rpms
/
sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import sssd-2.7.3-4.el8

This commit is contained in:
CentOS Sources 2022-11-08 02:01:19 -05:00 committed by Stepan Oksanichenko
parent c7a1fcfb51
commit 6559c78444
22 changed files with 1272 additions and 2243 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.6.2.tar.gz
SOURCES/sssd-2.7.3.tar.gz

2
.sssd.metadata
View File

@ -1 +1 @@
c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz

51
SOURCES/0001-Makefile-remove-unneeded-dependency.patch Normal file
View File

@ -0,0 +1,51 @@
From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 21 Jul 2022 20:16:32 +0200
Subject: [PATCH] Makefile: remove unneeded dependency
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)
---
Makefile.am | 4 ----
1 file changed, 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 669a0fc56..92d046888 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \
$(KRB5_CFLAGS) \
$(UUID_CFLAGS) \
$(CURL_CFLAGS) \
- $(JANSSON_CFLAGS) \
$(NULL)
sssd_kcm_LDADD = \
$(LIBADD_DL) \
$(KRB5_LIBS) \
- $(JANSSON_LIBS) \
$(SSSD_LIBS) \
$(UUID_LIBS) \
$(SYSTEMD_DAEMON_LIBS) \
@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \
$(UUID_CFLAGS) \
$(NULL)
test_kcm_marshalling_LDADD = \
- $(JANSSON_LIBS) \
$(UUID_LIBS) \
$(KRB5_LIBS) \
$(CMOCKA_LIBS) \
@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \
test_kcm_renewals_LDADD = \
$(LIBADD_DL) \
$(UUID_LIBS) \
- $(JANSSON_LIBS) \
$(KRB5_LIBS) \
$(CARES_LIBS) \
$(CMOCKA_LIBS) \
--
2.37.1

33
SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
View File

@ -1,33 +0,0 @@
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 4 Jan 2022 10:11:49 +0100
Subject: [PATCH] ipa: fix reply socket of selinux_child
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
the reply socket of selinux_child from stdout to stderr while switching
from exec_child to exec_child_ex. This patch returns the original
behavior.
Resolves: https://github.com/SSSD/sssd/issues/5939
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ipa/ipa_selinux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 6f885c0fd..2e0593dd7 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
if (pid == 0) { /* child */
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
- false, STDIN_FILENO, STDERR_FILENO);
+ false, STDIN_FILENO, STDOUT_FILENO);
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
ret, sss_strerror(ret));
return ret;
--
2.26.3

155
SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch Normal file
View File

@ -0,0 +1,155 @@
From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 29 Jul 2022 14:57:20 +0200
Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it
should survive context destruction / re-initialization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911)
---
src/sss_client/nss_mc.h | 4 ++--
src/sss_client/nss_mc_common.c | 10 ++++++++--
src/sss_client/nss_mc_group.c | 5 +++++
src/sss_client/nss_mc_initgr.c | 5 +++++
src/sss_client/nss_mc_passwd.c | 5 +++++
src/sss_client/nss_mc_sid.c | 5 +++++
6 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
index b66e8f09f..de1496ccc 100644
--- a/src/sss_client/nss_mc.h
+++ b/src/sss_client/nss_mc.h
@@ -48,7 +48,7 @@ enum sss_mc_state {
struct sss_cli_mc_ctx {
enum sss_mc_state initialized;
#if HAVE_PTHREAD
- pthread_mutex_t mutex;
+ pthread_mutex_t *mutex;
#endif
int fd;
@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx {
};
#if HAVE_PTHREAD
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#else
#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#endif
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index c73a93a9a..f38a4a85a 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -58,14 +58,14 @@ do { \
static void sss_mt_lock(struct sss_cli_mc_ctx *ctx)
{
#if HAVE_PTHREAD
- pthread_mutex_lock(&ctx->mutex);
+ pthread_mutex_lock(ctx->mutex);
#endif
}
static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
{
#if HAVE_PTHREAD
- pthread_mutex_unlock(&ctx->mutex);
+ pthread_mutex_unlock(ctx->mutex);
#endif
}
@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
{
uint32_t active_threads = ctx->active_threads;
+#if HAVE_PTHREAD
+ pthread_mutex_t *mutex = ctx->mutex;
+#endif
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
munmap(ctx->mmap_base, ctx->mmap_size);
@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
/* restore count of active threads */
ctx->active_threads = active_threads;
+#if HAVE_PTHREAD
+ ctx->mutex = mutex;
+#endif
}
static errno_t sss_nss_mc_init_ctx(const char *name,
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index 2ea40c435..d4f2a82ab 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -29,7 +29,12 @@
#include "nss_mc.h"
#include "shared/safealign.h"
+#if HAVE_PTHREAD
+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex);
+#else
static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
+#endif
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
struct group *result,
diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
index b05946263..bd7282935 100644
--- a/src/sss_client/nss_mc_initgr.c
+++ b/src/sss_client/nss_mc_initgr.c
@@ -32,7 +32,12 @@
#include "nss_mc.h"
#include "shared/safealign.h"
+#if HAVE_PTHREAD
+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex);
+#else
static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
+#endif
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
long int *start, long int *size,
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index 01c6801da..256d48444 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -28,7 +28,12 @@
#include <time.h>
#include "nss_mc.h"
+#if HAVE_PTHREAD
+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex);
+#else
static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
+#endif
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
struct passwd *result,
diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c
index af7d7bbd5..52e684da5 100644
--- a/src/sss_client/nss_mc_sid.c
+++ b/src/sss_client/nss_mc_sid.c
@@ -30,7 +30,12 @@
#include "util/mmap_cache.h"
#include "idmap/sss_nss_idmap.h"
+#if HAVE_PTHREAD
+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex);
+#else
static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
+#endif
static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type,
char **sid, uint32_t *type,
--
2.37.1

42
SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch
View File

@ -1,42 +0,0 @@
From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Dec 2021 11:14:18 +0100
Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the forest root is not part of the return trusted domain objects
from the local domain controller we generate an object for further
processing. During this processing it is expected that the 'cn'
attribute is set and contains the name of the forest root. So far this
attribute was missing and it is now added by this patch.
Resolves: https://github.com/SSSD/sssd/issues/5926
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 0353de76f..0c3f8ac31 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
goto done;
}
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
+ state->forest);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
+ goto done;
+ }
+
err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
&id_val.data, &id_val.length);
if (err != IDMAP_SUCCESS) {
--
2.26.3

36
SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch Normal file
View File

@ -0,0 +1,36 @@
From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 1 Aug 2022 09:54:51 -0400
Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
is NULL for certain NSS request types (e.g. Service by Name).
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)
---
src/responder/nss/nss_get_object.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
index 9762d6bfe..5a2e7e9bd 100644
--- a/src/responder/nss/nss_get_object.c
+++ b/src/responder/nss/nss_get_object.c
@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx,
input_name);
}
- cache_req_data_set_hybrid_lookup(hybrid_data, true);
+ if (hybrid_data != NULL) {
+ cache_req_data_set_hybrid_lookup(hybrid_data, true);
+ }
return hybrid_data;
}
--
2.37.1

