import sssd-2.7.3-4.el8
This commit is contained in:
parent
c7a1fcfb51
commit
6559c78444
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/sssd-2.6.2.tar.gz
|
||||
SOURCES/sssd-2.7.3.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
|
||||
0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz
|
||||
|
51
SOURCES/0001-Makefile-remove-unneeded-dependency.patch
Normal file
51
SOURCES/0001-Makefile-remove-unneeded-dependency.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 20:16:32 +0200
|
||||
Subject: [PATCH] Makefile: remove unneeded dependency
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)
|
||||
---
|
||||
Makefile.am | 4 ----
|
||||
1 file changed, 4 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 669a0fc56..92d046888 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \
|
||||
$(KRB5_CFLAGS) \
|
||||
$(UUID_CFLAGS) \
|
||||
$(CURL_CFLAGS) \
|
||||
- $(JANSSON_CFLAGS) \
|
||||
$(NULL)
|
||||
sssd_kcm_LDADD = \
|
||||
$(LIBADD_DL) \
|
||||
$(KRB5_LIBS) \
|
||||
- $(JANSSON_LIBS) \
|
||||
$(SSSD_LIBS) \
|
||||
$(UUID_LIBS) \
|
||||
$(SYSTEMD_DAEMON_LIBS) \
|
||||
@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \
|
||||
$(UUID_CFLAGS) \
|
||||
$(NULL)
|
||||
test_kcm_marshalling_LDADD = \
|
||||
- $(JANSSON_LIBS) \
|
||||
$(UUID_LIBS) \
|
||||
$(KRB5_LIBS) \
|
||||
$(CMOCKA_LIBS) \
|
||||
@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \
|
||||
test_kcm_renewals_LDADD = \
|
||||
$(LIBADD_DL) \
|
||||
$(UUID_LIBS) \
|
||||
- $(JANSSON_LIBS) \
|
||||
$(KRB5_LIBS) \
|
||||
$(CARES_LIBS) \
|
||||
$(CMOCKA_LIBS) \
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 4 Jan 2022 10:11:49 +0100
|
||||
Subject: [PATCH] ipa: fix reply socket of selinux_child
|
||||
|
||||
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
|
||||
the reply socket of selinux_child from stdout to stderr while switching
|
||||
from exec_child to exec_child_ex. This patch returns the original
|
||||
behavior.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5939
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_selinux.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
|
||||
index 6f885c0fd..2e0593dd7 100644
|
||||
--- a/src/providers/ipa/ipa_selinux.c
|
||||
+++ b/src/providers/ipa/ipa_selinux.c
|
||||
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
|
||||
if (pid == 0) { /* child */
|
||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
|
||||
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
|
||||
- false, STDIN_FILENO, STDERR_FILENO);
|
||||
+ false, STDIN_FILENO, STDOUT_FILENO);
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,155 @@
|
||||
From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 29 Jul 2022 14:57:20 +0200
|
||||
Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it
|
||||
should survive context destruction / re-initialization
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911)
|
||||
---
|
||||
src/sss_client/nss_mc.h | 4 ++--
|
||||
src/sss_client/nss_mc_common.c | 10 ++++++++--
|
||||
src/sss_client/nss_mc_group.c | 5 +++++
|
||||
src/sss_client/nss_mc_initgr.c | 5 +++++
|
||||
src/sss_client/nss_mc_passwd.c | 5 +++++
|
||||
src/sss_client/nss_mc_sid.c | 5 +++++
|
||||
6 files changed, 30 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
|
||||
index b66e8f09f..de1496ccc 100644
|
||||
--- a/src/sss_client/nss_mc.h
|
||||
+++ b/src/sss_client/nss_mc.h
|
||||
@@ -48,7 +48,7 @@ enum sss_mc_state {
|
||||
struct sss_cli_mc_ctx {
|
||||
enum sss_mc_state initialized;
|
||||
#if HAVE_PTHREAD
|
||||
- pthread_mutex_t mutex;
|
||||
+ pthread_mutex_t *mutex;
|
||||
#endif
|
||||
int fd;
|
||||
|
||||
@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx {
|
||||
};
|
||||
|
||||
#if HAVE_PTHREAD
|
||||
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
#else
|
||||
#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
#endif
|
||||
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
|
||||
index c73a93a9a..f38a4a85a 100644
|
||||
--- a/src/sss_client/nss_mc_common.c
|
||||
+++ b/src/sss_client/nss_mc_common.c
|
||||
@@ -58,14 +58,14 @@ do { \
|
||||
static void sss_mt_lock(struct sss_cli_mc_ctx *ctx)
|
||||
{
|
||||
#if HAVE_PTHREAD
|
||||
- pthread_mutex_lock(&ctx->mutex);
|
||||
+ pthread_mutex_lock(ctx->mutex);
|
||||
#endif
|
||||
}
|
||||
|
||||
static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
|
||||
{
|
||||
#if HAVE_PTHREAD
|
||||
- pthread_mutex_unlock(&ctx->mutex);
|
||||
+ pthread_mutex_unlock(ctx->mutex);
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
|
||||
{
|
||||
uint32_t active_threads = ctx->active_threads;
|
||||
+#if HAVE_PTHREAD
|
||||
+ pthread_mutex_t *mutex = ctx->mutex;
|
||||
+#endif
|
||||
|
||||
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
|
||||
munmap(ctx->mmap_base, ctx->mmap_size);
|
||||
@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
|
||||
|
||||
/* restore count of active threads */
|
||||
ctx->active_threads = active_threads;
|
||||
+#if HAVE_PTHREAD
|
||||
+ ctx->mutex = mutex;
|
||||
+#endif
|
||||
}
|
||||
|
||||
static errno_t sss_nss_mc_init_ctx(const char *name,
|
||||
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
|
||||
index 2ea40c435..d4f2a82ab 100644
|
||||
--- a/src/sss_client/nss_mc_group.c
|
||||
+++ b/src/sss_client/nss_mc_group.c
|
||||
@@ -29,7 +29,12 @@
|
||||
#include "nss_mc.h"
|
||||
#include "shared/safealign.h"
|
||||
|
||||
+#if HAVE_PTHREAD
|
||||
+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex);
|
||||
+#else
|
||||
static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
|
||||
+#endif
|
||||
|
||||
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
|
||||
struct group *result,
|
||||
diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
|
||||
index b05946263..bd7282935 100644
|
||||
--- a/src/sss_client/nss_mc_initgr.c
|
||||
+++ b/src/sss_client/nss_mc_initgr.c
|
||||
@@ -32,7 +32,12 @@
|
||||
#include "nss_mc.h"
|
||||
#include "shared/safealign.h"
|
||||
|
||||
+#if HAVE_PTHREAD
|
||||
+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex);
|
||||
+#else
|
||||
static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
|
||||
+#endif
|
||||
|
||||
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
|
||||
long int *start, long int *size,
|
||||
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
|
||||
index 01c6801da..256d48444 100644
|
||||
--- a/src/sss_client/nss_mc_passwd.c
|
||||
+++ b/src/sss_client/nss_mc_passwd.c
|
||||
@@ -28,7 +28,12 @@
|
||||
#include <time.h>
|
||||
#include "nss_mc.h"
|
||||
|
||||
+#if HAVE_PTHREAD
|
||||
+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex);
|
||||
+#else
|
||||
static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
|
||||
+#endif
|
||||
|
||||
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
|
||||
struct passwd *result,
|
||||
diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c
|
||||
index af7d7bbd5..52e684da5 100644
|
||||
--- a/src/sss_client/nss_mc_sid.c
|
||||
+++ b/src/sss_client/nss_mc_sid.c
|
||||
@@ -30,7 +30,12 @@
|
||||
#include "util/mmap_cache.h"
|
||||
#include "idmap/sss_nss_idmap.h"
|
||||
|
||||
+#if HAVE_PTHREAD
|
||||
+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex);
|
||||
+#else
|
||||
static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
|
||||
+#endif
|
||||
|
||||
static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type,
|
||||
char **sid, uint32_t *type,
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,42 +0,0 @@
|
||||
From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 16 Dec 2021 11:14:18 +0100
|
||||
Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the forest root is not part of the return trusted domain objects
|
||||
from the local domain controller we generate an object for further
|
||||
processing. During this processing it is expected that the 'cn'
|
||||
attribute is set and contains the name of the forest root. So far this
|
||||
attribute was missing and it is now added by this patch.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5926
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 0353de76f..0c3f8ac31 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
|
||||
+ state->forest);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
|
||||
&id_val.data, &id_val.length);
|
||||
if (err != IDMAP_SUCCESS) {
|
||||
--
|
||||
2.26.3
|
||||
|
36
SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
Normal file
36
SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 1 Aug 2022 09:54:51 -0400
|
||||
Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
|
||||
is NULL for certain NSS request types (e.g. Service by Name).
