From 87cae3c02010966af2f5d1d5d3cdfc41d3b798cf Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 16 May 2023 06:15:10 +0000 Subject: [PATCH] import sssd-2.8.2-2.el8 --- .gitignore | 2 +- .sssd.metadata | 2 +- ...-Makefile-remove-unneeded-dependency.patch | 51 --- ...-shadow-last-change-in-sysdb-as-well.patch | 158 ++++++++++ ...context-mutex-outside-of-context-as-.patch | 155 --------- ...rror-codes-returned-by-common-read-w.patch | 58 ++++ ...E_REQ-Fix-hybrid-lookup-log-spamming.patch | 36 --- ...ll-returns-POLLNVAL-then-socket-is-a.patch | 63 ++++ ...04-Analyzer-Fix-escaping-raw-fstring.patch | 30 -- ...s_cli_sd-should-also-be-protected-wi.patch | 53 ++++ ...ore-appropriate-initial-value-for-fd.patch | 34 -- ...r-to-the-context-mutex-shouldn-t-be-.patch | 78 ----- ...-analyzer-to-work-without-SSSD-setup.patch | 33 -- ...008-RESPONDER-Fix-client-ID-tracking.patch | 297 ------------------ ...er-support-parallel-requests-parsing.patch | 185 ----------- SOURCES/0010-CLIENT-fix-client-fd-leak.patch | 295 ----------------- ...respect-krb5_validate-for-PAC-checks.patch | 124 -------- ...nalyzer-Optimize-list-verbose-output.patch | 141 --------- ...yzer-Ensure-parsed-id-contains-digit.patch | 43 --- ...-TOOLS-don-t-export-internal-helpers.patch | 94 ------ ...5-TOOLS-fixed-handling-of-init-error.patch | 71 ----- ...L-don-t-require-root-for-analyze-cmd.patch | 89 ------ .../0017-PAC-allow-to-disable-UPN-check.patch | 49 --- ...t-add-guessed-principal-to-the-cache.patch | 90 ------ SOURCES/0019-pac-relax-default-check.patch | 164 ---------- SOURCES/0020-oidc_child-escape-scopes.patch | 102 ------ ...lient-secret-if-available-to-get-dev.patch | 89 ------ ...ase-wait-interval-by-5s-if-slow_down.patch | 67 ---- ...child-add-client-secret-stdin-option.patch | 194 ------------ SPECS/sssd.spec | 94 ++++-- 30 files changed, 394 insertions(+), 2547 deletions(-) delete mode 100644 SOURCES/0001-Makefile-remove-unneeded-dependency.patch create mode 100644 SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch delete mode 100644 
SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch create mode 100644 SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch delete mode 100644 SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch create mode 100644 SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch delete mode 100644 SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch create mode 100644 SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch delete mode 100644 SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch delete mode 100644 SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch delete mode 100644 SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch delete mode 100644 SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch delete mode 100644 SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch delete mode 100644 SOURCES/0010-CLIENT-fix-client-fd-leak.patch delete mode 100644 SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch delete mode 100644 SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch delete mode 100644 SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch delete mode 100644 SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch delete mode 100644 SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch delete mode 100644 SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch delete mode 100644 SOURCES/0017-PAC-allow-to-disable-UPN-check.patch delete mode 100644 SOURCES/0018-ipa-do-not-add-guessed-principal-to-the-cache.patch delete mode 100644 SOURCES/0019-pac-relax-default-check.patch delete mode 100644 SOURCES/0020-oidc_child-escape-scopes.patch delete mode 100644 SOURCES/0021-oidc_child-use-client-secret-if-available-to-get-dev.patch delete mode 100644 SOURCES/0022-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch delete mode 100644 SOURCES/0023-oidc_child-add-client-secret-stdin-option.patch 
diff --git a/.gitignore b/.gitignore
index f74e090..a743af2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.7.3.tar.gz
+SOURCES/sssd-2.8.2.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 6132eb6..6575e58 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz
+4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
diff --git a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch
deleted file mode 100644
index 271a5d8..0000000
--- a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Thu, 21 Jul 2022 20:16:32 +0200
-Subject: [PATCH] Makefile: remove unneeded dependency
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Justin Stephenson
-Reviewed-by: Pavel Březina
-(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)
---
- Makefile.am | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 669a0fc56..92d046888 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \
- $(KRB5_CFLAGS) \
- $(UUID_CFLAGS) \
- $(CURL_CFLAGS) \
-- $(JANSSON_CFLAGS) \
- $(NULL)
- sssd_kcm_LDADD = \
- $(LIBADD_DL) \
- $(KRB5_LIBS) \
-- $(JANSSON_LIBS) \
- $(SSSD_LIBS) \
- $(UUID_LIBS) \
- $(SYSTEMD_DAEMON_LIBS) \
-@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \
- $(UUID_CFLAGS) \
- $(NULL)
- test_kcm_marshalling_LDADD = \
-- $(JANSSON_LIBS) \
- $(UUID_LIBS) \
- $(KRB5_LIBS) \
- $(CMOCKA_LIBS) \
-@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \
- test_kcm_renewals_LDADD = \
- $(LIBADD_DL) \
- $(UUID_LIBS) \
-- $(JANSSON_LIBS) \
- $(KRB5_LIBS) \
- $(CARES_LIBS) \
- $(CMOCKA_LIBS) \
---
-2.37.1
-
diff --git a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch new file mode 100644 index 0000000..60feece --- /dev/null +++ b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch 
@@ -0,0 +1,158 @@ +From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 8 Dec 2022 15:14:05 +0100 +Subject: [PATCH] ldap: update shadow last change in sysdb as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise pam can use the changed information whe id chaching is +enabled, so next authentication that fits into the id timeout +(5 seconds by default) will still sees the password as expired. + +Resolves: https://github.com/SSSD/sssd/issues/6477 + +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman +(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886) +--- + src/db/sysdb.h | 4 ++++ + src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ + src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++----- + 3 files changed, 52 insertions(+), 5 deletions(-) + +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index 7c666f5c4..06b44f5ba 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain, + struct sysdb_attrs *attrs, + int mod_op); + ++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, ++ const char *name, ++ const char *attrname); ++ + /* Replace group attrs */ + int sysdb_set_group_attr(struct sss_domain_info *domain, + const char *name, +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 0d6f2d5cd..ed0df9872 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -1485,6 +1485,38 @@ done: + return ret; + } + ++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, ++ const char *name, ++ const char *attrname) ++{ ++ struct sysdb_attrs *attrs; ++ char *value; ++ errno_t ret; ++ ++ attrs = sysdb_new_attrs(NULL); ++ if (attrs == NULL) { ++ return ENOMEM; ++ } ++ ++ /* The attribute contains number of days since the epoch */ ++ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400); ++ if 
(value == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = sysdb_attrs_add_string(attrs, attrname, value); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); ++ ++done: ++ talloc_free(attrs); ++ return ret; ++} ++ + /* =Replace-Attributes-On-Group=========================================== */ + + int sysdb_set_group_attr(struct sss_domain_info *domain, +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 6404a9d3a..96b9d6df4 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state { + struct pam_data *pd; + struct sdap_handle *sh; + char *dn; ++ enum pwexpire pw_expire_type; + }; + + static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); +@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + { + struct sdap_pam_chpass_handler_state *state; + struct tevent_req *req; +- enum pwexpire pw_expire_type; + void *pw_expire_data; + size_t msg_len; + uint8_t *msg; +@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); + + ret = auth_recv(subreq, state, &state->sh, &state->dn, +- &pw_expire_type, &pw_expire_data); ++ &state->pw_expire_type, &pw_expire_data); + talloc_free(subreq); + + if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && +@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + } + + if (ret == EOK) { +- switch (pw_expire_type) { ++ switch (state->pw_expire_type) { + case PWEXPIRE_SHADOW: + ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); + break; +@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, +- "Unknown password expiration type %d.\n", pw_expire_type); ++ 
"Unknown password expiration type %d.\n", ++ state->pw_expire_type); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } +@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + case ERR_PASSWORD_EXPIRED: + DEBUG(SSSDBG_TRACE_LIBS, + "user [%s] successfully authenticated.\n", state->dn); +- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type); ++ ret = sdap_pam_chpass_handler_change_step(state, req, ++ state->pw_expire_type); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_pam_chpass_handler_change_step() failed.\n"); +@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) + + switch (ret) { + case EOK: ++ if (state->pw_expire_type == PWEXPIRE_SHADOW) { ++ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain, ++ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE); ++ if (ret != EOK) { ++ state->pd->pam_status = PAM_SYSTEM_ERR; ++ goto done; ++ } ++ } ++ + state->pd->pam_status = PAM_SUCCESS; + break; + case ERR_CHPASS_DENIED: +-- +2.37.3 + diff --git a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch deleted file mode 100644 index 6caa8fc..0000000 --- a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch +++ /dev/null 
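Review bot: In the added `sdap_pam_chpass_handler_chpass_done()` hunk, a failure of `sysdb_update_user_shadow_last_change()` turns a password change the server has already accepted (`case EOK`) into `PAM_SYSTEM_ERR`, so the user is told the change failed although the directory now holds the new password. A cache write failure is better reported than made fatal: replace the status assignment and `goto done` with `DEBUG(SSSDBG_OP_FAILURE, "Failed to update shadow last change in cache [%d].\n", ret);` and let the function fall through to `state->pd->pam_status = PAM_SUCCESS;`, which leaves only the pre-patch staleness window for that one entry. This is a cherry-pick of upstream 7e8b97c14b8ef218d6ea23214be28d25dba13886, so the change is best carried there rather than as a distro-only divergence. The enclosing function starts and ends outside the hunk.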
@@ -1,155 +0,0 @@ -From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 29 Jul 2022 14:57:20 +0200 -Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it - should survive context destruction / re-initialization -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Iker Pedrosa -Reviewed-by: Pavel Březina -(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911) ---- - src/sss_client/nss_mc.h | 4 ++-- - src/sss_client/nss_mc_common.c | 10 ++++++++-- - src/sss_client/nss_mc_group.c | 5 +++++ - src/sss_client/nss_mc_initgr.c | 5 +++++ - src/sss_client/nss_mc_passwd.c | 5 +++++ - src/sss_client/nss_mc_sid.c | 5 +++++ - 6 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h -index b66e8f09f..de1496ccc 100644 ---- a/src/sss_client/nss_mc.h -+++ b/src/sss_client/nss_mc.h -@@ -48,7 +48,7 @@ enum sss_mc_state { - struct sss_cli_mc_ctx { - enum sss_mc_state initialized; - #if HAVE_PTHREAD -- pthread_mutex_t mutex; -+ pthread_mutex_t *mutex; - #endif - int fd; - -@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx { - }; - - #if HAVE_PTHREAD --#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} -+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #else - #define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #endif -diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c -index c73a93a9a..f38a4a85a 100644 ---- a/src/sss_client/nss_mc_common.c -+++ b/src/sss_client/nss_mc_common.c -@@ -58,14 +58,14 @@ do { \ - static void sss_mt_lock(struct sss_cli_mc_ctx *ctx) - { - #if HAVE_PTHREAD -- pthread_mutex_lock(&ctx->mutex); -+ pthread_mutex_lock(ctx->mutex); - #endif - } - - static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx) - { - 
#if HAVE_PTHREAD -- pthread_mutex_unlock(&ctx->mutex); -+ pthread_mutex_unlock(ctx->mutex); - #endif - } - -@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) - static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - { - uint32_t active_threads = ctx->active_threads; -+#if HAVE_PTHREAD -+ pthread_mutex_t *mutex = ctx->mutex; -+#endif - - if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { - munmap(ctx->mmap_base, ctx->mmap_size); -@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - - /* restore count of active threads */ - ctx->active_threads = active_threads; -+#if HAVE_PTHREAD -+ ctx->mutex = mutex; -+#endif - } - - static errno_t sss_nss_mc_init_ctx(const char *name, -diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c -index 2ea40c435..d4f2a82ab 100644 ---- a/src/sss_client/nss_mc_group.c -+++ b/src/sss_client/nss_mc_group.c -@@ -29,7 +29,12 @@ - #include "nss_mc.h" - #include "shared/safealign.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - struct group *result, -diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c -index b05946263..bd7282935 100644 ---- a/src/sss_client/nss_mc_initgr.c -+++ b/src/sss_client/nss_mc_initgr.c -@@ -32,7 +32,12 @@ - #include "nss_mc.h" - #include "shared/safealign.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - long int 
*start, long int *size, -diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c -index 01c6801da..256d48444 100644 ---- a/src/sss_client/nss_mc_passwd.c -+++ b/src/sss_client/nss_mc_passwd.c -@@ -28,7 +28,12 @@ - #include - #include "nss_mc.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - struct passwd *result, -diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c -index af7d7bbd5..52e684da5 100644 ---- a/src/sss_client/nss_mc_sid.c -+++ b/src/sss_client/nss_mc_sid.c -@@ -30,7 +30,12 @@ - #include "util/mmap_cache.h" - #include "idmap/sss_nss_idmap.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type, - char **sid, uint32_t *type, --- -2.37.1 - diff --git a/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch new file mode 100644 index 0000000..fdc756a --- /dev/null +++ b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch 
@@ -0,0 +1,58 @@
+From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Fri, 3 Feb 2023 11:35:42 +0100
+Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
+ read/write/check helpers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
+error condition is detected, regular `POLLIN/POLLOUT` won't be set.
+Error code set by error condition should have a priority. This enables
+users of this helper to retry attempt (as designed).
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
+---
+ src/sss_client/common.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 2c888faa9..27e09f6f3 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
+ case 1:
+ if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & POLLOUT)) {
++ } else if (!(pfd.revents & POLLOUT)) {
+ *errnop = EBUSY;
+ }
+ break;
+@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
+ }
+ if (pfd.revents & (POLLERR | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & POLLIN)) {
++ } else if (!(pfd.revents & POLLIN)) {
+ *errnop = EBUSY;
+ }
+ break;
+@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+ case 1:
+ if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+ *errnop = EPIPE;
+- }
+- if (!(pfd.revents & (POLLIN | POLLOUT))) {
++ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
+ *errnop = EBUSY;
+ }
+ break;
+--
+2.37.3
+
diff --git a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
deleted file mode 100644
index 965ceaa..0000000
--- a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001
-From: Justin Stephenson
-Date: Mon, 1 Aug 2022 09:54:51 -0400
-Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
-is NULL for certain NSS request types (e.g. Service by Name).
-
-Reviewed-by: Alexey Tikhonov
-Reviewed-by: Pavel Březina
-(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)
---
- src/responder/nss/nss_get_object.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
-index 9762d6bfe..5a2e7e9bd 100644
---- a/src/responder/nss/nss_get_object.c
-+++ b/src/responder/nss/nss_get_object.c
-@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx,
- input_name);
- }
-
-- cache_req_data_set_hybrid_lookup(hybrid_data, true);
-+ if (hybrid_data != NULL) {
-+ cache_req_data_set_hybrid_lookup(hybrid_data, true);
-+ }
-
- return hybrid_data;
- }
---
-2.37.1
-
diff --git a/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
new file mode 100644
index 0000000..d7c875f
--- /dev/null
+++ b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
@@ -0,0 +1,63 @@ +From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 8 Feb 2023 17:48:52 +0100 +Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is + alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise + there is a risk to close "foreign" socket opened in another thread. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3) +--- + src/sss_client/common.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/sss_client/common.c b/src/sss_client/common.c +index 27e09f6f3..c8ade645b 100644 +--- a/src/sss_client/common.c ++++ b/src/sss_client/common.c +@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, + *errnop = ETIME; + break; + case 1: +- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { ++ if (pfd.revents & (POLLERR | POLLHUP)) { ++ *errnop = EPIPE; ++ } else if (pfd.revents & POLLNVAL) { ++ /* Invalid request: fd is not opened */ ++ sss_cli_sd = -1; + *errnop = EPIPE; + } else if (!(pfd.revents & POLLOUT)) { + *errnop = EBUSY; +@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, + if (pfd.revents & (POLLHUP)) { + pollhup = true; + } +- if (pfd.revents & (POLLERR | POLLNVAL)) { ++ if (pfd.revents & POLLERR) { ++ *errnop = EPIPE; ++ } else if (pfd.revents & POLLNVAL) { ++ /* Invalid request: fd is not opened */ ++ sss_cli_sd = -1; + *errnop = EPIPE; + } else if (!(pfd.revents & POLLIN)) { + *errnop = EBUSY; +@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop, + *errnop = ETIME; + break; + case 1: +- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { ++ if (pfd.revents & (POLLERR | POLLHUP)) { ++ *errnop = EPIPE; ++ } else if (pfd.revents & POLLNVAL) { ++ /* Invalid 
request: fd is not opened */ ++ sss_cli_sd = -1; + *errnop = EPIPE; + } else if (!(pfd.revents & (POLLIN | POLLOUT))) { + *errnop = EBUSY; +-- +2.37.3 + diff --git a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch deleted file mode 100644 index 7f87ccc..0000000 --- a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Thu, 14 Jul 2022 11:21:04 -0400 -Subject: [PATCH] Analyzer: Fix escaping raw fstring - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Iker Pedrosa -(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19) ---- - src/tools/analyzer/modules/request.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index b8dd9b25c..935e13adc 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -243,8 +243,8 @@ class RequestAnalyzer: - be_results = False - component = source.Component.NSS - resp = "nss" -- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]'] -- pattern.append(rf"\[CID#{cid}\\]") -+ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]'] -+ pattern.append(rf"\[CID#{cid}\]") - - if args.pam: - component = source.Component.PAM --- -2.37.1 - diff --git a/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch new file mode 100644 index 0000000..dee9c9d --- /dev/null +++ b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch 
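Review bot: The three new `sss_cli_sd = -1;` assignments (in `sss_cli_send_req()`, `sss_cli_recv_rep()` and `sss_cli_check_socket()`) carry only `/* Invalid request: fd is not opened */`, which names the poll result but not why the descriptor is forgotten; the reasoning lives only in the subject line. A comment such as `/* POLLNVAL: fd is already closed; drop it so a later sss_cli_close_socket() cannot close an fd number reused by another thread */` at the first site, with the other two referring to it, would keep that intent with the code. Writing the global directly also bypasses whatever else `sss_cli_close_socket()` resets alongside the descriptor, if anything; that helper is outside the hunk and should be checked. All three enclosing functions start and end outside the hunk.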
@@ -0,0 +1,53 @@
+From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 8 Feb 2023 18:58:37 +0100
+Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
+ mutex. Otherwise a thread calling pam_end() can close socket mid pam
+ transaction in another thread.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug only manifested on platforms where "lockfree client"
+feature wasn't built.
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
+---
+ src/sss_client/pam_sss.c | 3 +++
+ src/sss_client/pam_sss_gss.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index afbdef59a..39ad17188 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
+ #endif /* PAM_DATA_REPLACE */
+
+ D(("Closing the fd"));
++
++ sss_pam_lock();
+ sss_cli_close_socket();
++ sss_pam_unlock();
+ }
+
+ struct cert_auth_info {
+diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
+index 1109ec570..dd578ae5d 100644
+--- a/src/sss_client/pam_sss_gss.c
++++ b/src/sss_client/pam_sss_gss.c
+@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
+ }
+
+ done:
++ sss_pam_lock();
+ sss_cli_close_socket();
++ sss_pam_unlock();
+ free(username);
+ free(domain);
+ free(target);
+--
+2.37.3
+
diff --git a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
deleted file mode 100644
index a820d44..0000000
--- a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
+++ /dev/null
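Review bot: The `done:` label in `pam_sm_authenticate()` now takes `sss_pam_lock()` unconditionally, so any `goto done` executed while the lock is already held would deadlock if the mutex is not recursive; every jump to `done` is outside the hunk, so please confirm none of them sits inside a locked region before this lands. The same lock/unlock pair is added around `sss_cli_close_socket()` in `close_fd()`, and any further caller of `sss_cli_close_socket()` in the PAM modules would need the same treatment; whether other callers exist cannot be seen from here. A one-line comment at each site, e.g. `/* serialise with an in-flight PAM transaction in another thread */`, would record why a plain close needs the lock. `pam_sm_authenticate()` begins before the hunk.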
@@ -1,34 +0,0 @@
-From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Tue, 16 Aug 2022 21:48:43 +0200
-Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Sumit Bose
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f)
---
- src/sss_client/nss_mc.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
-index de1496ccc..0f88521e9 100644
---- a/src/sss_client/nss_mc.h
-+++ b/src/sss_client/nss_mc.h
-@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx {
- };
-
- #if HAVE_PTHREAD
--#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
-+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #else
--#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
-+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #endif
-
- errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
---
-2.37.1
-
diff --git a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
deleted file mode 100644
index f759975..0000000
--- a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Aug 2022 21:51:03 +0200 -Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be - touched -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL` -was creating a possibility for a race. - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757) ---- - src/sss_client/nss_mc.h | 4 +++- - src/sss_client/nss_mc_common.c | 20 ++++++++++---------- - 2 files changed, 13 insertions(+), 11 deletions(-) - -diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h -index 0f88521e9..9ab2736fa 100644 ---- a/src/sss_client/nss_mc.h -+++ b/src/sss_client/nss_mc.h -@@ -44,7 +44,9 @@ enum sss_mc_state { - RECYCLED, - }; - --/* common stuff */ -+/* In the case this structure is extended, don't forget to update -+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`. 
-+ */ - struct sss_cli_mc_ctx { - enum sss_mc_state initialized; - #if HAVE_PTHREAD -diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c -index f38a4a85a..3128861bf 100644 ---- a/src/sss_client/nss_mc_common.c -+++ b/src/sss_client/nss_mc_common.c -@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) - - static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - { -- uint32_t active_threads = ctx->active_threads; --#if HAVE_PTHREAD -- pthread_mutex_t *mutex = ctx->mutex; --#endif - - if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { - munmap(ctx->mmap_base, ctx->mmap_size); - } -+ ctx->mmap_base = NULL; -+ ctx->mmap_size = 0; -+ - if (ctx->fd != -1) { - close(ctx->fd); - } -- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx)); - ctx->fd = -1; - -- /* restore count of active threads */ -- ctx->active_threads = active_threads; --#if HAVE_PTHREAD -- ctx->mutex = mutex; --#endif -+ ctx->seed = 0; -+ ctx->data_table = NULL; -+ ctx->dt_size = 0; -+ ctx->hash_table = NULL; -+ ctx->ht_size = 0; -+ ctx->initialized = UNINITIALIZED; -+ /* `mutex` and `active_threads` should be left intact */ - } - - static errno_t sss_nss_mc_init_ctx(const char *name, --- -2.37.1 - diff --git a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch deleted file mode 100644 index 0e06c29..0000000 --- a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson
-Date: Mon, 15 Aug 2022 16:17:59 -0400
-Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup
-
-Fixes an issue when the sssctl analyzer option is
-used on systems where SSSD is not running or configured. This is
-an expected use case when using --logdir option to analyze external
-log files.
-
-Resolves: https://github.com/SSSD/sssd/issues/6298
-
-Reviewed-by: Alexey Tikhonov
---
- src/tools/sssctl/sssctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 3816125ad..f18689f9f 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
- SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
- SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
- SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
-- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze),
-+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
- #ifdef HAVE_LIBINI_CONFIG_V1_3
- SSS_TOOL_DELIMITER("Configuration files tools:"),
- SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
---
-2.37.1
-
diff --git a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
deleted file mode 100644
index 769e082..0000000
--- a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
+++ /dev/null
@@ -1,297 +0,0 @@ -From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Fri, 19 Aug 2022 09:50:22 -0400 -Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Client ID is not stored properly to match requests -when parallel requests are made to client SSSD - -Resolves: https://github.com/SSSD/sssd/issues/6307 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina - -Reviewed-by: Alexey Tikhonov ---- - src/responder/common/cache_req/cache_req.c | 5 +++-- - .../plugins/cache_req_autofs_entry_by_name.c | 3 ++- - .../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++- - .../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++- - .../plugins/cache_req_ssh_host_id_by_name.c | 3 ++- - src/responder/common/responder.h | 2 +- - src/responder/common/responder_common.c | 12 +++++++----- - src/responder/common/responder_dp.c | 5 +++-- - src/responder/common/responder_get_domains.c | 3 ++- - src/responder/pam/pamsrv_cmd.c | 4 ++-- - 10 files changed, 26 insertions(+), 17 deletions(-) - -diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c -index 4dd45b038..bc65bae71 100644 ---- a/src/responder/common/cache_req/cache_req.c -+++ b/src/responder/common/cache_req/cache_req.c -@@ -24,6 +24,7 @@ - #include - - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder.h" - #include "responder/common/cache_req/cache_req_private.h" - #include "responder/common/cache_req/cache_req_plugin.h" -@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx, - } - state->first_iteration = true; - -- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n", -- rctx->client_id_num, cr->reqname); -+ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n", -+ sss_chain_id_get(), cr->reqname); - - ret = 
cache_req_is_well_known_object(state, cr, &result); - if (ret == EOK) { -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -index 788b6708c..b2b0a06eb 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, - data->autofs_entry_name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -index 5d82641cc..23b11b1cd 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c -index 29f289723..18c08ca39 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c 
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -index a8b8f47a8..29f52f10d 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -@@ -23,6 +23,7 @@ - - #include "db/sysdb_ssh.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, data->alias, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - static bool -diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h -index 5cb79e3e6..259b3ff13 100644 ---- a/src/responder/common/responder.h -+++ b/src/responder/common/responder.h -@@ -165,13 +165,13 @@ struct cli_ctx { - - struct cli_creds *creds; - char *cmd_line; -- uint64_t old_chain_id; - - void *protocol_ctx; - void *state_ctx; - - struct tevent_timer *idle; - time_t last_request_time; -+ uint32_t client_id_num; - }; - - struct sss_cmd_table { -diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c -index 
6e3b61ef0..a4ba8ea71 100644 ---- a/src/responder/common/responder_common.c -+++ b/src/responder/common/responder_common.c -@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev, - "Failed to close fd [%d]: [%s]\n", - ctx->cfd, strerror(ret)); - } -- /* Restore the original chain id */ -- sss_chain_id_set(ctx->old_chain_id); - - DEBUG(SSSDBG_TRACE_INTERNAL, - "Terminated client [%p][%d]\n", -@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev, - int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd; - - rctx->client_id_num++; -- - if (accept_ctx->is_private) { - ret = stat(rctx->priv_sock_name, &stat_buf); - if (ret == -1) { -@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev, - - talloc_set_destructor(cctx, cli_ctx_destructor); - -+ cctx->client_id_num = rctx->client_id_num; -+ - len = sizeof(cctx->addr); - cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len); - if (cctx->cfd == -1) { -@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev, - - DEBUG(SSSDBG_TRACE_FUNC, - "[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n", -- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), -+ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), - cctx, cctx->cfd, accept_ctx->is_private ? 
" to privileged pipe" : ""); - - return; -@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr, - uint16_t flags) - { - errno_t ret; -+ uint64_t old_chain_id; - struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx); - - /* Always reset the responder idle timer on any activity */ -@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr, - } - - /* Set the chain id */ -- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num); -+ old_chain_id = sss_chain_id_set(cctx->client_id_num); - - if (flags & TEVENT_FD_READ) { - recv_fn(cctx); -@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr, - send_fn(cctx); - return; - } -+ /* Restore the original chain id */ -+ sss_chain_id_set(old_chain_id); - } - - int sss_connection_setup(struct cli_ctx *cctx) -diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c -index d549e02d3..4b4770da1 100644 ---- a/src/responder/common/responder_dp.c -+++ b/src/responder/common/responder_dp.c -@@ -23,6 +23,7 @@ - #include - #include - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder_packet.h" - #include "responder/common/responder.h" - #include "providers/data_provider.h" -@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx, - subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, dp_flags, - entry_type, filter, dom->name, extra, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx, - SSS_BUS_PATH, - dp_flags, entry_type, - filter_type, filter_value, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c -index 
918124756..aeff28d73 100644 ---- a/src/responder/common/responder_get_domains.c -+++ b/src/responder/common/responder_get_domains.c -@@ -19,6 +19,7 @@ - */ - - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder.h" - #include "providers/data_provider.h" - #include "db/sysdb.h" -@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx, - be_conn->bus_name, - SSS_BUS_PATH, dp_flags, - entry_type, filter, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index cb0e1b82f..1695554fc 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) - } - preq->cctx = cctx; - preq->cert_auth_local = false; -- preq->client_id_num = pctx->rctx->client_id_num; -+ preq->client_id_num = cctx->client_id_num; - - preq->pd = create_pam_data(preq); - if (!preq->pd) { -@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) - - pd->cmd = pam_cmd; - pd->priv = cctx->priv; -- pd->client_id_num = pctx->rctx->client_id_num; -+ pd->client_id_num = cctx->client_id_num; - - ret = pam_forwarder_parse_data(cctx, pd); - if (ret == EAGAIN) { --- -2.37.1 - diff --git a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch deleted file mode 100644 index b2c49e1..0000000 --- a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Fri, 19 Aug 2022 14:44:11 -0400 -Subject: [PATCH 9/9] Analyzer: support parallel requests parsing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Analyzer code(primarily the list verbose command) needs -changes to handle parsing the necessary lines from -NSS/PAM log files when multiple intermixed/parallel -client requests are sent to SSSD. - -Resolves: https://github.com/SSSD/sssd/issues/6307 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina - -Reviewed-by: Alexey Tikhonov ---- - src/tools/analyzer/modules/request.py | 119 +++++++++++++++----------- - 1 file changed, 67 insertions(+), 52 deletions(-) - -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index 935e13adc..b9fe3caf8 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -16,7 +16,6 @@ class RequestAnalyzer: - """ - module_parser = None - consumed_logs = [] -- done = "" - list_opts = [ - Option('--verbose', 'Verbose output', bool, '-v'), - Option('--pam', 'Filter only PAM requests', bool), -@@ -149,58 +148,74 @@ class RequestAnalyzer: - print(line) - return found_results - -- def print_formatted(self, line, verbose): -+ def print_formatted_verbose(self, source, patterns): -+ """ -+ Parse line and print formatted verbose list_requests output -+ -+ Args: -+ source (Reader): source Reader object -+ patterns (list): List of regex patterns to use for -+ matching lines -+ """ -+ # Get CID number, and print the basic line first -+ for line in self.matched_line(source, patterns): -+ cid = self.print_formatted(line) -+ -+ # Loop through each line with this CID number to extract and -+ # print the verbose data needed -+ verbose_patterns = ["(cache_req_send|cache_req_process_input|" -+ "cache_req_search_send)"] -+ for cidline in 
self.matched_line(source, verbose_patterns): -+ plugin = "" -+ name = "" -+ id = "" -+ -+ # skip any lines not pertaining to this CID -+ if f"CID#{cid}]" not in cidline: -+ continue -+ if "refreshed" in cidline: -+ continue -+ # CR Plugin name -+ if re.search("cache_req_send", cidline): -+ plugin = cidline.split('\'')[1] -+ # CR Input name -+ elif re.search("cache_req_process_input", cidline): -+ name = cidline.rsplit('[')[-1] -+ # CR Input id -+ elif re.search("cache_req_search_send", cidline): -+ id = cidline.rsplit()[-1] -+ -+ if plugin: -+ print(" - " + plugin) -+ if name: -+ print(" - " + name[:-2]) -+ if (id and ("UID" in cidline or "GID" in cidline)): -+ print(" - " + id) -+ -+ def print_formatted(self, line): - """ - Parse line and print formatted list_requests output - - Args: - line (str): line to parse -- verbose (bool): If true, enable verbose output -+ Returns: -+ Client ID from printed line, 0 otherwise - """ -- plugin = "" -- name = "" -- id = "" -- - # exclude backtrace logs - if line.startswith(' * '): -- return -- fields = line.split("[") -- cr_field = fields[3][7:] -- cr = cr_field.split(":")[0][4:] -+ return 0 - if "refreshed" in line: -- return -- # CR Plugin name -- if re.search("cache_req_send", line): -- plugin = line.split('\'')[1] -- # CR Input name -- elif re.search("cache_req_process_input", line): -- name = line.rsplit('[')[-1] -- # CR Input id -- elif re.search("cache_req_search_send", line): -- id = line.rsplit()[-1] -- # CID and client process name -- else: -- ts = line.split(")")[0] -- ts = ts[1:] -- fields = line.split("[") -- cid = fields[3][4:-9] -- cmd = fields[4][4:-1] -- uid = fields[5][4:-1] -- if not uid.isnumeric(): -- uid = fields[6][4:-1] -- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') -- -- if verbose: -- if plugin: -- print(" - " + plugin) -- if name: -- if cr not in self.done: -- print(" - " + name[:-2]) -- self.done = cr -- if id: -- if cr not in self.done: -- print(" - " + id) -- self.done = cr -+ return 0 -+ ts = 
line.split(")")[0] -+ ts = ts[1:] -+ fields = line.split("[") -+ cid = fields[3][4:-9] -+ cmd = fields[4][4:-1] -+ uid = fields[5][4:-1] -+ if not uid.isnumeric(): -+ uid = fields[6][4:-1] -+ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') -+ return cid - - def list_requests(self, args): - """ -@@ -215,20 +230,20 @@ class RequestAnalyzer: - # Log messages matching the following regex patterns contain - # the useful info we need to produce list output - patterns = [r'\[cmd'] -- patterns.append("(cache_req_send|cache_req_process_input|" -- "cache_req_search_send)") - if args.pam: - component = source.Component.PAM - resp = "pam" - - logger.info(f"******** Listing {resp} client requests ********") - source.set_component(component, False) -- self.done = "" -- for line in self.matched_line(source, patterns): -- if isinstance(source, Journald): -- print(line) -- else: -- self.print_formatted(line, args.verbose) -+ if args.verbose: -+ self.print_formatted_verbose(source, patterns) -+ else: -+ for line in self.matched_line(source, patterns): -+ if isinstance(source, Journald): -+ print(line) -+ else: -+ self.print_formatted(line) - - def track_request(self, args): - """ --- -2.37.1 - diff --git a/SOURCES/0010-CLIENT-fix-client-fd-leak.patch b/SOURCES/0010-CLIENT-fix-client-fd-leak.patch deleted file mode 100644 index 48622c8..0000000 --- a/SOURCES/0010-CLIENT-fix-client-fd-leak.patch +++ /dev/null 
@@ -1,295 +0,0 @@ -From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 25 Aug 2022 18:10:46 +0200 -Subject: [PATCH] CLIENT: fix client fd leak - - - close client socket at thread exit - - only build lock-free client support if libc has required - functionality for a proper cleanup - - use proper mechanisms to init lock_mode only once - -:relnote:Lock-free client support will be only built if libc -provides `pthread_key_create()` and `pthread_once()`. For glibc -this means version 2.34+ - -Reviewed-by: Justin Stephenson -Reviewed-by: Sumit Bose -(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb) ---- - configure.ac | 29 +++++++++-- - src/man/Makefile.am | 5 +- - src/man/sssd.8.xml | 2 +- - src/sss_client/common.c | 83 +++++++++++++++++++------------- - src/sss_client/idmap/common_ex.c | 4 ++ - 5 files changed, 84 insertions(+), 39 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 93bd93b85..5a05de41e 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include ]]) - m4_include([src/build_macros.m4]) - BUILD_WITH_SHARED_BUILD_DIR - --AC_COMPILE_IFELSE( -+ -+SAVE_LIBS=$LIBS -+LIBS= -+AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER; -- (void) m; /* unused */ -+ pthread_mutex_lock(&m); -+ pthread_mutex_unlock(&m); - ]])], - [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.]) - HAVE_PTHREAD=1 - ], -- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])]) -+ [AC_MSG_WARN([Pthread mutex support not found! 
Clients will not be thread safe...])]) -+LIBS=$SAVE_LIBS -+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) - - --AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) -+SAVE_LIBS=$LIBS -+LIBS= -+AC_LINK_IFELSE( -+ [AC_LANG_PROGRAM([[#include ]], -+ [[static pthread_key_t k; -+ static pthread_once_t f = PTHREAD_ONCE_INIT; -+ pthread_once(&f, NULL); -+ pthread_key_create(&k, NULL); -+ ]])], -+ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.]) -+ HAVE_PTHREAD_EXT=1 -+ ], -+ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])]) -+LIBS=$SAVE_LIBS -+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"]) -+ - - # Check library for the timer_create function - SAVE_LIBS=$LIBS -diff --git a/src/man/Makefile.am b/src/man/Makefile.am -index 93dd14819..063ff1bf0 100644 ---- a/src/man/Makefile.am -+++ b/src/man/Makefile.am -@@ -46,9 +46,12 @@ endif - if BUILD_KCM_RENEWAL - KCM_RENEWAL_CONDS = ;enable_kcm_renewal - endif -+if BUILD_LOCKFREE_CLIENT -+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support -+endif - - --CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS) -+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS) - - - #Special Rules: -diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml -index df07b7f29..5f507c631 100644 ---- a/src/man/sssd.8.xml -+++ b/src/man/sssd.8.xml -@@ -240,7 +240,7 @@ - If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", - client applications will not use the fast in-memory cache. - -- -+ - If the environment variable SSS_LOCKFREE is set to "NO", requests - from multiple threads of a single application will be serialized. 
- -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 29c751a50..d762dff49 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -35,7 +35,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -62,8 +61,15 @@ - - /* common functions */ - -+#ifdef HAVE_PTHREAD_EXT -+static pthread_key_t sss_sd_key; -+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT; - static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */ - static __thread struct stat sss_cli_sb; /* the sss client stat buffer */ -+#else -+static int sss_cli_sd = -1; /* the sss client socket descriptor */ -+static struct stat sss_cli_sb; /* the sss client stat buffer */ -+#endif - - #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR - __attribute__((destructor)) -@@ -76,6 +82,18 @@ void sss_cli_close_socket(void) - } - } - -+#ifdef HAVE_PTHREAD_EXT -+static void sss_at_thread_exit(void *v) -+{ -+ sss_cli_close_socket(); -+} -+ -+static void init_sd_key(void) -+{ -+ pthread_key_create(&sss_sd_key, sss_at_thread_exit); -+} -+#endif -+ - /* Requests: - * - * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X) -@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout - return -1; - } - -+#ifdef HAVE_PTHREAD_EXT -+ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */ -+ -+ /* It actually doesn't matter what value to set for a key. -+ * The only important thing: key must be non-NULL to ensure -+ * destructor is executed at thread exit. 
-+ */ -+ pthread_setspecific(sss_sd_key, &sss_cli_sd); -+#endif -+ - /* set as non-blocking, close on exec, and make sure standard - * descriptors are not used */ - sd = make_safe_fd(sd); -@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len) - } - - #if HAVE_PTHREAD --bool sss_is_lockfree_mode(void) -+ -+#ifdef HAVE_PTHREAD_EXT -+static bool sss_lock_free = true; -+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT; -+ -+static void init_lock_mode(void) - { -- const char *env = NULL; -- enum { -- MODE_UNDEF, -- MODE_LOCKING, -- MODE_LOCKFREE -- }; -- static atomic_int mode = MODE_UNDEF; -- -- if (mode == MODE_UNDEF) { -- env = getenv("SSS_LOCKFREE"); -- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { -- mode = MODE_LOCKING; -- } else { -- mode = MODE_LOCKFREE; -- } -+ const char *env = getenv("SSS_LOCKFREE"); -+ -+ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { -+ sss_lock_free = false; - } -+} - -- return (mode == MODE_LOCKFREE); -+bool sss_is_lockfree_mode(void) -+{ -+ pthread_once(&sss_lock_mode_initialized, init_lock_mode); -+ return sss_lock_free; - } -+#endif - - struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- - static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- --static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- - static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; - - static void sss_mt_lock(struct sss_mutex *m) - { -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return; - } -+#endif - - pthread_mutex_lock(&m->mtx); - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state); -@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m) - - static void sss_mt_unlock(struct sss_mutex *m) - { -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return; - } -+#endif - - pthread_setcancelstate(m->old_cancel_state, NULL); - pthread_mutex_unlock(&m->mtx); 
-@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void) - sss_mt_unlock(&sss_nss_mtx); - } - --/* NSS mutex wrappers */ -+/* PAM mutex wrappers */ - void sss_pam_lock(void) - { - sss_mt_lock(&sss_pam_mtx); -@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void) - sss_mt_unlock(&sss_pam_mtx); - } - --/* NSS mutex wrappers */ --void sss_nss_mc_lock(void) --{ -- sss_mt_lock(&sss_nss_mc_mtx); --} --void sss_nss_mc_unlock(void) --{ -- sss_mt_unlock(&sss_nss_mc_mtx); --} -- - /* PAC mutex wrappers */ - void sss_pac_lock(void) - { -diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c -index 4f454cd63..8c4894fd9 100644 ---- a/src/sss_client/idmap/common_ex.c -+++ b/src/sss_client/idmap/common_ex.c -@@ -28,7 +28,9 @@ - #include "common_private.h" - - extern struct sss_mutex sss_nss_mtx; -+#ifdef HAVE_PTHREAD_EXT - bool sss_is_lockfree_mode(void); -+#endif - - #define SEC_FROM_MSEC(ms) ((ms) / 1000) - #define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000) -@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime) - { - int ret; - -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return 0; - } -+#endif - - ret = pthread_mutex_timedlock(&m->mtx, endtime); - if (ret != 0) { --- -2.37.1 - diff --git a/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch b/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch deleted file mode 100644 index d747ae3..0000000 --- a/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 20 Sep 2022 15:37:01 +0200 -Subject: [PATCH] krb5: respect krb5_validate for PAC checks -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The first step of checking the PAC is the same as during the Kerberos -ticket validation, requesting a service ticket for a service principal -from the local keytab. By default ticket validation is enable for the -IPA and AD provider where checking the PAC might become important. If -ticket validation is disabled manually it is most probably because there -are issues requesting the service ticket and fixing those is currently -not possible. - -Currently when SSSD is configured to check the PAC it ignores the -krb5_validate setting and tries to request a service ticket which would -fail in the case ticket validation is disabled for a reason. To not -cause regressions with this patch SSSD will skip the PAC checks if -ticket validation is disabled. - -Resolves: https://github.com/SSSD/sssd/issues/6355 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman -(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc) ---- - src/man/include/krb5_options.xml | 11 ++++++++++- - src/man/sssd.conf.5.xml | 13 ++++++++++--- - src/providers/krb5/krb5_child.c | 9 ++++----- - src/providers/krb5/krb5_init_shared.c | 10 ++++++++++ - 4 files changed, 34 insertions(+), 9 deletions(-) - -diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml -index c3292d1bb..d82be7bfa 100644 ---- a/src/man/include/krb5_options.xml -+++ b/src/man/include/krb5_options.xml -@@ -26,7 +26,16 @@ - keytab entry as the last entry or the only entry in the keytab file. 
- - -- Default: false -+ Default: false (IPA and AD provider: true) -+ -+ -+ Please note that the ticket validation is the first step when -+ checking the PAC (see 'pac_check' in the -+ -+ sssd.conf -+ 5 -+ manual page for details). If ticket -+ validation is disabled the PAC checks will be skipped as well. - - - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 615b41550..7a9920815 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - - Apply additional checks on the PAC of the Kerberos - ticket which is available in Active Directory and -- FreeIPA domains, if configured. The following -- options can be used alone or in a comma-separated -- list: -+ FreeIPA domains, if configured. Please note that -+ Kerberos ticket validation must be enabled to be -+ able to check the PAC, i.e. the krb5_validate option -+ must be set to 'True' which is the default for the -+ IPA and AD provider. If krb5_validate is set to -+ 'False' the PAC checks will be skipped. -+ -+ -+ The following options can be used alone or in a -+ comma-separated list: - - - no_check -diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c -index 0a592da00..8727b4202 100644 ---- a/src/providers/krb5/krb5_child.c -+++ b/src/providers/krb5/krb5_child.c -@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[]) - goto done; - } - -- /* To be able to read the PAC we have to request a service ticket where we -- * have a key to decrypt it, this is the same step we use for validating -- * the ticket. */ -- if (cli_opts.check_pac_flags != 0) { -- kr->validate = true; -+ if (cli_opts.check_pac_flags != 0 && !kr->validate) { -+ DEBUG(SSSDBG_IMPORTANT_INFO, -+ "PAC check is requested but krb5_validate is set to false. 
" -+ "PAC checks will be skipped.\n"); - } - - kerr = privileged_krb5_setup(kr, offline); -diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c -index ee48f459b..3e6ebe2ed 100644 ---- a/src/providers/krb5/krb5_init_shared.c -+++ b/src/providers/krb5/krb5_init_shared.c -@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx, - goto done; - } - -+ if (krb5_auth_ctx->check_pac_flags != 0 -+ && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) { -+ DEBUG(SSSDBG_IMPORTANT_INFO, -+ "PAC check is requested but krb5_validate is set to false. " -+ "PAC checks will be skipped.\n"); -+ sss_log(SSS_LOG_WARNING, -+ "PAC check is requested but krb5_validate is set to false. " -+ "PAC checks will be skipped."); -+ } -+ - ret = parse_krb5_map_user(krb5_auth_ctx, - dp_opt_get_cstring(krb5_auth_ctx->opts, - KRB5_MAP_USER), --- -2.37.3 - diff --git a/SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch b/SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch deleted file mode 100644 index 97db9b4..0000000 --- a/SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -From 70e254653edb21923d7565c80704e1ce6865d991 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Wed, 12 Oct 2022 08:48:45 -0400 -Subject: [PATCH] Analyzer: Optimize list verbose output -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Modify the analyzer to parse the responder log file in one pass. This -avoids repeated parsing of a single log file. This operation will now -store log lines in a dictionary on a single pass then format and print -the output accordingly. Does not affect 'list' or 'show' output. - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman ---- - src/tools/analyzer/modules/request.py | 71 ++++++++++++++++++--------- - 1 file changed, 48 insertions(+), 23 deletions(-) - -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index b9fe3caf8..15c8e6bfb 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -148,36 +148,57 @@ class RequestAnalyzer: - print(line) - return found_results - -- def print_formatted_verbose(self, source, patterns): -+ def print_formatted_verbose(self, source): - """ -- Parse line and print formatted verbose list_requests output -+ Parse log file and print formatted verbose list_requests output - - Args: - source (Reader): source Reader object -- patterns (list): List of regex patterns to use for -- matching lines - """ -- # Get CID number, and print the basic line first -- for line in self.matched_line(source, patterns): -- cid = self.print_formatted(line) -- -- # Loop through each line with this CID number to extract and -- # print the verbose data needed -- verbose_patterns = ["(cache_req_send|cache_req_process_input|" -- "cache_req_search_send)"] -- for cidline in self.matched_line(source, verbose_patterns): -+ data = {} -+ # collect cid log lines from single run through of parsing the log -+ # into 
dictionary # (cid, ts) -> logline_output -+ for line in source: -+ if "CID#" not in line: -+ continue -+ -+ # parse CID and ts from line, key is a tuple of (cid,ts) -+ fields = line.split("[") -+ # timestamp to the minute, cut off seconds, ms -+ ts = fields[0][:17] -+ result = re.search('CID#[0-9]*', fields[3]) -+ cid = result.group(0) -+ -+ # if mapping exists, append line to output. Otherwise create new mapping -+ if (cid, ts) in data.keys(): -+ data[(cid, ts)] += line -+ else: -+ data[(cid, ts)] = line -+ -+ # pretty print the data -+ for k, v in data.items(): -+ cr_done = [] -+ id_done = [] -+ for cidline in v.splitlines(): - plugin = "" - name = "" - id = "" - -- # skip any lines not pertaining to this CID -- if f"CID#{cid}]" not in cidline: -- continue -- if "refreshed" in cidline: -- continue -+ # CR number -+ fields = cidline.split("[") -+ cr_field = fields[3][7:] -+ cr = cr_field.split(":")[0][4:] -+ # Client connected, top-level info line -+ if re.search(r'\[cmd', cidline): -+ self.print_formatted(cidline) - # CR Plugin name - if re.search("cache_req_send", cidline): - plugin = cidline.split('\'')[1] -+ id_done.clear() -+ # Extract CR number -+ fields = cidline.split("[") -+ cr_field = fields[3][7:] -+ cr = cr_field.split(":")[0][4:] - # CR Input name - elif re.search("cache_req_process_input", cidline): - name = cidline.rsplit('[')[-1] -@@ -188,9 +209,14 @@ class RequestAnalyzer: - if plugin: - print(" - " + plugin) - if name: -- print(" - " + name[:-2]) -+ # Avoid duplicate output with the same CR # -+ if cr not in cr_done: -+ print(" - " + name[:-1]) -+ cr_done.append(cr) - if (id and ("UID" in cidline or "GID" in cidline)): -- print(" - " + id) -+ if id not in id_done: -+ print(" - " + id) -+ id_done.append(id) - - def print_formatted(self, line): - """ -@@ -237,7 +263,7 @@ class RequestAnalyzer: - logger.info(f"******** Listing {resp} client requests ********") - source.set_component(component, False) - if args.verbose: -- 
self.print_formatted_verbose(source, patterns) -+ self.print_formatted_verbose(source) - else: - for line in self.matched_line(source, patterns): - if isinstance(source, Journald): -@@ -258,8 +284,7 @@ class RequestAnalyzer: - be_results = False - component = source.Component.NSS - resp = "nss" -- pattern = [rf'REQ_TRACE.*\[CID #{cid}\]'] -- pattern.append(rf"\[CID#{cid}\]") -+ pattern = [rf"\[CID#{cid}\]"] - - if args.pam: - component = source.Component.PAM --- -2.37.3 - diff --git a/SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch b/SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch deleted file mode 100644 index aea3aae..0000000 --- a/SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 89ea4a5feaf30f80a79ca3ba8166f304cc414e07 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Tue, 15 Nov 2022 12:47:51 -0500 -Subject: [PATCH] Analyzer: Ensure parsed id contains digit -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In analyzer list verbose output, we parse the last field of cache_req_search_send() lines. -Certain log messages need to be filtered out by ensuring the parsed field is -a digit, such as the last line below. - -[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test -[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test -[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@domain-zflo.com -[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119@domain-zflo.com] from cache - -Reviewed-by: Iker Pedrosa -Reviewed-by: Tomáš Halman -(cherry picked from commit bfa8d50c479cf8ef7b299eb5848309a3a9ea7f12) - -Reviewed-by: Iker Pedrosa -Reviewed-by: Tomáš Halman ---- - src/tools/analyzer/modules/request.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index 15c8e6bfb..bf279ea75 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -214,7 +214,7 @@ class RequestAnalyzer: - print(" - " + name[:-1]) - cr_done.append(cr) - if (id and ("UID" in cidline or "GID" in cidline)): -- if id not in id_done: -+ if id not in id_done and bool(re.search(r'\d', id)): - print(" - " + id) - id_done.append(id) - --- -2.37.3 - diff --git a/SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch b/SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch deleted file mode 100644 index 7a5c780..0000000 --- a/SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 7e23e6394b518dd013c6b03a1a63715899180935 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Sun, 6 Nov 2022 11:22:22 +0100 -Subject: [PATCH 14/16] TOOLS: don't export internal helpers -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Iker Pedrosa -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit 6ef3aade0394e32540242f902c9f21bb8d6c41f2) - -Reviewed-by: Iker Pedrosa -Reviewed-by: Justin Stephenson ---- - src/tools/common/sss_tools.c | 16 ++++++++-------- - src/tools/common/sss_tools.h | 12 ------------ - 2 files changed, 8 insertions(+), 20 deletions(-) - -diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c -index c066ddc5c..47b85bdd2 100644 ---- a/src/tools/common/sss_tools.c -+++ b/src/tools/common/sss_tools.c -@@ -178,9 +178,9 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx, - return ret; - } - --errno_t sss_tool_init(TALLOC_CTX *mem_ctx, -- int *argc, const char **argv, -- struct sss_tool_ctx **_tool_ctx) -+static errno_t sss_tool_init(TALLOC_CTX *mem_ctx, -+ int *argc, const char **argv, -+ struct sss_tool_ctx **_tool_ctx) - { - struct sss_tool_ctx *tool_ctx; - -@@ -235,7 +235,7 @@ static size_t sss_tool_max_length(struct sss_route_cmd *commands) - return max; - } - --void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands) -+static void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands) - { - int min_len; - int i; -@@ -304,10 +304,10 @@ done: - return ret; - } - --errno_t sss_tool_route(int argc, const char **argv, -- struct sss_tool_ctx *tool_ctx, -- struct sss_route_cmd *commands, -- void *pvt) -+static errno_t sss_tool_route(int argc, const char **argv, -+ struct sss_tool_ctx *tool_ctx, -+ struct sss_route_cmd *commands, -+ void *pvt) - { - struct sss_cmdline cmdline; - const char *cmd; -diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h -index 
0e4308ee6..578186633 100644 ---- a/src/tools/common/sss_tools.h -+++ b/src/tools/common/sss_tools.h -@@ -35,10 +35,6 @@ struct sss_tool_ctx { - struct sss_domain_info *domains; - }; - --errno_t sss_tool_init(TALLOC_CTX *mem_ctx, -- int *argc, const char **argv, -- struct sss_tool_ctx **_tool_ctx); -- - struct sss_cmdline { - const char *exec; /* argv[0] */ - const char *command; /* command name */ -@@ -69,14 +65,6 @@ struct sss_route_cmd { - int flags; - }; - --void sss_tool_usage(const char *tool_name, -- struct sss_route_cmd *commands); -- --errno_t sss_tool_route(int argc, const char **argv, -- struct sss_tool_ctx *tool_ctx, -- struct sss_route_cmd *commands, -- void *pvt); -- - typedef errno_t (*sss_popt_fn)(poptContext pc, char option, void *pvt); - - enum sss_tool_opt { --- -2.37.3 - diff --git a/SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch b/SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch deleted file mode 100644 index 45c291a..0000000 --- a/SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From bd16242ef6780fd2808bf03f79eda5d940094bc5 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Sun, 6 Nov 2022 12:25:37 +0100 -Subject: [PATCH 15/16] TOOLS: fixed handling of init error -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Before execution of `tool_cmd_init()` `init_err` wasn't set, -so `sss_tools_handles_init_error()` check was a no-op. - -Consequently, a proper check after `tool_cmd_init()` was missing. - -Reviewed-by: Iker Pedrosa -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit 7af46ba0e925da61b7b4003c3fa6d51c05c1116e) - -Reviewed-by: Iker Pedrosa -Reviewed-by: Justin Stephenson ---- - src/tools/common/sss_tools.c | 17 ++++------------- - src/tools/common/sss_tools.h | 1 - - 2 files changed, 4 insertions(+), 14 deletions(-) - -diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c -index 47b85bdd2..38ae88306 100644 ---- a/src/tools/common/sss_tools.c -+++ b/src/tools/common/sss_tools.c -@@ -336,22 +336,13 @@ static errno_t sss_tool_route(int argc, const char **argv, - cmdline.argc = argc - 2; - cmdline.argv = argv + 2; - -- if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) { -- DEBUG(SSSDBG_FATAL_FAILURE, -- "Command %s does not handle initialization error [%d] %s\n", -- cmdline.command, tool_ctx->init_err, -- sss_strerror(tool_ctx->init_err)); -- return tool_ctx->init_err; -- } -- - if (!tool_ctx->print_help) { - ret = tool_cmd_init(tool_ctx, &commands[i]); -- if (ret == ERR_SYSDB_VERSION_TOO_OLD) { -- tool_ctx->init_err = ret; -- } else if (ret != EOK) { -+ -+ if (!sss_tools_handles_init_error(&commands[i], ret)) { - DEBUG(SSSDBG_FATAL_FAILURE, -- "Command initialization failed [%d] %s\n", -- ret, sss_strerror(ret)); -+ "Command %s does not handle initialization error [%d] %s\n", -+ cmdline.command, ret, sss_strerror(ret)); - return ret; - } - } -diff --git a/src/tools/common/sss_tools.h 
b/src/tools/common/sss_tools.h -index 578186633..75dc15391 100644 ---- a/src/tools/common/sss_tools.h -+++ b/src/tools/common/sss_tools.h -@@ -30,7 +30,6 @@ struct sss_tool_ctx { - struct confdb_ctx *confdb; - - bool print_help; -- errno_t init_err; - char *default_domain; - struct sss_domain_info *domains; - }; --- -2.37.3 - diff --git a/SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch b/SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch deleted file mode 100644 index 698472c..0000000 --- a/SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 66c318d212d56e26f303fc52d5fecbde4a6b9589 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 10 Nov 2022 22:18:06 +0100 -Subject: [PATCH 16/16] SSSCTL: don't require 'root' for "analyze" cmd -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -:relnote: `sssctl analyze` tool doesn't require anymore to be run under root. - -Reviewed-by: Iker Pedrosa -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit 99791400bec1054cf0081884e013a3cbed75fe8a) - -Reviewed-by: Iker Pedrosa -Reviewed-by: Justin Stephenson ---- - src/tools/common/sss_tools.c | 16 +++++++++------- - src/tools/common/sss_tools.h | 3 ++- - src/tools/sssctl/sssctl.c | 2 +- - 3 files changed, 12 insertions(+), 9 deletions(-) - -diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c -index 38ae88306..d16de7c4d 100644 ---- a/src/tools/common/sss_tools.c -+++ b/src/tools/common/sss_tools.c -@@ -267,6 +267,15 @@ static int tool_cmd_init(struct sss_tool_ctx *tool_ctx, - struct sss_route_cmd *command) - { - int ret; -+ uid_t uid; -+ -+ if (!(command->flags & SSS_TOOL_FLAG_SKIP_ROOT_CHECK)) { -+ uid = getuid(); -+ if (uid != 0) { -+ ERROR("'%s' must be run as root\n", command->command); -+ return EXIT_FAILURE; -+ } -+ } - - if (command->flags & SSS_TOOL_FLAG_SKIP_CMD_INIT) { - return EOK; -@@ -515,15 +524,8 @@ int sss_tool_main(int argc, const char **argv, - void *pvt) - { - struct sss_tool_ctx *tool_ctx; -- uid_t uid; - errno_t ret; - -- uid = getuid(); -- if (uid != 0) { -- ERROR("%1$s must be run as root\n", argv[0]); -- return EXIT_FAILURE; -- } -- - ret = sss_tool_init(NULL, &argc, argv, &tool_ctx); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n"); -diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h -index 75dc15391..24dd4b559 100644 ---- a/src/tools/common/sss_tools.h -+++ b/src/tools/common/sss_tools.h -@@ -54,7 +54,8 @@ 
typedef errno_t - #define SSS_TOOL_DELIMITER(message) {"", _(message), 0, NULL, 0} - #define SSS_TOOL_LAST {NULL, NULL, 0, NULL, 0} - --#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01 -+#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01 -+#define SSS_TOOL_FLAG_SKIP_ROOT_CHECK 0x02 - - struct sss_route_cmd { - const char *command; -diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c -index f18689f9f..b73d19ffe 100644 ---- a/src/tools/sssctl/sssctl.c -+++ b/src/tools/sssctl/sssctl.c -@@ -296,7 +296,7 @@ int main(int argc, const char **argv) - SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove), - SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch), - SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level), -- SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT), -+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK), - #ifdef HAVE_LIBINI_CONFIG_V1_3 - SSS_TOOL_DELIMITER("Configuration files tools:"), - SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT), --- -2.37.3 - diff --git a/SOURCES/0017-PAC-allow-to-disable-UPN-check.patch b/SOURCES/0017-PAC-allow-to-disable-UPN-check.patch deleted file mode 100644 index f5b565d..0000000 --- a/SOURCES/0017-PAC-allow-to-disable-UPN-check.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From a86d1740167031bf6444ff821a201164c11ba09c Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 16 Nov 2022 09:28:54 +0100 -Subject: [PATCH 17/19] PAC: allow to disable UPN check - -Currently it was not possible to skip the UPN check which checks if the -UPN in the PAC and the one stored in SSSD's cache are different. -Additionally the related debug message will show both principals if they -differ. - -Resolves: https://github.com/SSSD/sssd/issues/6451 - -(cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a) - -Reviewed-by: Alexey Tikhonov ---- - src/providers/ad/ad_pac_common.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c -index 0ed817111..79f79b7a7 100644 ---- a/src/providers/ad/ad_pac_common.c -+++ b/src/providers/ad/ad_pac_common.c -@@ -224,9 +224,19 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg, - - if (user_data != NULL) { - if (strcasecmp(user_data, upn_dns_info->upn_name) != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "UPN of user entry and PAC do not match.\n"); -- return ERR_CHECK_PAC_FAILED; -+ if (pac_check_opts & CHECK_PAC_CHECK_UPN) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "UPN of user entry [%s] and " -+ "PAC [%s] do not match.\n", -+ user_data, -+ upn_dns_info->upn_name); -+ return ERR_CHECK_PAC_FAILED; -+ } else { -+ DEBUG(SSSDBG_IMPORTANT_INFO, "UPN of user entry [%s] and " -+ "PAC [%s] do not match, " -+ "ignored.\n", user_data, -+ upn_dns_info->upn_name); -+ return EOK; -+ } - } - } - --- -2.37.3 - diff --git a/SOURCES/0018-ipa-do-not-add-guessed-principal-to-the-cache.patch b/SOURCES/0018-ipa-do-not-add-guessed-principal-to-the-cache.patch deleted file mode 100644 index 7ab2783..0000000 --- a/SOURCES/0018-ipa-do-not-add-guessed-principal-to-the-cache.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 29aa434816ce6ae2aaf3b0bcf24b89f05f426d1b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 22 Nov 2022 13:39:26 +0100 -Subject: [PATCH 18/19] ipa: do not add guessed principal to the cache - -Currently on IPA clients a calculated principal based on the user name -and the Kerberos realm is added to the cached user object. This code is -quite old and might have been necessary at times when sub-domain support -was added to SSSD. But since quite some time SSSD is capable of -generating the principal on the fly during authentication if nothing is -stored in the cache. - -Removing the code makes the cache more consistent with other use-cases, -e.g. with the IPA server where this attribute is empty, and allows to -properly detect a missing UPN, e.g. during the PAC validation. - -Resolves: https://github.com/SSSD/sssd/issues/6451 - -(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c) - -Reviewed-by: Alexey Tikhonov ---- - src/providers/ipa/ipa_s2n_exop.c | 44 -------------------------------- - 1 file changed, 44 deletions(-) - -diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c -index c68c1de26..81927a6b8 100644 ---- a/src/providers/ipa/ipa_s2n_exop.c -+++ b/src/providers/ipa/ipa_s2n_exop.c -@@ -2467,8 +2467,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, - time_t now; - struct sss_nss_homedir_ctx homedir_ctx; - char *name = NULL; -- char *realm; -- char *short_name = NULL; - char *upn = NULL; - gid_t gid; - gid_t orig_gid = 0; -@@ -2607,48 +2605,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, - goto done; - } - -- if (upn == NULL) { -- /* We also have to store a fake UPN here, because otherwise the -- * krb5 child later won't be able to properly construct one as -- * the username is fully qualified but the child doesn't have -- * access to the regex to deconstruct it */ -- /* FIXME: The real UPN is available from the PAC, we should get -- * it from there. 
*/ -- realm = get_uppercase_realm(tmp_ctx, dom->name); -- if (!realm) { -- DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n"); -- ret = ENOMEM; -- goto done; -- } -- -- ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name, -- &short_name, NULL); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Cannot parse internal name %s\n", -- attrs->a.user.pw_name); -- goto done; -- } -- -- upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm); -- if (!upn) { -- DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n"); -- ret = ENOMEM; -- goto done; -- } -- -- /* We might already have the SID or the UPN from other sources -- * hence sysdb_attrs_add_string_safe is used to avoid double -- * entries. */ -- ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN, -- upn); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, -- "sysdb_attrs_add_string failed.\n"); -- goto done; -- } -- } -- - if (req_input->type == REQ_INP_SECID) { - ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, - SYSDB_SID_STR, --- -2.37.3 - diff --git a/SOURCES/0019-pac-relax-default-check.patch b/SOURCES/0019-pac-relax-default-check.patch deleted file mode 100644 index 178a1e2..0000000 --- a/SOURCES/0019-pac-relax-default-check.patch +++ /dev/null 
@@ -1,164 +0,0 @@ -From 0e618c36ed74c240f7acd071ccb7bfd405b2d827 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 22 Nov 2022 14:43:21 +0100 -Subject: [PATCH 19/19] pac: relax default check - -To avoid issues with the UPN check during PAC validation when -'ldap_user_principal' is set to a not existing attribute to skip reading -user principals a new 'pac_check' option, 'check_upn_allow_missing' is -added to the default options. With this option only a log message is -shown but the check will not fail. - -Resolves: https://github.com/SSSD/sssd/issues/6451 - -(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79) - -Reviewed-by: Alexey Tikhonov ---- - src/confdb/confdb.h | 2 +- - src/man/sssd.conf.5.xml | 30 +++++++++++++++++++++++++++++- - src/providers/ad/ad_pac_common.c | 24 ++++++++++++++++++++---- - src/util/pac_utils.c | 10 ++++++++++ - src/util/util.h | 2 ++ - 5 files changed, 62 insertions(+), 6 deletions(-) - -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 83f6be7f9..5fda67585 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -181,7 +181,7 @@ - #define CONFDB_PAC_LIFETIME "pac_lifetime" - #define CONFDB_PAC_CHECK "pac_check" - #define CONFDB_PAC_CHECK_DEFAULT "no_check" --#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex" -+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_allow_missing, check_upn_dns_info_ex" - - /* InfoPipe */ - #define CONFDB_IFP_CONF_ENTRY "config/ifp" -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 7a9920815..d9f4a7481 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -2275,6 +2275,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - consistent. - - -+ -+ check_upn_allow_missing -+ -+ This option should be used together -+ with 'check_upn' and handles the case where -+ a UPN is set on the server-side but is not -+ read by SSSD. 
The typical example is a -+ FreeIPA domain where 'ldap_user_principal' -+ is set to a not existing attribute name. -+ This was typically done to work-around -+ issues in the handling of enterprise -+ principals. But this is fixed since quite -+ some time and FreeIPA can handle enterprise -+ principals just fine and there is no need -+ anymore to set 'ldap_user_principal'. -+ Currently this option is set by -+ default to avoid regressions in such -+ environments. A log message will be added -+ to the system log and SSSD's debug log in -+ case a UPN is found in the PAC but not in -+ SSSD's cache. To avoid this log message it -+ would be best to evaluate if the -+ 'ldap_user_principal' option can be removed. -+ If this is not possible, removing -+ 'check_upn' will skip the test and avoid the -+ log message. -+ -+ - - upn_dns_info_present - -@@ -2305,7 +2333,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - - - Default: no_check (AD and IPA provider -- 'check_upn, check_upn_dns_info_ex') -+ 'check_upn, check_upn_allow_missing, check_upn_dns_info_ex') - - - -diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c -index 79f79b7a7..fcb54cd2c 100644 ---- a/src/providers/ad/ad_pac_common.c -+++ b/src/providers/ad/ad_pac_common.c -@@ -215,10 +215,26 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg, - DEBUG(SSSDBG_MINOR_FAILURE, "User object does not have a UPN but PAC " - "says otherwise, maybe ldap_user_principal option is set.\n"); - if (pac_check_opts & CHECK_PAC_CHECK_UPN) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "UPN is missing but PAC UPN check required, " -- "PAC validation failed.\n"); -- return ERR_CHECK_PAC_FAILED; -+ if (pac_check_opts & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) { -+ DEBUG(SSSDBG_IMPORTANT_INFO, -+ "UPN is missing but PAC UPN check required, " -+ "PAC validation failed. However, " -+ "'check_upn_allow_missing' is set and the error is " -+ "ignored. 
To make this message go away please check " -+ "why the UPN is not read from the server. In FreeIPA " -+ "environments 'ldap_user_principal' is most probably " -+ "set to a non-existing attribute name to avoid " -+ "issues with enterprise principals. This is not " -+ "needed anymore with recent versions of FreeIPA.\n"); -+ sss_log(SSS_LOG_CRIT, "PAC validation issue, please check " -+ "sssd_pac.log for details"); -+ return EOK; -+ } else { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "UPN is missing but PAC UPN check required, " -+ "PAC validation failed.\n"); -+ return ERR_CHECK_PAC_FAILED; -+ } - } - } - -diff --git a/src/util/pac_utils.c b/src/util/pac_utils.c -index c53b0c082..4499d8dfd 100644 ---- a/src/util/pac_utils.c -+++ b/src/util/pac_utils.c -@@ -64,6 +64,8 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags) - flags |= CHECK_PAC_CHECK_UPN_DNS_INFO_EX; - flags |= CHECK_PAC_UPN_DNS_INFO_PRESENT; - flags |= CHECK_PAC_CHECK_UPN; -+ } else if (strcasecmp(list[c], CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR) == 0) { -+ flags |= CHECK_PAC_CHECK_UPN_ALLOW_MISSING; - } else { - DEBUG(SSSDBG_OP_FAILURE, "Unknown value [%s] for pac_check.\n", - list[c]); -@@ -72,6 +74,14 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags) - } - } - -+ if ((flags & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) -+ && !(flags & CHECK_PAC_CHECK_UPN)) { -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "pac_check option '%s' is set but '%s' is not set, this means " -+ "the UPN is not checked.\n", -+ CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR, CHECK_PAC_CHECK_UPN_STR); -+ } -+ - ret = EOK; - - done: -diff --git a/src/util/util.h b/src/util/util.h -index 6d9111874..4b2651c2c 100644 ---- a/src/util/util.h -+++ b/src/util/util.h -@@ -818,6 +818,8 @@ uint64_t get_spend_time_us(uint64_t st); - #define CHECK_PAC_CHECK_UPN_DNS_INFO_EX (1 << 3) - #define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT_STR "upn_dns_info_ex_present" - #define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT (1 << 4) -+#define 
CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR "check_upn_allow_missing" -+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING (1 << 5) - - errno_t get_pac_check_config(struct confdb_ctx *cdb, uint32_t *pac_check_opts); - #endif /* __SSSD_UTIL_H__ */ --- -2.37.3 - diff --git a/SOURCES/0020-oidc_child-escape-scopes.patch b/SOURCES/0020-oidc_child-escape-scopes.patch deleted file mode 100644 index 606eb26..0000000 --- a/SOURCES/0020-oidc_child-escape-scopes.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From ace43c8ce02d19cf536ce35749aa2ed734089189 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 18 Aug 2022 13:55:21 +0200 -Subject: [PATCH 20/23] oidc_child: escape scopes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Before using the user provided scopes in the HTTP request they should be -properly escaped according to RFC-3986. - -Resolves: https://github.com/SSSD/sssd/issues/6146 - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb) - -Reviewed-by: Alexey Tikhonov ---- - src/oidc_child/oidc_child.c | 4 ++-- - src/oidc_child/oidc_child_curl.c | 35 ++++++++++++++++++++++++++++++++ - src/oidc_child/oidc_child_util.h | 2 ++ - 3 files changed, 39 insertions(+), 2 deletions(-) - -diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c -index e58afccd3..aeeac3595 100644 ---- a/src/oidc_child/oidc_child.c -+++ b/src/oidc_child/oidc_child.c -@@ -119,9 +119,9 @@ static errno_t set_endpoints(struct devicecode_ctx *dc_ctx, - } - - if (scope != NULL && *scope != '\0') { -- dc_ctx->scope = talloc_strdup(dc_ctx, scope); -+ dc_ctx->scope = url_encode_string(dc_ctx, scope); - if (dc_ctx->scope == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy scopes.\n"); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to encode and copy scopes.\n"); - ret = ENOMEM; - goto done; - } -diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c -index 20e17a566..df438e007 100644 ---- a/src/oidc_child/oidc_child_curl.c -+++ b/src/oidc_child/oidc_child_curl.c -@@ -26,6 +26,41 @@ - #include - #include "oidc_child/oidc_child_util.h" - -+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp) -+{ -+ CURL *curl_ctx = NULL; -+ char *tmp; -+ char *out = NULL; -+ -+ if (inp == NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "Empty input.\n"); -+ return NULL; -+ } -+ -+ curl_ctx = curl_easy_init(); -+ if (curl_ctx == NULL) { -+ 
DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize curl.\n"); -+ return NULL; -+ } -+ -+ tmp = curl_easy_escape(curl_ctx, inp, 0); -+ if (tmp == NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "curl_easy_escape failed for [%s].\n", inp); -+ goto done; -+ } -+ -+ out = talloc_strdup(mem_ctx, tmp); -+ curl_free(tmp); -+ if (out == NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "talloc_strdup failed.\n"); -+ goto done; -+ } -+ -+done: -+ curl_easy_cleanup(curl_ctx); -+ return (out); -+} -+ - /* The curl write_callback will always append the received data. To start a - * new string call clean_http_data() before the curl request.*/ - void clean_http_data(struct devicecode_ctx *dc_ctx) -diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h -index c781bf1b1..ae5a72bc2 100644 ---- a/src/oidc_child/oidc_child_util.h -+++ b/src/oidc_child/oidc_child_util.h -@@ -61,6 +61,8 @@ struct devicecode_ctx { - }; - - /* oidc_child_curl.c */ -+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp); -+ - errno_t init_curl(void *p); - - void clean_http_data(struct devicecode_ctx *dc_ctx); --- -2.37.3 - diff --git a/SOURCES/0021-oidc_child-use-client-secret-if-available-to-get-dev.patch b/SOURCES/0021-oidc_child-use-client-secret-if-available-to-get-dev.patch deleted file mode 100644 index 2a4e9ab..0000000 --- a/SOURCES/0021-oidc_child-use-client-secret-if-available-to-get-dev.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 18 Aug 2022 14:01:34 +0200 -Subject: [PATCH 21/23] oidc_child: use client secret if available to get - device code -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Some IdP have the concept of confidential client, i.e. clients where the -client's secret can be stored safely by the related application. For a -confidential client some IdPs expects that the client secret is used in -all requests together with the client ID although OAuth2 specs currently -only mention this explicitly for the token request. To make sure the -device code can be requested in this case the client secret is added to -the device code request if the secret is provided. - -Resolves: https://github.com/SSSD/sssd/issues/6146 - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a) - -Reviewed-by: Alexey Tikhonov ---- - src/oidc_child/oidc_child.c | 2 +- - src/oidc_child/oidc_child_curl.c | 12 +++++++++++- - src/oidc_child/oidc_child_util.h | 2 +- - 3 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c -index aeeac3595..c8d35d5d8 100644 ---- a/src/oidc_child/oidc_child.c -+++ b/src/oidc_child/oidc_child.c -@@ -454,7 +454,7 @@ int main(int argc, const char *argv[]) - } - - if (opts.get_device_code) { -- ret = get_devicecode(dc_ctx, opts.client_id); -+ ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n"); - goto done; -diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c -index df438e007..6e80c3abf 100644 ---- a/src/oidc_child/oidc_child_curl.c -+++ b/src/oidc_child/oidc_child_curl.c -@@ -428,7 +428,7 @@ done: - #define DEFAULT_SCOPE "user" - - errno_t get_devicecode(struct 
devicecode_ctx *dc_ctx, -- const char *client_id) -+ const char *client_id, const char *client_secret) - { - int ret; - -@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx, - return ENOMEM; - } - -+ if (client_secret != NULL) { -+ post_data = talloc_asprintf_append(post_data, "&client_secret=%s", -+ client_secret); -+ if (post_data == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Failed to add client secret to POST data.\n"); -+ return ENOMEM; -+ } -+ } -+ - clean_http_data(dc_ctx); - ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint, - post_data, NULL); -diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h -index ae5a72bc2..8b106ae79 100644 ---- a/src/oidc_child/oidc_child_util.h -+++ b/src/oidc_child/oidc_child_util.h -@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx, - errno_t get_jwks(struct devicecode_ctx *dc_ctx); - - errno_t get_devicecode(struct devicecode_ctx *dc_ctx, -- const char *client_id); -+ const char *client_id, const char *client_secret); - - errno_t get_token(TALLOC_CTX *mem_ctx, - struct devicecode_ctx *dc_ctx, const char *client_id, --- -2.37.3 - diff --git a/SOURCES/0022-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch b/SOURCES/0022-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch deleted file mode 100644 index 8d2183c..0000000 --- a/SOURCES/0022-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 55bfa944ad0197ae294d85ac42abf98297fa3a5d Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 18 Aug 2022 14:19:59 +0200 -Subject: [PATCH 22/23] oidc_child: increase wait interval by 5s if 'slow_down' - is returned -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While waiting for the user to authenticate with the IdP oidc_child -currently only handles the error code 'authorization_pending' and waits -for the given interval until a new request is send. But there is also -'slow_down' which should not be treated as fatal error but should just -increase the waiting time permanently for 5s. - -Resolves: https://github.com/SSSD/sssd/issues/6146 - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit 5ed7670766483040211713f8182510775c76b962) - -Reviewed-by: Alexey Tikhonov ---- - src/oidc_child/oidc_child_curl.c | 8 +++++++- - src/oidc_child/oidc_child_json.c | 6 ++++++ - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c -index 6e80c3abf..cf0976021 100644 ---- a/src/oidc_child/oidc_child_curl.c -+++ b/src/oidc_child/oidc_child_curl.c -@@ -378,8 +378,14 @@ errno_t get_token(TALLOC_CTX *mem_ctx, - break; - } - -- sleep(dc_ctx->interval); - waiting_time += dc_ctx->interval; -+ if (waiting_time >= dc_ctx->expires_in) { -+ /* Next sleep will end after the request is expired on the -+ * server side, so we can just error out now. 
*/ -+ ret = ETIMEDOUT; -+ break; -+ } -+ sleep(dc_ctx->interval); - } while (waiting_time < dc_ctx->expires_in); - - if (ret != EOK) { -diff --git a/src/oidc_child/oidc_child_json.c b/src/oidc_child/oidc_child_json.c -index efc1997aa..a89794c4c 100644 ---- a/src/oidc_child/oidc_child_json.c -+++ b/src/oidc_child/oidc_child_json.c -@@ -413,6 +413,12 @@ errno_t parse_token_result(struct devicecode_ctx *dc_ctx, - if (strcmp(json_string_value(tmp), "authorization_pending") == 0) { - json_decref(result); - return EAGAIN; -+ } else if (strcmp(json_string_value(tmp), "slow_down") == 0) { -+ /* RFC 8628: "... the interval MUST be increased by 5 seconds for" -+ * "this and all subsequent requests." */ -+ dc_ctx->interval += 5; -+ json_decref(result); -+ return EAGAIN; - } else { - *error_description = get_json_string(dc_ctx, result, - "error_description"); --- -2.37.3 - diff --git a/SOURCES/0023-oidc_child-add-client-secret-stdin-option.patch b/SOURCES/0023-oidc_child-add-client-secret-stdin-option.patch deleted file mode 100644 index 8ac9ba7..0000000 --- a/SOURCES/0023-oidc_child-add-client-secret-stdin-option.patch +++ /dev/null 
@@ -1,194 +0,0 @@ -From 2f3cd781879e7063fcd996389071458587623e1c Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 22 Aug 2022 11:37:07 +0200 -Subject: [PATCH 23/23] oidc_child: add --client-secret-stdin option -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since there is the use-case of confidential client which requires that -the client secret must be sent to the IdP we should handle it -confidentially by not putting it on the command line but sending it via -stdin. - -Resolves: https://github.com/SSSD/sssd/issues/6146 - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit 1a475e0c537c905c80406ceb88c7b34e6400bc40) - -Reviewed-by: Alexey Tikhonov ---- - src/oidc_child/oidc_child.c | 89 ++++++++++++++++++++++++++++++++++--- - 1 file changed, 82 insertions(+), 7 deletions(-) - -diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c -index c8d35d5d8..7758cdc25 100644 ---- a/src/oidc_child/oidc_child.c -+++ b/src/oidc_child/oidc_child.c -@@ -34,7 +34,7 @@ - #include "util/atomic_io.h" - - #define IN_BUF_SIZE 4096 --static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx) -+static errno_t read_from_stdin(TALLOC_CTX *mem_ctx, char **out) - { - uint8_t buf[IN_BUF_SIZE]; - ssize_t len; -@@ -56,7 +56,7 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx) - return EINVAL; - } - -- str = talloc_strndup(dc_ctx, (char *) buf, len); -+ str = talloc_strndup(mem_ctx, (char *) buf, len); - sss_erase_mem_securely(buf, IN_BUF_SIZE); - if (str == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n"); -@@ -65,21 +65,72 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx) - talloc_set_destructor((void *) str, sss_erase_talloc_mem_securely); - - if (strlen(str) != len) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Input contains additional data, " -- "only JSON encoded device code expected.\n"); -+ 
DEBUG(SSSDBG_CRIT_FAILURE, "Input contains additional data.\n"); - talloc_free(str); - return EINVAL; - } - -+ *out = str; -+ -+ return EOK; -+} -+ -+static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx, -+ const char **out) -+{ -+ char *str; -+ errno_t ret; -+ char *sep; -+ -+ ret = read_from_stdin(dc_ctx, &str); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n"); -+ return ret; -+ } -+ -+ if (out != NULL) { -+ /* expect the client secret in the first line */ -+ sep = strchr(str, '\n'); -+ if (sep == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Format error, expecting client secret and JSON data.\n"); -+ talloc_free(str); -+ return EINVAL; -+ } -+ *sep = '\0'; -+ *out = str; -+ sep++; -+ } else { -+ sep = str; -+ } -+ - clean_http_data(dc_ctx); -- dc_ctx->http_data = str; -+ dc_ctx->http_data = talloc_strdup(dc_ctx, sep); - - DEBUG(SSSDBG_TRACE_ALL, "JSON device code: [%s].\n", dc_ctx->http_data); - - return EOK; - } - -+static errno_t read_client_secret_from_stdin(struct devicecode_ctx *dc_ctx, -+ const char **out) -+{ -+ char *str; -+ errno_t ret; -+ -+ ret = read_from_stdin(dc_ctx, &str); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n"); -+ return ret; -+ } -+ -+ *out = str; -+ -+ DEBUG(SSSDBG_TRACE_ALL, "Client secret: [%s].\n", *out); -+ -+ return EOK; -+} -+ - static errno_t set_endpoints(struct devicecode_ctx *dc_ctx, - const char *device_auth_endpoint, - const char *token_endpoint, -@@ -210,6 +261,7 @@ struct cli_opts { - const char *jwks_uri; - const char *scope; - const char *client_secret; -+ bool client_secret_stdin; - const char *ca_db; - const char *user_identifier_attr; - bool libcurl_debug; -@@ -253,6 +305,8 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts) - {"client-id", 0, POPT_ARG_STRING, &opts->client_id, 0, _("Client ID"), NULL}, - {"client-secret", 0, POPT_ARG_STRING, &opts->client_secret, 0, - _("Client secret (if needed)"), NULL}, -+ 
{"client-secret-stdin", 0, POPT_ARG_NONE, NULL, 's', -+ _("Read client secret from standard input"), NULL}, - {"ca-db", 0, POPT_ARG_STRING, &opts->ca_db, 0, - _("Path to PEM file with CA certificates"), NULL}, - {"libcurl-debug", 0, POPT_ARG_NONE, NULL, 'c', -@@ -280,6 +334,9 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts) - case 'c': - opts->libcurl_debug = true; - break; -+ case 's': -+ opts->client_secret_stdin = true; -+ break; - default: - fprintf(stderr, "\nInvalid option %s: %s\n\n", - poptBadOption(pc, 0), poptStrerror(opt)); -@@ -324,6 +381,12 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts) - goto done; - } - -+ if (opts->client_secret != NULL && opts->client_secret_stdin) { -+ fprintf(stderr, "\n--client-secret and --client-secret-stdin are " -+ "mutually exclusive.\n\n"); -+ goto done; -+ } -+ - poptFreeContext(pc); - print_usage = false; - -@@ -454,6 +517,15 @@ int main(int argc, const char *argv[]) - } - - if (opts.get_device_code) { -+ if (opts.client_secret_stdin) { -+ ret = read_client_secret_from_stdin(dc_ctx, &opts.client_secret); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Failed to read client secret from stdin.\n"); -+ goto done; -+ } -+ } -+ - ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n"); -@@ -463,7 +535,10 @@ int main(int argc, const char *argv[]) - - if (opts.get_access_token) { - if (dc_ctx->device_code == NULL) { -- ret = read_device_code_from_stdin(dc_ctx); -+ ret = read_device_code_from_stdin(dc_ctx, -+ opts.client_secret_stdin -+ ? &opts.client_secret -+ : NULL); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Failed to read device code from stdin.\n"); --- -2.37.3 - diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 4079416..c395105 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec 
@@ -18,8 +18,8 @@ %global enable_systemtap_opt --enable-systemtap Name: sssd -Version: 2.7.3 -Release: 4%{?dist}.3 +Version: 2.8.2 +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
@@ -27,29 +27,10 @@ URL: https://github.com/SSSD/sssd Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-Makefile-remove-unneeded-dependency.patch -Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch -Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch -Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch -Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch -Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch -Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch -Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch -Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch -Patch0010: 0010-CLIENT-fix-client-fd-leak.patch -Patch0011: 0011-krb5-respect-krb5_validate-for-PAC-checks.patch -Patch0012: 0012-Analyzer-Optimize-list-verbose-output.patch -Patch0013: 0013-Analyzer-Ensure-parsed-id-contains-digit.patch -Patch0014: 0014-TOOLS-don-t-export-internal-helpers.patch -Patch0015: 0015-TOOLS-fixed-handling-of-init-error.patch -Patch0016: 0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch -Patch0017: 0017-PAC-allow-to-disable-UPN-check.patch -Patch0018: 0018-ipa-do-not-add-guessed-principal-to-the-cache.patch -Patch0019: 0019-pac-relax-default-check.patch -Patch0020: 0020-oidc_child-escape-scopes.patch -Patch0021: 0021-oidc_child-use-client-secret-if-available-to-get-dev.patch -Patch0022: 0022-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch -Patch0023: 0023-oidc_child-add-client-secret-stdin-option.patch +Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch +Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch +Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch +Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch ### Downstream Patches ### 
@@ -127,6 +108,7 @@ BuildRequires: jansson-devel BuildRequires: libcurl-devel BuildRequires: libjose-devel BuildRequires: softhsm >= 2.1.0 +BuildRequires: bc BuildRequires: openssl BuildRequires: openssh BuildRequires: libnl3-devel @@ -613,7 +595,6 @@ autoreconf -ivf --with-syslog=journald \ --with-subid \ --enable-sss-default-nss-plugin \ - --enable-files-domain \ --without-python2-bindings \ --with-sssd-user=sssd \ %{?with_cifs_utils_plugin_option} \ @@ -1117,6 +1098,38 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %systemd_post sssd-ssh.socket %systemd_post sssd-sudo.socket +function mod_nss() { + if [ -f "$1" ] ; then + # Change order 'sss <-> files' if default pattern is found + match_pattern="^[[:blank:]]*(passwd|group):(.*)sss[[:blank:]]+files(.*)" + if grep -E -r -q -s "$match_pattern" "$1"; then + sed -i.save_by_rpm -E -e " + s/$match_pattern/\1:\2files sss\3/ + " "$1" &>/dev/null || : + # Remove obsolete comment + sed -i -E -e '/# .sssd. performs its own .files.-based caching, so it should generally/d' "$1" &>/dev/null || : + sed -i -E -e '/# come before .files.\./d' "$1" &>/dev/null || : + fi + fi +} + +if grep -E -r -q -s "[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/ || + grep -E -i -r -q -s "[[:blank:]]*enable_files_domain[[:blank:]]*=[[:blank:]]*true" /etc/sssd ; then + # "files provider" configured explicitly, leave nsswitch.conf intact + : +else + NSSFILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)" + if [ "$NSSFILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then + mod_nss "/etc/authselect/user-nsswitch.conf" + authselect apply-changes &> /dev/null || : + else + mod_nss "$NSSFILE" + # also apply the same changes to user-nsswitch.conf to affect + # possible future authselect configuration + mod_nss "/etc/authselect/user-nsswitch.conf" + fi +fi + %preun common %systemd_preun sssd.service %systemd_preun sssd-autofs.socket 
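Review bot: In the `%post` hunk, `NSSFILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"` uses plain `readlink`, which prints the link target exactly as stored; a relative target would neither equal `/etc/authselect/nsswitch.conf` nor pass the `[ -f "$1" ]` test in `mod_nss` from the scriptlet's working directory, so the whole rewrite would silently become a no-op. `readlink -f` gives the canonical absolute path for both the symlink and the plain-file case: `NSSFILE="$(readlink -f /etc/nsswitch.conf || echo /etc/nsswitch.conf)"`. Separately, every `sed` and `authselect apply-changes` failure is discarded with `&>/dev/null || :`, so a partially applied change to the name-service lookup order leaves no trace beyond the `.save_by_rpm` backup; at least echoing a warning on failure would let administrators know to inspect the file. Minor: `^[[:blank:]]*` sits outside capture group 1 in `match_pattern`, so the replacement `\1:\2files sss\3` drops any leading indentation of the matched line. The enclosing `%post` scriptlet begins before the hunk.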
@@ -1200,16 +1213,29 @@ fi %systemd_postun_with_restart sssd.service %changelog -* Thu Dec 15 2022 Alexey Tikhonov - 2.7.3-4.3 -- Resolves: rhbz#2152883 - authenticating against external IdP services okta (native app) with OAuth client secret failed [rhel-8.7.0.z] +* Mon Feb 13 2023 Alexey Tikhonov - 2.8.2-2 +- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" -* Fri Dec 9 2022 Alexey Tikhonov - 2.7.3-4.2 -- Resolves: rhbz#2139871 - Analyzer: Optimize and remove duplicate messages in verbose list [rhel-8.7.0.z] -- Resolves: rhbz#2142961 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged [rhel-8.7.0.z] -- Resolves: rhbz#2148989 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around [rhel-8.7.0.z] +* Mon Dec 19 2022 Alexey Tikhonov - 2.8.2-1 +- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 +- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. 
+- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization +- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list +- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged +- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around +- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) -* Thu Oct 13 2022 Alexey Tikhonov - 2.7.3-4.1 -- Resolves: rhbz#2128544 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) [rhel-8.7.0.z] +* Tue Nov 22 2022 Alexey Tikhonov - 2.8.1-1 +- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 +- Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr +- Resolves: rhbz#2144579 - sssd timezone issues sudonotafter +- Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file +- Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) +- Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed + +* Mon Oct 31 2022 Alexey Tikhonov - 2.7.3-5 +- Related: rhbz#2132051 - Rebase Samba to the the latest 4.17.x release + Rebuild against Samba rebase. * Fri Aug 26 2022 Alexey Tikhonov - 2.7.3-4 - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8