140
SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
View File

@ -1,140 +0,0 @@
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Thu, 13 Jan 2022 11:28:30 +0100
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AD and IPA providers use a common fo_server object for LDAP and
Kerberos, which is created with the LDAP data. This means that due to
the changes introduced in
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
the port in use for the Kerberos requests would be the one specified for
LDAP, usually the default one (389).
In order to avoid that, AD and IPA providers shouldn't change the
Kerberos port with the one provided for LDAP.
:fixes: A critical regression that prevented authentication of users via
AD and IPA providers was fixed. LDAP port was reused for Kerberos
communication and this provider would send incomprehensible information
to this port.
Resolves: https://github.com/SSSD/sssd/issues/5947
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_common.c | 1 +
src/providers/ipa/ipa_common.c | 1 +
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
src/providers/krb5/krb5_common.h | 1 +
4 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index e263444c5..1ca5f8e3a 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
if (service->krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(service->krb5_service,
server,
+ true,
SSS_KRB5KDC_FO_SRV,
ad_krb5info_file_filter);
if (ret != EOK) {
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 1509cb1ce..e6c1f9aa4 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
if (service->krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(service->krb5_service,
server,
+ true,
SSS_KRB5KDC_FO_SRV,
NULL);
if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 719ce6a12..5ffa20809 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
struct fo_server *server,
+ bool force_default_port,
const char *service,
bool (*filter)(struct fo_server *))
{
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
if (filter == NULL || filter(server) == false) {
address = fo_server_address_or_name(tmp_ctx, server);
if (address) {
- port = fo_get_server_port(server);
- if (port != 0) {
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
- if (address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
- talloc_free(tmp_ctx);
- return ENOMEM;
+ if (!force_default_port) {
+ port = fo_get_server_port(server);
+ if (port != 0) {
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+ if (address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
}
}
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
continue;
}
- port = fo_get_server_port(item);
- if (port != 0) {
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
- if (address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
- talloc_free(tmp_ctx);
- return ENOMEM;
+ if (!force_default_port) {
+ port = fo_get_server_port(item);
+ if (port != 0) {
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+ if (address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
}
}
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
if (krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(krb5_service,
server,
+ false,
krb5_service->name,
NULL);
if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 151f446d1..2fd39a751 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
struct fo_server *server,
+ bool force_default_port,
const char *service,
bool (*filter)(struct fo_server *));
--
2.26.3

30
SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch Normal file
View File

@ -0,0 +1,30 @@
From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Thu, 14 Jul 2022 11:21:04 -0400
Subject: [PATCH] Analyzer: Fix escaping raw fstring
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19)
---
src/tools/analyzer/modules/request.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
index b8dd9b25c..935e13adc 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -243,8 +243,8 @@ class RequestAnalyzer:
be_results = False
component = source.Component.NSS
resp = "nss"
- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]']
- pattern.append(rf"\[CID#{cid}\\]")
+ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
+ pattern.append(rf"\[CID#{cid}\]")
if args.pam:
component = source.Component.PAM
--
2.37.1

1249
SOURCES/0004-po-update-translations.patch
View File

File diff suppressed because it is too large Load Diff

34
SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch Normal file
View File

@ -0,0 +1,34 @@
From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 16 Aug 2022 21:48:43 +0200
Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f)
---
src/sss_client/nss_mc.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
index de1496ccc..0f88521e9 100644
--- a/src/sss_client/nss_mc.h
+++ b/src/sss_client/nss_mc.h
@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx {
};
#if HAVE_PTHREAD
-#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#else
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#endif
errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
--
2.37.1