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)
|
||||
---
|
||||
src/responder/nss/nss_get_object.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
|
||||
index 9762d6bfe..5a2e7e9bd 100644
|
||||
--- a/src/responder/nss/nss_get_object.c
|
||||
+++ b/src/responder/nss/nss_get_object.c
|
||||
@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx,
|
||||
input_name);
|
||||
}
|
||||
|
||||
- cache_req_data_set_hybrid_lookup(hybrid_data, true);
|
||||
+ if (hybrid_data != NULL) {
|
||||
+ cache_req_data_set_hybrid_lookup(hybrid_data, true);
|
||||
+ }
|
||||
|
||||
return hybrid_data;
|
||||
}
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,140 +0,0 @@
|
||||
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Thu, 13 Jan 2022 11:28:30 +0100
|
||||
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD and IPA providers use a common fo_server object for LDAP and
|
||||
Kerberos, which is created with the LDAP data. This means that due to
|
||||
the changes introduced in
|
||||
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
|
||||
the port in use for the Kerberos requests would be the one specified for
|
||||
LDAP, usually the default one (389).
|
||||
|
||||
In order to avoid that, AD and IPA providers shouldn't change the
|
||||
Kerberos port with the one provided for LDAP.
|
||||
|
||||
:fixes: A critical regression that prevented authentication of users via
|
||||
AD and IPA providers was fixed. LDAP port was reused for Kerberos
|
||||
communication and this provider would send incomprehensible information
|
||||
to this port.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5947
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_common.c | 1 +
|
||||
src/providers/ipa/ipa_common.c | 1 +
|
||||
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
|
||||
src/providers/krb5/krb5_common.h | 1 +
|
||||
4 files changed, 23 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index e263444c5..1ca5f8e3a 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
ad_krb5info_file_filter);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
|
||||
index 1509cb1ce..e6c1f9aa4 100644
|
||||
--- a/src/providers/ipa/ipa_common.c
|
||||
+++ b/src/providers/ipa/ipa_common.c
|
||||
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
||||
index 719ce6a12..5ffa20809 100644
|
||||
--- a/src/providers/krb5/krb5_common.c
|
||||
+++ b/src/providers/krb5/krb5_common.c
|
||||
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *))
|
||||
{
|
||||
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
if (filter == NULL || filter(server) == false) {
|
||||
address = fo_server_address_or_name(tmp_ctx, server);
|
||||
if (address) {
|
||||
- port = fo_get_server_port(server);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(server);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
continue;
|
||||
}
|
||||
|
||||
- port = fo_get_server_port(item);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(item);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(krb5_service,
|
||||
server,
|
||||
+ false,
|
||||
krb5_service->name,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
||||
index 151f446d1..2fd39a751 100644
|
||||
--- a/src/providers/krb5/krb5_common.h
|
||||
+++ b/src/providers/krb5/krb5_common.h
|
||||
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *));
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
30
SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
Normal file
30
SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Thu, 14 Jul 2022 11:21:04 -0400
|
||||
Subject: [PATCH] Analyzer: Fix escaping raw fstring
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19)
|
||||
---
|
||||
src/tools/analyzer/modules/request.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
|
||||
index b8dd9b25c..935e13adc 100644
|
||||
--- a/src/tools/analyzer/modules/request.py
|
||||
+++ b/src/tools/analyzer/modules/request.py
|
||||
@@ -243,8 +243,8 @@ class RequestAnalyzer:
|
||||
be_results = False
|
||||
component = source.Component.NSS
|
||||
resp = "nss"
|
||||
- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]']
|
||||
- pattern.append(rf"\[CID#{cid}\\]")
|
||||
+ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
|
||||
+ pattern.append(rf"\[CID#{cid}\]")
|
||||
|
||||
if args.pam:
|
||||
component = source.Component.PAM
|
||||
--
|
||||
2.37.1
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,34 @@
|
||||
From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 16 Aug 2022 21:48:43 +0200
|
||||
Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f)
|
||||
---
|
||||
src/sss_client/nss_mc.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
|
||||
index de1496ccc..0f88521e9 100644
|
||||
--- a/src/sss_client/nss_mc.h
|
||||
+++ b/src/sss_client/nss_mc.h
|
||||
@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx {
|
||||
};
|
||||
|
||||
#if HAVE_PTHREAD
|
||||
-#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
#else
|
||||
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
#endif
|
||||
|
||||
errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,432 +0,0 @@
|
||||
From 37f90057792a0b4543f34684ed9a240fe8e869c1 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 11 Apr 2022 22:48:19 +0200
|
||||
Subject: [PATCH 5/6] Revert "usertools: force local user for sssd process
|
||||
user"
|
||||
|
||||
This reverts commit 9c447dc85853116c035bbc2f9e3b8553a65be621.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6107
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
Makefile.am | 3 -
|
||||
src/tests/cwrap/Makefile.am | 8 +--
|
||||
src/tests/cwrap/common_mock_nss_dl_load.c | 77 -----------------------
|
||||
src/tests/cwrap/common_mock_nss_dl_load.h | 30 ---------
|
||||
src/tests/cwrap/test_responder_common.c | 7 ---
|
||||
src/tests/cwrap/test_usertools.c | 6 --
|
||||
src/util/nss_dl_load.c | 13 +---
|
||||
src/util/nss_dl_load.h | 3 -
|
||||
src/util/nss_dl_load_extra.c | 40 ------------
|
||||
src/util/usertools.c | 32 +++-------
|
||||
10 files changed, 12 insertions(+), 207 deletions(-)
|
||||
delete mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
|
||||
delete mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
|
||||
delete mode 100644 src/util/nss_dl_load_extra.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 1121a3fb2..e0dd5220c 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -888,7 +888,6 @@ dist_noinst_HEADERS = \
|
||||
src/tests/cmocka/test_expire_common.h \
|
||||
src/tests/cmocka/test_sdap_access.h \
|
||||
src/tests/cmocka/data_provider/mock_dp.h \
|
||||
- src/tests/cwrap/common_mock_nss_dl_load.h \
|
||||
src/sss_client/pam_message.h \
|
||||
src/sss_client/ssh/sss_ssh_client.h \
|
||||
src/sss_client/sudo/sss_sudo.h \
|
||||
@@ -1271,8 +1270,6 @@ libsss_util_la_SOURCES = \
|
||||
src/util/sss_regexp.c \
|
||||
src/util/sss_chain_id_tevent.c \
|
||||
src/util/sss_chain_id.c \
|
||||
- src/util/nss_dl_load.c \
|
||||
- src/util/nss_dl_load_extra.c \
|
||||
$(NULL)
|
||||
libsss_util_la_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
||||
index 4ac24a492..f25d2e3c6 100644
|
||||
--- a/src/tests/cwrap/Makefile.am
|
||||
+++ b/src/tests/cwrap/Makefile.am
|
||||
@@ -142,17 +142,15 @@ endif
|
||||
|
||||
usertools_tests_SOURCES = \
|
||||
test_usertools.c \
|
||||
- common_mock_nss_dl_load.c \
|
||||
- ../../../src/util/usertools.c \
|
||||
$(NULL)
|
||||
usertools_tests_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
$(NULL)
|
||||
usertools_tests_LDADD = \
|
||||
- $(LIBADD_DL) \
|
||||
$(CMOCKA_LIBS) \
|
||||
$(POPT_LIBS) \
|
||||
$(TALLOC_LIBS) \
|
||||
+ $(abs_top_builddir)/libsss_util.la \
|
||||
$(abs_top_builddir)/libsss_debug.la \
|
||||
$(abs_top_builddir)/libsss_test_common.la \
|
||||
$(NULL)
|
||||
@@ -162,10 +160,9 @@ endif
|
||||
|
||||
responder_common_tests_SOURCES =\
|
||||
test_responder_common.c \
|
||||
- common_mock_nss_dl_load.c \
|
||||
$(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
../../../src/responder/common/negcache_files.c \
|
||||
- ../../../src/util/usertools.c \
|
||||
+ ../../../src/util/nss_dl_load.c \
|
||||
../../../src/responder/common/negcache.c \
|
||||
../../../src/responder/common/responder_common.c \
|
||||
../../../src/responder/common/responder_packet.c \
|
||||
@@ -183,6 +180,7 @@ responder_common_tests_LDADD = \
|
||||
$(SSSD_LIBS) \
|
||||
$(SELINUX_LIBS) \
|
||||
$(SYSTEMD_DAEMON_LIBS) \
|
||||
+ $(abs_top_builddir)/libsss_util.la \
|
||||
$(abs_top_builddir)/libsss_debug.la \
|
||||
$(abs_top_builddir)/libsss_test_common.la \
|
||||
$(abs_top_builddir)/libsss_iface.la \
|
||||
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
|
||||
deleted file mode 100644
|
||||
index 72f6c39ac..000000000
|
||||
--- a/src/tests/cwrap/common_mock_nss_dl_load.c
|
||||
+++ /dev/null
|
||||
@@ -1,77 +0,0 @@
|
||||
-/*
|
||||
- Authors:
|
||||
- Iker Pedrosa <ipedrosa@redhat.com>
|
||||
-
|
||||
- Copyright (C) 2021 Red Hat
|
||||
-
|
||||
- SSSD tests: Fake nss dl load
|
||||
-
|
||||
- This program is free software; you can redistribute it and/or modify
|
||||
- it under the terms of the GNU General Public License as published by
|
||||
- the Free Software Foundation; either version 3 of the License, or
|
||||
- (at your option) any later version.
|
||||
-
|
||||
- This program is distributed in the hope that it will be useful,
|
||||
- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- GNU General Public License for more details.
