos requests would be the one specified for
|
||||
LDAP, usually the default one (389).
|
||||
|
||||
In order to avoid that, AD and IPA providers shouldn't change the
|
||||
Kerberos port with the one provided for LDAP.
|
||||
|
||||
:fixes: A critical regression that prevented authentication of users via
|
||||
AD and IPA providers was fixed. LDAP port was reused for Kerberos
|
||||
communication and this provider would send incomprehensible information
|
||||
to this port.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5947
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_common.c | 1 +
|
||||
src/providers/ipa/ipa_common.c | 1 +
|
||||
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
|
||||
src/providers/krb5/krb5_common.h | 1 +
|
||||
4 files changed, 23 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index e263444c5..1ca5f8e3a 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
ad_krb5info_file_filter);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
|
||||
index 1509cb1ce..e6c1f9aa4 100644
|
||||
--- a/src/providers/ipa/ipa_common.c
|
||||
+++ b/src/providers/ipa/ipa_common.c
|
||||
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
||||
index 719ce6a12..5ffa20809 100644
|
||||
--- a/src/providers/krb5/krb5_common.c
|
||||
+++ b/src/providers/krb5/krb5_common.c
|
||||
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *))
|
||||
{
|
||||
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
if (filter == NULL || filter(server) == false) {
|
||||
address = fo_server_address_or_name(tmp_ctx, server);
|
||||
if (address) {
|
||||
- port = fo_get_server_port(server);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(server);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
continue;
|
||||
}
|
||||
|
||||
- port = fo_get_server_port(item);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(item);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(krb5_service,
|
||||
server,
|
||||
+ false,
|
||||
krb5_service->name,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
||||
index 151f446d1..2fd39a751 100644
|
||||
--- a/src/providers/krb5/krb5_common.h
|
||||
+++ b/src/providers/krb5/krb5_common.h
|
||||
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *));
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
From bb94a18f0f0cba1e9fb5abf78b995d69e5f3c559 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 18 Oct 2021 12:29:06 +0200
|
||||
Subject: [PATCH] cache_req: return success for autofs when ENOENT is returned
|
||||
from provider
|
||||
|
||||
The receive function should return true if data provider lookup was
|
||||
successfull and false if there was an error. "Not found" result is
|
||||
considered a successful lookup, only failure to perform a search
|
||||
should result in false return code.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5832
|
||||
|
||||
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||
---
|
||||
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +-
|
||||
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +-
|
||||
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
index 0dc6a585a..788b6708c 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
@@ -97,7 +97,7 @@ cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq,
|
||||
|
||||
ret = sbus_call_dp_autofs_GetEntry_recv(subreq);
|
||||
|
||||
- if (ret == ERR_MISSING_DP_TARGET) {
|
||||
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
|
||||
ret = EOK;
|
||||
}
|
||||
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
index 6a665c58e..5d82641cc 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
@@ -93,7 +93,7 @@ cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq,
|
||||
|
||||
ret = sbus_call_dp_autofs_GetMap_recv(subreq);
|
||||
|
||||
- if (ret == ERR_MISSING_DP_TARGET) {
|
||||
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
|
||||
ret = EOK;
|
||||
}
|
||||
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
index 46776b980..29f289723 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
@@ -125,7 +125,7 @@ cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq,
|
||||
|
||||
ret = sbus_call_dp_autofs_Enumerate_recv(subreq);
|
||||
|
||||
- if (ret == ERR_MISSING_DP_TARGET) {
|
||||
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
|
||||
ret = EOK;
|
||||
}
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -1,81 +0,0 @@
|
|||
From 01ff8155baea989c42664985ea939cb93beb31e7 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 1 Oct 2021 18:01:21 +0200
|
||||
Subject: [PATCH] MONITOR: reduce logs severity around signalling and
|
||||
termination of services to avoid useless in those cases backtraces
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/monitor/monitor.c | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index 42def7451..b5fee7e7a 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -655,7 +655,7 @@ static int service_signal(struct mt_svc *svc,
|
||||
* order a service to reload that hasn't started
|
||||
* yet.