432
SOURCES/0005-Revert-usertools-force-local-user-for-sssd-process-u.patch
View File

@ -1,432 +0,0 @@
From 37f90057792a0b4543f34684ed9a240fe8e869c1 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 11 Apr 2022 22:48:19 +0200
Subject: [PATCH 5/6] Revert "usertools: force local user for sssd process
user"
This reverts commit 9c447dc85853116c035bbc2f9e3b8553a65be621.
Resolves: https://github.com/SSSD/sssd/issues/6107
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
Makefile.am | 3 -
src/tests/cwrap/Makefile.am | 8 +--
src/tests/cwrap/common_mock_nss_dl_load.c | 77 -----------------------
src/tests/cwrap/common_mock_nss_dl_load.h | 30 ---------
src/tests/cwrap/test_responder_common.c | 7 ---
src/tests/cwrap/test_usertools.c | 6 --
src/util/nss_dl_load.c | 13 +---
src/util/nss_dl_load.h | 3 -
src/util/nss_dl_load_extra.c | 40 ------------
src/util/usertools.c | 32 +++-------
10 files changed, 12 insertions(+), 207 deletions(-)
delete mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
delete mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
delete mode 100644 src/util/nss_dl_load_extra.c
diff --git a/Makefile.am b/Makefile.am
index 1121a3fb2..e0dd5220c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -888,7 +888,6 @@ dist_noinst_HEADERS = \
src/tests/cmocka/test_expire_common.h \
src/tests/cmocka/test_sdap_access.h \
src/tests/cmocka/data_provider/mock_dp.h \
- src/tests/cwrap/common_mock_nss_dl_load.h \
src/sss_client/pam_message.h \
src/sss_client/ssh/sss_ssh_client.h \
src/sss_client/sudo/sss_sudo.h \
@@ -1271,8 +1270,6 @@ libsss_util_la_SOURCES = \
src/util/sss_regexp.c \
src/util/sss_chain_id_tevent.c \
src/util/sss_chain_id.c \
- src/util/nss_dl_load.c \
- src/util/nss_dl_load_extra.c \
$(NULL)
libsss_util_la_CFLAGS = \
$(AM_CFLAGS) \
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 4ac24a492..f25d2e3c6 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -142,17 +142,15 @@ endif
usertools_tests_SOURCES = \
test_usertools.c \
- common_mock_nss_dl_load.c \
- ../../../src/util/usertools.c \
$(NULL)
usertools_tests_CFLAGS = \
$(AM_CFLAGS) \
$(NULL)
usertools_tests_LDADD = \
- $(LIBADD_DL) \
$(CMOCKA_LIBS) \
$(POPT_LIBS) \
$(TALLOC_LIBS) \
+ $(abs_top_builddir)/libsss_util.la \
$(abs_top_builddir)/libsss_debug.la \
$(abs_top_builddir)/libsss_test_common.la \
$(NULL)
@@ -162,10 +160,9 @@ endif
responder_common_tests_SOURCES =\
test_responder_common.c \
- common_mock_nss_dl_load.c \
$(SSSD_RESPONDER_IFACE_OBJ) \
../../../src/responder/common/negcache_files.c \
- ../../../src/util/usertools.c \
+ ../../../src/util/nss_dl_load.c \
../../../src/responder/common/negcache.c \
../../../src/responder/common/responder_common.c \
../../../src/responder/common/responder_packet.c \
@@ -183,6 +180,7 @@ responder_common_tests_LDADD = \
$(SSSD_LIBS) \
$(SELINUX_LIBS) \
$(SYSTEMD_DAEMON_LIBS) \
+ $(abs_top_builddir)/libsss_util.la \
$(abs_top_builddir)/libsss_debug.la \
$(abs_top_builddir)/libsss_test_common.la \
$(abs_top_builddir)/libsss_iface.la \
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
deleted file mode 100644
index 72f6c39ac..000000000
--- a/src/tests/cwrap/common_mock_nss_dl_load.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- Authors:
- Iker Pedrosa <ipedrosa@redhat.com>
-
- Copyright (C) 2021 Red Hat
-
- SSSD tests: Fake nss dl load
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <stddef.h>
-
-#include "common_mock_nss_dl_load.h"
-
-
-static enum nss_status
-mock_getpwnam_r(const char *name, struct passwd *result,
- char *buffer, size_t buflen, int *errnop)
-{
- void *pwd_pointer = NULL;
- int rc;
-
- rc = getpwnam_r(name, result, buffer, buflen, (struct passwd **)&pwd_pointer);
- if (rc == 0 && pwd_pointer == result) {
- *errnop = 0;
- return NSS_STATUS_SUCCESS;
- } else if (rc == 0 && (pwd_pointer == NULL)) {
- *errnop = ENOENT;
- return NSS_STATUS_NOTFOUND;
- } else {
- *errnop = rc;
- return NSS_STATUS_UNAVAIL;
- }
-}
-
-static enum nss_status
-mock_getpwuid_r(uid_t uid, struct passwd *result,
- char *buffer, size_t buflen, int *errnop)
-{
- void *pwd_pointer = NULL;
- int rc;
-
- rc = getpwuid_r(uid, result, buffer, buflen, (struct passwd **)&pwd_pointer);
- if (rc == 0 && pwd_pointer == result) {
- *errnop = 0;
- return NSS_STATUS_SUCCESS;
- } else if (rc == 0 && (pwd_pointer == NULL)) {
- *errnop = ENOENT;
- return NSS_STATUS_NOTFOUND;
- } else {
- *errnop = rc;
- return NSS_STATUS_UNAVAIL;
- }
-}
-
-errno_t mock_sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
-{
- ops->getpwnam_r = mock_getpwnam_r;
- ops->getpwuid_r = mock_getpwuid_r;
-
- return EOK;
-}
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.h b/src/tests/cwrap/common_mock_nss_dl_load.h
deleted file mode 100644
index 6db411450..000000000
--- a/src/tests/cwrap/common_mock_nss_dl_load.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- Authors:
- Iker Pedrosa <ipedrosa@redhat.com>
-
- Copyright (C) 2021 Red Hat
-
- SSSD tests: Fake nss dl load
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#ifndef __COMMON_MOCK_NSS_DL_LOAD_H_
-#define __COMMON_MOCK_NSS_DL_LOAD_H_
-
-#include "util/nss_dl_load.h"
-
-errno_t mock_sss_load_nss_pw_symbols(struct sss_nss_ops *ops);
-
-#endif /* __COMMON_MOCK_NSS_DL_LOAD_H_ */
diff --git a/src/tests/cwrap/test_responder_common.c b/src/tests/cwrap/test_responder_common.c
index 571e95d36..11cc3abd8 100644
--- a/src/tests/cwrap/test_responder_common.c
+++ b/src/tests/cwrap/test_responder_common.c
@@ -29,13 +29,6 @@
#include "util/util.h"
#include "responder/common/responder.h"
#include "tests/cmocka/common_mock.h"
-#include "tests/cwrap/common_mock_nss_dl_load.h"
-
-
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
-{
- return mock_sss_load_nss_pw_symbols(ops);
-}
/* Just to satisfy dependencies */
struct cli_protocol_version *register_cli_protocol_version(void)
diff --git a/src/tests/cwrap/test_usertools.c b/src/tests/cwrap/test_usertools.c
index eb30a540c..f61ae83e2 100644
--- a/src/tests/cwrap/test_usertools.c
+++ b/src/tests/cwrap/test_usertools.c
@@ -27,12 +27,6 @@
#include <popt.h>
#include "util/util.h"
#include "tests/cmocka/common_mock.h"
-#include "tests/cwrap/common_mock_nss_dl_load.h"
-
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
-{
- return mock_sss_load_nss_pw_symbols(ops);
-}
void test_get_user_num(void **state)
{
diff --git a/src/util/nss_dl_load.c b/src/util/nss_dl_load.c
index 379ccfa65..442108307 100644
--- a/src/util/nss_dl_load.c
+++ b/src/util/nss_dl_load.c
@@ -48,16 +48,6 @@ static void *proxy_dlsym(void *handle,
return funcptr;
}
-static void sss_close_handle(struct sss_nss_ops *ops, const char *libname)
-{
- if (dlclose(ops->dl_handle) != 0) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Error closing the handle for the '%s' library, error: %s.\n",
- libname, dlerror());
- }
-
- ops->dl_handle = NULL;
-}
errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
struct sss_nss_symbols *syms, size_t nsyms)
@@ -82,7 +72,7 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
for (i = 0; i < nsyms; i++) {
*(syms[i].fptr) = proxy_dlsym(ops->dl_handle, syms[i].fname,
- libname);
+ libname);
if (*(syms[i].fptr) == NULL) {
if (syms[i].mandatory) {
@@ -90,7 +80,6 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
"mandatory symbol '%s', error: %s.\n", libpath,
syms[i].fname, dlerror());
ret = ELIBBAD;
- sss_close_handle(ops, libname);
goto out;
} else {
DEBUG(SSSDBG_OP_FAILURE, "Library '%s' did not provide "
diff --git a/src/util/nss_dl_load.h b/src/util/nss_dl_load.h
index 07c04e091..f1e882b96 100644
--- a/src/util/nss_dl_load.h
+++ b/src/util/nss_dl_load.h
@@ -23,8 +23,6 @@
#include <pwd.h>
#include <grp.h>
#include <netdb.h>
-#include <stdbool.h>
-
#include "util/util_errors.h"
#include "sss_client/nss_compat.h"
@@ -120,6 +118,5 @@ struct sss_nss_symbols {
errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
struct sss_nss_symbols *syms, size_t nsyms);
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops);
#endif /* __SSSD_NSS_DL_LOAD_H__ */
diff --git a/src/util/nss_dl_load_extra.c b/src/util/nss_dl_load_extra.c
deleted file mode 100644
index 162957025..000000000
--- a/src/util/nss_dl_load_extra.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- SSSD
-
- nss_dl_load_extra.c
-
- Authors:
- Sumit Bose <sbose@redhat.com>
- Iker Pedrosa <ipedrosa@redhat.com>
-
- Copyright (C) 2021 Red Hat
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "util/nss_dl_load.h"
-
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
-{
- errno_t ret;
- struct sss_nss_symbols syms[] = {
- {(void*)&ops->getpwnam_r, true, "getpwnam_r" },
- {(void*)&ops->getpwuid_r, true, "getpwuid_r" }
- };
- size_t nsyms = sizeof(syms) / sizeof(struct sss_nss_symbols);
-
- ret = sss_load_nss_symbols(ops, "files", syms, nsyms);
-
- return ret;
-}
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 33315a798..511fb2d5d 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -27,14 +27,12 @@
#include "db/sysdb.h"
#include "confdb/confdb.h"
-#include "util/nss_dl_load.h"
#include "util/strtonum.h"
#include "util/util.h"
#include "util/safe-format-string.h"
#include "responder/common/responder.h"
#define NAME_DOMAIN_PATTERN_OPTIONS (SSS_REGEXP_DUPNAMES | SSS_REGEXP_EXTENDED)
-#define NSS_BUFFER_SIZE 16384
/* Function returns given realm name as new uppercase string */
char *get_uppercase_realm(TALLOC_CTX *memctx, const char *name)
@@ -568,23 +566,10 @@ sss_fqname(char *str, size_t size, struct sss_names_ctx *nctx,
errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid)
{
- static struct sss_nss_ops nss_ops;
uid_t uid;
errno_t ret;
char *endptr;
- struct passwd pwd = { 0 };
- int errnop = 0;
- enum nss_status status;
- static char s_nss_buffer[NSS_BUFFER_SIZE];
-
- if (!nss_ops.dl_handle) {
- ret = sss_load_nss_pw_symbols(&nss_ops);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Unable to load NSS symbols [%d]: %s\n",
- ret, sss_strerror(ret));
- return ret;
- }
- }
+ struct passwd *pwd;
/* Try if it's an ID first */
uid = strtouint32(input, &endptr, 10);
@@ -596,27 +581,26 @@ errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid)
return ret;
}
- status = nss_ops.getpwnam_r(input, &pwd, s_nss_buffer, NSS_BUFFER_SIZE, &errnop);
+ /* Nope, maybe a username? */
+ pwd = getpwnam(input);
} else {
- status = nss_ops.getpwuid_r(uid, &pwd, s_nss_buffer, NSS_BUFFER_SIZE, &errnop);
+ pwd = getpwuid(uid);
}
- if (status != NSS_STATUS_SUCCESS) {
+ if (pwd == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
"[%s] is neither a valid UID nor a user name which could be "
- "resolved by getpwnam() [%d][%s]. status returned [%d]\n",
- input, errnop, strerror(errnop), status);
+ "resolved by getpwnam().\n", input);
return EINVAL;
}
if (_uid) {
- *_uid = pwd.pw_uid;
+ *_uid = pwd->pw_uid;
}
if (_gid) {
- *_gid = pwd.pw_gid;
+ *_gid = pwd->pw_gid;
}
-
return EOK;
}
--
2.26.3