|
||||
-
|
||||
- You should have received a copy of the GNU General Public License
|
||||
- along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
-*/
|
||||
-
|
||||
-#include <sys/types.h>
|
||||
-#include <sys/stat.h>
|
||||
-#include <errno.h>
|
||||
-#include <stddef.h>
|
||||
-
|
||||
-#include "common_mock_nss_dl_load.h"
|
||||
-
|
||||
-
|
||||
-static enum nss_status
|
||||
-mock_getpwnam_r(const char *name, struct passwd *result,
|
||||
- char *buffer, size_t buflen, int *errnop)
|
||||
-{
|
||||
- void *pwd_pointer = NULL;
|
||||
- int rc;
|
||||
-
|
||||
- rc = getpwnam_r(name, result, buffer, buflen, (struct passwd **)&pwd_pointer);
|
||||
- if (rc == 0 && pwd_pointer == result) {
|
||||
- *errnop = 0;
|
||||
- return NSS_STATUS_SUCCESS;
|
||||
- } else if (rc == 0 && (pwd_pointer == NULL)) {
|
||||
- *errnop = ENOENT;
|
||||
- return NSS_STATUS_NOTFOUND;
|
||||
- } else {
|
||||
- *errnop = rc;
|
||||
- return NSS_STATUS_UNAVAIL;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-static enum nss_status
|
||||
-mock_getpwuid_r(uid_t uid, struct passwd *result,
|
||||
- char *buffer, size_t buflen, int *errnop)
|
||||
-{
|
||||
- void *pwd_pointer = NULL;
|
||||
- int rc;
|
||||
-
|
||||
- rc = getpwuid_r(uid, result, buffer, buflen, (struct passwd **)&pwd_pointer);
|
||||
- if (rc == 0 && pwd_pointer == result) {
|
||||
- *errnop = 0;
|
||||
- return NSS_STATUS_SUCCESS;
|
||||
- } else if (rc == 0 && (pwd_pointer == NULL)) {
|
||||
- *errnop = ENOENT;
|
||||
- return NSS_STATUS_NOTFOUND;
|
||||
- } else {
|
||||
- *errnop = rc;
|
||||
- return NSS_STATUS_UNAVAIL;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-errno_t mock_sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
|
||||
-{
|
||||
- ops->getpwnam_r = mock_getpwnam_r;
|
||||
- ops->getpwuid_r = mock_getpwuid_r;
|
||||
-
|
||||
- return EOK;
|
||||
-}
|
||||
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.h b/src/tests/cwrap/common_mock_nss_dl_load.h
|
||||
deleted file mode 100644
|
||||
index 6db411450..000000000
|
||||
--- a/src/tests/cwrap/common_mock_nss_dl_load.h
|
||||
+++ /dev/null
|
||||
@@ -1,30 +0,0 @@
|
||||
-/*
|
||||
- Authors:
|
||||
- Iker Pedrosa <ipedrosa@redhat.com>
|
||||
-
|
||||
- Copyright (C) 2021 Red Hat
|
||||
-
|
||||
- SSSD tests: Fake nss dl load
|
||||
-
|
||||
- This program is free software; you can redistribute it and/or modify
|
||||
- it under the terms of the GNU General Public License as published by
|
||||
- the Free Software Foundation; either version 3 of the License, or
|
||||
- (at your option) any later version.
|
||||
-
|
||||
- This program is distributed in the hope that it will be useful,
|
||||
- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- GNU General Public License for more details.
|
||||
-
|
||||
- You should have received a copy of the GNU General Public License
|
||||
- along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
-*/
|
||||
-
|
||||
-#ifndef __COMMON_MOCK_NSS_DL_LOAD_H_
|
||||
-#define __COMMON_MOCK_NSS_DL_LOAD_H_
|
||||
-
|
||||
-#include "util/nss_dl_load.h"
|
||||
-
|
||||
-errno_t mock_sss_load_nss_pw_symbols(struct sss_nss_ops *ops);
|
||||
-
|
||||
-#endif /* __COMMON_MOCK_NSS_DL_LOAD_H_ */
|
||||
diff --git a/src/tests/cwrap/test_responder_common.c b/src/tests/cwrap/test_responder_common.c
|
||||
index 571e95d36..11cc3abd8 100644
|
||||
--- a/src/tests/cwrap/test_responder_common.c
|
||||
+++ b/src/tests/cwrap/test_responder_common.c
|
||||
@@ -29,13 +29,6 @@
|
||||
#include "util/util.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "tests/cmocka/common_mock.h"
|
||||
-#include "tests/cwrap/common_mock_nss_dl_load.h"
|
||||
-
|
||||
-
|
||||
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
|
||||
-{
|
||||
- return mock_sss_load_nss_pw_symbols(ops);
|
||||
-}
|
||||
|
||||
/* Just to satisfy dependencies */
|
||||
struct cli_protocol_version *register_cli_protocol_version(void)
|
||||
diff --git a/src/tests/cwrap/test_usertools.c b/src/tests/cwrap/test_usertools.c
|
||||
index eb30a540c..f61ae83e2 100644
|
||||
--- a/src/tests/cwrap/test_usertools.c
|
||||
+++ b/src/tests/cwrap/test_usertools.c
|
||||
@@ -27,12 +27,6 @@
|
||||
#include <popt.h>
|
||||
#include "util/util.h"
|
||||
#include "tests/cmocka/common_mock.h"
|
||||
-#include "tests/cwrap/common_mock_nss_dl_load.h"
|
||||
-
|
||||
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
|
||||
-{
|
||||
- return mock_sss_load_nss_pw_symbols(ops);
|
||||
-}
|
||||
|
||||
void test_get_user_num(void **state)
|
||||
{
|
||||
diff --git a/src/util/nss_dl_load.c b/src/util/nss_dl_load.c
|
||||
index 379ccfa65..442108307 100644
|
||||
--- a/src/util/nss_dl_load.c
|
||||
+++ b/src/util/nss_dl_load.c
|
||||
@@ -48,16 +48,6 @@ static void *proxy_dlsym(void *handle,
|
||||
return funcptr;
|
||||
}
|
||||
|
||||
-static void sss_close_handle(struct sss_nss_ops *ops, const char *libname)
|
||||
-{
|
||||
- if (dlclose(ops->dl_handle) != 0) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Error closing the handle for the '%s' library, error: %s.\n",
|
||||
- libname, dlerror());
|
||||
- }
|
||||
-
|
||||
- ops->dl_handle = NULL;
|
||||
-}
|
||||
|
||||
errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
|
||||
struct sss_nss_symbols *syms, size_t nsyms)
|
||||
@@ -82,7 +72,7 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
|
||||
|
||||
for (i = 0; i < nsyms; i++) {
|
||||
*(syms[i].fptr) = proxy_dlsym(ops->dl_handle, syms[i].fname,
|
||||
- libname);
|
||||
+ libname);
|
||||
|
||||
if (*(syms[i].fptr) == NULL) {
|
||||
if (syms[i].mandatory) {
|
||||
@@ -90,7 +80,6 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
|
||||
"mandatory symbol '%s', error: %s.\n", libpath,
|
||||
syms[i].fname, dlerror());
|
||||
ret = ELIBBAD;
|
||||
- sss_close_handle(ops, libname);
|
||||
goto out;
|
||||
} else {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Library '%s' did not provide "
|
||||
diff --git a/src/util/nss_dl_load.h b/src/util/nss_dl_load.h
|
||||
index 07c04e091..f1e882b96 100644
|
||||
--- a/src/util/nss_dl_load.h
|
||||
+++ b/src/util/nss_dl_load.h
|
||||
@@ -23,8 +23,6 @@
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <netdb.h>
|
||||
-#include <stdbool.h>
|
||||
-
|
||||
#include "util/util_errors.h"
|
||||
#include "sss_client/nss_compat.h"
|
||||
|
||||
@@ -120,6 +118,5 @@ struct sss_nss_symbols {
|
||||
errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
|
||||
struct sss_nss_symbols *syms, size_t nsyms);
|
||||
|
||||
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops);
|
||||
|
||||
#endif /* __SSSD_NSS_DL_LOAD_H__ */
|
||||
diff --git a/src/util/nss_dl_load_extra.c b/src/util/nss_dl_load_extra.c
|
||||
deleted file mode 100644
|
||||
index 162957025..000000000
|
||||
--- a/src/util/nss_dl_load_extra.c
|
||||
+++ /dev/null
|
||||
@@ -1,40 +0,0 @@
|
||||
-/*
|
||||
- SSSD
|
||||
-
|
||||
- nss_dl_load_extra.c
|
||||
-
|
||||
- Authors:
|
||||
- Sumit Bose <sbose@redhat.com>
|
||||
- Iker Pedrosa <ipedrosa@redhat.com>
|
||||
-
|
||||
- Copyright (C) 2021 Red Hat
|
||||
-
|
||||
- This program is free software; you can redistribute it and/or modify
|
||||
- it under the terms of the GNU General Public License as published by
|
||||
- the Free Software Foundation; either version 3 of the License, or
|
||||
- (at your option) any later version.
|
||||
-
|
||||
- This program is distributed in the hope that it will be useful,
|
||||
- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- GNU General Public License for more details.