|
||||
*/
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
"Could not signal service [%s].\n", svc->name);
|
||||
return EIO;
|
||||
}
|
||||
@@ -684,8 +684,8 @@ static void service_signal_done(struct tevent_req *req)
|
||||
return;
|
||||
}
|
||||
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Unable to signal service [%d]: %s\n",
|
||||
- ret, sss_strerror(ret));
|
||||
+ DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
|
||||
+ "Unable to signal service [%d]: %s\n", ret, sss_strerror(ret));
|
||||
}
|
||||
|
||||
static int service_signal_dns_reload(struct mt_svc *svc)
|
||||
@@ -1363,14 +1363,14 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
|
||||
}
|
||||
|
||||
killed = false;
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
"Terminating [%s][%d]\n", svc->name, svc->pid);
|
||||
do {
|
||||
errno = 0;
|
||||
kret = kill(-svc->pid, SIGTERM);
|
||||
if (kret < 0) {
|
||||
error = errno;
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n",
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "Couldn't terminate [%s][%d]: [%s]\n",
|
||||
svc->name, svc->pid, strerror(error));
|
||||
}
|
||||
|
||||
@@ -1384,7 +1384,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
|
||||
if (error == ECHILD) {
|
||||
killed = true;
|
||||
} else if (error != EINTR) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
"[%d][%s] while waiting for [%s]\n",
|
||||
error, strerror(error), svc->name);
|
||||
/* Forcibly kill this child */
|
||||
@@ -1394,13 +1394,13 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
|
||||
} else if (pid != 0) {
|
||||
error = 0;
|
||||
if (WIFEXITED(status)) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
"Child [%s] exited gracefully\n", svc->name);
|
||||
} else if (WIFSIGNALED(status)) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
"Child [%s] terminated with a signal\n", svc->name);
|
||||
} else {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
"Child [%s] did not exit cleanly\n", svc->name);
|
||||
/* Forcibly kill this child */
|
||||
kill(-svc->pid, SIGKILL);
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -1,145 +0,0 @@
|
|||
From bb8da4303851642318b626aad507ab7c39f6a80d Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 1 Nov 2021 20:09:02 +0100
|
||||
Subject: [PATCH] DEBUG: avoid backtrace dups.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In case the same error(s) is repeated again and again repeating the same
|
||||
backtrace doesn't add much value. In this case let's add just a note.
|
||||
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
---
|
||||
src/util/debug.c | 4 +--
|
||||
src/util/debug_backtrace.c | 51 +++++++++++++++++++++++++++++++++++---
|
||||
2 files changed, 50 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/util/debug.c b/src/util/debug.c
|
||||
index 7c03fb7df..953123718 100644
|
||||
--- a/src/util/debug.c
|
||||
+++ b/src/util/debug.c
|
||||
@@ -42,7 +42,7 @@
|
||||
void sss_debug_backtrace_init(void);
|
||||
void sss_debug_backtrace_vprintf(int level, const char *format, va_list ap);
|
||||
void sss_debug_backtrace_printf(int level, const char *format, ...);
|
||||
-void sss_debug_backtrace_endmsg(int level);
|
||||
+void sss_debug_backtrace_endmsg(const char *file, long line, int level);
|
||||
|
||||
const char *debug_prg_name = "sssd";
|
||||
|
||||
@@ -359,7 +359,7 @@ void sss_vdebug_fn(const char *file,
|
||||
if (flags & APPEND_LINE_FEED) {
|
||||
sss_debug_backtrace_printf(level, "\n");