78
SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch Normal file
View File

@ -0,0 +1,78 @@
From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 16 Aug 2022 21:51:03 +0200
Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be
touched
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
was creating a possibility for a race.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757)
---
src/sss_client/nss_mc.h | 4 +++-
src/sss_client/nss_mc_common.c | 20 ++++++++++----------
2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
index 0f88521e9..9ab2736fa 100644
--- a/src/sss_client/nss_mc.h
+++ b/src/sss_client/nss_mc.h
@@ -44,7 +44,9 @@ enum sss_mc_state {
RECYCLED,
};
-/* common stuff */
+/* In the case this structure is extended, don't forget to update
+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`.
+ */
struct sss_cli_mc_ctx {
enum sss_mc_state initialized;
#if HAVE_PTHREAD
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index f38a4a85a..3128861bf 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
{
- uint32_t active_threads = ctx->active_threads;
-#if HAVE_PTHREAD
- pthread_mutex_t *mutex = ctx->mutex;
-#endif
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
munmap(ctx->mmap_base, ctx->mmap_size);
}
+ ctx->mmap_base = NULL;
+ ctx->mmap_size = 0;
+
if (ctx->fd != -1) {
close(ctx->fd);
}
- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
ctx->fd = -1;
- /* restore count of active threads */
- ctx->active_threads = active_threads;
-#if HAVE_PTHREAD
- ctx->mutex = mutex;
-#endif
+ ctx->seed = 0;
+ ctx->data_table = NULL;
+ ctx->dt_size = 0;
+ ctx->hash_table = NULL;
+ ctx->ht_size = 0;
+ ctx->initialized = UNINITIALIZED;
+ /* `mutex` and `active_threads` should be left intact */
}
static errno_t sss_nss_mc_init_ctx(const char *name,
--
2.37.1

62
SOURCES/0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch
View File

@ -1,62 +0,0 @@
From 3c6218aa91026e066e793ee26333ea64fd6bc50e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 11 Apr 2022 22:49:30 +0200
Subject: [PATCH 6/6] Revert "man: sssd.conf and sssd-ifp clarify user option"
This reverts commit 3d25724dc63dffb6d734790e58b1647e3a64e84f.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/man/sssd-ifp.5.xml | 5 -----
src/man/sssd.conf.5.xml | 11 -----------
2 files changed, 16 deletions(-)
diff --git a/src/man/sssd-ifp.5.xml b/src/man/sssd-ifp.5.xml
index d3080537a..1c35d58a8 100644
--- a/src/man/sssd-ifp.5.xml
+++ b/src/man/sssd-ifp.5.xml
@@ -71,11 +71,6 @@
responder. User names are resolved to UIDs at
startup.
</para>
- <para>
- Local user names are required, i.e. accessible via
- <quote>files</quote> service of
- <filename>nsswitch.conf</filename>.
- </para>
<para>
Default: 0 (only the root user is allowed to access
the InfoPipe responder)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index b6c5912f9..1b8ea7398 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -423,12 +423,6 @@
responder.
</phrase>
</para>
- <para>
- Both a user name and a uid can be used but the
- user should be a local one, i.e. accessible via
- <quote>files</quote> service of
- <filename>nsswitch.conf</filename>.
- </para>
<para>
Default: not set, process will run as root
</para>
@@ -2168,11 +2162,6 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
responder. User names are resolved to UIDs at
startup.
</para>
- <para>
- Local user names are required, i.e. accessible via
- <quote>files</quote> service of
- <filename>nsswitch.conf</filename>.
- </para>
<para>
Default: 0 (only the root user is allowed to access
the PAC responder)
--
2.26.3

33
SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch Normal file
View File

@ -0,0 +1,33 @@
From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 15 Aug 2022 16:17:59 -0400
Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup
Fixes an issue when the sssctl analyzer option is
used on systems where SSSD is not running or configured. This is
an expected use case when using --logdir option to analyze external
log files.
Resolves: https://github.com/SSSD/sssd/issues/6298
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tools/sssctl/sssctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index 3816125ad..f18689f9f 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze),
+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
#ifdef HAVE_LIBINI_CONFIG_V1_3
SSS_TOOL_DELIMITER("Configuration files tools:"),
SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
--
2.37.1