|
||||
-
|
||||
- You should have received a copy of the GNU General Public License
|
||||
- along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
-*/
|
||||
-
|
||||
-#include "util/nss_dl_load.h"
|
||||
-
|
||||
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
|
||||
-{
|
||||
- errno_t ret;
|
||||
- struct sss_nss_symbols syms[] = {
|
||||
- {(void*)&ops->getpwnam_r, true, "getpwnam_r" },
|
||||
- {(void*)&ops->getpwuid_r, true, "getpwuid_r" }
|
||||
- };
|
||||
- size_t nsyms = sizeof(syms) / sizeof(struct sss_nss_symbols);
|
||||
-
|
||||
- ret = sss_load_nss_symbols(ops, "files", syms, nsyms);
|
||||
-
|
||||
- return ret;
|
||||
-}
|
||||
diff --git a/src/util/usertools.c b/src/util/usertools.c
|
||||
index 33315a798..511fb2d5d 100644
|
||||
--- a/src/util/usertools.c
|
||||
+++ b/src/util/usertools.c
|
||||
@@ -27,14 +27,12 @@
|
||||
|
||||
#include "db/sysdb.h"
|
||||
#include "confdb/confdb.h"
|
||||
-#include "util/nss_dl_load.h"
|
||||
#include "util/strtonum.h"
|
||||
#include "util/util.h"
|
||||
#include "util/safe-format-string.h"
|
||||
#include "responder/common/responder.h"
|
||||
|
||||
#define NAME_DOMAIN_PATTERN_OPTIONS (SSS_REGEXP_DUPNAMES | SSS_REGEXP_EXTENDED)
|
||||
-#define NSS_BUFFER_SIZE 16384
|
||||
|
||||
/* Function returns given realm name as new uppercase string */
|
||||
char *get_uppercase_realm(TALLOC_CTX *memctx, const char *name)
|
||||
@@ -568,23 +566,10 @@ sss_fqname(char *str, size_t size, struct sss_names_ctx *nctx,
|
||||
|
||||
errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid)
|
||||
{
|
||||
- static struct sss_nss_ops nss_ops;
|
||||
uid_t uid;
|
||||
errno_t ret;
|
||||
char *endptr;
|
||||
- struct passwd pwd = { 0 };
|
||||
- int errnop = 0;
|
||||
- enum nss_status status;
|
||||
- static char s_nss_buffer[NSS_BUFFER_SIZE];
|
||||
-
|
||||
- if (!nss_ops.dl_handle) {
|
||||
- ret = sss_load_nss_pw_symbols(&nss_ops);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Unable to load NSS symbols [%d]: %s\n",
|
||||
- ret, sss_strerror(ret));
|
||||
- return ret;
|
||||
- }
|
||||
- }
|
||||
+ struct passwd *pwd;
|
||||
|
||||
/* Try if it's an ID first */
|
||||
uid = strtouint32(input, &endptr, 10);
|
||||
@@ -596,27 +581,26 @@ errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid)
|
||||
return ret;
|
||||
}
|
||||
|
||||
- status = nss_ops.getpwnam_r(input, &pwd, s_nss_buffer, NSS_BUFFER_SIZE, &errnop);
|
||||
+ /* Nope, maybe a username? */
|
||||
+ pwd = getpwnam(input);
|
||||
} else {
|
||||
- status = nss_ops.getpwuid_r(uid, &pwd, s_nss_buffer, NSS_BUFFER_SIZE, &errnop);
|
||||
+ pwd = getpwuid(uid);
|
||||
}
|
||||
|
||||
- if (status != NSS_STATUS_SUCCESS) {
|
||||
+ if (pwd == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"[%s] is neither a valid UID nor a user name which could be "
|
||||
- "resolved by getpwnam() [%d][%s]. status returned [%d]\n",
|
||||
- input, errnop, strerror(errnop), status);
|
||||
+ "resolved by getpwnam().\n", input);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
if (_uid) {
|
||||
- *_uid = pwd.pw_uid;
|
||||
+ *_uid = pwd->pw_uid;
|
||||
}
|
||||
|
||||
if (_gid) {
|
||||
- *_gid = pwd.pw_gid;
|
||||
+ *_gid = pwd->pw_gid;
|
||||
}
|
||||
-
|
||||
return EOK;
|
||||
}
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,78 @@
|
||||
From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 16 Aug 2022 21:51:03 +0200
|
||||
Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be
|
||||
touched
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
|
||||
was creating a possibility for a race.
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757)
|
||||
---
|
||||
src/sss_client/nss_mc.h | 4 +++-
|
||||
src/sss_client/nss_mc_common.c | 20 ++++++++++----------
|
||||
2 files changed, 13 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
|
||||
index 0f88521e9..9ab2736fa 100644
|
||||
--- a/src/sss_client/nss_mc.h
|
||||
+++ b/src/sss_client/nss_mc.h
|
||||
@@ -44,7 +44,9 @@ enum sss_mc_state {
|
||||
RECYCLED,
|
||||
};
|
||||
|
||||
-/* common stuff */
|
||||
+/* In the case this structure is extended, don't forget to update
|
||||
+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`.
|
||||
+ */
|
||||
struct sss_cli_mc_ctx {
|
||||
enum sss_mc_state initialized;
|
||||
#if HAVE_PTHREAD
|
||||
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
|
||||
index f38a4a85a..3128861bf 100644
|
||||
--- a/src/sss_client/nss_mc_common.c
|
||||
+++ b/src/sss_client/nss_mc_common.c
|
||||
@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||
|
||||
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
|
||||
{
|
||||
- uint32_t active_threads = ctx->active_threads;
|
||||
-#if HAVE_PTHREAD
|
||||
- pthread_mutex_t *mutex = ctx->mutex;
|
||||
-#endif
|
||||
|
||||
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
|
||||
munmap(ctx->mmap_base, ctx->mmap_size);
|
||||
}
|
||||
+ ctx->mmap_base = NULL;
|
||||
+ ctx->mmap_size = 0;
|
||||
+
|
||||
if (ctx->fd != -1) {
|
||||
close(ctx->fd);
|
||||
}
|
||||
- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
|
||||
ctx->fd = -1;
|
||||
|
||||
- /* restore count of active threads */
|
||||
- ctx->active_threads = active_threads;
|
||||
-#if HAVE_PTHREAD
|
||||
- ctx->mutex = mutex;
|
||||
-#endif
|
||||
+ ctx->seed = 0;
|
||||
+ ctx->data_table = NULL;
|
||||
+ ctx->dt_size = 0;
|
||||
+ ctx->hash_table = NULL;
|
||||
+ ctx->ht_size = 0;
|
||||
+ ctx->initialized = UNINITIALIZED;
|
||||
+ /* `mutex` and `active_threads` should be left intact */
|
||||
}
|
||||
|
||||
static errno_t sss_nss_mc_init_ctx(const char *name,
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,62 +0,0 @@
|
||||
From 3c6218aa91026e066e793ee26333ea64fd6bc50e Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 11 Apr 2022 22:49:30 +0200
|
||||
Subject: [PATCH 6/6] Revert "man: sssd.conf and sssd-ifp clarify user option"
|
||||
|
||||
This reverts commit 3d25724dc63dffb6d734790e58b1647e3a64e84f.
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/man/sssd-ifp.5.xml | 5 -----
|
||||
src/man/sssd.conf.5.xml | 11 -----------
|
||||
2 files changed, 16 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ifp.5.xml b/src/man/sssd-ifp.5.xml
|
||||
index d3080537a..1c35d58a8 100644
|
||||
--- a/src/man/sssd-ifp.5.xml
|
||||
+++ b/src/man/sssd-ifp.5.xml
|
||||
@@ -71,11 +71,6 @@
|
||||
responder. User names are resolved to UIDs at
|
||||
startup.
|
||||
</para>
|
||||
- <para>
|
||||
- Local user names are required, i.e. accessible via
|
||||
- <quote>files</quote> service of
|
||||
- <filename>nsswitch.conf</filename>.
|
||||
- </para>
|
||||
<para>
|
||||
Default: 0 (only the root user is allowed to access
|
||||
the InfoPipe responder)
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index b6c5912f9..1b8ea7398 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -423,12 +423,6 @@
|
||||
responder.
|
||||
</phrase>
|
||||
</para>
|
||||
- <para>
|
||||
- Both a user name and a uid can be used but the
|
||||
- user should be a local one, i.e. accessible via
|
||||
- <quote>files</quote> service of
|
||||
- <filename>nsswitch.conf</filename>.
|
||||
- </para>
|
||||
<para>
|
||||
Default: not set, process will run as root
|
||||
</para>
|
||||
@@ -2168,11 +2162,6 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
responder. User names are resolved to UIDs at
|
||||
startup.
|
||||
</para>
|
||||
- <para>
|
||||
- Local user names are required, i.e. accessible via
|
||||
- <quote>files</quote> service of
|
||||
- <filename>nsswitch.conf</filename>.