|
||||
}
|
||||
- sss_debug_backtrace_endmsg(level);
|
||||
+ sss_debug_backtrace_endmsg(file, line, level);
|
||||
}
|
||||
|
||||
void sss_debug_fn(const char *file,
|
||||
diff --git a/src/util/debug_backtrace.c b/src/util/debug_backtrace.c
|
||||
index d99325ab6..e376f815b 100644
|
||||
--- a/src/util/debug_backtrace.c
|
||||
+++ b/src/util/debug_backtrace.c
|
||||
@@ -30,6 +30,9 @@ extern FILE *_sss_debug_file;
|
||||
static const unsigned SSS_DEBUG_BACKTRACE_DEFAULT_SIZE = 100*1024; /* bytes */
|
||||
static const unsigned SSS_DEBUG_BACKTRACE_LEVEL = SSSDBG_BE_FO;
|
||||
|
||||
+/* Size of locations history to keep to avoid duplicating backtraces */
|
||||
+#define SSS_DEBUG_BACKTRACE_LOCATIONS 5
|
||||
+
|
||||
|
||||
/* -->
|
||||
* ring buffer = [*******t...\n............e000]
|
||||
@@ -46,12 +49,21 @@ static struct {
|
||||
char *buffer; /* buffer start */
|
||||
char *end; /* end data border */
|
||||
char *tail; /* tail of "current" message */
|
||||
+
|
||||
+ /* locations where last backtraces happened */
|
||||
+ struct {
|
||||
+ const char *file;
|
||||
+ long line;
|
||||
+ } locations[SSS_DEBUG_BACKTRACE_LOCATIONS];
|
||||
+ unsigned last_location_idx;
|
||||
} _bt;
|
||||
|
||||
|
||||
static inline bool _all_levels_enabled(void);
|
||||
static inline bool _backtrace_is_enabled(int level);
|
||||
static inline bool _is_trigger_level(int level);
|
||||
+static void _store_location(const char *file, long line);
|
||||
+static bool _is_recent_location(const char *file, long line);
|
||||
static void _backtrace_vprintf(const char *format, va_list ap);
|
||||
static void _backtrace_printf(const char *format, ...);
|
||||
static void _backtrace_dump(void);
|
||||
@@ -75,6 +87,8 @@ void sss_debug_backtrace_init(void)
|
||||
_bt.enabled = true;
|
||||
_bt.initialized = true;
|
||||
|
||||
+ /* locations[] & last_location_idx are zero-initialized */
|
||||
+
|
||||
_backtrace_printf(" * ");
|
||||
}
|
||||
|
||||
@@ -116,7 +130,7 @@ void sss_debug_backtrace_printf(int level, const char *format, ...)
|
||||
}
|
||||
|
||||
|
||||
-void sss_debug_backtrace_endmsg(int level)
|
||||
+void sss_debug_backtrace_endmsg(const char *file, long line, int level)
|
||||
{
|
||||
if (DEBUG_IS_SET(level)) {
|
||||
_debug_fflush();
|
||||
@@ -124,7 +138,16 @@ void sss_debug_backtrace_endmsg(int level)
|
||||
|
||||
if (_backtrace_is_enabled(level)) {
|
||||
if (_is_trigger_level(level)) {
|
||||
- _backtrace_dump();
|
||||
+ if (!_is_recent_location(file, line)) {
|
||||
+ _backtrace_dump();
|
||||
+ _store_location(file, line);
|
||||
+ } else {
|
||||
+ fprintf(_sss_debug_file ? _sss_debug_file : stderr,
|
||||
+ " * ... skipping repetitive backtrace ...\n");
|
||||
+ /* and reset */
|
||||
+ _bt.end = _bt.buffer;
|
||||
+ _bt.tail = _bt.buffer;
|
||||
+ }
|
||||
}
|
||||
_backtrace_printf(" * ");
|
||||
}
|
||||
@@ -191,7 +214,29 @@ static inline bool _backtrace_is_enabled(int level)
|
||||
}
|
||||
|
||||
|
||||
- /* prints to buffer */
|
||||
+static void _store_location(const char *file, long line)
|
||||
+{
|
||||
+ _bt.last_location_idx = (_bt.last_location_idx + 1) % SSS_DEBUG_BACKTRACE_LOCATIONS;
|
||||
+ /* __FILE__ is a character string literal with static storage duration. */
|
||||
+ _bt.locations[_bt.last_location_idx].file = file;
|
||||
+ _bt.locations[_bt.last_location_idx].line = line;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static bool _is_recent_location(const char *file, long line)
