Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2

Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search
Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service)
Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization
Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileges
Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately
Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
Alexey Tikhonov 2022-12-16 22:22:42 +01:00
parent 70d23470fd
commit 6d6ccdb21b
5 changed files with 174 additions and 298 deletions

.gitignore vendored

@ -99,3 +99,4 @@ sssd-1.2.91.tar.gz
/sssd-2.7.1.tar.gz
/sssd-2.7.3.tar.gz
/sssd-2.8.1.tar.gz
/sssd-2.8.2.tar.gz


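--- /dev/null
+++ b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
@@ -0,0 +1,158 @@
+From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 8 Dec 2022 15:14:05 +0100
+Subject: [PATCH] ldap: update shadow last change in sysdb as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Otherwise pam can use the changed information whe id chaching is
+enabled, so next authentication that fits into the id timeout
+(5 seconds by default) will still sees the password as expired.
+Resolves: https://github.com/SSSD/sssd/issues/6477
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
+---
+src/db/sysdb.h | 4 ++++
+src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
+src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
+3 files changed, 52 insertions(+), 5 deletions(-)
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 7c666f5c4..06b44f5ba 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
+struct sysdb_attrs *attrs,
+int mod_op);
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++ const char *name,
++ const char *attrname);
++
+/* Replace group attrs */
+int sysdb_set_group_attr(struct sss_domain_info *domain,
+const char *name,
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 0d6f2d5cd..ed0df9872 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -1485,6 +1485,38 @@ done:
+return ret;
+}
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++ const char *name,
++ const char *attrname)
++{
++ struct sysdb_attrs *attrs;
++ char *value;
++ errno_t ret;
++
++ attrs = sysdb_new_attrs(NULL);
++ if (attrs == NULL) {
++ return ENOMEM;
++ }
++
++ /* The attribute contains number of days since the epoch */
++ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
++ if (value == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ ret = sysdb_attrs_add_string(attrs, attrname, value);
++ if (ret != EOK) {
++ goto done;
++ }
++
++ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
++
++done:
++ talloc_free(attrs);
++ return ret;
++}
++
+/* =Replace-Attributes-On-Group=========================================== */
+int sysdb_set_group_attr(struct sss_domain_info *domain,
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index 6404a9d3a..96b9d6df4 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
+struct pam_data *pd;
+struct sdap_handle *sh;
+char *dn;
++ enum pwexpire pw_expire_type;
+};
+static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
+@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+{
+struct sdap_pam_chpass_handler_state *state;
+struct tevent_req *req;
+- enum pwexpire pw_expire_type;
+void *pw_expire_data;
+size_t msg_len;
+uint8_t *msg;
+@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
+ret = auth_recv(subreq, state, &state->sh, &state->dn,
+- &pw_expire_type, &pw_expire_data);
++ &state->pw_expire_type, &pw_expire_data);
+talloc_free(subreq);
+if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
+@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+}
+if (ret == EOK) {
+- switch (pw_expire_type) {
++ switch (state->pw_expire_type) {
+case PWEXPIRE_SHADOW:
+ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
+break;
+@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+break;
+default:
+DEBUG(SSSDBG_CRIT_FAILURE,
+- "Unknown password expiration type %d.\n", pw_expire_type);
++ "Unknown password expiration type %d.\n",
++ state->pw_expire_type);
+state->pd->pam_status = PAM_SYSTEM_ERR;
+goto done;
+}
+@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+case ERR_PASSWORD_EXPIRED:
+DEBUG(SSSDBG_TRACE_LIBS,
+"user [%s] successfully authenticated.\n", state->dn);
+- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
++ ret = sdap_pam_chpass_handler_change_step(state, req,
++ state->pw_expire_type);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+"sdap_pam_chpass_handler_change_step() failed.\n");
+@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
+switch (ret) {
+case EOK:
++ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
++ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
++ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
++ if (ret != EOK) {
++ state->pd->pam_status = PAM_SYSTEM_ERR;
++ goto done;
++ }
++ }
++
+state->pd->pam_status = PAM_SUCCESS;
+break;
+case ERR_CHPASS_DENIED:
+--
+2.37.3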
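Review bot: In the `case EOK:` branch added at `@@ -1506,6 +1508,15 @@` of ldap_auth.c, a failure of `sysdb_update_user_shadow_last_change()` turns a password change that has already succeeded on the LDAP server (that is what `ret == EOK` means here) into `PAM_SYSTEM_ERR`, and nothing is logged, so the user is told the change failed although the old password presumably no longer works. The cache write is only a local mirror of the server-side value to cover the id-cache timeout window, so I would log it and still report success, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, "Unable to update shadowLastChange in the cache [%d]: %s\n", ret, sss_strerror(ret));` and then fall through to `state->pd->pam_status = PAM_SUCCESS;`. If surfacing the error is intentional so a stale cache is noticed, the DEBUG line is still needed, because the current silent `goto done` leaves nothing in the logs to diagnose. `sdap_pam_chpass_handler_chpass_done()` starts and ends outside the hunk.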


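--- a/0001-CLIENT-fix-client-fd-leak.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Thu, 25 Aug 2022 18:10:46 +0200
-Subject: [PATCH] CLIENT: fix client fd leak
-- close client socket at thread exit
-- only build lock-free client support if libc has required
-functionality for a proper cleanup
-- use proper mechanisms to init lock_mode only once
-:relnote:Lock-free client support will be only built if libc
-provides `pthread_key_create()` and `pthread_once()`. For glibc
-this means version 2.34+
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb)
----
-configure.ac | 29 +++++++++--
-src/man/Makefile.am | 5 +-
-src/man/sssd.8.xml | 2 +-
-src/sss_client/common.c | 83 +++++++++++++++++++-------------
-src/sss_client/idmap/common_ex.c | 4 ++
-5 files changed, 84 insertions(+), 39 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index 93bd93b85..5a05de41e 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
-m4_include([src/build_macros.m4])
-BUILD_WITH_SHARED_BUILD_DIR
--AC_COMPILE_IFELSE(
-+
-+SAVE_LIBS=$LIBS
-+LIBS=
-+AC_LINK_IFELSE(
-[AC_LANG_PROGRAM([[#include <pthread.h>]],
-[[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
-- (void) m; /* unused */
-+ pthread_mutex_lock(&m);
-+ pthread_mutex_unlock(&m);
-]])],
-[AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.])
-HAVE_PTHREAD=1
-],
-- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])])
-+ [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])])
-+LIBS=$SAVE_LIBS
-+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
--AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
-+SAVE_LIBS=$LIBS
-+LIBS=
-+AC_LINK_IFELSE(
-+ [AC_LANG_PROGRAM([[#include <pthread.h>]],
-+ [[static pthread_key_t k;
-+ static pthread_once_t f = PTHREAD_ONCE_INIT;
-+ pthread_once(&f, NULL);
-+ pthread_key_create(&k, NULL);
-+ ]])],
-+ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.])
-+ HAVE_PTHREAD_EXT=1
-+ ],
-+ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])])
-+LIBS=$SAVE_LIBS
-+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"])
-+
-# Check library for the timer_create function
-SAVE_LIBS=$LIBS
-diff --git a/src/man/Makefile.am b/src/man/Makefile.am
-index 93dd14819..063ff1bf0 100644
---- a/src/man/Makefile.am
-+++ b/src/man/Makefile.am
-@@ -46,9 +46,12 @@ endif
-if BUILD_KCM_RENEWAL
-KCM_RENEWAL_CONDS = ;enable_kcm_renewal
-endif
-+if BUILD_LOCKFREE_CLIENT
-+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support
-+endif
--CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)
-+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)
-#Special Rules:
-diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
-index df07b7f29..5f507c631 100644
---- a/src/man/sssd.8.xml
-+++ b/src/man/sssd.8.xml
-@@ -240,7 +240,7 @@
-If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
-client applications will not use the fast in-memory cache.
-</para>
-- <para>
-+ <para condition="enable_lockfree_support">
-If the environment variable SSS_LOCKFREE is set to "NO", requests
-from multiple threads of a single application will be serialized.
-</para>
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 29c751a50..d762dff49 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -35,7 +35,6 @@
-#include <stdlib.h>
-#include <stdbool.h>
-#include <stdint.h>
--#include <stdatomic.h>
-#include <string.h>
-#include <fcntl.h>
-#include <poll.h>
-@@ -62,8 +61,15 @@
-/* common functions */
-+#ifdef HAVE_PTHREAD_EXT
-+static pthread_key_t sss_sd_key;
-+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
-static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
-static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
-+#else
-+static int sss_cli_sd = -1; /* the sss client socket descriptor */
-+static struct stat sss_cli_sb; /* the sss client stat buffer */
-+#endif
-#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
-__attribute__((destructor))
-@@ -76,6 +82,18 @@ void sss_cli_close_socket(void)
-}
-}
-+#ifdef HAVE_PTHREAD_EXT
-+static void sss_at_thread_exit(void *v)
-+{
-+ sss_cli_close_socket();
-+}
-+
-+static void init_sd_key(void)
-+{
-+ pthread_key_create(&sss_sd_key, sss_at_thread_exit);
-+}
-+#endif
-+
-/* Requests:
-*
-* byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
-@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
-return -1;
-}
-+#ifdef HAVE_PTHREAD_EXT
-+ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
-+
-+ /* It actually doesn't matter what value to set for a key.
-+ * The only important thing: key must be non-NULL to ensure
-+ * destructor is executed at thread exit.
-+ */
-+ pthread_setspecific(sss_sd_key, &sss_cli_sd);
-+#endif
-+
-/* set as non-blocking, close on exec, and make sure standard
-* descriptors are not used */
-sd = make_safe_fd(sd);
-@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len)
-}
-#if HAVE_PTHREAD
--bool sss_is_lockfree_mode(void)
-+
-+#ifdef HAVE_PTHREAD_EXT
-+static bool sss_lock_free = true;
-+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT;
-+
-+static void init_lock_mode(void)
-{
-- const char *env = NULL;
-- enum {
-- MODE_UNDEF,
-- MODE_LOCKING,
-- MODE_LOCKFREE
-- };
-- static atomic_int mode = MODE_UNDEF;
--
-- if (mode == MODE_UNDEF) {
-- env = getenv("SSS_LOCKFREE");
-- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
-- mode = MODE_LOCKING;
-- } else {
-- mode = MODE_LOCKFREE;
-- }
-+ const char *env = getenv("SSS_LOCKFREE");
-+
-+ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
-+ sss_lock_free = false;
-}
-+}
-- return (mode == MODE_LOCKFREE);
-+bool sss_is_lockfree_mode(void)
-+{
-+ pthread_once(&sss_lock_mode_initialized, init_lock_mode);
-+ return sss_lock_free;
-}
-+#endif
-struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
--
-static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
--
--static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
--
-static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
-static void sss_mt_lock(struct sss_mutex *m)
-{
-+#ifdef HAVE_PTHREAD_EXT
-if (sss_is_lockfree_mode()) {
-return;
-}
-+#endif
-pthread_mutex_lock(&m->mtx);
-pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
-@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m)
-static void sss_mt_unlock(struct sss_mutex *m)
-{
-+#ifdef HAVE_PTHREAD_EXT
-if (sss_is_lockfree_mode()) {
-return;
-}
-+#endif
-pthread_setcancelstate(m->old_cancel_state, NULL);
-pthread_mutex_unlock(&m->mtx);
-@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void)
-sss_mt_unlock(&sss_nss_mtx);
-}
--/* NSS mutex wrappers */
-+/* PAM mutex wrappers */
-void sss_pam_lock(void)
-{
-sss_mt_lock(&sss_pam_mtx);
-@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void)
-sss_mt_unlock(&sss_pam_mtx);
-}
--/* NSS mutex wrappers */
--void sss_nss_mc_lock(void)
--{
-- sss_mt_lock(&sss_nss_mc_mtx);
--}
--void sss_nss_mc_unlock(void)
--{
-- sss_mt_unlock(&sss_nss_mc_mtx);
--}
--
-/* PAC mutex wrappers */
-void sss_pac_lock(void)
-{
-diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c
-index 4f454cd63..8c4894fd9 100644
---- a/src/sss_client/idmap/common_ex.c
-+++ b/src/sss_client/idmap/common_ex.c
-@@ -28,7 +28,9 @@
-#include "common_private.h"
-extern struct sss_mutex sss_nss_mtx;
-+#ifdef HAVE_PTHREAD_EXT
-bool sss_is_lockfree_mode(void);
-+#endif
-#define SEC_FROM_MSEC(ms) ((ms) / 1000)
-#define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
-@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime)
-{
-int ret;
-+#ifdef HAVE_PTHREAD_EXT
-if (sss_is_lockfree_mode()) {
-return 0;
-}
-+#endif
-ret = pthread_mutex_timedlock(&m->mtx, endtime);
-if (ret != 0) {
---
-2.37.1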


@ -1 +1 @@
SHA512 (sssd-2.8.1.tar.gz) = 419798fa3e7ab0ad407d9f53ead183e6c4ffb534c93ed20a944a2eea6760bffaa2336373a8d52bd43f8e7c100e52fccecc9d0859bde04f8ce4e7406102024c0e
SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55


@ -26,7 +26,7 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
Name: sssd
Version: 2.8.1
Version: 2.8.2
Release: 1%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
@ -34,7 +34,7 @@ URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
#Patch0001:
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
### Dependencies ###
@ -118,6 +118,7 @@ BuildRequires: samba-winbind
BuildRequires: selinux-policy-targeted
# required for p11_child smartcard tests
BuildRequires: softhsm >= 2.1.0
BuildRequires: bc
BuildRequires: systemd-devel
BuildRequires: systemtap-sdt-devel
BuildRequires: uid_wrapper
@ -1059,6 +1060,17 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Fri Dec 16 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
- Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search
- Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service)
- Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
- Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization
- Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
- Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
- Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately
- Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
* Fri Nov 4 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
- Resolves: rhbz#1507035 - [RFE] SSSD does not support to change the users password when option ldap_pwd_policy equals to shadow in sssd.conf file
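Review bot: The new `BuildRequires: bc` in the `@@ -118,6 +118,7 @@` hunk of sssd.spec is the only entry in that run without a comment saying what consumes it, whereas the neighbouring softhsm line carries `# required for p11_child smartcard tests`. I cannot tell from the hunk which test or script needs bc, so a one-line comment in the same form, e.g. `# required by <test script> (bc is only used at %check time)`, with the actual consumer filled in, would keep the dependency list self-explaining and make it safe to drop later. The rest of the section is a version bump, patch listing and changelog and needs nothing.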