|
||||
- </para>
|
||||
<para>
|
||||
Default: 0 (only the root user is allowed to access
|
||||
the PAC responder)
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,33 @@
|
||||
From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 16:17:59 -0400
|
||||
Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup
|
||||
|
||||
Fixes an issue when the sssctl analyzer option is
|
||||
used on systems where SSSD is not running or configured. This is
|
||||
an expected use case when using --logdir option to analyze external
|
||||
log files.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6298
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/tools/sssctl/sssctl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
|
||||
index 3816125ad..f18689f9f 100644
|
||||
--- a/src/tools/sssctl/sssctl.c
|
||||
+++ b/src/tools/sssctl/sssctl.c
|
||||
@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
|
||||
SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
|
||||
SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
|
||||
SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
|
||||
- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze),
|
||||
+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
|
||||
#ifdef HAVE_LIBINI_CONFIG_V1_3
|
||||
SSS_TOOL_DELIMITER("Configuration files tools:"),
|
||||
SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,175 +0,0 @@
|
||||
From 51e92297157562511baf8902777f02a4aa2e70e6 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 15 Mar 2022 11:36:45 +0100
|
||||
Subject: [PATCH] ad: use right sdap_domain in ad_domain_info_send
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Originally ad_domain_info_send() was only called when there was only a
|
||||
single domain available and hence only a single sdap_domain struct with
|
||||
the search bases in the sdap_domain list. Since ad_domain_info_send() is
|
||||
now called at other times as well the right sdap_domain struct must be
|
||||
selected so that the right search bases are used.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6063
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_domain_info.c | 10 +++++-
|
||||
src/providers/ldap/ldap_common.h | 3 ++
|
||||
src/providers/ldap/sdap_domain.c | 21 ++++++++++++
|
||||
src/tests/cmocka/test_search_bases.c | 48 +++++++++++++++++++++++++++-
|
||||
4 files changed, 80 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
|
||||
index 52b2e2442..f3a82a198 100644
|
||||
--- a/src/providers/ad/ad_domain_info.c
|
||||
+++ b/src/providers/ad/ad_domain_info.c
|
||||
@@ -181,6 +181,7 @@ struct ad_domain_info_state {
|
||||
struct sdap_id_op *id_op;
|
||||
struct sdap_id_ctx *id_ctx;
|
||||
struct sdap_options *opts;
|
||||
+ struct sdap_domain *sdom;
|
||||
|
||||
const char *dom_name;
|
||||
int base_iter;
|
||||
@@ -215,6 +216,13 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
|
||||
state->id_ctx = conn->id_ctx;
|
||||
state->opts = conn->id_ctx->opts;
|
||||
state->dom_name = dom_name;
|
||||
+ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
|
||||
+ if (state->sdom == NULL || state->sdom->search_bases == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto immediate;
|
||||
+ }
|
||||
+
|
||||
|
||||
ret = ad_domain_info_next(req);
|
||||
if (ret != EOK && ret != EAGAIN) {
|
||||
@@ -243,7 +251,7 @@ ad_domain_info_next(struct tevent_req *req)
|
||||
struct ad_domain_info_state *state =
|
||||
tevent_req_data(req, struct ad_domain_info_state);
|
||||
|
||||
- base = state->opts->sdom->search_bases[state->base_iter];
|
||||
+ base = state->sdom->search_bases[state->base_iter];
|
||||
if (base == NULL) {
|
||||
return EOK;
|
||||
}
|
||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||
index c78338b5d..426ee68df 100644
|
||||
--- a/src/providers/ldap/ldap_common.h
|
||||
+++ b/src/providers/ldap/ldap_common.h
|
||||
@@ -391,6 +391,9 @@ sdap_domain_remove(struct sdap_options *opts,
|
||||
struct sdap_domain *sdap_domain_get(struct sdap_options *opts,
|
||||
struct sss_domain_info *dom);
|
||||
|
||||
+struct sdap_domain *sdap_domain_get_by_name(struct sdap_options *opts,
|
||||
+ const char *dom_name);
|
||||
+
|
||||
struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts,
|
||||
const char *dn);
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
|
||||
index fa6e9340d..1785dd20d 100644
|
||||
--- a/src/providers/ldap/sdap_domain.c
|
||||
+++ b/src/providers/ldap/sdap_domain.c
|
||||
@@ -44,6 +44,27 @@ sdap_domain_get(struct sdap_options *opts,
|
||||
return sditer;
|
||||
}
|
||||
|
||||
+struct sdap_domain *
|
||||
+sdap_domain_get_by_name(struct sdap_options *opts,
|
||||
+ const char *dom_name)
|
||||
+{
|
||||
+ struct sdap_domain *sditer = NULL;
|
||||
+
|
||||
+ if (dom_name == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Missing domain name.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ DLIST_FOR_EACH(sditer, opts->sdom) {
|
||||
+ if (sditer->dom->name != NULL
|
||||
+ && strcasecmp(sditer->dom->name, dom_name) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return sditer;
|
||||
+}
|
||||
+
|
||||
struct sdap_domain *
|
||||
sdap_domain_get_by_dn(struct sdap_options *opts,
|
||||
const char *dn)
|
||||
diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c
|
||||
index 109fa04bf..3276cf118 100644
|
||||
--- a/src/tests/cmocka/test_search_bases.c
|
||||
+++ b/src/tests/cmocka/test_search_bases.c
|
||||
@@ -176,6 +176,51 @@ void test_get_by_dn_fail(void **state)
|
||||
do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS);
|
||||
}
|
||||
|
||||
+void test_sdap_domain_get_by_name(void **state)
|
||||
+{
|
||||
+ struct sdap_options *opts;
|
||||
+ struct sss_domain_info dom1 = { 0 };
|
||||
+ dom1.name = discard_const("dom1");
|
||||
+ struct sss_domain_info dom2 = { 0 };
|
||||
+ dom2.name = discard_const("dom2");
|
||||
+ struct sss_domain_info dom3 = { 0 };
|
||||
+ dom3.name = discard_const("dom3");
|
||||
+ int ret;
|
||||
+ struct sdap_domain *sdom;
|
||||
+
|
||||
+ opts = talloc_zero(NULL, struct sdap_options);
|
||||
+ assert_non_null(opts);
|
||||
+
|
||||
+ ret = sdap_domain_add(opts, &dom1, NULL);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sdap_domain_add(opts, &dom2, NULL);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sdap_domain_add(opts, &dom3, NULL);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, NULL);
|
||||
+ assert_null(sdom);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, "abc");
|
||||
+ assert_null(sdom);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, "dom1");
|
||||
+ assert_non_null(sdom);
|
||||
+ assert_ptr_equal(sdom->dom, &dom1);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, "dom2");
|
||||
+ assert_non_null(sdom);
|
||||
+ assert_ptr_equal(sdom->dom, &dom2);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, "dom3");
|
||||
+ assert_non_null(sdom);
|
||||
+ assert_ptr_equal(sdom->dom, &dom3);
|
||||
+
|
||||
+ talloc_free(opts);
|
||||
+}
|
||||
+
|
||||
int main(void)
|
||||
{
|
||||
const struct CMUnitTest tests[] = {
|
||||
@@ -183,7 +228,8 @@ int main(void)
|
||||
cmocka_unit_test(test_search_bases_success),
|
||||
cmocka_unit_test(test_get_by_dn_fail),
|
||||
cmocka_unit_test(test_get_by_dn),
|
||||
- cmocka_unit_test(test_get_by_dn2)
|
||||
+ cmocka_unit_test(test_get_by_dn2),
|
||||
+ cmocka_unit_test(test_sdap_domain_get_by_name)
|
||||
};
|
||||
|
||||
return cmocka_run_group_tests(tests, NULL, NULL);
|
||||
--
|
||||
2.34.3
|
||||
|
297
SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
Normal file
297
SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
Normal file
@ -0,0 +1,297 @@
|
||||
From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Fri, 19 Aug 2022 09:50:22 -0400
|
||||
Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Client ID is not stored properly to match requests
|
||||
when parallel requests are made to client SSSD
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6307
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 5 +++--
|
||||
.../plugins/cache_req_autofs_entry_by_name.c | 3 ++-
|
||||
.../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++-
|
||||
.../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++-
|
||||
.../plugins/cache_req_ssh_host_id_by_name.c | 3 ++-
|
||||
src/responder/common/responder.h | 2 +-
|
||||
src/responder/common/responder_common.c | 12 +++++++-----
|
||||
src/responder/common/responder_dp.c | 5 +++--
|
||||
src/responder/common/responder_get_domains.c | 3 ++-
|
||||
src/responder/pam/pamsrv_cmd.c | 4 ++--
|
||||
10 files changed, 26 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index 4dd45b038..bc65bae71 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <errno.h>
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "responder/common/cache_req/cache_req_private.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
state->first_iteration = true;
|
||||
|
||||
- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n",
|
||||
- rctx->client_id_num, cr->reqname);
|
||||
+ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n",
|
||||
+ sss_chain_id_get(), cr->reqname);
|
||||
|
||||
ret = cache_req_is_well_known_object(state, cr, &result);
|
||||
if (ret == EOK) {
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
index 788b6708c..b2b0a06eb 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include "db/sysdb.h"
|
||||
#include "db/sysdb_autofs.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
|
||||
@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
||||
be_conn->bus_name, SSS_BUS_PATH,
|
||||
0, data->name.name,
|
||||
data->autofs_entry_name,
|
||||
- cr->rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
}
|
||||
|
||||
bool
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
index 5d82641cc..23b11b1cd 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include "db/sysdb.h"
|
||||
#include "db/sysdb_autofs.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
|
||||
@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
||||
return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
|
||||
be_conn->bus_name, SSS_BUS_PATH,
|
||||
0, data->name.name,
|
||||
- cr->rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
}
|
||||
|
||||
bool
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
index 29f289723..18c08ca39 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include "db/sysdb.h"
|
||||
#include "db/sysdb_autofs.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