175
SOURCES/0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
View File

@ -1,175 +0,0 @@
From 51e92297157562511baf8902777f02a4aa2e70e6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 15 Mar 2022 11:36:45 +0100
Subject: [PATCH] ad: use right sdap_domain in ad_domain_info_send
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Originally ad_domain_info_send() was only called when there was only a
single domain available and hence only a single sdap_domain struct with
the search bases in the sdap_domain list. Since ad_domain_info_send() is
now called at other times as well the right sdap_domain struct must be
selected so that the right search bases are used.
Resolves: https://github.com/SSSD/sssd/issues/6063
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_domain_info.c | 10 +++++-
src/providers/ldap/ldap_common.h | 3 ++
src/providers/ldap/sdap_domain.c | 21 ++++++++++++
src/tests/cmocka/test_search_bases.c | 48 +++++++++++++++++++++++++++-
4 files changed, 80 insertions(+), 2 deletions(-)
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
index 52b2e2442..f3a82a198 100644
--- a/src/providers/ad/ad_domain_info.c
+++ b/src/providers/ad/ad_domain_info.c
@@ -181,6 +181,7 @@ struct ad_domain_info_state {
struct sdap_id_op *id_op;
struct sdap_id_ctx *id_ctx;
struct sdap_options *opts;
+ struct sdap_domain *sdom;
const char *dom_name;
int base_iter;
@@ -215,6 +216,13 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
state->id_ctx = conn->id_ctx;
state->opts = conn->id_ctx->opts;
state->dom_name = dom_name;
+ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
+ if (state->sdom == NULL || state->sdom->search_bases == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
+ ret = EINVAL;
+ goto immediate;
+ }
+
ret = ad_domain_info_next(req);
if (ret != EOK && ret != EAGAIN) {
@@ -243,7 +251,7 @@ ad_domain_info_next(struct tevent_req *req)
struct ad_domain_info_state *state =
tevent_req_data(req, struct ad_domain_info_state);
- base = state->opts->sdom->search_bases[state->base_iter];
+ base = state->sdom->search_bases[state->base_iter];
if (base == NULL) {
return EOK;
}
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index c78338b5d..426ee68df 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -391,6 +391,9 @@ sdap_domain_remove(struct sdap_options *opts,
struct sdap_domain *sdap_domain_get(struct sdap_options *opts,
struct sss_domain_info *dom);
+struct sdap_domain *sdap_domain_get_by_name(struct sdap_options *opts,
+ const char *dom_name);
+
struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts,
const char *dn);
diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index fa6e9340d..1785dd20d 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -44,6 +44,27 @@ sdap_domain_get(struct sdap_options *opts,
return sditer;
}
+struct sdap_domain *
+sdap_domain_get_by_name(struct sdap_options *opts,
+ const char *dom_name)
+{
+ struct sdap_domain *sditer = NULL;
+
+ if (dom_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing domain name.\n");
+ return NULL;
+ }
+
+ DLIST_FOR_EACH(sditer, opts->sdom) {
+ if (sditer->dom->name != NULL
+ && strcasecmp(sditer->dom->name, dom_name) == 0) {
+ break;
+ }
+ }
+
+ return sditer;
+}
+
struct sdap_domain *
sdap_domain_get_by_dn(struct sdap_options *opts,
const char *dn)
diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c
index 109fa04bf..3276cf118 100644
--- a/src/tests/cmocka/test_search_bases.c
+++ b/src/tests/cmocka/test_search_bases.c
@@ -176,6 +176,51 @@ void test_get_by_dn_fail(void **state)
do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS);
}
+void test_sdap_domain_get_by_name(void **state)
+{
+ struct sdap_options *opts;
+ struct sss_domain_info dom1 = { 0 };
+ dom1.name = discard_const("dom1");
+ struct sss_domain_info dom2 = { 0 };
+ dom2.name = discard_const("dom2");
+ struct sss_domain_info dom3 = { 0 };
+ dom3.name = discard_const("dom3");
+ int ret;
+ struct sdap_domain *sdom;
+
+ opts = talloc_zero(NULL, struct sdap_options);
+ assert_non_null(opts);
+
+ ret = sdap_domain_add(opts, &dom1, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sdap_domain_add(opts, &dom2, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sdap_domain_add(opts, &dom3, NULL);
+ assert_int_equal(ret, EOK);
+
+ sdom = sdap_domain_get_by_name(opts, NULL);
+ assert_null(sdom);
+
+ sdom = sdap_domain_get_by_name(opts, "abc");
+ assert_null(sdom);
+
+ sdom = sdap_domain_get_by_name(opts, "dom1");
+ assert_non_null(sdom);
+ assert_ptr_equal(sdom->dom, &dom1);
+
+ sdom = sdap_domain_get_by_name(opts, "dom2");
+ assert_non_null(sdom);
+ assert_ptr_equal(sdom->dom, &dom2);
+
+ sdom = sdap_domain_get_by_name(opts, "dom3");
+ assert_non_null(sdom);
+ assert_ptr_equal(sdom->dom, &dom3);
+
+ talloc_free(opts);
+}
+
int main(void)
{
const struct CMUnitTest tests[] = {
@@ -183,7 +228,8 @@ int main(void)
cmocka_unit_test(test_search_bases_success),
cmocka_unit_test(test_get_by_dn_fail),
cmocka_unit_test(test_get_by_dn),
- cmocka_unit_test(test_get_by_dn2)
+ cmocka_unit_test(test_get_by_dn2),
+ cmocka_unit_test(test_sdap_domain_get_by_name)
};
return cmocka_run_group_tests(tests, NULL, NULL);
--
2.34.3