|
||||
+{
|
||||
+ for (unsigned idx = 0; idx < SSS_DEBUG_BACKTRACE_LOCATIONS; ++idx) {
|
||||
+ if ((line == _bt.locations[idx].line) &&
|
||||
+ (_bt.locations[idx].file != NULL) &&
|
||||
+ (strcmp(file, _bt.locations[idx].file) == 0)) {
|
||||
+ return true;
|
||||
+ }
|
||||
+ }
|
||||
+ return false;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+/* prints to buffer */
|
||||
static void _backtrace_vprintf(const char *format, va_list ap)
|
||||
{
|
||||
int buff_tail_size = _bt.size - (_bt.tail - _bt.buffer);
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -1,131 +0,0 @@
|
|||
From 26654d3e5f5882dd1681116cb49228d108351d48 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 12 Aug 2021 09:27:57 +0200
|
||||
Subject: [PATCH] cache_req: cache_first fix for fully-qualified names
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
With commit b572871236a7f9059d375a5ab1bff8cbfd519956 "cache_req:
|
||||
introduce cache_behavior enumeration" the processing of cache and
|
||||
backend lookups was refactored. Unfortunately this introduce an issue
|
||||
when looking up users or groups with a fully-qualified name and the
|
||||
'cache_first = True' option is set.
|
||||
|
||||
In the old code the case when a domain name is available was handle
|
||||
before the cache_first first option was evaluated and cache_req was
|
||||
instructed to first look in the cache and then call the backend if the
|
||||
object is not available or expired, i.e. the default behavior. Since
|
||||
only a single domain is involved this is in agreement with 'cache_first
|
||||
= True' and only a single iteration is needed.
|
||||
|
||||
In the new code the cache_first option is evaluated before the presence
|
||||
of a domain name is checked and as a result even for single domain
|
||||
searches the first cache_req iteration is only looking at the cache and
|
||||
will not call the backend. This means the now for searches with a
|
||||
fully-qualified name a second iteration is needed if the object was not
|
||||
found in the cache.
|
||||
|
||||
Unfortunately the old exit condition that if a domain name is present
|
||||
only a single iteration is needed is still present in the new code which
|
||||
effectively makes requests with fully-qualified named only search the
|
||||
cache and never call the backends. This patch removes the exit condition
|
||||
and does a second iteration for fully-qualified names as well if
|
||||
'cache_first = True' is set.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5744
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 3 +-
|
||||
src/tests/cmocka/test_responder_cache_req.c | 53 +++++++++++++++++++++
|
||||
2 files changed, 54 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index 750d655c1..56ec077f3 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -1331,8 +1331,7 @@ static errno_t cache_req_select_domains(struct tevent_req *req,
|
||||
|
||||
state = tevent_req_data(req, struct cache_req_state);
|
||||
|
||||
- if ((state->cr->cache_behavior != CACHE_REQ_CACHE_FIRST)
|
||||
- || (domain_name != NULL)) {
|
||||
+ if (state->cr->cache_behavior != CACHE_REQ_CACHE_FIRST) {
|
||||
|
||||
if (!state->first_iteration) {
|
||||
/* We're done here. */
|
||||
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
|
||||
index 5cf7660e7..27a525f6e 100644
|
||||
--- a/src/tests/cmocka/test_responder_cache_req.c
|
||||
+++ b/src/tests/cmocka/test_responder_cache_req.c
|
||||