|
||||
@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
|
||||
return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
|
||||
be_conn->bus_name, SSS_BUS_PATH,
|
||||
0, data->name.name,
|
||||
- cr->rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
}
|
||||
|
||||
bool
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
|
||||
index a8b8f47a8..29f52f10d 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
|
||||
@@ -23,6 +23,7 @@
|
||||
|
||||
#include "db/sysdb_ssh.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
|
||||
@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
||||
return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn,
|
||||
be_conn->bus_name, SSS_BUS_PATH,
|
||||
0, data->name.name, data->alias,
|
||||
- cr->rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
}
|
||||
|
||||
static bool
|
||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
||||
index 5cb79e3e6..259b3ff13 100644
|
||||
--- a/src/responder/common/responder.h
|
||||
+++ b/src/responder/common/responder.h
|
||||
@@ -165,13 +165,13 @@ struct cli_ctx {
|
||||
|
||||
struct cli_creds *creds;
|
||||
char *cmd_line;
|
||||
- uint64_t old_chain_id;
|
||||
|
||||
void *protocol_ctx;
|
||||
void *state_ctx;
|
||||
|
||||
struct tevent_timer *idle;
|
||||
time_t last_request_time;
|
||||
+ uint32_t client_id_num;
|
||||
};
|
||||
|
||||
struct sss_cmd_table {
|
||||
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
|
||||
index 6e3b61ef0..a4ba8ea71 100644
|
||||
--- a/src/responder/common/responder_common.c
|
||||
+++ b/src/responder/common/responder_common.c
|
||||
@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev,
|
||||
"Failed to close fd [%d]: [%s]\n",
|
||||
ctx->cfd, strerror(ret));
|
||||
}
|
||||
- /* Restore the original chain id */
|
||||
- sss_chain_id_set(ctx->old_chain_id);
|
||||
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
"Terminated client [%p][%d]\n",
|
||||
@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev,
|
||||
int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd;
|
||||
|
||||
rctx->client_id_num++;
|
||||
-
|
||||
if (accept_ctx->is_private) {
|
||||
ret = stat(rctx->priv_sock_name, &stat_buf);
|
||||
if (ret == -1) {
|
||||
@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev,
|
||||
|
||||
talloc_set_destructor(cctx, cli_ctx_destructor);
|
||||
|
||||
+ cctx->client_id_num = rctx->client_id_num;
|
||||
+
|
||||
len = sizeof(cctx->addr);
|
||||
cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
|
||||
if (cctx->cfd == -1) {
|
||||
@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev,
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
"[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n",
|
||||
- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
|
||||
+ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
|
||||
cctx, cctx->cfd, accept_ctx->is_private ? " to privileged pipe" : "");
|
||||
|
||||
return;
|
||||
@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr,
|
||||
uint16_t flags)
|
||||
{
|
||||
errno_t ret;
|
||||
+ uint64_t old_chain_id;
|
||||
struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx);
|
||||
|
||||
/* Always reset the responder idle timer on any activity */
|
||||
@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr,
|
||||
}
|
||||
|
||||
/* Set the chain id */
|
||||
- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num);
|
||||
+ old_chain_id = sss_chain_id_set(cctx->client_id_num);
|
||||
|
||||
if (flags & TEVENT_FD_READ) {
|
||||
recv_fn(cctx);
|
||||
@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr,
|
||||
send_fn(cctx);
|
||||
return;
|
||||
}
|
||||
+ /* Restore the original chain id */
|
||||
+ sss_chain_id_set(old_chain_id);
|
||||
}
|
||||
|
||||
int sss_connection_setup(struct cli_ctx *cctx)
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index d549e02d3..4b4770da1 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <sys/time.h>
|
||||
#include <time.h>
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "responder/common/responder_packet.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "providers/data_provider.h"
|
||||
@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn,
|
||||
be_conn->bus_name, SSS_BUS_PATH, dp_flags,
|
||||
entry_type, filter, dom->name, extra,
|
||||
- rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
|
||||
ret = ENOMEM;
|
||||
@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx,
|
||||
SSS_BUS_PATH,
|
||||
dp_flags, entry_type,
|
||||
filter_type, filter_value,
|
||||
- rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
|
||||
ret = ENOMEM;
|
||||
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
|
||||
index 918124756..aeff28d73 100644
|
||||
--- a/src/responder/common/responder_get_domains.c
|
||||
+++ b/src/responder/common/responder_get_domains.c
|
||||
@@ -19,6 +19,7 @@
|
||||
*/
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "db/sysdb.h"
|
||||
@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx,
|
||||
be_conn->bus_name,
|
||||
SSS_BUS_PATH, dp_flags,
|
||||
entry_type, filter,
|
||||
- rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
|
||||
ret = ENOMEM;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index cb0e1b82f..1695554fc 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
||||
}
|
||||
preq->cctx = cctx;
|
||||
preq->cert_auth_local = false;
|
||||
- preq->client_id_num = pctx->rctx->client_id_num;
|
||||
+ preq->client_id_num = cctx->client_id_num;
|
||||
|
||||
preq->pd = create_pam_data(preq);
|
||||
if (!preq->pd) {
|
||||
@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
||||
|
||||
pd->cmd = pam_cmd;
|
||||
pd->priv = cctx->priv;
|
||||
- pd->client_id_num = pctx->rctx->client_id_num;
|
||||
+ pd->client_id_num = cctx->client_id_num;
|
||||
|
||||
ret = pam_forwarder_parse_data(cctx, pd);
|
||||
if (ret == EAGAIN) {
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,58 +0,0 @@
|
||||
From 80ffa314c669feaaffe487d8ea5004c149d948c8 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 23 May 2022 09:05:43 +0200
|
||||
Subject: [PATCH] ad: add fallback in ad_domain_info_send()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed
|
||||
ad_domain_info_send() to handle multiple domains by searching for the
|
||||
matching sdap_domain data. Unfortunately it assumed that the configured
|
||||
name and the DNS domain name are always matching. This is true for all
|
||||
sub-domains discovered at runtime by DNS lookups but might not be true
|
||||
for the domain configured in sssd.conf. Since the configured domain is
|
||||
the first in the list of sdap_domain data it will be used as a fallback
|
||||
in case no data could be found by name.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6170
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e)
|
||||
---
|
||||
src/providers/ad/ad_domain_info.c | 17 ++++++++++++++++-
|
||||
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
|
||||
index f3a82a198..9583c74b9 100644
|
||||
--- a/src/providers/ad/ad_domain_info.c
|
||||
+++ b/src/providers/ad/ad_domain_info.c
|
||||
@@ -217,8 +217,23 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
|
||||
state->opts = conn->id_ctx->opts;
|
||||
state->dom_name = dom_name;
|
||||
state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
|
||||
+ /* The first domain in the list is the domain configured in sssd.conf and
|
||||
+ * here it might be possible that the domain name from the config file and
|
||||
+ * the DNS domain name do not match. All other sub-domains are discovered
|
||||
+ * at runtime with the help of DNS lookups so it is expected that the
|
||||
+ * names matches. Hence it makes sense to fall back to the first entry in
|
||||
+ * the list if no matching domain was found since it is most probably
|
||||
+ * related to the configured domain. */
|
||||
+ if (state->sdom == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "No internal domain data found for [%s], "
|
||||
+ "falling back to first domain.\n",
|
||||
+ state->dom_name);
|
||||
+ state->sdom = state->opts->sdom;
|
||||
+ }
|
||||
if (state->sdom == NULL || state->sdom->search_bases == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Missing internal domain data for domain [%s].\n",
|
||||
+ state->dom_name);
|
||||
ret = EINVAL;
|
||||
goto immediate;
|
||||
}
|
||||
--
|
||||
2.34.3
|
||||
|
185
SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch
Normal file
185
SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch
Normal file
@ -0,0 +1,185 @@
|
||||
From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Fri, 19 Aug 2022 14:44:11 -0400
|
||||
Subject: [PATCH 9/9] Analyzer: support parallel requests parsing
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Analyzer code(primarily the list verbose command) needs
|
||||
changes to handle parsing the necessary lines from
|
||||
NSS/PAM log files when multiple intermixed/parallel
|
||||
client requests are sent to SSSD.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6307
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/tools/analyzer/modules/request.py | 119 +++++++++++++++-----------
|
||||
1 file changed, 67 insertions(+), 52 deletions(-)
|
||||
|
||||
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
|
||||
index 935e13adc..b9fe3caf8 100644
|
||||
--- a/src/tools/analyzer/modules/request.py
|
||||
+++ b/src/tools/analyzer/modules/request.py
|
||||
@@ -16,7 +16,6 @@ class RequestAnalyzer:
|
||||
"""
|
||||
module_parser = None
|
||||
consumed_logs = []
|
||||
- done = ""
|
||||
list_opts = [
|
||||
Option('--verbose', 'Verbose output', bool, '-v'),
|
||||
Option('--pam', 'Filter only PAM requests', bool),
|
||||
@@ -149,58 +148,74 @@ class RequestAnalyzer:
|
||||
print(line)
|
||||
return found_results
|
||||
|
||||
- def print_formatted(self, line, verbose):
|
||||
+ def print_formatted_verbose(self, source, patterns):
|
||||
+ """
|
||||
+ Parse line and print formatted verbose list_requests output
|
||||
+
|
||||
+ Args:
|
||||
+ source (Reader): source Reader object
|
||||
+ patterns (list): List of regex patterns to use for
|
||||
+ matching lines
|
||||
+ """
|
||||
+ # Get CID number, and print the basic line first
|
||||
+ for line in self.matched_line(source, patterns):
|
||||
+ cid = self.print_formatted(line)
|
||||
+
|
||||
+ # Loop through each line with this CID number to extract and
|
||||
+ # print the verbose data needed
|
||||