297
SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch Normal file
View File

@ -0,0 +1,297 @@
From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 19 Aug 2022 09:50:22 -0400
Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Client ID is not stored properly to match requests
when parallel requests are made to client SSSD
Resolves: https://github.com/SSSD/sssd/issues/6307
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 5 +++--
.../plugins/cache_req_autofs_entry_by_name.c | 3 ++-
.../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++-
.../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++-
.../plugins/cache_req_ssh_host_id_by_name.c | 3 ++-
src/responder/common/responder.h | 2 +-
src/responder/common/responder_common.c | 12 +++++++-----
src/responder/common/responder_dp.c | 5 +++--
src/responder/common/responder_get_domains.c | 3 ++-
src/responder/pam/pamsrv_cmd.c | 4 ++--
10 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 4dd45b038..bc65bae71 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -24,6 +24,7 @@
#include <errno.h>
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "responder/common/responder.h"
#include "responder/common/cache_req/cache_req_private.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
}
state->first_iteration = true;
- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n",
- rctx->client_id_num, cr->reqname);
+ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n",
+ sss_chain_id_get(), cr->reqname);
ret = cache_req_is_well_known_object(state, cr, &result);
if (ret == EOK) {
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index 788b6708c..b2b0a06eb 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -24,6 +24,7 @@
#include "db/sysdb.h"
#include "db/sysdb_autofs.h"
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "providers/data_provider.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
be_conn->bus_name, SSS_BUS_PATH,
0, data->name.name,
data->autofs_entry_name,
- cr->rctx->client_id_num);
+ sss_chain_id_get());
}
bool
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 5d82641cc..23b11b1cd 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -24,6 +24,7 @@
#include "db/sysdb.h"
#include "db/sysdb_autofs.h"
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "providers/data_provider.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
0, data->name.name,
- cr->rctx->client_id_num);
+ sss_chain_id_get());
}
bool
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index 29f289723..18c08ca39 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -24,6 +24,7 @@
#include "db/sysdb.h"
#include "db/sysdb_autofs.h"
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "providers/data_provider.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
0, data->name.name,
- cr->rctx->client_id_num);
+ sss_chain_id_get());
}
bool
diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
index a8b8f47a8..29f52f10d 100644
--- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
@@ -23,6 +23,7 @@
#include "db/sysdb_ssh.h"
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "providers/data_provider.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
0, data->name.name, data->alias,
- cr->rctx->client_id_num);
+ sss_chain_id_get());
}
static bool
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 5cb79e3e6..259b3ff13 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -165,13 +165,13 @@ struct cli_ctx {
struct cli_creds *creds;
char *cmd_line;
- uint64_t old_chain_id;
void *protocol_ctx;
void *state_ctx;
struct tevent_timer *idle;
time_t last_request_time;
+ uint32_t client_id_num;
};
struct sss_cmd_table {
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 6e3b61ef0..a4ba8ea71 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev,
"Failed to close fd [%d]: [%s]\n",
ctx->cfd, strerror(ret));
}
- /* Restore the original chain id */
- sss_chain_id_set(ctx->old_chain_id);
DEBUG(SSSDBG_TRACE_INTERNAL,
"Terminated client [%p][%d]\n",
@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev,
int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd;
rctx->client_id_num++;
-
if (accept_ctx->is_private) {
ret = stat(rctx->priv_sock_name, &stat_buf);
if (ret == -1) {
@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev,
talloc_set_destructor(cctx, cli_ctx_destructor);
+ cctx->client_id_num = rctx->client_id_num;
+
len = sizeof(cctx->addr);
cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
if (cctx->cfd == -1) {
@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev,
DEBUG(SSSDBG_TRACE_FUNC,
"[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n",
- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
+ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
cctx, cctx->cfd, accept_ctx->is_private ? " to privileged pipe" : "");
return;
@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr,
uint16_t flags)
{
errno_t ret;
+ uint64_t old_chain_id;
struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx);
/* Always reset the responder idle timer on any activity */
@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr,
}
/* Set the chain id */
- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num);
+ old_chain_id = sss_chain_id_set(cctx->client_id_num);
if (flags & TEVENT_FD_READ) {
recv_fn(cctx);
@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr,
send_fn(cctx);
return;
}
+ /* Restore the original chain id */
+ sss_chain_id_set(old_chain_id);
}
int sss_connection_setup(struct cli_ctx *cctx)
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index d549e02d3..4b4770da1 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -23,6 +23,7 @@
#include <sys/time.h>
#include <time.h>
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "responder/common/responder_packet.h"
#include "responder/common/responder.h"
#include "providers/data_provider.h"
@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH, dp_flags,
entry_type, filter, dom->name, extra,
- rctx->client_id_num);
+ sss_chain_id_get());
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
ret = ENOMEM;
@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx,
SSS_BUS_PATH,
dp_flags, entry_type,
filter_type, filter_value,
- rctx->client_id_num);
+ sss_chain_id_get());
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
ret = ENOMEM;
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
index 918124756..aeff28d73 100644
--- a/src/responder/common/responder_get_domains.c
+++ b/src/responder/common/responder_get_domains.c
@@ -19,6 +19,7 @@
*/
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "responder/common/responder.h"
#include "providers/data_provider.h"
#include "db/sysdb.h"
@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx,
be_conn->bus_name,
SSS_BUS_PATH, dp_flags,
entry_type, filter,
- rctx->client_id_num);
+ sss_chain_id_get());
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
ret = ENOMEM;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index cb0e1b82f..1695554fc 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
preq->cctx = cctx;
preq->cert_auth_local = false;
- preq->client_id_num = pctx->rctx->client_id_num;
+ preq->client_id_num = cctx->client_id_num;
preq->pd = create_pam_data(preq);
if (!preq->pd) {
@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
pd->cmd = pam_cmd;
pd->priv = cctx->priv;
- pd->client_id_num = pctx->rctx->client_id_num;
+ pd->client_id_num = cctx->client_id_num;
ret = pam_forwarder_parse_data(cctx, pd);
if (ret == EAGAIN) {
--
2.37.1

58
SOURCES/0008-ad-add-fallback-in-ad_domain_info_send.patch
View File

@ -1,58 +0,0 @@
From 80ffa314c669feaaffe487d8ea5004c149d948c8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 23 May 2022 09:05:43 +0200
Subject: [PATCH] ad: add fallback in ad_domain_info_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed
ad_domain_info_send() to handle multiple domains by searching for the
matching sdap_domain data. Unfortunately it assumed that the configured
name and the DNS domain name are always matching. This is true for all
sub-domains discovered at runtime by DNS lookups but might not be true
for the domain configured in sssd.conf. Since the configured domain is
the first in the list of sdap_domain data it will be used as a fallback
in case no data could be found by name.
Resolves: https://github.com/SSSD/sssd/issues/6170
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e)
---
src/providers/ad/ad_domain_info.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
index f3a82a198..9583c74b9 100644
--- a/src/providers/ad/ad_domain_info.c
+++ b/src/providers/ad/ad_domain_info.c
@@ -217,8 +217,23 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
state->opts = conn->id_ctx->opts;
state->dom_name = dom_name;
state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
+ /* The first domain in the list is the domain configured in sssd.conf and
+ * here it might be possible that the domain name from the config file and
+ * the DNS domain name do not match. All other sub-domains are discovered
+ * at runtime with the help of DNS lookups so it is expected that the
+ * names matches. Hence it makes sense to fall back to the first entry in
+ * the list if no matching domain was found since it is most probably
+ * related to the configured domain. */
+ if (state->sdom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "No internal domain data found for [%s], "
+ "falling back to first domain.\n",
+ state->dom_name);
+ state->sdom = state->opts->sdom;
+ }
if (state->sdom == NULL || state->sdom->search_bases == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Missing internal domain data for domain [%s].\n",
+ state->dom_name);
ret = EINVAL;
goto immediate;
}
--
2.34.3