@@ -992,6 +992,56 @@ void test_user_by_name_missing_notfound(void **state)
|
||||
assert_true(test_ctx->dp_called);
|
||||
}
|
||||
|
||||
+void test_user_by_name_missing_notfound_cache_first(void **state)
|
||||
+{
|
||||
+ struct cache_req_test_ctx *test_ctx = NULL;
|
||||
+
|
||||
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
||||
+ test_ctx->rctx->cache_first = true;
|
||||
+
|
||||
+ /* Mock values. */
|
||||
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
|
||||
+ mock_account_recv_simple();
|
||||
+ mock_parse_inp(users[0].short_name, NULL, ERR_OK);
|
||||
+
|
||||
+ /* Test. */
|
||||
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
|
||||
+ assert_true(test_ctx->dp_called);
|
||||
+}
|
||||
+
|
||||
+void test_user_by_name_missing_notfound_full_name(void **state)
|
||||
+{
|
||||
+ struct cache_req_test_ctx *test_ctx = NULL;
|
||||
+
|
||||
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
||||
+
|
||||
+ /* Mock values. */
|
||||
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
|
||||
+ mock_account_recv_simple();
|
||||
+ mock_parse_inp(users[0].short_name, TEST_DOM_NAME, ERR_OK);
|
||||
+
|
||||
+ /* Test. */
|
||||
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
|
||||
+ assert_true(test_ctx->dp_called);
|
||||
+}
|
||||
+
|
||||
+void test_user_by_name_missing_notfound_cache_first_full_name(void **state)
|
||||
+{
|
||||
+ struct cache_req_test_ctx *test_ctx = NULL;
|
||||
+
|
||||
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
||||
+ test_ctx->rctx->cache_first = true;
|
||||
+
|
||||
+ /* Mock values. */
|
||||
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
|
||||
+ mock_account_recv_simple();
|
||||
+ mock_parse_inp(users[0].short_name, TEST_DOM_NAME, ERR_OK);
|
||||
+
|
||||
+ /* Test. */
|
||||
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
|
||||
+ assert_true(test_ctx->dp_called);
|
||||
+}
|
||||
+
|
||||
void test_user_by_name_multiple_domains_requested_domains_found(void **state)
|
||||
{
|
||||
struct cache_req_test_ctx *test_ctx = NULL;
|
||||
@@ -4255,6 +4305,9 @@ int main(int argc, const char *argv[])
|
||||
new_single_domain_test(user_by_name_ncache),
|
||||
new_single_domain_test(user_by_name_missing_found),
|
||||
new_single_domain_test(user_by_name_missing_notfound),
|
||||
+ new_single_domain_test(user_by_name_missing_notfound_cache_first),
|
||||
+ new_single_domain_test(user_by_name_missing_notfound_full_name),
|
||||
+ new_single_domain_test(user_by_name_missing_notfound_cache_first_full_name),
|
||||
new_multi_domain_test(user_by_name_multiple_domains_found),
|
||||
new_multi_domain_test(user_by_name_multiple_domains_notfound),
|
||||
new_multi_domain_test(user_by_name_multiple_domains_parse),
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -1,111 +0,0 @@
|
|||
From a56b8d1aaf030fea196b65545dfe207ea10bdf50 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 3 Dec 2021 13:38:44 +0100
|
||||
Subject: [PATCH] utils: ignore systemd and sd-pam process in
|
||||
get_active_uid_linux()
|
||||
|
||||
We iterate processes in /proc to get the list of active users (users
|
||||
that has any process running). However, recent change in systemd makes
|
||||
systemd and sd-pam process ligner for few more seconds when the user has
|
||||
logged out which breaks the no-session functionality in pam responder.
|
||||
|
||||
If user is logged in, another process then systemd and sd-pam must be
|
||||
running. Therefore we can just ignore these from the list.