+ verbose_patterns = ["(cache_req_send|cache_req_process_input|"
|
||||
+ "cache_req_search_send)"]
|
||||
+ for cidline in self.matched_line(source, verbose_patterns):
|
||||
+ plugin = ""
|
||||
+ name = ""
|
||||
+ id = ""
|
||||
+
|
||||
+ # skip any lines not pertaining to this CID
|
||||
+ if f"CID#{cid}]" not in cidline:
|
||||
+ continue
|
||||
+ if "refreshed" in cidline:
|
||||
+ continue
|
||||
+ # CR Plugin name
|
||||
+ if re.search("cache_req_send", cidline):
|
||||
+ plugin = cidline.split('\'')[1]
|
||||
+ # CR Input name
|
||||
+ elif re.search("cache_req_process_input", cidline):
|
||||
+ name = cidline.rsplit('[')[-1]
|
||||
+ # CR Input id
|
||||
+ elif re.search("cache_req_search_send", cidline):
|
||||
+ id = cidline.rsplit()[-1]
|
||||
+
|
||||
+ if plugin:
|
||||
+ print(" - " + plugin)
|
||||
+ if name:
|
||||
+ print(" - " + name[:-2])
|
||||
+ if (id and ("UID" in cidline or "GID" in cidline)):
|
||||
+ print(" - " + id)
|
||||
+
|
||||
+ def print_formatted(self, line):
|
||||
"""
|
||||
Parse line and print formatted list_requests output
|
||||
|
||||
Args:
|
||||
line (str): line to parse
|
||||
- verbose (bool): If true, enable verbose output
|
||||
+ Returns:
|
||||
+ Client ID from printed line, 0 otherwise
|
||||
"""
|
||||
- plugin = ""
|
||||
- name = ""
|
||||
- id = ""
|
||||
-
|
||||
# exclude backtrace logs
|
||||
if line.startswith(' * '):
|
||||
- return
|
||||
- fields = line.split("[")
|
||||
- cr_field = fields[3][7:]
|
||||
- cr = cr_field.split(":")[0][4:]
|
||||
+ return 0
|
||||
if "refreshed" in line:
|
||||
- return
|
||||
- # CR Plugin name
|
||||
- if re.search("cache_req_send", line):
|
||||
- plugin = line.split('\'')[1]
|
||||
- # CR Input name
|
||||
- elif re.search("cache_req_process_input", line):
|
||||
- name = line.rsplit('[')[-1]
|
||||
- # CR Input id
|
||||
- elif re.search("cache_req_search_send", line):
|
||||
- id = line.rsplit()[-1]
|
||||
- # CID and client process name
|
||||
- else:
|
||||
- ts = line.split(")")[0]
|
||||
- ts = ts[1:]
|
||||
- fields = line.split("[")
|
||||
- cid = fields[3][4:-9]
|
||||
- cmd = fields[4][4:-1]
|
||||
- uid = fields[5][4:-1]
|
||||
- if not uid.isnumeric():
|
||||
- uid = fields[6][4:-1]
|
||||
- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
|
||||
-
|
||||
- if verbose:
|
||||
- if plugin:
|
||||
- print(" - " + plugin)
|
||||
- if name:
|
||||
- if cr not in self.done:
|
||||
- print(" - " + name[:-2])
|
||||
- self.done = cr
|
||||
- if id:
|
||||
- if cr not in self.done:
|
||||
- print(" - " + id)
|
||||
- self.done = cr
|
||||
+ return 0
|
||||
+ ts = line.split(")")[0]
|
||||
+ ts = ts[1:]
|
||||
+ fields = line.split("[")
|
||||
+ cid = fields[3][4:-9]
|
||||
+ cmd = fields[4][4:-1]
|
||||
+ uid = fields[5][4:-1]
|
||||
+ if not uid.isnumeric():
|
||||
+ uid = fields[6][4:-1]
|
||||
+ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
|
||||
+ return cid
|
||||
|
||||
def list_requests(self, args):
|
||||
"""
|
||||
@@ -215,20 +230,20 @@ class RequestAnalyzer:
|
||||
# Log messages matching the following regex patterns contain
|
||||
# the useful info we need to produce list output
|
||||
patterns = [r'\[cmd']
|
||||
- patterns.append("(cache_req_send|cache_req_process_input|"
|
||||
- "cache_req_search_send)")
|
||||
if args.pam:
|
||||
component = source.Component.PAM
|
||||
resp = "pam"
|
||||
|
||||
logger.info(f"******** Listing {resp} client requests ********")
|
||||
source.set_component(component, False)
|
||||
- self.done = ""
|
||||
- for line in self.matched_line(source, patterns):
|
||||
- if isinstance(source, Journald):
|
||||
- print(line)
|
||||
- else:
|
||||
- self.print_formatted(line, args.verbose)
|
||||
+ if args.verbose:
|
||||
+ self.print_formatted_verbose(source, patterns)
|
||||
+ else:
|
||||
+ for line in self.matched_line(source, patterns):
|
||||
+ if isinstance(source, Journald):
|
||||
+ print(line)
|
||||
+ else:
|
||||
+ self.print_formatted(line)
|
||||
|
||||
def track_request(self, args):
|
||||
"""
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,34 +0,0 @@
|
||||
From 0eae7db9e06645ef88d0cf15672770776293edb5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 23 May 2022 11:05:01 +0200
|
||||
Subject: [PATCH] pam_sss_gss: KRB5CCNAME may be NULL
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6180
|
||||
|
||||
:fixes: A regression in pam_sss_gss module causing a failure if
|
||||
KRB5CCNAME environment variable was not set was fixed.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 9aad30711a5928f0e8a3627305b6449291de507f)
|
||||
---
|
||||
src/sss_client/pam_sss_gss.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
|
||||
index 51047efc3..77a58e4cf 100644
|
||||
--- a/src/sss_client/pam_sss_gss.c
|
||||
+++ b/src/sss_client/pam_sss_gss.c
|
||||
@@ -492,7 +492,8 @@ static errno_t sss_cli_getenv(const char *variable_name, char **_value)
|
||||
{
|
||||
char *value = getenv(variable_name);
|
||||
if (value == NULL) {
|
||||
- return ENOENT;
|
||||
+ *_value = NULL;
|
||||
+ return EOK;
|
||||
}
|
||||
|
||||
*_value = strdup(value);
|
||||
--
|
||||
2.34.3
|
||||
|
295
SOURCES/0010-CLIENT-fix-client-fd-leak.patch
Normal file
295
SOURCES/0010-CLIENT-fix-client-fd-leak.patch
Normal file
@ -0,0 +1,295 @@
|
||||
From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 18:10:46 +0200
|
||||
Subject: [PATCH] CLIENT: fix client fd leak
|
||||
|
||||
- close client socket at thread exit
|
||||
- only build lock-free client support if libc has required
|
||||
functionality for a proper cleanup
|
||||
- use proper mechanisms to init lock_mode only once
|
||||
|
||||
:relnote:Lock-free client support will be only built if libc
|
||||
provides `pthread_key_create()` and `pthread_once()`. For glibc
|
||||
this means version 2.34+
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb)
|
||||
---
|
||||
configure.ac | 29 +++++++++--
|
||||
src/man/Makefile.am | 5 +-
|
||||
src/man/sssd.8.xml | 2 +-
|
||||
src/sss_client/common.c | 83 +++++++++++++++++++-------------
|
||||
src/sss_client/idmap/common_ex.c | 4 ++
|
||||
5 files changed, 84 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 93bd93b85..5a05de41e 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
|
||||
m4_include([src/build_macros.m4])
|
||||
BUILD_WITH_SHARED_BUILD_DIR
|
||||
|
||||
-AC_COMPILE_IFELSE(
|
||||
+
|
||||
+SAVE_LIBS=$LIBS
|
||||
+LIBS=
|
||||
+AC_LINK_IFELSE(
|
||||
[AC_LANG_PROGRAM([[#include <pthread.h>]],
|
||||
[[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
|
||||
- (void) m; /* unused */
|
||||
+ pthread_mutex_lock(&m);
|
||||
+ pthread_mutex_unlock(&m);
|
||||
]])],
|
||||
[AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.])
|
||||
HAVE_PTHREAD=1
|
||||
],
|
||||
- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])])
|
||||
+ [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])])
|
||||
+LIBS=$SAVE_LIBS
|
||||
+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
|
||||
|
||||
|
||||
-AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
|
||||
+SAVE_LIBS=$LIBS
|
||||
+LIBS=
|
||||
+AC_LINK_IFELSE(
|
||||
+ [AC_LANG_PROGRAM([[#include <pthread.h>]],
|
||||
+ [[static pthread_key_t k;
|
||||
+ static pthread_once_t f = PTHREAD_ONCE_INIT;
|
||||
+ pthread_once(&f, NULL);
|
||||
+ pthread_key_create(&k, NULL);
|
||||
+ ]])],
|
||||
+ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.])
|
||||
+ HAVE_PTHREAD_EXT=1
|
||||
+ ],
|
||||
+ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])])
|
||||
+LIBS=$SAVE_LIBS
|
||||
+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"])
|
||||
+
|
||||
|
||||
# Check library for the timer_create function
|
||||
SAVE_LIBS=$LIBS
|
||||
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
|
||||
index 93dd14819..063ff1bf0 100644
|
||||
--- a/src/man/Makefile.am
|
||||
+++ b/src/man/Makefile.am
|
||||
@@ -46,9 +46,12 @@ endif
|
||||
if BUILD_KCM_RENEWAL
|
||||
KCM_RENEWAL_CONDS = ;enable_kcm_renewal
|
||||
endif
|
||||
+if BUILD_LOCKFREE_CLIENT
|
||||
+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support
|
||||
+endif
|
||||
|
||||
|
||||
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)
|
||||
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)
|
||||
|
||||
|
||||
#Special Rules:
|
||||
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
|
||||
index df07b7f29..5f507c631 100644
|
||||
--- a/src/man/sssd.8.xml
|
||||
+++ b/src/man/sssd.8.xml
|
||||
@@ -240,7 +240,7 @@
|
||||
If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
|
||||
client applications will not use the fast in-memory cache.
|
||||
</para>
|
||||
- <para>
|
||||
+ <para condition="enable_lockfree_support">
|
||||
If the environment variable SSS_LOCKFREE is set to "NO", requests
|
||||
from multiple threads of a single application will be serialized.
|
||||
</para>
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 29c751a50..d762dff49 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -35,7 +35,6 @@
|
||||
#include <stdlib.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
-#include <stdatomic.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
#include <poll.h>
|
||||
@@ -62,8 +61,15 @@
|
||||
|
||||
/* common functions */
|
||||
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+static pthread_key_t sss_sd_key;
|
||||
+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
|
||||
static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
|
||||
static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
|
||||
+#else
|
||||
+static int sss_cli_sd = -1; /* the sss client socket descriptor */
|
||||
+static struct stat sss_cli_sb; /* the sss client stat buffer */
|
||||
+#endif
|
||||
|
||||
#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
|
||||
__attribute__((destructor))
|
||||
@@ -76,6 +82,18 @@ void sss_cli_close_socket(void)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+static void sss_at_thread_exit(void *v)
|
||||
+{
|
||||
+ sss_cli_close_socket();
|
||||
+}
|
||||
+
|
||||
+static void init_sd_key(void)
|
||||
+{
|
||||
+ pthread_key_create(&sss_sd_key, sss_at_thread_exit);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Requests:
|
||||
*
|
||||
* byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
|
||||
@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
|
||||
return -1;
|
||||
}
|
||||
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
|
||||
+
|
||||
+ /* It actually doesn't matter what value to set for a key.