185
SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch Normal file
View File

@ -0,0 +1,185 @@
From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 19 Aug 2022 14:44:11 -0400
Subject: [PATCH 9/9] Analyzer: support parallel requests parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Analyzer code(primarily the list verbose command) needs
changes to handle parsing the necessary lines from
NSS/PAM log files when multiple intermixed/parallel
client requests are sent to SSSD.
Resolves: https://github.com/SSSD/sssd/issues/6307
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tools/analyzer/modules/request.py | 119 +++++++++++++++-----------
1 file changed, 67 insertions(+), 52 deletions(-)
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
index 935e13adc..b9fe3caf8 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -16,7 +16,6 @@ class RequestAnalyzer:
"""
module_parser = None
consumed_logs = []
- done = ""
list_opts = [
Option('--verbose', 'Verbose output', bool, '-v'),
Option('--pam', 'Filter only PAM requests', bool),
@@ -149,58 +148,74 @@ class RequestAnalyzer:
print(line)
return found_results
- def print_formatted(self, line, verbose):
+ def print_formatted_verbose(self, source, patterns):
+ """
+ Parse line and print formatted verbose list_requests output
+
+ Args:
+ source (Reader): source Reader object
+ patterns (list): List of regex patterns to use for
+ matching lines
+ """
+ # Get CID number, and print the basic line first
+ for line in self.matched_line(source, patterns):
+ cid = self.print_formatted(line)
+
+ # Loop through each line with this CID number to extract and
+ # print the verbose data needed
+ verbose_patterns = ["(cache_req_send|cache_req_process_input|"
+ "cache_req_search_send)"]
+ for cidline in self.matched_line(source, verbose_patterns):
+ plugin = ""
+ name = ""
+ id = ""
+
+ # skip any lines not pertaining to this CID
+ if f"CID#{cid}]" not in cidline:
+ continue
+ if "refreshed" in cidline:
+ continue
+ # CR Plugin name
+ if re.search("cache_req_send", cidline):
+ plugin = cidline.split('\'')[1]
+ # CR Input name
+ elif re.search("cache_req_process_input", cidline):
+ name = cidline.rsplit('[')[-1]
+ # CR Input id
+ elif re.search("cache_req_search_send", cidline):
+ id = cidline.rsplit()[-1]
+
+ if plugin:
+ print(" - " + plugin)
+ if name:
+ print(" - " + name[:-2])
+ if (id and ("UID" in cidline or "GID" in cidline)):
+ print(" - " + id)
+
+ def print_formatted(self, line):
"""
Parse line and print formatted list_requests output
Args:
line (str): line to parse
- verbose (bool): If true, enable verbose output
+ Returns:
+ Client ID from printed line, 0 otherwise
"""
- plugin = ""
- name = ""
- id = ""
-
# exclude backtrace logs
if line.startswith(' * '):
- return
- fields = line.split("[")
- cr_field = fields[3][7:]
- cr = cr_field.split(":")[0][4:]
+ return 0
if "refreshed" in line:
- return
- # CR Plugin name
- if re.search("cache_req_send", line):
- plugin = line.split('\'')[1]
- # CR Input name
- elif re.search("cache_req_process_input", line):
- name = line.rsplit('[')[-1]
- # CR Input id
- elif re.search("cache_req_search_send", line):
- id = line.rsplit()[-1]
- # CID and client process name
- else:
- ts = line.split(")")[0]
- ts = ts[1:]
- fields = line.split("[")
- cid = fields[3][4:-9]
- cmd = fields[4][4:-1]
- uid = fields[5][4:-1]
- if not uid.isnumeric():
- uid = fields[6][4:-1]
- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
-
- if verbose:
- if plugin:
- print(" - " + plugin)
- if name:
- if cr not in self.done:
- print(" - " + name[:-2])
- self.done = cr
- if id:
- if cr not in self.done:
- print(" - " + id)
- self.done = cr
+ return 0
+ ts = line.split(")")[0]
+ ts = ts[1:]
+ fields = line.split("[")
+ cid = fields[3][4:-9]
+ cmd = fields[4][4:-1]
+ uid = fields[5][4:-1]
+ if not uid.isnumeric():
+ uid = fields[6][4:-1]
+ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
+ return cid
def list_requests(self, args):
"""
@@ -215,20 +230,20 @@ class RequestAnalyzer:
# Log messages matching the following regex patterns contain
# the useful info we need to produce list output
patterns = [r'\[cmd']
- patterns.append("(cache_req_send|cache_req_process_input|"
- "cache_req_search_send)")
if args.pam:
component = source.Component.PAM
resp = "pam"
logger.info(f"******** Listing {resp} client requests ********")
source.set_component(component, False)
- self.done = ""
- for line in self.matched_line(source, patterns):
- if isinstance(source, Journald):
- print(line)
- else:
- self.print_formatted(line, args.verbose)
+ if args.verbose:
+ self.print_formatted_verbose(source, patterns)
+ else:
+ for line in self.matched_line(source, patterns):
+ if isinstance(source, Journald):
+ print(line)
+ else:
+ self.print_formatted(line)
def track_request(self, args):
"""
--
2.37.1

34
SOURCES/0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch
View File

@ -1,34 +0,0 @@
From 0eae7db9e06645ef88d0cf15672770776293edb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 23 May 2022 11:05:01 +0200
Subject: [PATCH] pam_sss_gss: KRB5CCNAME may be NULL
Resolves: https://github.com/SSSD/sssd/issues/6180
:fixes: A regression in pam_sss_gss module causing a failure if
KRB5CCNAME environment variable was not set was fixed.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 9aad30711a5928f0e8a3627305b6449291de507f)
---
src/sss_client/pam_sss_gss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
index 51047efc3..77a58e4cf 100644
--- a/src/sss_client/pam_sss_gss.c
+++ b/src/sss_client/pam_sss_gss.c
@@ -492,7 +492,8 @@ static errno_t sss_cli_getenv(const char *variable_name, char **_value)
{
char *value = getenv(variable_name);
if (value == NULL) {
- return ENOENT;
+ *_value = NULL;
+ return EOK;
}
*_value = strdup(value);
--
2.34.3