|
||||
|
||||
```
|
||||
admin 351997 0.4 0.0 22648 14636 ? Ss 13:25 0:00 /usr/lib/systemd/systemd --user
|
||||
admin 351999 0.0 0.0 201464 7756 ? S 13:25 0:00 (sd-pam)
|
||||
```
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5900
|
||||
|
||||
:fixes: Quick log out and log in did not correctly refresh
|
||||
user's initgroups in `no_session` PAM schema due to lingering
|
||||
systemd processes.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/util/find_uid.c | 31 +++++++++++++++++++++++++++++--
|
||||
1 file changed, 29 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/util/find_uid.c b/src/util/find_uid.c
|
||||
index 38e8f6164..1b506dfc3 100644
|
||||
--- a/src/util/find_uid.c
|
||||
+++ b/src/util/find_uid.c
|
||||
@@ -58,7 +58,7 @@ static void hash_talloc_free(void *ptr, void *pvt)
|
||||
talloc_free(ptr);
|
||||
}
|
||||
|
||||
-static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
|
||||
+static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid, bool *is_systemd)
|
||||
{
|
||||
int ret;
|
||||
char path[PATHLEN];
|
||||
@@ -138,6 +138,7 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
|
||||
"close failed [%d][%s].\n", error, strerror(error));
|
||||
}
|
||||
|
||||
+ /* Get uid */
|
||||
p = strstr(buf, "\nUid:\t");
|
||||
if (p != NULL) {
|
||||
p += 6;
|
||||
@@ -165,6 +166,24 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
+ /* Get process name. */
|
||||
+ p = strstr(buf, "Name:\t");
|
||||
+ if (p == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "format error\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ p += 6;
|
||||
+ e = strchr(p,'\n');
|
||||
+ if (e == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "format error\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ if (strncmp(p, "systemd", e-p) == 0 || strncmp(p, "(sd-pam)", e-p) == 0) {
|
||||
+ *is_systemd = true;
|
||||
+ } else {
|
||||
+ *is_systemd = false;
|
||||
+ }
|
||||
+
|
||||
*uid = num;
|
||||
|
||||
return EOK;
|
||||
@@ -215,6 +234,7 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
|
||||
struct dirent *dirent;
|
||||
int ret, err;
|
||||
pid_t pid = -1;
|
||||
+ bool is_systemd;
|
||||
uid_t uid;
|
||||
|
||||
hash_key_t key;
|
||||
@@ -238,7 +258,7 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = get_uid_from_pid(pid, &uid);
|
||||
+ ret = get_uid_from_pid(pid, &uid, &is_systemd);
|
||||
if (ret != EOK) {
|
||||
/* Most probably this /proc entry disappeared.
|
||||
Anyway, just skip it.
|
||||
@@ -248,6 +268,13 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
|
||||
continue;
|
||||
}
|
||||
|
||||
+ if (is_systemd) {
|
||||
+ /* Systemd process may linger for a while even when user.