|
||||
+ * The only important thing: key must be non-NULL to ensure
|
||||
+ * destructor is executed at thread exit.
|
||||
+ */
|
||||
+ pthread_setspecific(sss_sd_key, &sss_cli_sd);
|
||||
+#endif
|
||||
+
|
||||
/* set as non-blocking, close on exec, and make sure standard
|
||||
* descriptors are not used */
|
||||
sd = make_safe_fd(sd);
|
||||
@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len)
|
||||
}
|
||||
|
||||
#if HAVE_PTHREAD
|
||||
-bool sss_is_lockfree_mode(void)
|
||||
+
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+static bool sss_lock_free = true;
|
||||
+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT;
|
||||
+
|
||||
+static void init_lock_mode(void)
|
||||
{
|
||||
- const char *env = NULL;
|
||||
- enum {
|
||||
- MODE_UNDEF,
|
||||
- MODE_LOCKING,
|
||||
- MODE_LOCKFREE
|
||||
- };
|
||||
- static atomic_int mode = MODE_UNDEF;
|
||||
-
|
||||
- if (mode == MODE_UNDEF) {
|
||||
- env = getenv("SSS_LOCKFREE");
|
||||
- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
|
||||
- mode = MODE_LOCKING;
|
||||
- } else {
|
||||
- mode = MODE_LOCKFREE;
|
||||
- }
|
||||
+ const char *env = getenv("SSS_LOCKFREE");
|
||||
+
|
||||
+ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
|
||||
+ sss_lock_free = false;
|
||||
}
|
||||
+}
|
||||
|
||||
- return (mode == MODE_LOCKFREE);
|
||||
+bool sss_is_lockfree_mode(void)
|
||||
+{
|
||||
+ pthread_once(&sss_lock_mode_initialized, init_lock_mode);
|
||||
+ return sss_lock_free;
|
||||
}
|
||||
+#endif
|
||||
|
||||
struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
|
||||
-
|
||||
static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
|
||||
-
|
||||
-static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
|
||||
-
|
||||
static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
|
||||
|
||||
static void sss_mt_lock(struct sss_mutex *m)
|
||||
{
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
if (sss_is_lockfree_mode()) {
|
||||
return;
|
||||
}
|
||||
+#endif
|
||||
|
||||
pthread_mutex_lock(&m->mtx);
|
||||
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
|
||||
@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m)
|
||||
|
||||
static void sss_mt_unlock(struct sss_mutex *m)
|
||||
{
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
if (sss_is_lockfree_mode()) {
|
||||
return;
|
||||
}
|
||||
+#endif
|
||||
|
||||
pthread_setcancelstate(m->old_cancel_state, NULL);
|
||||
pthread_mutex_unlock(&m->mtx);
|
||||
@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void)
|
||||
sss_mt_unlock(&sss_nss_mtx);
|
||||
}
|
||||
|
||||
-/* NSS mutex wrappers */
|
||||
+/* PAM mutex wrappers */
|
||||
void sss_pam_lock(void)
|
||||
{
|
||||
sss_mt_lock(&sss_pam_mtx);
|
||||
@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void)
|
||||
sss_mt_unlock(&sss_pam_mtx);
|
||||
}
|
||||
|
||||
-/* NSS mutex wrappers */
|
||||
-void sss_nss_mc_lock(void)
|
||||
-{
|
||||
- sss_mt_lock(&sss_nss_mc_mtx);
|
||||
-}
|
||||
-void sss_nss_mc_unlock(void)
|
||||
-{
|
||||
- sss_mt_unlock(&sss_nss_mc_mtx);
|
||||
-}
|
||||
-
|
||||
/* PAC mutex wrappers */
|
||||
void sss_pac_lock(void)
|
||||
{
|
||||
diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c
|
||||
index 4f454cd63..8c4894fd9 100644
|
||||
--- a/src/sss_client/idmap/common_ex.c
|
||||
+++ b/src/sss_client/idmap/common_ex.c
|
||||
@@ -28,7 +28,9 @@
|
||||
#include "common_private.h"
|
||||
|
||||
extern struct sss_mutex sss_nss_mtx;
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
bool sss_is_lockfree_mode(void);
|
||||
+#endif
|
||||
|
||||
#define SEC_FROM_MSEC(ms) ((ms) / 1000)
|
||||
#define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
|
||||
@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime)
|
||||
{
|
||||
int ret;
|
||||
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
if (sss_is_lockfree_mode()) {
|
||||
return 0;
|
||||
}
|
||||
+#endif
|
||||
|
||||
ret = pthread_mutex_timedlock(&m->mtx, endtime);
|
||||
if (ret != 0) {
|
||||
--
|
||||
2.37.1
|
||||
|
@ -18,8 +18,8 @@
|
||||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
Name: sssd
|
||||
Version: 2.6.2
|
||||
Release: 4%{?dist}.1
|
||||
Version: 2.7.3
|
||||
Release: 4%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -27,15 +27,16 @@ URL: https://github.com/SSSD/sssd
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
|
||||
Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
|
||||
Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
|
||||
Patch0004: 0004-po-update-translations.patch
|
||||
Patch0005: 0005-Revert-usertools-force-local-user-for-sssd-process-u.patch
|
||||
Patch0006: 0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch
|
||||
Patch0007: 0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
|
||||
Patch0008: 0008-ad-add-fallback-in-ad_domain_info_send.patch
|
||||
Patch0009: 0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch
|
||||
Patch0001: 0001-Makefile-remove-unneeded-dependency.patch
|
||||
Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
|
||||
Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
|
||||
Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch
|
||||
Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
|
||||
Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
|
||||
Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
|
||||
Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
|
||||
Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
|
||||
Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
|
||||
|
||||
### Downstream Patches ###
|
||||
|
||||
@ -109,6 +110,9 @@ BuildRequires: pam_wrapper
|
||||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: libjose-devel
|
||||
BuildRequires: softhsm >= 2.1.0
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssh
|
||||
@ -541,6 +545,16 @@ Requires: krb5-libs >= 1.18.2-11
|
||||
An implementation of a Kerberos KCM server. Use this package if you want to
|
||||
use the KCM: Kerberos credentials cache.
|
||||
|
||||
%package idp
|
||||
Summary: Kerberos plugins and OIDC helper for external identity providers.
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
%description idp
|
||||
This package provides Kerberos plugins that are required to enable
|
||||
authentication against external identity providers. Additionally a helper
|
||||
program to handle the OAuth 2.0 Device Authorization Grant is provided.
|
||||
|
||||
%prep
|
||||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||||
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
||||
@ -626,6 +640,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||
|
||||
# Enable krb5 idp plugins by default (when sssd-idp package is installed)
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||
|
||||
# krb5 configuration snippet
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
@ -932,6 +950,7 @@ done
|
||||
%{_mandir}/man8/pam_sss.8*
|
||||
%{_mandir}/man8/pam_sss_gss.8*
|
||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||
%{_mandir}/man8/sssd_krb5_localauth_plugin.8*
|
||||
|
||||
%files -n libsss_sudo
|
||||
%defattr(-,root,root,-)
|
||||
@ -1053,6 +1072,12 @@ done
|
||||
%{_unitdir}/sssd-kcm.service
|
||||
%{_mandir}/man8/sssd-kcm.8*
|
||||
|
||||
%files idp
|
||||
%{_libexecdir}/%{servicename}/oidc_child
|
||||
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
|
||||
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||
|
||||
%pre ipa
|
||||
getent group sssd >/dev/null || groupadd -r sssd
|
||||
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
|
||||
@ -1162,12 +1187,47 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Thu Jun 2 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4.1
|
||||
- Resolves: rhbz#2072958 - Use right sdap_domain in ad_domain_info_send [rhel-8.6.0.z]
|
||||
- Resolves: rhbz#2089244 - pam_sss_gss ceased to work after upgrade to 8.6 [rhel-8.6.0.z]
|
||||
* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
|
||||
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
|
||||
|
||||
* Thu Apr 21 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4
|
||||
- Resolves: rhbz#2074648 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop [rhel-8.6.0.z]
|
||||
* Tue Aug 23 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-3
|
||||
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
|
||||
- Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured
|
||||
- Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend
|
||||
|
||||
* Wed Aug 10 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-2
|
||||
- Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases
|
||||
- Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs
|
||||
- Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL
|
||||
|
||||
* Wed Jul 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-1
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization
|
||||
|
||||
* Mon Jun 20 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.2-1
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets
|
||||
- Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file
|
||||
- Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6
|
||||
- Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf
|
||||
- Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP
|
||||
- Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect
|
||||
- Resolves: rhbz#2098617 - Harden kerberos ticket validation
|
||||
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
|
||||
|
||||
* Wed May 18 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-2
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
|
||||
- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
|
||||
- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
|
||||
- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname()
|
||||
- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd
|
||||
- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
|
||||
- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send
|
||||
- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker
|
||||
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
|
||||
- Resolves: rhbz#2087745 - 2FA prompting setting ineffective
|
||||
- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language
|
||||
|
||||
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
|
||||
- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
|
||||
|
Loading…
Reference in New Issue
Block a user