295
SOURCES/0010-CLIENT-fix-client-fd-leak.patch Normal file
View File

@ -0,0 +1,295 @@
From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 25 Aug 2022 18:10:46 +0200
Subject: [PATCH] CLIENT: fix client fd leak
- close client socket at thread exit
- only build lock-free client support if libc has required
functionality for a proper cleanup
- use proper mechanisms to init lock_mode only once
:relnote:Lock-free client support will be only built if libc
provides `pthread_key_create()` and `pthread_once()`. For glibc
this means version 2.34+
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb)
---
configure.ac | 29 +++++++++--
src/man/Makefile.am | 5 +-
src/man/sssd.8.xml | 2 +-
src/sss_client/common.c | 83 +++++++++++++++++++-------------
src/sss_client/idmap/common_ex.c | 4 ++
5 files changed, 84 insertions(+), 39 deletions(-)
diff --git a/configure.ac b/configure.ac
index 93bd93b85..5a05de41e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
m4_include([src/build_macros.m4])
BUILD_WITH_SHARED_BUILD_DIR
-AC_COMPILE_IFELSE(
+
+SAVE_LIBS=$LIBS
+LIBS=
+AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[#include <pthread.h>]],
[[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
- (void) m; /* unused */
+ pthread_mutex_lock(&m);
+ pthread_mutex_unlock(&m);
]])],
[AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.])
HAVE_PTHREAD=1
],
- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])])
+ [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])])
+LIBS=$SAVE_LIBS
+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
-AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
+SAVE_LIBS=$LIBS
+LIBS=
+AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[#include <pthread.h>]],
+ [[static pthread_key_t k;
+ static pthread_once_t f = PTHREAD_ONCE_INIT;
+ pthread_once(&f, NULL);
+ pthread_key_create(&k, NULL);
+ ]])],
+ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.])
+ HAVE_PTHREAD_EXT=1
+ ],
+ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])])
+LIBS=$SAVE_LIBS
+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"])
+
# Check library for the timer_create function
SAVE_LIBS=$LIBS
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 93dd14819..063ff1bf0 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -46,9 +46,12 @@ endif
if BUILD_KCM_RENEWAL
KCM_RENEWAL_CONDS = ;enable_kcm_renewal
endif
+if BUILD_LOCKFREE_CLIENT
+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support
+endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)
#Special Rules:
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
index df07b7f29..5f507c631 100644
--- a/src/man/sssd.8.xml
+++ b/src/man/sssd.8.xml
@@ -240,7 +240,7 @@
If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
client applications will not use the fast in-memory cache.
</para>
- <para>
+ <para condition="enable_lockfree_support">
If the environment variable SSS_LOCKFREE is set to "NO", requests
from multiple threads of a single application will be serialized.
</para>
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 29c751a50..d762dff49 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -35,7 +35,6 @@
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
-#include <stdatomic.h>
#include <string.h>
#include <fcntl.h>
#include <poll.h>
@@ -62,8 +61,15 @@
/* common functions */
+#ifdef HAVE_PTHREAD_EXT
+static pthread_key_t sss_sd_key;
+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
+#else
+static int sss_cli_sd = -1; /* the sss client socket descriptor */
+static struct stat sss_cli_sb; /* the sss client stat buffer */
+#endif
#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
__attribute__((destructor))
@@ -76,6 +82,18 @@ void sss_cli_close_socket(void)
}
}
+#ifdef HAVE_PTHREAD_EXT
+static void sss_at_thread_exit(void *v)
+{
+ sss_cli_close_socket();
+}
+
+static void init_sd_key(void)
+{
+ pthread_key_create(&sss_sd_key, sss_at_thread_exit);
+}
+#endif
+
/* Requests:
*
* byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
return -1;
}
+#ifdef HAVE_PTHREAD_EXT
+ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
+
+ /* It actually doesn't matter what value to set for a key.
+ * The only important thing: key must be non-NULL to ensure
+ * destructor is executed at thread exit.
+ */
+ pthread_setspecific(sss_sd_key, &sss_cli_sd);
+#endif
+
/* set as non-blocking, close on exec, and make sure standard
* descriptors are not used */
sd = make_safe_fd(sd);
@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len)
}
#if HAVE_PTHREAD
-bool sss_is_lockfree_mode(void)
+
+#ifdef HAVE_PTHREAD_EXT
+static bool sss_lock_free = true;
+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT;
+
+static void init_lock_mode(void)
{
- const char *env = NULL;
- enum {
- MODE_UNDEF,
- MODE_LOCKING,
- MODE_LOCKFREE
- };
- static atomic_int mode = MODE_UNDEF;
-
- if (mode == MODE_UNDEF) {
- env = getenv("SSS_LOCKFREE");
- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
- mode = MODE_LOCKING;
- } else {
- mode = MODE_LOCKFREE;
- }
+ const char *env = getenv("SSS_LOCKFREE");
+
+ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
+ sss_lock_free = false;
}
+}
- return (mode == MODE_LOCKFREE);
+bool sss_is_lockfree_mode(void)
+{
+ pthread_once(&sss_lock_mode_initialized, init_lock_mode);
+ return sss_lock_free;
}
+#endif
struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
-
static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
-
-static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
-
static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
static void sss_mt_lock(struct sss_mutex *m)
{
+#ifdef HAVE_PTHREAD_EXT
if (sss_is_lockfree_mode()) {
return;
}
+#endif
pthread_mutex_lock(&m->mtx);
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m)
static void sss_mt_unlock(struct sss_mutex *m)
{
+#ifdef HAVE_PTHREAD_EXT
if (sss_is_lockfree_mode()) {
return;
}
+#endif
pthread_setcancelstate(m->old_cancel_state, NULL);
pthread_mutex_unlock(&m->mtx);
@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void)
sss_mt_unlock(&sss_nss_mtx);
}
-/* NSS mutex wrappers */
+/* PAM mutex wrappers */
void sss_pam_lock(void)
{
sss_mt_lock(&sss_pam_mtx);
@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void)
sss_mt_unlock(&sss_pam_mtx);
}
-/* NSS mutex wrappers */
-void sss_nss_mc_lock(void)
-{
- sss_mt_lock(&sss_nss_mc_mtx);
-}
-void sss_nss_mc_unlock(void)
-{
- sss_mt_unlock(&sss_nss_mc_mtx);
-}
-
/* PAC mutex wrappers */
void sss_pac_lock(void)
{
diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c
index 4f454cd63..8c4894fd9 100644
--- a/src/sss_client/idmap/common_ex.c
+++ b/src/sss_client/idmap/common_ex.c
@@ -28,7 +28,9 @@
#include "common_private.h"
extern struct sss_mutex sss_nss_mtx;
+#ifdef HAVE_PTHREAD_EXT
bool sss_is_lockfree_mode(void);
+#endif
#define SEC_FROM_MSEC(ms) ((ms) / 1000)
#define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime)
{
int ret;
+#ifdef HAVE_PTHREAD_EXT
if (sss_is_lockfree_mode()) {
return 0;
}
+#endif
ret = pthread_mutex_timedlock(&m->mtx, endtime);
if (ret != 0) {
--
2.37.1

92
SPECS/sssd.spec
View File

@ -18,8 +18,8 @@
%global enable_systemtap_opt --enable-systemtap
Name: sssd
Version: 2.6.2
Release: 4%{?dist}.1
Version: 2.7.3
Release: 4%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -27,15 +27,16 @@ URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
Patch0004: 0004-po-update-translations.patch
Patch0005: 0005-Revert-usertools-force-local-user-for-sssd-process-u.patch
Patch0006: 0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch
Patch0007: 0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
Patch0008: 0008-ad-add-fallback-in-ad_domain_info_send.patch
Patch0009: 0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch
Patch0001: 0001-Makefile-remove-unneeded-dependency.patch
Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch
Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
### Downstream Patches ###
@ -109,6 +110,9 @@ BuildRequires: pam_wrapper
BuildRequires: p11-kit-devel
BuildRequires: openssl-devel
BuildRequires: gnutls-utils
BuildRequires: jansson-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: softhsm >= 2.1.0
BuildRequires: openssl
BuildRequires: openssh
@ -541,6 +545,16 @@ Requires: krb5-libs >= 1.18.2-11
An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache.
%package idp
Summary: Kerberos plugins and OIDC helper for external identity providers.
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
%description idp
This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided.
%prep
# Update timestamps on the files touched by a patch, to avoid non-equal
# .pyc/.pyo files across the multilib peers within a build, where "Level"
@ -626,6 +640,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
# Enable krb5 idp plugins by default (when sssd-idp package is installed)
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
# krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
@ -932,6 +950,7 @@ done
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/pam_sss_gss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
%{_mandir}/man8/sssd_krb5_localauth_plugin.8*
%files -n libsss_sudo
%defattr(-,root,root,-)
@ -1053,6 +1072,12 @@ done
%{_unitdir}/sssd-kcm.service
%{_mandir}/man8/sssd-kcm.8*
%files idp
%{_libexecdir}/%{servicename}/oidc_child
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
%pre ipa
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
@ -1162,12 +1187,47 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Thu Jun 2 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4.1
- Resolves: rhbz#2072958 - Use right sdap_domain in ad_domain_info_send [rhel-8.6.0.z]
- Resolves: rhbz#2089244 - pam_sss_gss ceased to work after upgrade to 8.6 [rhel-8.6.0.z]
* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
* Thu Apr 21 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4
- Resolves: rhbz#2074648 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop [rhel-8.6.0.z]
* Tue Aug 23 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-3
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
- Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured
- Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend
* Wed Aug 10 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-2
- Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases
- Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs
- Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL
* Wed Jul 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-1
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
- Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization
* Mon Jun 20 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.2-1
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
- Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets
- Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file
- Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6
- Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf
- Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP
- Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect
- Resolves: rhbz#2098617 - Harden kerberos ticket validation
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
* Wed May 18 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-2
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname()
- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd
- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send
- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
- Resolves: rhbz#2087745 - 2FA prompting setting ineffective
- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names