From 6d6ccdb21b35568d6cd6ded41a3bd84d177dca33 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Fri, 16 Dec 2022 22:22:42 +0100 Subject: [PATCH] Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2 Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service) Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around --- .gitignore | 1 + ...-shadow-last-change-in-sysdb-as-well.patch | 158 ++++++++++ 0010-CLIENT-fix-client-fd-leak.patch | 295 ------------------ sources | 2 +- sssd.spec | 16 +- 5 files changed, 174 insertions(+), 298 deletions(-) create mode 100644 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch delete mode 100644 0010-CLIENT-fix-client-fd-leak.patch diff --git a/.gitignore b/.gitignore index 167f5f4..5d54a5a 100644 --- a/.gitignore +++ b/.gitignore @@ -99,3 +99,4 @@ sssd-1.2.91.tar.gz /sssd-2.7.1.tar.gz /sssd-2.7.3.tar.gz /sssd-2.8.1.tar.gz +/sssd-2.8.2.tar.gz diff --git a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch new file mode 100644 index 0000000..60feece --- /dev/null +++ b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch 
@@ -0,0 +1,158 @@ +From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 8 Dec 2022 15:14:05 +0100 +Subject: [PATCH] ldap: update shadow last change in sysdb as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise pam can use the changed information whe id chaching is +enabled, so next authentication that fits into the id timeout +(5 seconds by default) will still sees the password as expired. + +Resolves: https://github.com/SSSD/sssd/issues/6477 + +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman +(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886) +--- + src/db/sysdb.h | 4 ++++ + src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ + src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++----- + 3 files changed, 52 insertions(+), 5 deletions(-) + +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index 7c666f5c4..06b44f5ba 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain, + struct sysdb_attrs *attrs, + int mod_op); + ++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, ++ const char *name, ++ const char *attrname); ++ + /* Replace group attrs */ + int sysdb_set_group_attr(struct sss_domain_info *domain, + const char *name, +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 0d6f2d5cd..ed0df9872 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -1485,6 +1485,38 @@ done: + return ret; + } + ++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, ++ const char *name, ++ const char *attrname) ++{ ++ struct sysdb_attrs *attrs; ++ char *value; ++ errno_t ret; ++ ++ attrs = sysdb_new_attrs(NULL); ++ if (attrs == NULL) { ++ return ENOMEM; ++ } ++ ++ /* The attribute contains number of days since the epoch */ ++ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400); ++ if 
(value == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = sysdb_attrs_add_string(attrs, attrname, value); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); ++ ++done: ++ talloc_free(attrs); ++ return ret; ++} ++ + /* =Replace-Attributes-On-Group=========================================== */ + + int sysdb_set_group_attr(struct sss_domain_info *domain, +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 6404a9d3a..96b9d6df4 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state { + struct pam_data *pd; + struct sdap_handle *sh; + char *dn; ++ enum pwexpire pw_expire_type; + }; + + static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); +@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + { + struct sdap_pam_chpass_handler_state *state; + struct tevent_req *req; +- enum pwexpire pw_expire_type; + void *pw_expire_data; + size_t msg_len; + uint8_t *msg; +@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); + + ret = auth_recv(subreq, state, &state->sh, &state->dn, +- &pw_expire_type, &pw_expire_data); ++ &state->pw_expire_type, &pw_expire_data); + talloc_free(subreq); + + if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && +@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + } + + if (ret == EOK) { +- switch (pw_expire_type) { ++ switch (state->pw_expire_type) { + case PWEXPIRE_SHADOW: + ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); + break; +@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, +- "Unknown password expiration type %d.\n", pw_expire_type); ++ 
"Unknown password expiration type %d.\n", ++ state->pw_expire_type); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } +@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + case ERR_PASSWORD_EXPIRED: + DEBUG(SSSDBG_TRACE_LIBS, + "user [%s] successfully authenticated.\n", state->dn); +- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type); ++ ret = sdap_pam_chpass_handler_change_step(state, req, ++ state->pw_expire_type); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_pam_chpass_handler_change_step() failed.\n"); +@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) + + switch (ret) { + case EOK: ++ if (state->pw_expire_type == PWEXPIRE_SHADOW) { ++ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain, ++ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE); ++ if (ret != EOK) { ++ state->pd->pam_status = PAM_SYSTEM_ERR; ++ goto done; ++ } ++ } ++ + state->pd->pam_status = PAM_SUCCESS; + break; + case ERR_CHPASS_DENIED: +-- +2.37.3 + diff --git a/0010-CLIENT-fix-client-fd-leak.patch b/0010-CLIENT-fix-client-fd-leak.patch deleted file mode 100644 index 48622c8..0000000 --- a/0010-CLIENT-fix-client-fd-leak.patch +++ /dev/null 
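Review bot: In the sdap_pam_chpass_handler_chpass_done() hunk, a failure of sysdb_update_user_shadow_last_change() sets `PAM_SYSTEM_ERR` and jumps to done, but the call sits under `case EOK:`, which appears to be the branch where the password change on the server has already succeeded, so the user would be told the change failed although the new password is presumably in effect. Because this call only refreshes the local cache, it would be safer to report the error but keep the success status, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Unable to update shadow last change in sysdb [%d].\n", ret);` followed by `state->pd->pam_status = PAM_SUCCESS;`, or at least to add a comment explaining why a cache write failure must be surfaced as a PAM failure. In sysdb_update_user_shadow_last_change() the day count is derived from the local clock (`(long)time(NULL)/86400`) rather than from the value the server stored, so a comment stating that the cached number may differ from the server's attribute under clock skew until the next refresh, plus a named constant for `86400`, would make the intent clearer. Both the new helper's callers and sdap_pam_chpass_handler_chpass_done() itself start and end outside the hunk.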
@@ -1,295 +0,0 @@ -From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 25 Aug 2022 18:10:46 +0200 -Subject: [PATCH] CLIENT: fix client fd leak - - - close client socket at thread exit - - only build lock-free client support if libc has required - functionality for a proper cleanup - - use proper mechanisms to init lock_mode only once - -:relnote:Lock-free client support will be only built if libc -provides `pthread_key_create()` and `pthread_once()`. For glibc -this means version 2.34+ - -Reviewed-by: Justin Stephenson -Reviewed-by: Sumit Bose -(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb) ---- - configure.ac | 29 +++++++++-- - src/man/Makefile.am | 5 +- - src/man/sssd.8.xml | 2 +- - src/sss_client/common.c | 83 +++++++++++++++++++------------- - src/sss_client/idmap/common_ex.c | 4 ++ - 5 files changed, 84 insertions(+), 39 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 93bd93b85..5a05de41e 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include ]]) - m4_include([src/build_macros.m4]) - BUILD_WITH_SHARED_BUILD_DIR - --AC_COMPILE_IFELSE( -+ -+SAVE_LIBS=$LIBS -+LIBS= -+AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER; -- (void) m; /* unused */ -+ pthread_mutex_lock(&m); -+ pthread_mutex_unlock(&m); - ]])], - [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.]) - HAVE_PTHREAD=1 - ], -- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])]) -+ [AC_MSG_WARN([Pthread mutex support not found! 
Clients will not be thread safe...])]) -+LIBS=$SAVE_LIBS -+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) - - --AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) -+SAVE_LIBS=$LIBS -+LIBS= -+AC_LINK_IFELSE( -+ [AC_LANG_PROGRAM([[#include ]], -+ [[static pthread_key_t k; -+ static pthread_once_t f = PTHREAD_ONCE_INIT; -+ pthread_once(&f, NULL); -+ pthread_key_create(&k, NULL); -+ ]])], -+ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.]) -+ HAVE_PTHREAD_EXT=1 -+ ], -+ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])]) -+LIBS=$SAVE_LIBS -+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"]) -+ - - # Check library for the timer_create function - SAVE_LIBS=$LIBS -diff --git a/src/man/Makefile.am b/src/man/Makefile.am -index 93dd14819..063ff1bf0 100644 ---- a/src/man/Makefile.am -+++ b/src/man/Makefile.am -@@ -46,9 +46,12 @@ endif - if BUILD_KCM_RENEWAL - KCM_RENEWAL_CONDS = ;enable_kcm_renewal - endif -+if BUILD_LOCKFREE_CLIENT -+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support -+endif - - --CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS) -+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS) - - - #Special Rules: -diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml -index df07b7f29..5f507c631 100644 ---- a/src/man/sssd.8.xml -+++ b/src/man/sssd.8.xml -@@ -240,7 +240,7 @@ - If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", - client applications will not use the fast in-memory cache. - -- -+ - If the environment variable SSS_LOCKFREE is set to "NO", requests - from multiple threads of a single application will be serialized. 
- -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 29c751a50..d762dff49 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -35,7 +35,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -62,8 +61,15 @@ - - /* common functions */ - -+#ifdef HAVE_PTHREAD_EXT -+static pthread_key_t sss_sd_key; -+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT; - static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */ - static __thread struct stat sss_cli_sb; /* the sss client stat buffer */ -+#else -+static int sss_cli_sd = -1; /* the sss client socket descriptor */ -+static struct stat sss_cli_sb; /* the sss client stat buffer */ -+#endif - - #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR - __attribute__((destructor)) -@@ -76,6 +82,18 @@ void sss_cli_close_socket(void) - } - } - -+#ifdef HAVE_PTHREAD_EXT -+static void sss_at_thread_exit(void *v) -+{ -+ sss_cli_close_socket(); -+} -+ -+static void init_sd_key(void) -+{ -+ pthread_key_create(&sss_sd_key, sss_at_thread_exit); -+} -+#endif -+ - /* Requests: - * - * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X) -@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout - return -1; - } - -+#ifdef HAVE_PTHREAD_EXT -+ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */ -+ -+ /* It actually doesn't matter what value to set for a key. -+ * The only important thing: key must be non-NULL to ensure -+ * destructor is executed at thread exit. 
-+ */ -+ pthread_setspecific(sss_sd_key, &sss_cli_sd); -+#endif -+ - /* set as non-blocking, close on exec, and make sure standard - * descriptors are not used */ - sd = make_safe_fd(sd); -@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len) - } - - #if HAVE_PTHREAD --bool sss_is_lockfree_mode(void) -+ -+#ifdef HAVE_PTHREAD_EXT -+static bool sss_lock_free = true; -+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT; -+ -+static void init_lock_mode(void) - { -- const char *env = NULL; -- enum { -- MODE_UNDEF, -- MODE_LOCKING, -- MODE_LOCKFREE -- }; -- static atomic_int mode = MODE_UNDEF; -- -- if (mode == MODE_UNDEF) { -- env = getenv("SSS_LOCKFREE"); -- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { -- mode = MODE_LOCKING; -- } else { -- mode = MODE_LOCKFREE; -- } -+ const char *env = getenv("SSS_LOCKFREE"); -+ -+ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { -+ sss_lock_free = false; - } -+} - -- return (mode == MODE_LOCKFREE); -+bool sss_is_lockfree_mode(void) -+{ -+ pthread_once(&sss_lock_mode_initialized, init_lock_mode); -+ return sss_lock_free; - } -+#endif - - struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- - static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- --static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- - static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; - - static void sss_mt_lock(struct sss_mutex *m) - { -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return; - } -+#endif - - pthread_mutex_lock(&m->mtx); - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state); -@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m) - - static void sss_mt_unlock(struct sss_mutex *m) - { -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return; - } -+#endif - - pthread_setcancelstate(m->old_cancel_state, NULL); - pthread_mutex_unlock(&m->mtx); 
-@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void) - sss_mt_unlock(&sss_nss_mtx); - } - --/* NSS mutex wrappers */ -+/* PAM mutex wrappers */ - void sss_pam_lock(void) - { - sss_mt_lock(&sss_pam_mtx); -@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void) - sss_mt_unlock(&sss_pam_mtx); - } - --/* NSS mutex wrappers */ --void sss_nss_mc_lock(void) --{ -- sss_mt_lock(&sss_nss_mc_mtx); --} --void sss_nss_mc_unlock(void) --{ -- sss_mt_unlock(&sss_nss_mc_mtx); --} -- - /* PAC mutex wrappers */ - void sss_pac_lock(void) - { -diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c -index 4f454cd63..8c4894fd9 100644 ---- a/src/sss_client/idmap/common_ex.c -+++ b/src/sss_client/idmap/common_ex.c -@@ -28,7 +28,9 @@ - #include "common_private.h" - - extern struct sss_mutex sss_nss_mtx; -+#ifdef HAVE_PTHREAD_EXT - bool sss_is_lockfree_mode(void); -+#endif - - #define SEC_FROM_MSEC(ms) ((ms) / 1000) - #define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000) -@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime) - { - int ret; - -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return 0; - } -+#endif - - ret = pthread_mutex_timedlock(&m->mtx, endtime); - if (ret != 0) { --- -2.37.1 - diff --git a/sources b/sources index 5693232..49e768c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.8.1.tar.gz) = 419798fa3e7ab0ad407d9f53ead183e6c4ffb534c93ed20a944a2eea6760bffaa2336373a8d52bd43f8e7c100e52fccecc9d0859bde04f8ce4e7406102024c0e +SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55 diff --git a/sssd.spec b/sssd.spec index a354a71..d5ed30c 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -26,7 +26,7 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.8.1 +Version: 2.8.2 Release: 1%{?dist} Summary: System Security Services Daemon License: GPLv3+ @@ -34,7 +34,7 @@ URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -#Patch0001: +Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch ### Dependencies ### @@ -118,6 +118,7 @@ BuildRequires: samba-winbind BuildRequires: selinux-policy-targeted # required for p11_child smartcard tests BuildRequires: softhsm >= 2.1.0 +BuildRequires: bc BuildRequires: systemd-devel BuildRequires: systemtap-sdt-devel BuildRequires: uid_wrapper 
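Review bot: `BuildRequires: bc` in the `@@ -118,6 +118,7 @@` hunk is added without saying what needs it, while the neighbouring softhsm line carries `# required for p11_child smartcard tests`, and none of the rhbz entries in the commit message mention bc. A one-line comment above it naming the consumer, e.g. `# required by <test or script that invokes bc — fill in>`, would keep the build-dependency list auditable and make the line easy to drop once that consumer goes away. If bc is needed only while running the test suite, saying so in that comment would also tell packagers it is not a runtime or link-time dependency.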
@@ -1059,6 +1060,17 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri Dec 16 2022 Alexey Tikhonov - 2.8.2-1 +- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2 +- Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search +- Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service) +- Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. +- Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization +- Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list +- Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged +- Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately +- Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around + * Fri Nov 4 2022 Alexey Tikhonov - 2.8.1-1 - Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2 - Resolves: rhbz#1507035 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file