|
||||
+ * is logged out. Lets ignore it and focus only
|
||||
+ * on non-systemd processes. */
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
if (table != NULL) {
|
||||
key.type = HASH_KEY_ULONG;
|
||||
key.ul = (unsigned long) uid;
|
||||
--
|
||||
2.26.3
|
||||
|
||||
104
SPECS/sssd.spec
104
SPECS/sssd.spec
|
|
@ -18,8 +18,8 @@
|
|||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
Name: sssd
|
||||
Version: 2.5.2
|
||||
Release: 2%{?dist}.4
|
||||
Version: 2.6.2
|
||||
Release: 3%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
|
|
@ -27,15 +27,10 @@ URL: https://github.com/SSSD/sssd
|
|||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
|
||||
Patch0002: 0002-po-update-translations.patch
|
||||
Patch0003: 0003-ad-filter-trusted-domains.patch
|
||||
Patch0004: 0004-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch
|
||||
Patch0005: 0005-MONITOR-reduce-logs-severity-around-signalling-and-t.patch
|
||||
Patch0006: 0006-DEBUG-avoid-backtrace-dups.patch
|
||||
Patch0007: 0007-cache_req-cache_first-fix-for-fully-qualified-names.patch
|
||||
Patch0008: 0008-utils-ignore-systemd-and-sd-pam-process-in-get_activ.patch
|
||||
Patch0009: 0009-ad-add-required-cn-attribute-to-subdomain-object.patch
|
||||
Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
|
||||
Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
|
||||
Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
|
||||
Patch0004: 0004-po-update-translations.patch
|
||||
|
||||
### Downstream Patches ###
|
||||
|
||||
|
|
@ -83,7 +78,7 @@ BuildRequires: openldap-devel
|
|||
BuildRequires: pam-devel
|
||||
BuildRequires: nss-devel
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: pcre2-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: libxml2
|
||||
BuildRequires: docbook-style-xsl
|
||||
|
|
@ -101,7 +96,6 @@ BuildRequires: gettext-devel
|
|||
BuildRequires: pkgconfig
|
||||
BuildRequires: diffstat
|
||||
BuildRequires: findutils
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: selinux-policy-targeted
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: uid_wrapper
|
||||
|
|
@ -123,8 +117,10 @@ BuildRequires: libsmbclient-devel
|
|||
BuildRequires: samba-winbind
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: gdm-pam-extensions-devel
|
||||
BuildRequires: libunistring-devel
|
||||
BuildRequires: shadow-utils-subid-devel
|
||||
BuildRequires: po4a
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
|
|
@ -219,13 +215,12 @@ Requires: libsss_simpleifp = %{version}-%{release}
|
|||
Requires: python3-sss = %{version}-%{release}
|
||||
Requires: python3-sssdconfig = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
# for logger=journald support with sss_analyze
|
||||
Requires: python3-systemd
|
||||
Recommends: sssd-dbus
|
||||
|
||||
%description tools
|
||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
|
||||
Also provides several other administrative tools:
|
||||
Provides several administrative tools:
|
||||
* sss_debuglevel to change the debug level on the fly
|
||||
* sss_seed which pre-creates a user entry for use in kickstarts
|
||||
* sss_obfuscate for generating an obfuscated LDAP password
|
||||
|
|
@ -249,11 +244,8 @@ Requires: sssd-common = %{version}-%{release}
|
|||
%{?python_provide:%python_provide python3-sss}
|
||||
|
||||
%description -n python3-sss
|
||||
Provides python3 module for manipulating users, groups, and nested groups in
|
||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
|
||||
Also provides several other useful python3 bindings:
|
||||
* function for retrieving list of groups user belongs to.
|
||||
Provides python3 bindings:
|
||||
* function for retrieving list of groups user belongs to
|
||||
* class for obfuscation of passwords
|
||||
|
||||
%package -n python3-sss-murmur
|
||||
|
|
@ -587,6 +579,7 @@ autoreconf -ivf
|
|||
--disable-rpath \
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
--with-subid \
|
||||
--enable-sss-default-nss-plugin \
|
||||
--enable-files-domain \
|
||||
--without-python2-bindings \
|
||||
|
|
@ -607,6 +600,7 @@ unset CK_TIMEOUT_MULTIPLIER
|
|||
|
||||
%install
|
||||
|
||||
%py3_shebang_fix src/tools/analyzer/sss_analyze
|
||||
sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate
|
||||
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
|
|
@ -627,6 +621,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
|
|||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||
|
||||
# krb5 configuration snippet
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
|
||||
# Create directory for cifs-idmap alternative
|
||||
# Otherwise this directory could not be owned by sssd-client
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
|
||||
|
|
@ -858,6 +856,9 @@ done
|
|||
%license COPYING
|
||||
%{_libdir}/%{name}/libsss_krb5.so
|
||||
%{_mandir}/man5/sssd-krb5.5*
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
%dir %{_datadir}/sssd/krb5-snippets
|
||||
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
|
||||
|
||||
%files common-pac
|
||||
%defattr(-,root,root,-)
|
||||
|
|
@ -911,6 +912,7 @@ done
|
|||
%defattr(-,root,root,-)
|
||||
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
%{_libdir}/libnss_sss.so.2
|
||||
%{_libdir}/libsubid_sss.so
|
||||
%{_libdir}/security/pam_sss.so
|
||||
%{_libdir}/security/pam_sss_gss.so
|
||||
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
||||
|
|
@ -945,6 +947,8 @@ done
|
|||
%{_sbindir}/sss_debuglevel
|
||||
%{_sbindir}/sss_seed
|
||||
%{_sbindir}/sssctl
|
||||
%{_libexecdir}/%{servicename}/sss_analyze
|
||||
%{python3_sitelib}/sssd/
|
||||
%{_mandir}/man8/sss_obfuscate.8*
|
||||
%{_mandir}/man8/sss_override.8*
|
||||
%{_mandir}/man8/sss_debuglevel.8*
|
||||
|
|
@ -1043,7 +1047,6 @@ done
|
|||
%{_unitdir}/sssd-kcm.socket
|
||||
%{_unitdir}/sssd-kcm.service
|
||||
%{_mandir}/man8/sssd-kcm.8*
|
||||
%{_libdir}/%{name}/libsss_secrets.so
|
||||
|
||||
%pre ipa
|
||||
getent group sssd >/dev/null || groupadd -r sssd
|
||||
|
|
@ -1154,21 +1157,50 @@ fi
|
|||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.4
|
||||
- Resolves: rhbz#2030651 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries [rhel-8.5.0.z]
|
||||
- Resolves: rhbz#2035285 - AD Domain in the AD Forest Missing after sssd latest update [rhel-8.5.0.z]
|
||||
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
|
||||
- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
|
||||
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
|
||||
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
|
||||
- Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
|
||||
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
|
||||
|
||||
* Tue Dec 07 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.3
|
||||
- Resolves: rhbz#2028828 - pam responder does not call initgroups to refresh the user entry [rhel-8.5.0.z]
|
||||
* Tue Jan 04 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
|
||||
- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)
|
||||
|
||||
* Mon Nov 29 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.2
|
||||
- Resolves: rhbz#2018440 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) [rhel-8.5.0.z]
|
||||
- Resolves: rhbz#2016923 - autofs lookups for unknown mounts are delayed for 50s [rhel-8.5.0.z]
|
||||
- Resolves: rhbz#2021499 - Make backtrace less "chatty" (avoid duplicate backtraces) [rhel-8.5.0.z]
|
||||
- Resolves: rhbz#2013379 - Lookup with fully-qualified name does not work with 'cache_first = True' [rhel-8.5.0.z]
|
||||
* Mon Dec 27 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
|
||||
- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
|
||||
- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
|
||||
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
|
||||
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
|
||||
- Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
|
||||
- Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
|
||||
- Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
|
||||
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
|
||||
- Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
|
||||
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
|
||||
- Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
|
||||
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
|
||||
|
||||
* Mon Oct 18 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.1
|
||||
- Resolves: rhbz#2014460 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing [rhel-8.5.0.z]
|
||||
* Fri Nov 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-2
|
||||
- Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
|
||||
|
||||
* Mon Nov 15 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-1
|
||||
- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
|
||||
- Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
|
||||
- Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator
|
||||
- Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed
|
||||
- Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb
|
||||
- Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces)
|
||||
- Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
|
||||
- Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD
|
||||
- Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline
|
||||
- Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True'
|
||||
- Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s
|
||||
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
|
||||
- Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication.
|
||||
- Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA
|
||||
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
|
||||
- Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing
|
||||
|
||||
* Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
|
||||
- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
|
||||
|
|
|
|||
Loading…
Reference in New Issue