import sssd-2.4.0-9.el8

This commit is contained in:
CentOS Sources 2021-05-18 02:40:06 -04:00 committed by Andrew Lukoshko
parent f61586ecc1
commit 9e8c2ec9f3
98 changed files with 26342 additions and 23721 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/sssd-2.3.0.tar.gz
SOURCES/sssd-2.4.0.tar.gz


@ -1 +1 @@
61b8704c33ea80104fa9d94017c704e333c3c552 SOURCES/sssd-2.3.0.tar.gz
abcf616bf894d54623bf2541afdc7018e5d150aa SOURCES/sssd-2.4.0.tar.gz


@ -0,0 +1,64 @@
From ff24d1538af88f83d0a3cc2817952cf70e7ca580 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Sun, 22 Nov 2020 17:44:07 +0100
Subject: [PATCH] SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in
msgs[]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL
ptrs in results of sysdb_search_with_ts_attr()
Resolves: https://github.com/SSSD/sssd/issues/5412
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_search.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index e616fd5bc..4ff65c1ae 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -221,6 +221,7 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
const char *attrs[])
{
errno_t ret;
+ size_t ts_cache_res_count = 0;
struct ldb_result *ts_cache_res = NULL;
if (ts_res == NULL || ctx->ldb_ts == NULL) {
@@ -231,7 +232,6 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
if (ts_cache_res == NULL) {
return ENOMEM;
}
- ts_cache_res->count = ts_res->count;
ts_cache_res->msgs = talloc_zero_array(ts_cache_res,
struct ldb_message *,
ts_res->count);
@@ -244,15 +244,18 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
ret = merge_msg_sysdb_attrs(ts_cache_res->msgs,
ctx,
ts_res->msgs[c],
- &ts_cache_res->msgs[c], attrs);
- if (ret != EOK) {
+ &ts_cache_res->msgs[ts_cache_res_count],
+ attrs);
+ if ((ret != EOK) || (ts_cache_res->msgs[ts_cache_res_count] == NULL)) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Cannot merge sysdb cache values for %s\n",
ldb_dn_get_linearized(ts_res->msgs[c]->dn));
- /* non-fatal, we just get only the non-timestamp attrs */
+ /* non-fatal, just skip */
continue;
}
+ ts_cache_res_count += 1;
}
+ ts_cache_res->count = ts_cache_res_count;
*_ts_cache_res = ts_cache_res;
return EOK;
--
2.21.3
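Review bot: The compaction in the loop (`&ts_cache_res->msgs[ts_cache_res_count]` followed by `ts_cache_res->count = ts_cache_res_count;`) changes the result's shape without saying so: msgs[] no longer lines up index-for-index with ts_res->msgs[] and count can be lower than ts_res->count, so any caller that correlates the two arrays by index (none is visible here) would need adjusting. It is the right fix for the NULL entries that crashed be_refresh_get_values_ex(), but it deserves a comment at the assignment, e.g. `/* msgs[] is compacted: count may be < ts_res->count and indices do not map to ts_res->msgs[] */`. The skip comment would also be clearer if it named both conditions it covers: `/* non-fatal: skip entries that failed to merge or yielded no message */`. merge_res_sysdb_attrs starts before the first hunk and its closing brace is outside the last one.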


@ -1,114 +0,0 @@
From a7c755672cd277497da3df4714f6d9457b6ac5ae Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 28 May 2020 15:02:43 +0200
Subject: [PATCH] ad_gpo_ndr.c: more ndr updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch add another update to the ndr code which was previously
updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and
1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc.
As missing update in ndr_pull_security_ace() cased
a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was
added to prevent similar issues in future.
Resolves: https://github.com/SSSD/sssd/issues/5183
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_gpo_ndr.c | 1 +
src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+)
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
index acd7b77c8..71d6d40f2 100644
--- a/src/providers/ad/ad_gpo_ndr.c
+++ b/src/providers/ad/ad_gpo_ndr.c
@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr,
ndr->offset += pad;
}
if (ndr_flags & NDR_BUFFERS) {
+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
NDR_CHECK(ndr_pull_security_ace_object_ctr
(ndr, NDR_BUFFERS, &r->object));
}
diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c
index 97f70408a..d1f7a6915 100644
--- a/src/tests/cmocka/test_ad_gpo.c
+++ b/src/tests/cmocka/test_ad_gpo.c
@@ -347,6 +347,60 @@ void test_ad_gpo_ace_includes_host_sid_true(void **state)
group_size, ace_dom_sid, true);
}
+uint8_t test_sid_data[] = {
+0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
+0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
+0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8,
+0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55,
+0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00,
+0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60,
+0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
+0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00,
+0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00,
+0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11,
+0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
+0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00
+};
+
+void test_ad_gpo_parse_sd(void **state)
+{
+ int ret;
+ struct security_descriptor *sd = NULL;
+
+ ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd);
+ assert_int_equal(ret, EINVAL);
+
+ ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd);
+ assert_int_equal(ret, EOK);
+ assert_non_null(sd);
+ assert_int_equal(sd->revision, 1);
+ assert_int_equal(sd->type, 39940);
+ assert_null(sd->owner_sid);
+ assert_null(sd->group_sid);
+ assert_null(sd->sacl);
+ assert_non_null(sd->dacl);
+ assert_int_equal(sd->dacl->revision, 4);
+ assert_int_equal(sd->dacl->size, 308);
+ assert_int_equal(sd->dacl->num_aces, 10);
+ assert_int_equal(sd->dacl->aces[0].type, 0);
+ assert_int_equal(sd->dacl->aces[0].flags, 0);
+ assert_int_equal(sd->dacl->aces[0].size, 36);
+ assert_int_equal(sd->dacl->aces[0].access_mask, 917693);
+ /* There are more components and ACEs in the security_descriptor struct
+ * which are not checked here. */
+
+ talloc_free(sd);
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
@@ -385,6 +439,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true,
ad_gpo_test_setup,
ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */
--
2.21.1



@ -1,39 +0,0 @@
From 532b75c937d767caf60bb00f1a525ae7f6c70cc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 20 May 2020 12:07:13 +0200
Subject: [PATCH] test: avoid endian issues in network tests
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
---
src/tests/cmocka/test_nss_srv.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 2c91d0a23..3cd7809cf 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -35,6 +35,7 @@
#include "util/util_sss_idmap.h"
#include "util/crypto/sss_crypto.h"
#include "util/crypto/nss/nss_util.h"
+#include "util/sss_endian.h"
#include "db/sysdb_private.h" /* new_subdomain() */
#include "db/sysdb_iphosts.h"
#include "db/sysdb_ipnetworks.h"
@@ -5308,7 +5309,13 @@ struct netent test_netent = {
.n_name = discard_const("test_network"),
.n_aliases = discard_const(test_netent_aliases),
.n_addrtype = AF_INET,
+#if (__BYTE_ORDER == __LITTLE_ENDIAN)
.n_net = 0x04030201 /* 1.2.3.4 */
+#elif (__BYTE_ORDER == __BIG_ENDIAN)
+ .n_net = 0x01020304 /* 1.2.3.4 */
+#else
+ #error "unknow endianess"
+#endif
};
static void mock_input_netbyname(const char *name)
--
2.21.1


@ -0,0 +1,29 @@
From 833034f5332d2492d413a9c97fded1480b58bf14 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 21 Oct 2020 18:47:32 +0200
Subject: [PATCH 3/4] DEBUG: journal_send() was made static
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/util/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/debug.c b/src/util/debug.c
index 1d5f75e4d..c162987b9 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -201,7 +201,7 @@ static void debug_printf(const char *format, ...)
}
#ifdef WITH_JOURNALD
-errno_t journal_send(const char *file,
+static errno_t journal_send(const char *file,
long line,
const char *function,
int level,
--
2.21.3
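Review bot: Making journal_send() static is only complete if no header still declares it with external linkage; the corresponding header is not part of this patch, so if a prototype for journal_send exists there it should be dropped in the same change, since a static definition following a non-static declaration is rejected by the compiler. If no such prototype exists, the change is self-contained. The function's body continues outside the hunk.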


@ -1,137 +0,0 @@
From 61f4aaa56ea876fb75c1366c938818b7799408ab Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Wed, 29 Apr 2020 16:40:36 +0200
Subject: [PATCH] sssctl: sssctl config-check alternative config file
The sssctl config-check now allows to specify alternative config
file so it can be tested before rewriting system configuration.
sssctl config-check -c ./sssd.conf
Configuration snippets are looked up in the same place under
conf.d directory. It would be in ./conf.d/ for the example above.
Resolves:
https://github.com/SSSD/sssd/issues/5142
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/confdb/confdb.h | 6 ++--
src/tools/sssctl/sssctl_config.c | 56 ++++++++++++++++++++++++++++----
2 files changed, 53 insertions(+), 9 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 0a5593232..a2b58e12a 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -40,8 +40,10 @@
#define CONFDB_DEFAULT_CFG_FILE_VER 2
#define CONFDB_FILE "config.ldb"
-#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf"
-#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/conf.d"
+#define SSSD_CONFIG_FILE_NAME "sssd.conf"
+#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME
+#define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d"
+#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/"CONFDB_DEFAULT_CONFIG_DIR_NAME
#define SSSD_MIN_ID 1
#define SSSD_LOCAL_MINID 1000
#define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh"
diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index 74395b61c..de9f3de6e 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -34,6 +34,29 @@
#ifdef HAVE_LIBINI_CONFIG_V1_3
+
+static char *sssctl_config_snippet_path(TALLOC_CTX *ctx, const char *path)
+{
+ char *tmp = NULL;
+ const char delimiter = '/';
+ char *dpos = NULL;
+
+ tmp = talloc_strdup(ctx, path);
+ if (!tmp) {
+ return NULL;
+ }
+
+ dpos = strrchr(tmp, delimiter);
+ if (dpos != NULL) {
+ ++dpos;
+ *dpos = '\0';
+ } else {
+ *tmp = '\0';
+ }
+
+ return talloc_strdup_append(tmp, CONFDB_DEFAULT_CONFIG_DIR_NAME);
+}
+
errno_t sssctl_config_check(struct sss_cmdline *cmdline,
struct sss_tool_ctx *tool_ctx,
void *pvt)
@@ -47,8 +70,15 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
size_t num_ra_error, num_ra_success;
char **strs = NULL;
TALLOC_CTX *tmp_ctx = NULL;
-
- ret = sss_tool_popt(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
+ const char *config_path = NULL;
+ const char *config_snippet_path = NULL;
+ struct poptOption long_options[] = {
+ {"config", 'c', POPT_ARG_STRING, &config_path,
+ 0, _("Specify a non-default config file"), NULL},
+ POPT_TABLEEND
+ };
+
+ ret = sss_tool_popt(cmdline, long_options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
return ret;
@@ -62,17 +92,29 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
goto done;
}
+ if (config_path != NULL) {
+ config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path);
+ if (config_snippet_path == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ config_path = SSSD_CONFIG_FILE;
+ config_snippet_path = CONFDB_DEFAULT_CONFIG_DIR;
+ }
+
ret = sss_ini_read_sssd_conf(init_data,
- SSSD_CONFIG_FILE,
- CONFDB_DEFAULT_CONFIG_DIR);
+ config_path,
+ config_snippet_path);
if (ret == ERR_INI_OPEN_FAILED) {
- PRINT("Failed to open %s\n", SSSD_CONFIG_FILE);
+ PRINT("Failed to open %s\n", config_path);
goto done;
}
if (!sss_ini_exists(init_data)) {
- PRINT("File %1$s does not exist.\n", SSSD_CONFIG_FILE);
+ PRINT("File %1$s does not exist.\n", config_path);
}
if (ret == ERR_INI_INVALID_PERMISSION) {
@@ -83,7 +125,7 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
if (ret == ERR_INI_PARSE_FAILED) {
PRINT("Failed to load configuration from %s.\n",
- SSSD_CONFIG_FILE);
+ config_path);
goto done;
}
--
2.21.1


@ -0,0 +1,71 @@
From 18233532b72e62452eac6886652fa633ba055d8c Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 21 Oct 2020 19:20:03 +0200
Subject: [PATCH 4/4] DEBUG: fixes program identifier as seen in syslog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name`
to accomodate needs of own SSSD logs, but this affected journal/syslog
as well.
This patch amends situation:
- journal messages gets "umbrella" identifier "sssd[]"
- syslog uses default which is program name
Resolves: https://github.com/SSSD/sssd/issues/5384
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/util/debug.c | 2 +-
src/util/sss_log.c | 12 +++---------
2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/src/util/debug.c b/src/util/debug.c
index c162987b9..f05b26500 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -250,7 +250,7 @@ static errno_t journal_send(const char *file,
"MESSAGE=%s", message,
"PRIORITY=%i", LOG_DEBUG,
"SSSD_DOMAIN=%s", domain,
- "SSSD_PRG_NAME=%s", debug_prg_name,
+ "SSSD_PRG_NAME=sssd[%s]", debug_prg_name,
"SSSD_DEBUG_LEVEL=%x", level,
NULL);
ret = -res;
diff --git a/src/util/sss_log.c b/src/util/sss_log.c
index 48e73dbea..c6b7435c6 100644
--- a/src/util/sss_log.c
+++ b/src/util/sss_log.c
@@ -107,7 +107,7 @@ static void sss_log_internal(int priority, int facility, const char *format,
"SSSD_DOMAIN=%s", domain,
"PRIORITY=%i", syslog_priority,
"SYSLOG_FACILITY=%i", LOG_FAC(facility),
- "SYSLOG_IDENTIFIER=%s", debug_prg_name,
+ "SYSLOG_IDENTIFIER=sssd[%s]", debug_prg_name,
NULL);
free(message);
@@ -118,15 +118,9 @@ static void sss_log_internal(int priority, int facility, const char *format,
static void sss_log_internal(int priority, int facility, const char *format,
va_list ap)
{
- int syslog_priority;
-
- syslog_priority = sss_to_syslog(priority);
-
- openlog(debug_prg_name, 0, facility);
-
- vsyslog(syslog_priority, format, ap);
+ int syslog_priority = sss_to_syslog(priority);
- closelog();
+ vsyslog(facility|syslog_priority, format, ap);
}
#endif /* WITH_JOURNALD */
--
2.21.3
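Review bot: In the syslog branch of sss_log_internal, `vsyslog(facility|syslog_priority, format, ap);` is correct — syslog(3) accepts the facility OR'd into the priority — but with openlog() gone the reason the facility now travels in every call is not obvious from the line, so spell it out and space the operator: `vsyslog(facility | syslog_priority, format, ap); /* no openlog(): facility per call, ident defaults to the program name */`. Dropping the per-message openlog()/closelog() pair also leaves the syslog connection open between calls, which is the normal use of the API rather than a leak. The #ifdef/#else structure around sss_log_internal extends outside the hunks.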


@ -1,664 +0,0 @@
From 375887543daf26003ff7d900cf6a69d0c0b58523 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 27 May 2020 22:33:50 +0200
Subject: [PATCH] DEBUG: only open child process log files when required
There was no reason to keep child process log files open permanently.
This patch:
- helps to avoid issue when SIGHUP was ignored for child process logs;
- somewhat reduces code duplication.
Resolves: https://github.com/SSSD/sssd/issues/4667
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/providers/ad/ad_gpo.c | 17 +++--------------
src/providers/ad/ad_init.c | 7 -------
src/providers/ad/ad_machine_pw_renewal.c | 2 +-
src/providers/ipa/ipa_init.c | 7 -------
src/providers/ipa/ipa_selinux.c | 17 +----------------
src/providers/krb5/krb5_child_handler.c | 2 +-
src/providers/krb5/krb5_common.h | 1 -
src/providers/krb5/krb5_init_shared.c | 8 --------
src/providers/ldap/ldap_common.c | 3 ---
src/providers/ldap/ldap_common.h | 6 ------
src/providers/ldap/ldap_init.c | 7 -------
src/providers/ldap/sdap_child_helpers.c | 10 +---------
src/responder/pam/pamsrv.c | 1 -
src/responder/pam/pamsrv.h | 2 --
src/responder/pam/pamsrv_cmd.c | 2 +-
src/responder/pam/pamsrv_p11.c | 9 ++-------
src/responder/ssh/ssh_private.h | 1 -
src/responder/ssh/ssh_reply.c | 4 ++--
src/responder/ssh/sshsrv.c | 10 ----------
src/tests/cmocka/test_cert_utils.c | 12 ++++++------
src/util/cert.h | 2 +-
src/util/cert/cert_common_p11_child.c | 9 ++++-----
src/util/child_common.c | 21 +++++++++++++++++----
src/util/child_common.h | 6 ++----
24 files changed, 42 insertions(+), 124 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index f17917552..bbe8d8a1e 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -99,15 +99,14 @@
#define GPO_CHILD SSSD_LIBEXEC_PATH"/gpo_child"
#endif
+#define GPO_CHILD_LOG_FILE "gpo_child"
+
/* If INI_PARSE_IGNORE_NON_KVP is not defined, use 0 (no effect) */
#ifndef INI_PARSE_IGNORE_NON_KVP
#define INI_PARSE_IGNORE_NON_KVP 0
#warning INI_PARSE_IGNORE_NON_KVP not defined.
#endif
-/* fd used by the gpo_child process for logging */
-int gpo_child_debug_fd = -1;
-
/* == common data structures and declarations ============================= */
struct gp_som {
@@ -1618,13 +1617,6 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
return ret;
}
-#define GPO_CHILD_LOG_FILE "gpo_child"
-
-static errno_t gpo_child_init(void)
-{
- return child_debug_init(GPO_CHILD_LOG_FILE, &gpo_child_debug_fd);
-}
-
/*
* This function retrieves the raw policy_setting_value for the input key from
* the GPO_Result object in the sysdb cache. It then parses the raw value and
@@ -1808,9 +1800,6 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
hash_value_t val;
enum gpo_map_type gpo_map_type;
- /* setup logging for gpo child */
- gpo_child_init();
-
req = tevent_req_create(mem_ctx, &state, struct ad_gpo_access_state);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
@@ -4763,7 +4752,7 @@ gpo_fork_child(struct tevent_req *req)
if (pid == 0) { /* child */
exec_child_ex(state,
pipefd_to_child, pipefd_from_child,
- GPO_CHILD, gpo_child_debug_fd, NULL, false,
+ GPO_CHILD, GPO_CHILD_LOG_FILE, NULL, false,
STDIN_FILENO, AD_GPO_CHILD_OUT_FILENO);
/* We should never get here */
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 05535fcb0..704e63a06 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -402,13 +402,6 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
sdap_id_ctx->opts->sdom->pvt = ad_id_ctx;
- ret = sdap_setup_child();
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n",
- ret, sss_strerror(ret));
- return ret;
- }
-
ret = ad_init_srv_plugin(be_ctx, ad_options);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup SRV plugin [%d]: %s\n",
diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
index e0db5fad5..ce9bbe6f3 100644
--- a/src/providers/ad/ad_machine_pw_renewal.c
+++ b/src/providers/ad/ad_machine_pw_renewal.c
@@ -185,7 +185,7 @@ ad_machine_account_password_renewal_send(TALLOC_CTX *mem_ctx,
child_pid = fork();
if (child_pid == 0) { /* child */
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
- renewal_data->prog_path, -1,
+ renewal_data->prog_path, NULL,
extra_args, true,
STDIN_FILENO, STDERR_FILENO);
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index cdfd11d7a..d8d592653 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -571,13 +571,6 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx,
return ret;
}
- ret = sdap_setup_child();
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
- ret, sss_strerror(ret));
- return ret;
- }
-
if (dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE)) {
ret = ipa_init_server_mode(be_ctx, ipa_options, ipa_id_ctx);
if (ret != EOK) {
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 630f68ad5..9ae37b90d 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -51,9 +51,6 @@
#include <selinux/selinux.h>
-/* fd used by the selinux_child process for logging */
-int selinux_child_debug_fd = -1;
-
static struct tevent_req *
ipa_get_selinux_send(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
@@ -565,7 +562,6 @@ struct selinux_child_state {
struct child_io_fds *io;
};
-static errno_t selinux_child_init(void);
static errno_t selinux_child_create_buffer(struct selinux_child_state *state);
static errno_t selinux_fork_child(struct selinux_child_state *state);
static void selinux_child_step(struct tevent_req *subreq);
@@ -602,12 +598,6 @@ static struct tevent_req *selinux_child_send(TALLOC_CTX *mem_ctx,
state->io->read_from_child_fd = -1;
talloc_set_destructor((void *) state->io, child_io_destructor);
- ret = selinux_child_init();
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to init the child\n");
- goto immediately;
- }
-
ret = selinux_child_create_buffer(state);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to create the send buffer\n");
@@ -638,11 +628,6 @@ immediately:
return req;
}
-static errno_t selinux_child_init(void)
-{
- return child_debug_init(SELINUX_CHILD_LOG_FILE, &selinux_child_debug_fd);
-}
-
static errno_t selinux_child_create_buffer(struct selinux_child_state *state)
{
size_t rp;
@@ -712,7 +697,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
if (pid == 0) { /* child */
exec_child(state, pipefd_to_child, pipefd_from_child,
- SELINUX_CHILD, selinux_child_debug_fd);
+ SELINUX_CHILD, SELINUX_CHILD_LOG_FILE);
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
ret, sss_strerror(ret));
return ret;
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index b7fb54499..8546285b2 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -465,7 +465,7 @@ static errno_t fork_child(struct tevent_req *req)
if (pid == 0) { /* child */
exec_child_ex(state,
pipefd_to_child, pipefd_from_child,
- KRB5_CHILD, state->kr->krb5_ctx->child_debug_fd,
+ KRB5_CHILD, KRB5_CHILD_LOG_FILE,
krb5_child_extra_args, false,
STDIN_FILENO, STDOUT_FILENO);
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 493d12e5f..f198e2684 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -124,7 +124,6 @@ struct krb5_ctx {
struct dp_option *opts;
struct krb5_service *service;
struct krb5_service *kpasswd_service;
- int child_debug_fd;
sss_regexp_t *illegal_path_re;
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
index afe15b365..ea3d32805 100644
--- a/src/providers/krb5/krb5_init_shared.c
+++ b/src/providers/krb5/krb5_init_shared.c
@@ -71,14 +71,6 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
goto done;
}
- krb5_auth_ctx->child_debug_fd = -1; /* -1 means not initialized */
- ret = child_debug_init(KRB5_CHILD_LOG_FILE,
- &krb5_auth_ctx->child_debug_fd);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not set krb5_child debugging!\n");
- goto done;
- }
-
ret = parse_krb5_map_user(krb5_auth_ctx,
dp_opt_get_cstring(krb5_auth_ctx->opts,
KRB5_MAP_USER),
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 9d7806a2f..2133db36f 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -35,9 +35,6 @@
#include "providers/ldap/sdap_idmap.h"
-/* a fd the child process would log into */
-int ldap_child_debug_fd = -1;
-
errno_t ldap_id_setup_tasks(struct sdap_id_ctx *ctx)
{
return sdap_id_setup_tasks(ctx->be, ctx, ctx->opts->sdom,
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 63ee5dd84..13e6d4871 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -44,9 +44,6 @@
#define LDAP_ENUM_PURGE_TIMEOUT 10800
-/* a fd the child process would log into */
-extern int ldap_child_debug_fd;
-
struct sdap_id_ctx;
struct sdap_id_conn_ctx {
@@ -342,9 +339,6 @@ sdap_ipnetwork_handler_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
struct dp_reply_std *data);
-/* setup child logging */
-int sdap_setup_child(void);
-
errno_t string_to_shadowpw_days(const char *s, long *d);
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 1be5d13de..de64e5985 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -419,13 +419,6 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
return ret;
}
- ret = sdap_setup_child();
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
- ret, sss_strerror(ret));
- return ret;
- }
-
/* Setup SRV lookup plugin */
ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL);
if (ret != EOK) {
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index a03d28c9c..9d25aea8b 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -111,7 +111,7 @@ static errno_t sdap_fork_child(struct tevent_context *ev,
if (pid == 0) { /* child */
exec_child(child,
pipefd_to_child, pipefd_from_child,
- LDAP_CHILD, ldap_child_debug_fd);
+ LDAP_CHILD, LDAP_CHILD_LOG_FILE);
/* We should never get here */
DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec LDAP child\n");
@@ -512,11 +512,3 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req,
return EOK;
}
-
-
-
-/* Setup child logging */
-int sdap_setup_child(void)
-{
- return child_debug_init(LDAP_CHILD_LOG_FILE, &ldap_child_debug_fd);
-}
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index a4c9ebbbb..dde44a472 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -277,7 +277,6 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
goto done;
}
- pctx->p11_child_debug_fd = -1;
if (pctx->cert_auth) {
ret = p11_child_init(pctx);
if (ret != EOK) {
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 24bd9764d..478d91b93 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -54,7 +54,6 @@ struct pam_ctx {
char **app_services;
bool cert_auth;
- int p11_child_debug_fd;
char *nss_db;
struct sss_certmap_ctx *sss_certmap_ctx;
char **smartcard_services;
@@ -110,7 +109,6 @@ void sss_cai_check_users(struct cert_auth_info **list, size_t *_cert_count,
struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- int child_debug_fd,
const char *nss_db,
time_t timeout,
const char *verify_opts,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ddde9eda2..1cd901f15 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1404,7 +1404,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
return ret;
}
- req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
+ req = pam_check_cert_send(mctx, ev,
pctx->nss_db, p11_child_timeout,
cert_verification_opts, pctx->sss_certmap_ctx,
uri, pd);
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 8e276b200..3f0afaeff 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -242,7 +242,7 @@ errno_t p11_child_init(struct pam_ctx *pctx)
return ret;
}
- return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
+ return EOK;
}
static inline bool
@@ -705,7 +705,6 @@ static void p11_child_timeout(struct tevent_context *ev,
struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- int child_debug_fd,
const char *nss_db,
time_t timeout,
const char *verify_opts,
@@ -838,14 +837,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
goto done;
}
- if (child_debug_fd == -1) {
- child_debug_fd = STDERR_FILENO;
- }
-
child_pid = fork();
if (child_pid == 0) { /* child */
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
- P11_CHILD_PATH, child_debug_fd, extra_args, false,
+ P11_CHILD_PATH, P11_CHILD_LOG_FILE, extra_args, false,
STDIN_FILENO, STDOUT_FILENO);
/* We should never get here */
diff --git a/src/responder/ssh/ssh_private.h b/src/responder/ssh/ssh_private.h
index 028ccd616..5aa7e37d6 100644
--- a/src/responder/ssh/ssh_private.h
+++ b/src/responder/ssh/ssh_private.h
@@ -36,7 +36,6 @@ struct ssh_ctx {
char *ca_db;
bool use_cert_keys;
- int p11_child_debug_fd;
time_t certmap_last_read;
struct sss_certmap_ctx *sss_certmap_ctx;
char **cert_rules;
diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c
index 97914266d..edeb28765 100644
--- a/src/responder/ssh/ssh_reply.c
+++ b/src/responder/ssh/ssh_reply.c
@@ -249,7 +249,7 @@ struct tevent_req *ssh_get_output_keys_send(TALLOC_CTX *mem_ctx,
: state->user_cert_override;
subreq = cert_to_ssh_key_send(state, state->ev,
- state->ssh_ctx->p11_child_debug_fd,
+ P11_CHILD_LOG_FILE,
state->p11_child_timeout,
state->ssh_ctx->ca_db,
state->ssh_ctx->sss_certmap_ctx,
@@ -335,7 +335,7 @@ void ssh_get_output_keys_done(struct tevent_req *subreq)
goto done;
}
- subreq = cert_to_ssh_key_send(state, state->ev, -1,
+ subreq = cert_to_ssh_key_send(state, state->ev, NULL,
state->p11_child_timeout,
state->ssh_ctx->ca_db,
state->ssh_ctx->sss_certmap_ctx,
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 7765e91b8..6072a702c 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -126,16 +126,6 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ssh_ctx->p11_child_debug_fd = -1;
- if (ssh_ctx->use_cert_keys) {
- ret = child_debug_init(P11_CHILD_LOG_FILE,
- &ssh_ctx->p11_child_debug_fd);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Failed to setup p11_child logging, ignored.\n");
- }
- }
-
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c
index 848ed1a8d..1ff20576a 100644
--- a/src/tests/cmocka/test_cert_utils.c
+++ b/src/tests/cmocka/test_cert_utils.c
@@ -391,7 +391,7 @@ void test_cert_to_ssh_key_send(void **state)
ev = tevent_context_init(ts);
assert_non_null(ev);
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
#ifdef HAVE_NSS
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
#else
@@ -465,7 +465,7 @@ void test_cert_to_ssh_2keys_send(void **state)
ev = tevent_context_init(ts);
assert_non_null(ev);
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
#ifdef HAVE_NSS
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
#else
@@ -548,7 +548,7 @@ void test_cert_to_ssh_2keys_invalid_send(void **state)
ev = tevent_context_init(ts);
assert_non_null(ev);
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
#ifdef HAVE_NSS
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
#else
@@ -614,7 +614,7 @@ void test_ec_cert_to_ssh_key_send(void **state)
ev = tevent_context_init(ts);
assert_non_null(ev);
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
#ifdef HAVE_NSS
"sql:" ABS_BUILD_DIR "/src/tests/test_ECC_CA/p11_ecc_nssdb",
#else
@@ -691,7 +691,7 @@ void test_cert_to_ssh_2keys_with_certmap_send(void **state)
ev = tevent_context_init(ts);
assert_non_null(ev);
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
#ifdef HAVE_NSS
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
#else
@@ -769,7 +769,7 @@ void test_cert_to_ssh_2keys_with_certmap_2_send(void **state)
ev = tevent_context_init(ts);
assert_non_null(ev);
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
#ifdef HAVE_NSS
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
#else
diff --git a/src/util/cert.h b/src/util/cert.h
index d038a99f6..16dda37b3 100644
--- a/src/util/cert.h
+++ b/src/util/cert.h
@@ -57,7 +57,7 @@ errno_t get_ssh_key_from_derb64(TALLOC_CTX *mem_ctx, const char *derb64,
struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- int child_debug_fd, time_t timeout,
+ const char *logfile, time_t timeout,
const char *ca_db,
struct sss_certmap_ctx *sss_certmap_ctx,
size_t cert_count,
diff --git a/src/util/cert/cert_common_p11_child.c b/src/util/cert/cert_common_p11_child.c
index 1846ff89a..18a331f23 100644
--- a/src/util/cert/cert_common_p11_child.c
+++ b/src/util/cert/cert_common_p11_child.c
@@ -24,7 +24,7 @@
struct cert_to_ssh_key_state {
struct tevent_context *ev;
- int child_debug_fd;
+ const char *logfile;
time_t timeout;
const char **extra_args;
const char **certs;
@@ -45,7 +45,7 @@ static void cert_to_ssh_key_done(int child_status,
struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- int child_debug_fd, time_t timeout,
+ const char *logfile, time_t timeout,
const char *ca_db,
struct sss_certmap_ctx *sss_certmap_ctx,
size_t cert_count,
@@ -70,8 +70,7 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
}
state->ev = ev;
- state->child_debug_fd = (child_debug_fd == -1) ? STDERR_FILENO
- : child_debug_fd;
+ state->logfile = logfile;
state->timeout = timeout;
state->io = talloc(state, struct child_io_fds);
if (state->io == NULL) {
@@ -205,7 +204,7 @@ static errno_t cert_to_ssh_key_step(struct tevent_req *req)
child_pid = fork();
if (child_pid == 0) { /* child */
exec_child_ex(state, pipefd_to_child, pipefd_from_child, P11_CHILD_PATH,
- state->child_debug_fd, state->extra_args, false,
+ state->logfile, state->extra_args, false,
STDIN_FILENO, STDOUT_FILENO);
/* We should never get here */
DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec p11 child\n");
diff --git a/src/util/child_common.c b/src/util/child_common.c
index 3a07580c2..5cac725ca 100644
--- a/src/util/child_common.c
+++ b/src/util/child_common.c
@@ -47,6 +47,8 @@ struct sss_child_ctx {
struct sss_sigchild_ctx *sigchld_ctx;
};
+static errno_t child_debug_init(const char *logfile, int *debug_fd);
+
static void sss_child_handler(struct tevent_context *ev,
struct tevent_signal *se,
int signum,
@@ -725,13 +727,24 @@ fail:
void exec_child_ex(TALLOC_CTX *mem_ctx,
int *pipefd_to_child, int *pipefd_from_child,
- const char *binary, int debug_fd,
+ const char *binary, const char *logfile,
const char *extra_argv[], bool extra_args_only,
int child_in_fd, int child_out_fd)
{
int ret;
errno_t err;
char **argv;
+ int debug_fd = -1;
+
+ if (logfile) {
+ ret = child_debug_init(logfile, &debug_fd);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "child_debug_init() failed.\n");
+ exit(EXIT_FAILURE);
+ }
+ } else {
+ debug_fd = STDERR_FILENO;
+ }
close(pipefd_to_child[1]);
ret = dup2(pipefd_to_child[0], child_in_fd);
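Review bot: A failure of child_debug_init() now ends the forked child with exit(EXIT_FAILURE), whereas the ssh_process_init code removed in the same patch treated that failure as non-fatal ("Failed to setup p11_child logging, ignored"); an unwritable log file therefore stops the helper from running at all rather than degrading its logging. Falling back to stderr keeps the old behaviour: `DEBUG(SSSDBG_CRIT_FAILURE, "child_debug_init() failed, logging to stderr.\n");` followed by `debug_fd = STDERR_FILENO;` in place of the exit. If a hard failure is intended, `_exit(EXIT_FAILURE)` is the safer call here, since exit() in a forked child runs the parent's atexit handlers and flushes stdio buffers inherited from it. exec_child_ex's body continues outside the hunk.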
@@ -767,10 +780,10 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
void exec_child(TALLOC_CTX *mem_ctx,
int *pipefd_to_child, int *pipefd_from_child,
- const char *binary, int debug_fd)
+ const char *binary, const char *logfile)
{
exec_child_ex(mem_ctx, pipefd_to_child, pipefd_from_child,
- binary, debug_fd, NULL, false,
+ binary, logfile, NULL, false,
STDIN_FILENO, STDOUT_FILENO);
}
@@ -803,7 +816,7 @@ int child_io_destructor(void *ptr)
return EOK;
}
-errno_t child_debug_init(const char *logfile, int *debug_fd)
+static errno_t child_debug_init(const char *logfile, int *debug_fd)
{
int ret;
FILE *debug_filep;
diff --git a/src/util/child_common.h b/src/util/child_common.h
index 37116e2a7..92d66a500 100644
--- a/src/util/child_common.h
+++ b/src/util/child_common.h
@@ -106,7 +106,7 @@ void fd_nonblocking(int fd);
/* Never returns EOK, ether returns an error, or doesn't return on success */
void exec_child_ex(TALLOC_CTX *mem_ctx,
int *pipefd_to_child, int *pipefd_from_child,
- const char *binary, int debug_fd,
+ const char *binary, const char *logfile,
const char *extra_argv[], bool extra_args_only,
int child_in_fd, int child_out_fd);
@@ -115,10 +115,8 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
*/
void exec_child(TALLOC_CTX *mem_ctx,
int *pipefd_to_child, int *pipefd_from_child,
- const char *binary, int debug_fd);
+ const char *binary, const char *logfile);
int child_io_destructor(void *ptr);
-errno_t child_debug_init(const char *logfile, int *debug_fd);
-
#endif /* __CHILD_COMMON_H__ */
--
2.21.3


@ -1,64 +0,0 @@
From e58853f9ce63fae0c8b219b79be65c760a2f3e7e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 5 Jun 2020 13:57:59 +0200
Subject: [PATCH] DEBUG: use new exec_child(_ex) interface in tests
Resolves: https://github.com/SSSD/sssd/issues/4667
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tests/cmocka/test_child_common.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/tests/cmocka/test_child_common.c b/src/tests/cmocka/test_child_common.c
index 5cf460b50..87cae3405 100644
--- a/src/tests/cmocka/test_child_common.c
+++ b/src/tests/cmocka/test_child_common.c
@@ -97,7 +97,7 @@ void test_exec_child(void **state)
exec_child(child_tctx,
child_tctx->pipefd_to_child,
child_tctx->pipefd_from_child,
- CHILD_DIR"/"TEST_BIN, 2);
+ CHILD_DIR"/"TEST_BIN, NULL);
} else {
do {
errno = 0;
@@ -168,7 +168,7 @@ static void extra_args_test(struct child_test_ctx *child_tctx,
exec_child_ex(child_tctx,
child_tctx->pipefd_to_child,
child_tctx->pipefd_from_child,
- CHILD_DIR"/"TEST_BIN, 2, extra_args,
+ CHILD_DIR"/"TEST_BIN, NULL, extra_args,
extra_args_only,
STDIN_FILENO, STDOUT_FILENO);
} else {
@@ -291,7 +291,7 @@ void test_exec_child_handler(void **state)
exec_child(child_tctx,
child_tctx->pipefd_to_child,
child_tctx->pipefd_from_child,
- CHILD_DIR"/"TEST_BIN, 2);
+ CHILD_DIR"/"TEST_BIN, NULL);
}
ret = child_handler_setup(child_tctx->test_ctx->ev, child_pid,
@@ -341,7 +341,7 @@ void test_exec_child_echo(void **state)
exec_child_ex(child_tctx,
child_tctx->pipefd_to_child,
child_tctx->pipefd_from_child,
- CHILD_DIR"/"TEST_BIN, 2, NULL, false,
+ CHILD_DIR"/"TEST_BIN, NULL, NULL, false,
STDIN_FILENO, 3);
}
@@ -474,7 +474,7 @@ void test_sss_child(void **state)
exec_child(child_tctx,
child_tctx->pipefd_to_child,
child_tctx->pipefd_from_child,
- CHILD_DIR"/"TEST_BIN, 2);
+ CHILD_DIR"/"TEST_BIN, NULL);
}
ret = sss_child_register(child_tctx, sc_ctx,
--
2.21.3


@ -0,0 +1,36 @@
From 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 8 Oct 2020 12:18:41 +0200
Subject: [PATCH 5/8] negcache: make sure domain config does not leak into
global
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/negcache.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index ce1c0ab8c..139218420 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -1050,6 +1050,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
}
+ talloc_zfree(filter_list);
/* Populate non domain-specific negative cache user entries */
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_FILTER_USERS, &filter_list);
@@ -1185,6 +1186,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
}
+ talloc_zfree(filter_list);
/* Populate non domain-specific negative cache group entries */
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_FILTER_GROUPS, &filter_list);
--
2.21.3


@ -1,60 +0,0 @@
From 88e92967a7b4e3e4501b17f21812467effa331c7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 16 Jun 2020 13:51:28 +0200
Subject: [PATCH] NEGCACHE: skip permanent entries in [users/groups] reset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Files provider calling `sss_ncache_reset_[users/groups]()`
during cache rebuilding was breaking neg-cache prepopulation.
Resolves: https://github.com/SSSD/sssd/issues/1024
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/responder/common/negcache.c | 9 +++++++++
src/responder/common/negcache.h | 1 +
2 files changed, 10 insertions(+)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index d9545aef6..ce1c0ab8c 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -900,12 +900,21 @@ static int delete_prefix(struct tdb_context *tdb,
TDB_DATA key, TDB_DATA data, void *state)
{
const char *prefix = (const char *) state;
+ unsigned long long int timestamp;
+ char *ep = NULL;
if (strncmp((char *)key.dptr, prefix, strlen(prefix) - 1) != 0) {
/* not interested in this key */
return 0;
}
+ errno = 0;
+ timestamp = strtoull((const char *)data.dptr, &ep, 10);
+ if ((errno == 0) && (*ep == '\0') && (timestamp == 0)) {
+ /* skip permanent entries */
+ return 0;
+ }
+
return tdb_delete(tdb, key);
}
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
index a80412215..4dcfb5e8f 100644
--- a/src/responder/common/negcache.h
+++ b/src/responder/common/negcache.h
@@ -146,6 +146,7 @@ int sss_ncache_set_locate_uid(struct sss_nc_ctx *ctx,
uid_t uid);
int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx);
+/* sss_ncache_reset_[users/groups] skips permanent entries */
int sss_ncache_reset_users(struct sss_nc_ctx *ctx);
int sss_ncache_reset_groups(struct sss_nc_ctx *ctx);
--
2.21.3


@ -0,0 +1,106 @@
From 385af99ff4d5a75d0c1edc9ad830da3eb7478295 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 8 Oct 2020 17:57:29 +0200
Subject: [PATCH 6/8] utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
To allow to only iterate over a singel domain an its sub-domains a new
flag is added to get_next_domain().
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tests/cmocka/test_utils.c | 31 +++++++++++++++++++++++++++++++
src/util/domain_info_utils.c | 10 +++++++---
src/util/util.h | 4 ++++
3 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 945f5cb44..d77a972c1 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -877,6 +877,37 @@ static void test_get_next_domain_flags(void **state)
dom = get_next_domain(dom, gnd_flags);
assert_null(dom);
+
+ /* Descend only to subdomains */
+ gnd_flags = SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub1a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ dom = find_domain_by_name_ex(test_ctx->dom_list, "dom2", true,
+ SSS_GND_ALL_DOMAINS);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2b");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ /* Expect NULL if the domain has no sub-domains */
+ test_ctx->dom_list->subdomains = NULL;
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_null(dom);
}
struct name_init_test_ctx {
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index aa3582f03..4d4726daa 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -39,16 +39,20 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
uint32_t gnd_flags)
{
struct sss_domain_info *dom;
- bool descend = gnd_flags & SSS_GND_DESCEND;
+ bool descend = gnd_flags & (SSS_GND_DESCEND | SSS_GND_SUBDOMAINS);
bool include_disabled = gnd_flags & SSS_GND_INCLUDE_DISABLED;
+ bool only_subdomains = gnd_flags & SSS_GND_SUBDOMAINS;
dom = domain;
while (dom) {
if (descend && dom->subdomains) {
dom = dom->subdomains;
- } else if (dom->next) {
+ } else if (dom->next && only_subdomains && IS_SUBDOMAIN(dom)) {
dom = dom->next;
- } else if (descend && IS_SUBDOMAIN(dom) && dom->parent->next) {
+ } else if (dom->next && !only_subdomains) {
+ dom = dom->next;
+ } else if (descend && !only_subdomains && IS_SUBDOMAIN(dom)
+ && dom->parent->next) {
dom = dom->parent->next;
} else {
dom = NULL;
diff --git a/src/util/util.h b/src/util/util.h
index fbcac5cd0..581c0edfb 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -565,7 +565,11 @@ struct sss_domain_info *get_domains_head(struct sss_domain_info *domain);
#define SSS_GND_DESCEND 0x01
#define SSS_GND_INCLUDE_DISABLED 0x02
+/* Descend to sub-domains of current domain but do not go to next parent */
+#define SSS_GND_SUBDOMAINS 0x04
#define SSS_GND_ALL_DOMAINS (SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED)
+#define SSS_GND_ALL_SUBDOMAINS (SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED)
+
struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
uint32_t gnd_flags);
struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
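Review bot: The comment on SSS_GND_SUBDOMAINS describes only the parent-domain case; in get_next_domain the result depends on where the walk starts, because a parent descends via dom->subdomains while a sub-domain takes the `dom->next && only_subdomains && IS_SUBDOMAIN(dom)` branch and walks its remaining siblings (the new test_utils cases starting from sub1a and sub2a rely on exactly that). Suggest making the header say so: `/* Descend to sub-domains of the current domain but do not go to the next parent; when called on a sub-domain, return its following siblings only */`.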
--
2.21.3


@ -0,0 +1,443 @@
From 0dc81a52e2836010974e9f71b1f3e47c20fd498d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Oct 2020 11:56:21 +0200
Subject: [PATCH 7/8] negcache: make sure short names are added to sub-domains
If short names are used with filter_users or filter_groups in a
[domain/...] section they should be added to the sub-domains of this
domain as well.
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/negcache.c | 105 +++++++------
src/tests/cmocka/test_negcache.c | 254 +++++++++++++++++++++++++++++++
2 files changed, 312 insertions(+), 47 deletions(-)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 139218420..9ee39ce3e 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -971,6 +971,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
char *name = NULL;
struct sss_domain_info *dom = NULL;
struct sss_domain_info *domain_list = rctx->domains;
+ struct sss_domain_info *ddom;
char *domainname = NULL;
char *conf_path = NULL;
TALLOC_CTX *tmpctx = talloc_new(NULL);
@@ -1013,39 +1014,44 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- if (domainname && strcmp(domainname, dom->name)) {
- DEBUG(SSSDBG_TRACE_FUNC,
- "Mismatch between domain name (%s) and name "
- "set in FQN (%s), assuming %s is UPN\n",
- dom->name, domainname, filter_list[i]);
- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
+ /* Check domain and its sub-domains */
+ for (ddom = dom; ddom != NULL;
+ ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) {
+
+ if (domainname && strcmp(domainname, ddom->name)) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Mismatch between domain name (%s) and name "
+ "set in FQN (%s), assuming %s is UPN\n",
+ ddom->name, domainname, filter_list[i]);
+ ret = sss_ncache_set_upn(ncache, true, ddom, filter_list[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_ncache_set_upn failed (%d [%s]), ignored\n",
+ ret, sss_strerror(ret));
+ }
+ continue;
+ }
+
+ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_upn(ncache, true, ddom, fqname);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sss_ncache_set_upn failed (%d [%s]), ignored\n",
ret, sss_strerror(ret));
}
- continue;
- }
-
- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
- if (fqname == NULL) {
- continue;
- }
-
- ret = sss_ncache_set_upn(ncache, true, dom, fqname);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sss_ncache_set_upn failed (%d [%s]), ignored\n",
- ret, sss_strerror(ret));
- }
- ret = sss_ncache_set_user(ncache, true, dom, fqname);
- talloc_zfree(fqname);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to store permanent user filter for [%s]"
- " (%d [%s])\n", filter_list[i],
- ret, sss_strerror(ret));
- continue;
+ ret = sss_ncache_set_user(ncache, true, ddom, fqname);
+ talloc_zfree(fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to store permanent user filter for [%s]"
+ " (%d [%s])\n", filter_list[i],
+ ret, sss_strerror(ret));
+ continue;
+ }
}
}
}
@@ -1161,27 +1167,32 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- if (domainname && strcmp(domainname, dom->name)) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Mismatch between domain name (%s) and name "
- "set in FQN (%s), skipping group %s\n",
- dom->name, domainname, name);
- continue;
- }
+ /* Check domain and its sub-domains */
+ for (ddom = dom;
+ ddom != NULL && (ddom == dom || ddom->parent != NULL);
+ ddom = get_next_domain(ddom, SSS_GND_ALL_DOMAINS)) {
+ if (domainname && strcmp(domainname, ddom->name)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Mismatch between domain name (%s) and name "
+ "set in FQN (%s), skipping group %s\n",
+ ddom->name, domainname, name);
+ continue;
+ }
- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
- if (fqname == NULL) {
- continue;
- }
+ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
+ if (fqname == NULL) {
+ continue;
+ }
- ret = sss_ncache_set_group(ncache, true, dom, fqname);
- talloc_zfree(fqname);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to store permanent group filter for [%s]"
- " (%d [%s])\n", filter_list[i],
- ret, strerror(ret));
- continue;
+ ret = sss_ncache_set_group(ncache, true, ddom, fqname);
+ talloc_zfree(fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to store permanent group filter for [%s]"
+ " (%d [%s])\n", filter_list[i],
+ ret, strerror(ret));
+ continue;
+ }
}
}
}
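Review bot: The groups loop iterates with SSS_GND_ALL_DOMAINS and a hand-written stop condition `ddom == dom || ddom->parent != NULL`, while the users loop earlier in the same function uses SSS_GND_ALL_SUBDOMAINS, the flag introduced for this purpose in patch 6/8; the guard works only because get_next_domain happens to step to the next parent after the last sub-domain, and it will silently break if that ordering changes. Suggest the same shape as the users loop: `for (ddom = dom; ddom != NULL; ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) {`. Separately, a fully-qualified parent name is now expected not to match each sub-domain (the test table marks parentg@TEST_DOM_NAME as MISSING in the sub-domain), yet every such iteration logs "skipping group" at SSSDBG_CRIT_FAILURE, so the expected path produces critical-level noise; SSSDBG_TRACE_FUNC, as the users loop uses for the same situation, seems more appropriate. sss_ncache_prepopulate's body continues outside the hunk.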
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index b3a379227..fb306b110 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -119,6 +119,8 @@ static int setup(void **state)
int ret;
struct test_state *ts;
+ test_dom_suite_setup(TESTS_PATH);
+
ts = talloc(NULL, struct test_state);
assert_non_null(ts);
@@ -133,6 +135,7 @@ static int setup(void **state)
static int teardown(void **state)
{
struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
talloc_free(ts);
return 0;
}
@@ -921,6 +924,255 @@ static void test_sss_ncache_reset_prepopulate(void **state)
assert_int_equal(ret, EEXIST);
}
+/* The main purpose of test_sss_ncache_short_name_in_domain is to test that
+ * short names in the filter_users or filter_groups options in a [domain/...]
+ * section are properly added to the related sub-domains as well (if there are
+ * any) and not added to domains from other [domain/...] sections. For
+ * completeness entries with fully-qualified names of the parent and the
+ * sub-domain and the generic UPN are added as well.
+ *
+ * The result should of course be independent of the present domains. To
+ * verify this the domains are added one after the other and the negative
+ * cache is repopulated each time.
+ *
+ * With the given domains, users and group we have to following expectations:
+ * - the short name entry will be added to the domain and all sub-domains as
+ * name and as upn by expanding it to a fully-qualified name with the
+ * domain name or sub-domain name respectively
+ * - the fully-qualified name from the parent domain is added as name and upn
+ * to the parent domain and as upn to all sub-domains
+ * - the fully-qualified name from the sub-domain is added as name to the
+ * sub-domain and as upn to the parent and all sub-domains
+ * - the generic upn is nowhere added as name and as upn to the parent and all
+ * sub-domains
+ * - none of the names is added to a different parent domain
+ *
+ * The following table should illustrated the expectations:
+ *
+ * user (name):
+ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
+ *-----------------+-----------+-----------------------+--------------------------+------------
+ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING | MISSING
+ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT | MISSING
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING
+ *
+ * user (upn):
+ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
+ *-----------------+-----------+-----------------------+--------------------------+------------
+ * TEST_DOM_NAME | PRESENT | PRESENT | PRESENT | PRESENT
+ * subTEST_DOM_NAME| PRESENT | PRESENT | PRESENT | PRESENT
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING
+ *
+ *
+ *
+ * groups:
+ * | shortgroup | parentg@TEST_DOM_NAME | subdomg@subTEST_DOM_NAME
+ *-----------------+------------+-----------------------+-------------------------
+ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING
+ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING
+ *
+ *
+ * The following expect_*() implement checks for the expextations:
+ */
+
+static void expect_in_parent(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *dom)
+{
+ int ret;
+
+ ret = check_user_in_ncache(ncache, dom, "shortuser");
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_upn(ncache, dom, "shortuser@"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "parentu");
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_upn(ncache, dom, "parentu@"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "subdomu");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom, "subdomu@sub"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "upn");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom, "upn@upn.dom");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "shortgroup");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "parentg");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "subdomg");
+ assert_int_equal(ret, ENOENT);
+}
+
+static void expect_in_subdomain(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *sub_dom)
+{
+ int ret;
+
+ ret = check_user_in_ncache(ncache, sub_dom, "shortuser");
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_upn(ncache, sub_dom, "shortuser@sub"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, sub_dom, "subdomu");
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_upn(ncache, sub_dom, "subdomu@sub"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, sub_dom, "upn");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, sub_dom, "upn@upn.dom");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, sub_dom, "parentu");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, sub_dom, "parentu@"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+
+ ret = check_group_in_ncache(ncache, sub_dom, "shortgroup");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, sub_dom, "parentg");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, sub_dom, "subdomg");
+ assert_int_equal(ret, EEXIST);
+}
+static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *dom2)
+{
+ int ret;
+
+ ret = check_user_in_ncache(ncache, dom2, "shortuser");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom2, "shortuser"TEST_DOM_NAME);
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_user_in_ncache(ncache, dom2, "parentu");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom2, "parentu@"TEST_DOM_NAME);
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_user_in_ncache(ncache, dom2, "subdomu");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom2, "subdomu@sub"TEST_DOM_NAME);
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_user_in_ncache(ncache, dom2, "upn");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom2, "upn@upn.dom");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom2, "shortgroup");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom2, "parentg");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom2, "subdomg");
+ assert_int_equal(ret, ENOENT);
+}
+
+static void test_sss_ncache_short_name_in_domain(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+ struct sss_domain_info *dom;
+ struct sss_domain_info *dom2;
+ struct sss_domain_info *sub_dom;
+
+ struct sss_test_conf_param params[] = {
+ { "filter_users", "shortuser, parentu@"TEST_DOM_NAME", "
+ "subdomu@sub"TEST_DOM_NAME", upn@upn.dom" },
+ { "filter_groups", "shortgroup, parentg@"TEST_DOM_NAME", "
+ "subdomg@sub"TEST_DOM_NAME },
+ { NULL, NULL },
+ };
+
+ const char *nss_filter_users[] = { params[0].value, NULL};
+ const char *nss_filter_groups[] = { params[1].value, NULL};
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+ dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+ sss_domain_set_state(dom, DOM_ACTIVE);
+
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
+ assert_non_null(tc);
+
+ ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME,
+ "filter_users", nss_filter_users);
+ assert_int_equal(ret, EOK);
+
+ ret = confdb_add_param(tc->confdb, true, "config/domain"TEST_DOM_NAME,
+ "filter_groups", nss_filter_groups);
+ assert_int_equal(ret, EOK);
+
+ ncache = ts->ctx;
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
+ assert_non_null(ts->rctx);
+ ts->rctx->cdb = tc->confdb;
+
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ /* Add another domain */
+ dom2 = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom2);
+ dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
+ sss_domain_set_state(dom2, DOM_ACTIVE);
+ dom->next = dom2;
+ dom2->names = dom->names;
+
+ expect_in_parent(ncache, dom);
+ expect_no_entries_in_dom(ncache, dom2);
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ expect_in_parent(ncache, dom);
+ expect_no_entries_in_dom(ncache, dom2);
+
+ /* Add a sub domain */
+ sub_dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(sub_dom);
+ sub_dom->name = discard_const_p(char, "sub"TEST_DOM_NAME);
+ sss_domain_set_state(sub_dom, DOM_ACTIVE);
+ sub_dom->parent = dom;
+ dom->subdomains = sub_dom;
+ sub_dom->names = dom->names;
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ expect_in_parent(ncache, dom);
+ expect_in_subdomain(ncache, sub_dom);
+ expect_no_entries_in_dom(ncache, dom2);
+}
+
static void test_sss_ncache_reset(void **state)
{
errno_t ret;
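Review bot: Two string literals in the new test look mistyped and weaken what it checks: expect_no_entries_in_dom() asserts ENOENT for `"shortuser"TEST_DOM_NAME`, a name without the "@" that can never be present (compare `"shortuser@"TEST_DOM_NAME` in expect_in_parent), and the second confdb_add_param() writes filter_groups under `"config/domain"TEST_DOM_NAME`, missing the "/" that the filter_users call two lines above uses, so the groups setting only takes effect through the params[] passed to create_dom_test_ctx(). Suggested lines: `ret = sss_ncache_check_upn(ncache, dom2, "shortuser@"TEST_DOM_NAME);` and `ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME,`. The long header comment also has "should illustrated" and "expextations", which are worth fixing while here.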
@@ -1083,6 +1335,8 @@ int main(void)
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
+ setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
--
2.21.3


@ -1,46 +0,0 @@
From 144e78dfebc0fd01feb6c11a37f81d01146cf33a Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 12 Jun 2020 19:10:33 +0200
Subject: [PATCH] util/inotify: fixed CLANG_WARNING
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixed following warning:
```
sssd-2.3.1/src/util/inotify.c:346:17: warning: Value stored to 'ret' is never read
# ret = EOK;
# ^ ~~~
```
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/util/inotify.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/util/inotify.c b/src/util/inotify.c
index ffc15ad4d..cf3e3d84d 100644
--- a/src/util/inotify.c
+++ b/src/util/inotify.c
@@ -319,7 +319,9 @@ static void snotify_internal_cb(struct tevent_context *ev,
in_event = (const struct inotify_event *) ptr;
- //debug_flags(in_event->mask, in_event->name);
+#if 0
+ debug_flags(in_event->mask, in_event->name);
+#endif
if (snctx->wctx->dir_wd == in_event->wd) {
ret = process_dir_event(snctx, in_event);
@@ -343,7 +345,6 @@ static void snotify_internal_cb(struct tevent_context *ev,
} else {
DEBUG(SSSDBG_MINOR_FAILURE,
"Unknown watch %d\n", in_event->wd);
- ret = EOK;
}
}
}
--
2.21.3


@ -0,0 +1,154 @@
From fa4b46e7de7297da3c0e37913eab8cba7f103629 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Oct 2020 15:26:39 +0200
Subject: [PATCH 8/8] negcache: do not use default_domain_suffix
When splitting the names from the filter_users and filter_groups options
do not use the default_domain_suffix because it will hide that the
original name is a short name and should be added everywhere.
Additionally this patch fixes a typo where sss_parse_name() was used
instead of sss_parse_name_for_domains().
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/negcache.c | 29 +++++++++++++++--------------
src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++--
2 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 9ee39ce3e..59e8ad7e7 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -1000,13 +1000,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain,
+ NULL,
filter_list[i],
&domainname, &name);
if (ret == EAGAIN) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
+ "Can add [%s] only as UPN to negcache because the "
+ "required domain is not known yet\n", filter_list[i]);
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid name in filterUsers list: [%s] (%d)\n",
@@ -1066,12 +1066,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain, filter_list[i],
+ NULL, filter_list[i],
&domainname, &name);
if (ret == EAGAIN) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
+ "Can add [%s] only as UPN to negcache because the "
+ "required domain is not known yet\n", filter_list[i]);
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid name in filterUsers list: [%s] (%d)\n",
@@ -1158,9 +1158,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
if (ret != EOK) goto done;
for (i = 0; (filter_list && filter_list[i]); i++) {
- ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
- &domainname, &name);
+ ret = sss_parse_name_for_domains(tmpctx, domain_list,
+ NULL, filter_list[i],
+ &domainname, &name);
if (ret != EOK) {
+ /* Groups do not have UPNs, so domain names, if present,
+ * must be known */
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid name in filterGroups list: [%s] (%d)\n",
filter_list[i], ret);
@@ -1207,13 +1210,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain, filter_list[i],
+ NULL, filter_list[i],
&domainname, &name);
- if (ret == EAGAIN) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
- } else if (ret != EOK) {
+ if (ret != EOK) {
+ /* Groups do not have UPNs, so domain names, if present,
+ * must be known */
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid name in filterGroups list: [%s] (%d)\n",
filter_list[i], ret);
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index fb306b110..30218d52a 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -933,7 +933,9 @@ static void test_sss_ncache_reset_prepopulate(void **state)
*
* The result should of course be independent of the present domains. To
* verify this the domains are added one after the other and the negative
- * cache is repopulated each time.
+ * cache is repopulated each time. The result should be also independent of
+ * the setting of default_domain_suffix option which is tested by
+ * test_sss_ncache_short_name_in_domain_with_prefix.
*
* With the given domains, users and group we have to following expectations:
* - the short name entry will be added to the domain and all sub-domains as
@@ -1081,7 +1083,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
assert_int_equal(ret, ENOENT);
}
-static void test_sss_ncache_short_name_in_domain(void **state)
+static void run_sss_ncache_short_name_in_domain(void **state,
+ bool use_default_domain_prefix)
{
int ret;
struct test_state *ts;
@@ -1131,6 +1134,9 @@ static void test_sss_ncache_short_name_in_domain(void **state)
ncache = ts->ctx;
ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
assert_non_null(ts->rctx);
+ if (use_default_domain_prefix) {
+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
+ }
ts->rctx->cdb = tc->confdb;
ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
@@ -1173,6 +1179,16 @@ static void test_sss_ncache_short_name_in_domain(void **state)
expect_no_entries_in_dom(ncache, dom2);
}
+static void test_sss_ncache_short_name_in_domain(void **state)
+{
+ run_sss_ncache_short_name_in_domain(state, false);
+}
+
+static void test_sss_ncache_short_name_in_domain_with_prefix(void **state)
+{
+ run_sss_ncache_short_name_in_domain(state, true);
+}
+
static void test_sss_ncache_reset(void **state)
{
errno_t ret;
@@ -1337,6 +1353,8 @@ int main(void)
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix,
+ setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
--
2.21.3


@ -1,97 +0,0 @@
From 0c5711f9bae1cb46d4cd3fbe5d86d8688087be13 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 12 Jun 2020 20:45:23 +0200
Subject: [PATCH] util/inotify: fixed bug in inotify event processing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Error was spotted with the help of the following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/util/inotify.c:327:21: warning: Value stored to 'rewatch' is never read
# rewatch = true;
# ^ ~~~~
```
First part of the issue was that EAGAIN returned by the process_dir_event()
didn't trigger snotify_rewatch() (as suggested by the comments).
Fixing this part is already enough to resolve issue #1031 (as it was
reported).
Another part of the issue was that process_file_event() return code wasn't
checked against EAGAIN (again, as suggested by the DEBUG message).
Strictly speaking, I'm not sure if this part is really required or
if processing DIR events would cover all cases, but rebuilding watches
on IN_IGNORED won't hurt.
Resolves: https://github.com/SSSD/sssd/issues/1031
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/util/inotify.c | 30 +++++++++++++-----------------
1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/src/util/inotify.c b/src/util/inotify.c
index cf3e3d84d..a3c33eddb 100644
--- a/src/util/inotify.c
+++ b/src/util/inotify.c
@@ -286,7 +286,7 @@ static void snotify_internal_cb(struct tevent_context *ev,
struct snotify_ctx *snctx;
ssize_t len;
errno_t ret;
- bool rewatch;
+ bool rewatch = false;
snctx = talloc_get_type(data, struct snotify_ctx);
if (snctx == NULL) {
@@ -305,7 +305,7 @@ static void snotify_internal_cb(struct tevent_context *ev,
} else {
DEBUG(SSSDBG_TRACE_INTERNAL, "All inotify events processed\n");
}
- return;
+ break;
}
if ((size_t) len < sizeof(struct inotify_event)) {
@@ -325,26 +325,22 @@ static void snotify_internal_cb(struct tevent_context *ev,
if (snctx->wctx->dir_wd == in_event->wd) {
ret = process_dir_event(snctx, in_event);
- if (ret == EAGAIN) {
- rewatch = true;
- /* Continue with the loop and read all the events from
- * this descriptor first, then rewatch when done
- */
- } else if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to process inotify event\n");
- continue;
- }
} else if (snctx->wctx->file_wd == in_event->wd) {
ret = process_file_event(snctx, in_event);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to process inotify event\n");
- continue;
- }
} else {
DEBUG(SSSDBG_MINOR_FAILURE,
"Unknown watch %d\n", in_event->wd);
+ ret = EOK;
+ }
+
+ if (ret == EAGAIN) {
+ rewatch = true;
+ /* Continue with the loop and read all the events from
+ * this descriptor first, then rewatch when done
+ */
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to process inotify event\n");
}
}
}
--
2.21.3


@ -1,46 +0,0 @@
From 02fbf47a85228c131f1b0575da091a01da700189 Mon Sep 17 00:00:00 2001
From: vinay mishra <vmishra@redhat.com>
Date: Mon, 18 May 2020 10:32:55 +0530
Subject: [PATCH] Replaced 'enter' with 'insert'
Resolves: https://github.com/SSSD/sssd/issues/5164
Signed-off-by: vinay mishra <vmishra@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/sss_client/pam_sss.c | 4 ++--
src/tests/intg/test_pam_responder.py | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d4f0a8917..69b440774 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2422,8 +2422,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return PAM_SUCCESS;
}
-#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s"
-#define SC_ENTER_FMT "Please enter smart card"
+#define SC_ENTER_LABEL_FMT "Please insert smart card labeled\n %s"
+#define SC_ENTER_FMT "Please insert smart card"
static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
int retries, bool quiet_mode)
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index 9b5e650ca..7a2458339 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -512,7 +512,7 @@ def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl):
assert end_time > start_time and \
(end_time - start_time) >= 20 and \
(end_time - start_time) < 40
- assert out.find("Please enter smart card\nPlease enter smart card") != -1
+ assert out.find("Please insert smart card\nPlease insert smart card") != -1
assert err.find("pam_authenticate for user [user1]: Authentication " +
"service cannot retrieve authentication info") != -1
--
2.21.3


@ -0,0 +1,43 @@
From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 9 Dec 2020 14:07:22 +0100
Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path
Previous unefficient code encoded the secret multiple times:
secret -> base64 -> masterkey -> base64
To allow smooth upgrade for already existant ccache we need to also decode
the secret if it is still in the old format (type == simple). Otherwise
users are not able to log in.
Resolves: https://github.com/SSSD/sssd/issues/5349
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index 726711ac4..ea5c8f9ee 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
goto done;
}
+ if (strcmp(datatype, "simple") == 0) {
+ /* The secret is stored in b64 encoding, we need to decode it first. */
+ data = sss_base64_decode(tmp_ctx, (const char*)data, &len);
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
+ ret = EIO;
+ goto done;
+ }
+ }
+
buf = sss_iobuf_init_steal(tmp_ctx, data, len);
if (buf == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
--
2.21.3
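Review bot: The added sss_base64_decode() call in sec_get() passes `data` as a `const char *`, so the decode relies on the blob read from the secrets db being NUL-terminated; `len` is the blob length on entry but is only used here as the output size. Whether secdb guarantees termination for "simple" entries is not visible in this hunk, and if it does not, the decoder can read past the blob. Please confirm and record the assumption in the existing comment, e.g. `/* 'simple' secrets are stored as a NUL-terminated base64 string; decode before use. */`, or validate `data[len - 1] == '\0'` before the call. The encoded copy also stays allocated under tmp_ctx until `done`, which is acceptable but worth knowing for a secret. sec_get() begins and ends outside this hunk.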


@ -1,166 +0,0 @@
From aac4dbb17f3e19a2fbeefb38b3319827d3bf820e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 13 May 2020 13:13:43 +0200
Subject: [PATCH] NSS client: preserve errno during _nss_sss_end* calls
glibc does not expect that errno is changed by some of the calls
provided by nss modules. This caused at least issues when
_nss_sss_endpwent() is called in compat mode. According to
https://pubs.opengroup.org/onlinepubs/9699919799/functions/endpwent.html
endpwent() should only set errno in the case of an error. Since there is
no other way to report an error we will set errno in the case of an
error but preserve it otherwise. This should cause no issues because
glibc is taking precautions as well tracked by
https://sourceware.org/bugzilla/show_bug.cgi?id=25976.
To be on the safe side the other _nss_sss_end* calls will show the same
behavior.
Resolves: https://github.com/SSSD/sssd/issues/5153
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
---
src/sss_client/nss_group.c | 3 +++
src/sss_client/nss_hosts.c | 4 +++-
src/sss_client/nss_ipnetworks.c | 4 +++-
src/sss_client/nss_netgroup.c | 3 +++
src/sss_client/nss_passwd.c | 3 +++
src/sss_client/nss_services.c | 3 +++
6 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c
index 5ab2bdf78..4a201bf09 100644
--- a/src/sss_client/nss_group.c
+++ b/src/sss_client/nss_group.c
@@ -735,6 +735,7 @@ enum nss_status _nss_sss_endgrent(void)
{
enum nss_status nret;
int errnop;
+ int saved_errno = errno;
sss_nss_lock();
@@ -745,6 +746,8 @@ enum nss_status _nss_sss_endgrent(void)
NULL, NULL, NULL, &errnop);
if (nret != NSS_STATUS_SUCCESS) {
errno = errnop;
+ } else {
+ errno = saved_errno;
}
sss_nss_unlock();
diff --git a/src/sss_client/nss_hosts.c b/src/sss_client/nss_hosts.c
index 5e279468b..aa2676286 100644
--- a/src/sss_client/nss_hosts.c
+++ b/src/sss_client/nss_hosts.c
@@ -565,6 +565,7 @@ _nss_sss_endhostent(void)
{
enum nss_status nret;
int errnop;
+ int saved_errno = errno;
sss_nss_lock();
@@ -575,9 +576,10 @@ _nss_sss_endhostent(void)
NULL, NULL, NULL, &errnop);
if (nret != NSS_STATUS_SUCCESS) {
errno = errnop;
+ } else {
+ errno = saved_errno;
}
sss_nss_unlock();
-
return nret;
}
diff --git a/src/sss_client/nss_ipnetworks.c b/src/sss_client/nss_ipnetworks.c
index 15fee6039..08070499d 100644
--- a/src/sss_client/nss_ipnetworks.c
+++ b/src/sss_client/nss_ipnetworks.c
@@ -510,6 +510,7 @@ _nss_sss_endnetent(void)
{
enum nss_status nret;
int errnop;
+ int saved_errno = errno;
sss_nss_lock();
@@ -520,10 +521,11 @@ _nss_sss_endnetent(void)
NULL, NULL, NULL, &errnop);
if (nret != NSS_STATUS_SUCCESS) {
errno = errnop;
+ } else {
+ errno = saved_errno;
}
sss_nss_unlock();
-
return nret;
}
diff --git a/src/sss_client/nss_netgroup.c b/src/sss_client/nss_netgroup.c
index 3a1834a31..2fc88f8ae 100644
--- a/src/sss_client/nss_netgroup.c
+++ b/src/sss_client/nss_netgroup.c
@@ -309,6 +309,7 @@ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result)
{
enum nss_status nret;
int errnop;
+ int saved_errno = errno;
sss_nss_lock();
@@ -319,6 +320,8 @@ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result)
NULL, NULL, NULL, &errnop);
if (nret != NSS_STATUS_SUCCESS) {
errno = errnop;
+ } else {
+ errno = saved_errno;
}
sss_nss_unlock();
diff --git a/src/sss_client/nss_passwd.c b/src/sss_client/nss_passwd.c
index 96368bd6e..c386dd370 100644
--- a/src/sss_client/nss_passwd.c
+++ b/src/sss_client/nss_passwd.c
@@ -455,6 +455,7 @@ enum nss_status _nss_sss_endpwent(void)
{
enum nss_status nret;
int errnop;
+ int saved_errno = errno;
sss_nss_lock();
@@ -465,6 +466,8 @@ enum nss_status _nss_sss_endpwent(void)
NULL, NULL, NULL, &errnop);
if (nret != NSS_STATUS_SUCCESS) {
errno = errnop;
+ } else {
+ errno = saved_errno;
}
sss_nss_unlock();
diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c
index 13cb4c3ab..f8c2092cb 100644
--- a/src/sss_client/nss_services.c
+++ b/src/sss_client/nss_services.c
@@ -484,6 +484,7 @@ _nss_sss_endservent(void)
{
enum nss_status nret;
int errnop;
+ int saved_errno = errno;
sss_nss_lock();
@@ -494,6 +495,8 @@ _nss_sss_endservent(void)
NULL, NULL, NULL, &errnop);
if (nret != NSS_STATUS_SUCCESS) {
errno = errnop;
+ } else {
+ errno = saved_errno;
}
sss_nss_unlock();
--
2.21.3


@ -0,0 +1,112 @@
From c87b2208b9a58c12eeceb5b8ccf9c34dcd835b8d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 17 Nov 2020 12:59:23 +0100
Subject: [PATCH] nss: check if groups are filtered during initgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If groups are filtered, i.e. SSSD should not handle them, they should
not appear in the group list returned by an initgroups request.
Resolves: https://github.com/SSSD/sssd/issues/5403
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++
src/tests/intg/test_ldap.py | 12 +++++++++
2 files changed, 47 insertions(+)
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 8f1d3fe81..135b392f7 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -326,6 +326,34 @@ done:
return EOK;
}
+static bool is_group_filtered(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ const char *grp_name, gid_t gid)
+{
+ int ret;
+
+ if (grp_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Group with gid [%"SPRIgid"] has no name, this should never "
+ "happen, trying to continue without.\n", gid);
+ } else {
+ ret = sss_ncache_check_group(ncache, domain, grp_name);
+ if (ret == EEXIST) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! "
+ "(negative cache)", grp_name);
+ return true;
+ }
+ }
+ ret = sss_ncache_check_gid(ncache, domain, gid);
+ if (ret == EEXIST) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! "
+ "(negative cache)", gid);
+ return true;
+ }
+
+ return false;
+}
+
errno_t
nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
struct nss_cmd_ctx *cmd_ctx,
@@ -344,6 +372,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
size_t body_len;
size_t rp;
gid_t gid;
+ const char *grp_name;
gid_t orig_gid;
errno_t ret;
int i;
@@ -392,6 +421,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
0);
posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
+ grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
+ NULL);
if (gid == 0) {
if (posix != NULL && strcmp(posix, "FALSE") == 0) {
@@ -404,6 +435,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
}
}
+ if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
+ continue;
+ }
+
SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp);
num_results++;
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 194d7d9cc..6a78c960f 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter):
with pytest.raises(KeyError):
grp.getgrgid(14)
+ # test initgroups - user1 is member of group_two_one_user_groups (2019)
+ # which is filtered out
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001)
+ assert res == sssd_id.NssReturnCode.SUCCESS
+
+ user_with_group_ids = [2001, 2012, 2015, 2017, 2018]
+ assert sorted(gids) == sorted(user_with_group_ids), \
+ "result: %s\n expected %s" % (
+ ", ".join(["%s" % s for s in sorted(gids)]),
+ ", ".join(["%s" % s for s in sorted(user_with_group_ids)])
+ )
+
@pytest.fixture
def sanity_nss_filter_cached(request, ldap_conn):
--
2.21.3
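Review bot: The two DEBUG() strings in the new is_group_filtered() end without the trailing newline that every other DEBUG string in these patches carries (`"Cannot init the iobuf\n"`, `"Unknown watch %d\n"`), so the log lines run into the next message; change both to end with `"(negative cache)\n"`. The helper also treats any result from sss_ncache_check_group() and sss_ncache_check_gid() other than EEXIST as "not filtered", so a negative-cache lookup error fails open and the group is still returned; if that is intended, state it, e.g. `/* Only EEXIST means filtered; lookup errors keep the group so a negcache fault never drops memberships. */`. The caller in nss_protocol_fill_initgr() skips the entry with `continue` before `num_results++`, which is consistent with the body count, though that function starts and ends outside this hunk.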


@ -0,0 +1,36 @@
From 81e757b7b1d69893b5725f9c148c55d89c779e7b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Nov 2020 10:12:15 +0100
Subject: [PATCH] ifp: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The variable fqdn is pointing to some data from state->res->msgs[0]. But
before fqdn is used in the next search state->res and the memory
hierarchy below is freed. As a result the location where fqdn is pointing
to might hold the expected data or other data and the search will fail
intermittently.
Resolves: https://github.com/SSSD/sssd/issues/5382
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/ifp/ifpsrv_cmd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index 9f20bf2db..d95618127 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -128,6 +128,7 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
tevent_req_error(req, ERR_INTERNAL);
return;
}
+ fqdn = talloc_steal(state, fqdn);
if (state->search_type == SSS_DP_USER) {
/* throw away the result and perform attr search */
--
2.21.3


@ -1,43 +0,0 @@
From df632eec450791559a4a7644f241964397c10ff9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 5 Jun 2020 13:59:25 +0200
Subject: [PATCH] ipa: add failover to subdomain override lookups
In the ipa_subdomain_account request failover handling was missing.
Related to https://github.com/SSSD/sssd/issues/5075
(was https://pagure.io/SSSD/sssd/issue/4114)
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/providers/ipa/ipa_subdomains_id.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 1224c7b73..36f32fae8 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -208,6 +208,20 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
&state->override_attrs);
talloc_zfree(subreq);
if (ret != EOK) {
+ ret = sdap_id_op_done(state->op, ret, &dp_error);
+
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n");
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, ipa_subdomain_account_connected,
+ req);
+ return;
+ }
+
DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
goto fail;
}
--
2.21.3


@ -1,132 +0,0 @@
From dce025b882db7247571b135e928afb47f069a60f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Feb 2020 06:54:21 +0100
Subject: [PATCH] GPO: fix link order in a SOM
GPOs of the same OU were applied in the wrong order. Details about how
GPOs should be processed can be found e.g. at
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
Resolves: https://github.com/SSSD/sssd/issues/5103
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ad/ad_gpo.c | 59 +++++++++++++++++++++++++++++----------
1 file changed, 45 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index bbe8d8a1e..1524c4bfc 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3511,14 +3511,19 @@ ad_gpo_process_som_recv(struct tevent_req *req,
* - GPOs linked to an OU will be applied after GPOs linked to a Domain,
* which will be applied after GPOs linked to a Site.
* - multiple GPOs linked to a single SOM are applied in their link order
- * (i.e. 1st GPO linked to SOM is applied after 2nd GPO linked to SOM, etc).
+ * (i.e. 1st GPO linked to SOM is applied before 2nd GPO linked to SOM, etc).
* - enforced GPOs are applied after unenforced GPOs.
*
* As such, the _candidate_gpos output's dn fields looks like (in link order):
- * [unenforced {Site, Domain, OU}; enforced {Site, Domain, OU}]
+ * [unenforced {Site, Domain, OU}; enforced {OU, Domain, Site}]
*
* Note that in the case of conflicting policy settings, GPOs appearing later
- * in the list will trump GPOs appearing earlier in the list.
+ * in the list will trump GPOs appearing earlier in the list. Therefore the
+ * enforced GPOs are applied in revers order after the unenforced GPOs to
+ * make sure the enforced setting form the highest level will be applied.
+ *
+ * GPO processing details can be found e.g. at
+ * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
*/
static errno_t
ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
@@ -3542,6 +3547,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
int i = 0;
int j = 0;
int ret;
+ size_t som_count = 0;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -3568,6 +3574,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
}
i++;
}
+ som_count = i;
num_candidate_gpos = num_enforced + num_unenforced;
@@ -3590,9 +3597,43 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
goto done;
}
+ i = som_count -1 ;
+ while (i >= 0) {
+ gp_som = som_list[i];
+
+ /* For unenforced_gpo_dns the most specific GPOs with the highest
+ * priority should be the last. We start with the top-level SOM and go
+ * down to the most specific one and add the unenforced following the
+ * gplink_list where the GPO with the highest priority comes last. */
+ j = 0;
+ while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
+ gp_gplink = gp_som->gplink_list[j];
+
+ if (!gp_gplink->enforced) {
+ unenforced_gpo_dns[unenforced_idx] =
+ talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
+
+ if (unenforced_gpo_dns[unenforced_idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ unenforced_idx++;
+ }
+ j++;
+ }
+ i--;
+ }
+
i = 0;
while (som_list[i]) {
gp_som = som_list[i];
+
+ /* For enforced GPOs we start processing with the most specific SOM to
+ * make sur enforced GPOs from higher levels override to lower level
+ * ones. According to the 'Group Policy Inheritance' tab in the
+ * Windows 'Goup Policy Management' utility in the same SOM the link
+ * order is still observed and an enforced GPO with a lower link order
+ * value still overrides an enforced GPO with a higher link order. */
j = 0;
while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
gp_gplink = gp_som->gplink_list[j];
@@ -3610,16 +3651,6 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
goto done;
}
enforced_idx++;
- } else {
-
- unenforced_gpo_dns[unenforced_idx] =
- talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
-
- if (unenforced_gpo_dns[unenforced_idx] == NULL) {
- ret = ENOMEM;
- goto done;
- }
- unenforced_idx++;
}
j++;
}
@@ -3638,7 +3669,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
}
gpo_dn_idx = 0;
- for (i = num_unenforced - 1; i >= 0; i--) {
+ for (i = 0; i < num_unenforced; i++) {
candidate_gpos[gpo_dn_idx] = talloc_zero(candidate_gpos, struct gp_gpo);
if (candidate_gpos[gpo_dn_idx] == NULL) {
ret = ENOMEM;
--
2.21.3


@ -0,0 +1,38 @@
From 3b158934cbb8f87cbfaf1650389b8dcd654b92ca Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 19 Nov 2020 18:05:00 +0100
Subject: [PATCH] ifp: fix original fix use-after-free
The original fix stole the fqdn too earlier. Only for SSS_DP_USER
requests the steal is important. For other request where the first
result is returned to the caller the original version
might even cause issues since the name does not belong to the memory
hierarchy of the result anymore.
Resolves: https://github.com/SSSD/sssd/issues/5382
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/ifp/ifpsrv_cmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index d95618127..8cf1ec84c 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -128,10 +128,10 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
tevent_req_error(req, ERR_INTERNAL);
return;
}
- fqdn = talloc_steal(state, fqdn);
if (state->search_type == SSS_DP_USER) {
- /* throw away the result and perform attr search */
+ /* throw away the result but keep the fqdn and perform attr search */
+ fqdn = talloc_steal(state, fqdn);
talloc_zfree(state->res);
ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn,
--
2.21.3
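Review bot: `fqdn = talloc_steal(state, fqdn);` is only well-defined if fqdn is the start of a talloc chunk of its own; the commit message says it points at data inside state->res->msgs[0], and if that is an ldb value's data pointer rather than a separately allocated string, talloc_steal() misbehaves rather than failing cleanly. A copy does not depend on how ldb allocated the value: `fqdn = talloc_strdup(state, fqdn);` followed by a NULL check that calls `tevent_req_error(req, ENOMEM)` and returns. Either way the new comment should say why the name must outlive the result, e.g. `/* fqdn points into state->res, which is freed below; keep the name alive on state */`. ifp_user_get_attr_done() starts before and continues after this hunk.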


@ -0,0 +1,68 @@
From 1b9b7f5a635ede8eee90d13bfe0e1f87e51191a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 13 Nov 2020 12:59:39 +0100
Subject: [PATCH 13/16] pam_sss: use unique id for gdm choice list
Currently the key-id read from the Smartcard is used as key value for
the gdm choice list dialog. Since it might be possible that multiple
certificates use the same key and hence the same key-id this is not a
suitable value.
With this patch the string representation of a numerical counter is used.
Resolves: https://github.com/SSSD/sssd/issues/5400
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/pam_sss.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b844d257e..04dfdb55d 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -128,6 +128,7 @@ struct cert_auth_info {
char *key_id;
char *prompt_str;
char *pam_cert_user;
+ char *choice_list_id;
struct cert_auth_info *prev;
struct cert_auth_info *next;
};
@@ -141,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
free(cai->module_name);
free(cai->key_id);
free(cai->prompt_str);
+ free(cai->choice_list_id);
free(cai);
}
}
@@ -1698,7 +1700,15 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
ret = ENOMEM;
goto done;
}
- request->list.items[c].key = cai->key_id;
+ free(cai->choice_list_id);
+ ret = asprintf(&cai->choice_list_id, "%zu", c);
+ if (ret == -1) {
+ cai->choice_list_id = NULL;
+ ret = ENOMEM;
+ goto done;
+ }
+
+ request->list.items[c].key = cai->choice_list_id;
request->list.items[c++].text = prompt;
}
@@ -1719,7 +1729,7 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
}
DLIST_FOR_EACH(cai, pi->cert_list) {
- if (strcmp(response->key, cai->key_id) == 0) {
+ if (strcmp(response->key, cai->choice_list_id) == 0) {
pam_info(pamh, "Certificate %s selected", cai->key_id);
pi->selected_cert = cai;
ret = 0;
--
2.21.3


@ -1,58 +0,0 @@
From 8ca799ea968e548337acb0300642a0d88f1bba9b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 15:47:35 +0200
Subject: [PATCH 13/19] sysdb: make sysdb_update_subdomains() more robust
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some NULL checks are added basically to allow that missing values can be
set later.
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_subdomains.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index b170d1978..d256817a6 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -421,7 +421,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
}
/* in theory these may change, but it should never happen */
- if (strcasecmp(dom->realm, realm) != 0) {
+ if ((dom->realm == NULL && realm != NULL)
+ || (dom->realm != NULL && realm != NULL
+ && strcasecmp(dom->realm, realm) != 0)) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Realm name changed from [%s] to [%s]!\n",
dom->realm, realm);
@@ -432,7 +434,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
goto done;
}
}
- if (strcasecmp(dom->flat_name, flat) != 0) {
+ if ((dom->flat_name == NULL && flat != NULL)
+ || (dom->flat_name != NULL && flat != NULL
+ && strcasecmp(dom->flat_name, flat) != 0)) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Flat name changed from [%s] to [%s]!\n",
dom->flat_name, flat);
@@ -443,7 +447,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
goto done;
}
}
- if (strcasecmp(dom->domain_id, id) != 0) {
+ if ((dom->domain_id == NULL && id != NULL)
+ || (dom->domain_id != NULL && id != NULL
+ && strcasecmp(dom->domain_id, id) != 0)) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Domain changed from [%s] to [%s]!\n",
dom->domain_id, id);
--
2.21.3


@ -1,334 +0,0 @@
From d3089173dd8be85a83cf0236e116ba8e11326a6d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 16:51:02 +0200
Subject: [PATCH 14/19] ad: rename ad_master_domain_* to ad_domain_info_*
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ad_master_domain_{send|recv} are not specific to the master domain
so a more generic name seems to be suitable.
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_domain_info.c | 64 +++++++++++++++----------------
src/providers/ad/ad_domain_info.h | 10 ++---
src/providers/ad/ad_gpo.c | 8 ++--
src/providers/ad/ad_id.c | 14 +++----
src/providers/ad/ad_resolver.c | 8 ++--
src/providers/ad/ad_subdomains.c | 8 ++--
6 files changed, 56 insertions(+), 56 deletions(-)
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
index 5302c8083..52b2e2442 100644
--- a/src/providers/ad/ad_domain_info.c
+++ b/src/providers/ad/ad_domain_info.c
@@ -175,7 +175,7 @@ done:
return ret;
}
-struct ad_master_domain_state {
+struct ad_domain_info_state {
struct tevent_context *ev;
struct sdap_id_conn_ctx *conn;
struct sdap_id_op *id_op;
@@ -191,22 +191,22 @@ struct ad_master_domain_state {
char *sid;
};
-static errno_t ad_master_domain_next(struct tevent_req *req);
-static void ad_master_domain_next_done(struct tevent_req *subreq);
-static void ad_master_domain_netlogon_done(struct tevent_req *req);
+static errno_t ad_domain_info_next(struct tevent_req *req);
+static void ad_domain_info_next_done(struct tevent_req *subreq);
+static void ad_domain_info_netlogon_done(struct tevent_req *req);
struct tevent_req *
-ad_master_domain_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct sdap_id_conn_ctx *conn,
- struct sdap_id_op *op,
- const char *dom_name)
+ad_domain_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_conn_ctx *conn,
+ struct sdap_id_op *op,
+ const char *dom_name)
{
errno_t ret;
struct tevent_req *req;
- struct ad_master_domain_state *state;
+ struct ad_domain_info_state *state;
- req = tevent_req_create(mem_ctx, &state, struct ad_master_domain_state);
+ req = tevent_req_create(mem_ctx, &state, struct ad_domain_info_state);
if (!req) return NULL;
state->ev = ev;
@@ -216,7 +216,7 @@ ad_master_domain_send(TALLOC_CTX *mem_ctx,
state->opts = conn->id_ctx->opts;
state->dom_name = dom_name;
- ret = ad_master_domain_next(req);
+ ret = ad_domain_info_next(req);
if (ret != EOK && ret != EAGAIN) {
goto immediate;
}
@@ -234,14 +234,14 @@ immediate:
}
static errno_t
-ad_master_domain_next(struct tevent_req *req)
+ad_domain_info_next(struct tevent_req *req)
{
struct tevent_req *subreq;
struct sdap_search_base *base;
const char *master_sid_attrs[] = {AD_AT_OBJECT_SID, NULL};
- struct ad_master_domain_state *state =
- tevent_req_data(req, struct ad_master_domain_state);
+ struct ad_domain_info_state *state =
+ tevent_req_data(req, struct ad_domain_info_state);
base = state->opts->sdom->search_bases[state->base_iter];
if (base == NULL) {
@@ -261,13 +261,13 @@ ad_master_domain_next(struct tevent_req *req)
DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
return ENOMEM;
}
- tevent_req_set_callback(subreq, ad_master_domain_next_done, req);
+ tevent_req_set_callback(subreq, ad_domain_info_next_done, req);
return EAGAIN;
}
static void
-ad_master_domain_next_done(struct tevent_req *subreq)
+ad_domain_info_next_done(struct tevent_req *subreq)
{
errno_t ret;
size_t reply_count;
@@ -281,8 +281,8 @@ ad_master_domain_next_done(struct tevent_req *subreq)
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
- struct ad_master_domain_state *state =
- tevent_req_data(req, struct ad_master_domain_state);
+ struct ad_domain_info_state *state =
+ tevent_req_data(req, struct ad_domain_info_state);
ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
talloc_zfree(subreq);
@@ -293,7 +293,7 @@ ad_master_domain_next_done(struct tevent_req *subreq)
if (reply_count == 0) {
state->base_iter++;
- ret = ad_master_domain_next(req);
+ ret = ad_domain_info_next(req);
if (ret == EAGAIN) {
/* Async request will get us back here again */
return;
@@ -362,7 +362,7 @@ ad_master_domain_next_done(struct tevent_req *subreq)
goto done;
}
- tevent_req_set_callback(subreq, ad_master_domain_netlogon_done, req);
+ tevent_req_set_callback(subreq, ad_domain_info_netlogon_done, req);
return;
done:
@@ -370,7 +370,7 @@ done:
}
static void
-ad_master_domain_netlogon_done(struct tevent_req *subreq)
+ad_domain_info_netlogon_done(struct tevent_req *subreq)
{
int ret;
size_t reply_count;
@@ -378,8 +378,8 @@ ad_master_domain_netlogon_done(struct tevent_req *subreq)
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
- struct ad_master_domain_state *state =
- tevent_req_data(req, struct ad_master_domain_state);
+ struct ad_domain_info_state *state =
+ tevent_req_data(req, struct ad_domain_info_state);
ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
talloc_zfree(subreq);
@@ -422,15 +422,15 @@ done:
}
errno_t
-ad_master_domain_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- char **_flat,
- char **_id,
- char **_site,
- char **_forest)
+ad_domain_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ char **_flat,
+ char **_id,
+ char **_site,
+ char **_forest)
{
- struct ad_master_domain_state *state = tevent_req_data(req,
- struct ad_master_domain_state);
+ struct ad_domain_info_state *state = tevent_req_data(req,
+ struct ad_domain_info_state);
TEVENT_REQ_RETURN_ON_ERROR(req);
diff --git a/src/providers/ad/ad_domain_info.h b/src/providers/ad/ad_domain_info.h
index b96e8a3c3..631e543f5 100644
--- a/src/providers/ad/ad_domain_info.h
+++ b/src/providers/ad/ad_domain_info.h
@@ -22,22 +22,22 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef _AD_MASTER_DOMAIN_H_
-#define _AD_MASTER_DOMAIN_H_
+#ifndef _AD_DOMAIN_INFO_H_
+#define _AD_DOMAIN_INFO_H_
struct tevent_req *
-ad_master_domain_send(TALLOC_CTX *mem_ctx,
+ad_domain_info_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct sdap_id_conn_ctx *conn,
struct sdap_id_op *op,
const char *dom_name);
errno_t
-ad_master_domain_recv(struct tevent_req *req,
+ad_domain_info_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
char **_flat,
char **_id,
char **_site,
char **_forest);
-#endif /* _AD_MASTER_DOMAIN_H_ */
+#endif /* _AD_DOMAIN_INFO_H_ */
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 1524c4bfc..53560a754 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3151,11 +3151,11 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
- subreq = ad_master_domain_send(state, state->ev, conn,
- state->sdap_op, domain_name);
+ subreq = ad_domain_info_send(state, state->ev, conn,
+ state->sdap_op, domain_name);
if (subreq == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n");
ret = ENOMEM;
goto immediately;
}
@@ -3188,7 +3188,7 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
state = tevent_req_data(req, struct ad_gpo_process_som_state);
/* gpo code only cares about the site name */
- ret = ad_master_domain_recv(subreq, state, NULL, NULL, &site, NULL);
+ ret = ad_domain_info_recv(subreq, state, NULL, NULL, &site, NULL);
talloc_zfree(subreq);
if (ret != EOK || site == NULL) {
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 84e5c42ac..ca6486e03 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -663,12 +663,12 @@ ad_enumeration_conn_done(struct tevent_req *subreq)
return;
}
- subreq = ad_master_domain_send(state, state->ev,
- state->id_ctx->ldap_ctx,
- state->sdap_op,
- state->sdom->dom->name);
+ subreq = ad_domain_info_send(state, state->ev,
+ state->id_ctx->ldap_ctx,
+ state->sdap_op,
+ state->sdom->dom->name);
if (subreq == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n");
tevent_req_error(req, ret);
return;
}
@@ -687,8 +687,8 @@ ad_enumeration_master_done(struct tevent_req *subreq)
char *master_sid;
char *forest;
- ret = ad_master_domain_recv(subreq, state,
- &flat_name, &master_sid, NULL, &forest);
+ ret = ad_domain_info_recv(subreq, state,
+ &flat_name, &master_sid, NULL, &forest);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
diff --git a/src/providers/ad/ad_resolver.c b/src/providers/ad/ad_resolver.c
index b58f08ecf..c87706094 100644
--- a/src/providers/ad/ad_resolver.c
+++ b/src/providers/ad/ad_resolver.c
@@ -317,10 +317,10 @@ ad_resolver_enumeration_conn_done(struct tevent_req *subreq)
return;
}
- subreq = ad_master_domain_send(state, state->ev, id_ctx->conn,
- state->sdap_op, state->sdom->dom->name);
+ subreq = ad_domain_info_send(state, state->ev, id_ctx->conn,
+ state->sdap_op, state->sdom->dom->name);
if (subreq == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n");
tevent_req_error(req, ret);
return;
}
@@ -346,7 +346,7 @@ ad_resolver_enumeration_master_done(struct tevent_req *subreq)
char *forest;
struct ad_id_ctx *ad_id_ctx;
- ret = ad_master_domain_recv(subreq, state,
+ ret = ad_domain_info_recv(subreq, state,
&flat_name, &master_sid, NULL, &forest);
talloc_zfree(subreq);
if (ret != EOK) {
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 06fbdb0ef..c53962283 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1756,8 +1756,8 @@ static void ad_subdomains_refresh_connect_done(struct tevent_req *subreq)
}
/* connect to the DC we are a member of */
- subreq = ad_master_domain_send(state, state->ev, state->id_ctx->conn,
- state->sdap_op, state->sd_ctx->domain_name);
+ subreq = ad_domain_info_send(state, state->ev, state->id_ctx->conn,
+ state->sdap_op, state->sd_ctx->domain_name);
if (subreq == NULL) {
tevent_req_error(req, ENOMEM);
return;
@@ -1779,8 +1779,8 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_subdomains_refresh_state);
- ret = ad_master_domain_recv(subreq, state, &flat_name, &master_sid,
- NULL, &state->forest);
+ ret = ad_domain_info_recv(subreq, state, &flat_name, &master_sid,
+ NULL, &state->forest);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get master domain information "
--
2.21.3


@ -0,0 +1,208 @@
From b8800d3e1b43f2eb28b2df7adb2bcb323bf2d1f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Sat, 14 Nov 2020 17:52:35 +0100
Subject: [PATCH 15/16] pam_sss: add certificate label to reply to pam_sss
Add the certificate label to the data send back and forth to the pam
module to avoid the ambiguity if two certificates use the same key.
Resolves: https://github.com/SSSD/sssd/issues/5400
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/pam/pamsrv_p11.c | 13 ++++++++++---
src/sss_client/pam_sss.c | 15 +++++++++++++++
src/tests/cmocka/test_pam_srv.c | 20 ++++++++++++++++----
3 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 23f94927a..e1fd72e64 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -1086,11 +1086,13 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
const char *token_name;
const char *module_name;
const char *key_id;
+ const char *label;
char *prompt;
size_t user_len;
size_t token_len;
size_t module_len;
size_t key_id_len;
+ size_t label_len;
size_t prompt_len;
size_t nss_name_len;
const char *username = "";
@@ -1113,16 +1115,18 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
token_name = sss_cai_get_token_name(cert_info);
module_name = sss_cai_get_module_name(cert_info);
key_id = sss_cai_get_key_id(cert_info);
+ label = sss_cai_get_label(cert_info);
user_len = strlen(username) + 1;
token_len = strlen(token_name) + 1;
module_len = strlen(module_name) + 1;
key_id_len = strlen(key_id) + 1;
+ label_len = strlen(label) + 1;
prompt_len = strlen(prompt) + 1;
nss_name_len = strlen(nss_username) +1;
- msg_len = user_len + token_len + module_len + key_id_len + prompt_len
- + nss_name_len;
+ msg_len = user_len + token_len + module_len + key_id_len + label_len
+ + prompt_len + nss_name_len;
msg = talloc_zero_size(mem_ctx, msg_len);
if (msg == NULL) {
@@ -1136,8 +1140,11 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
memcpy(msg + user_len + token_len, module_name, module_len);
memcpy(msg + user_len + token_len + module_len, key_id, key_id_len);
memcpy(msg + user_len + token_len + module_len + key_id_len,
+ label, label_len);
+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len,
prompt, prompt_len);
- memcpy(msg + user_len + token_len + module_len + key_id_len + prompt_len,
+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len
+ + prompt_len,
nss_username, nss_name_len);
talloc_free(prompt);
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index cffbfa770..c539d6de6 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -142,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
free(cai->token_name);
free(cai->module_name);
free(cai->key_id);
+ free(cai->label);
free(cai->prompt_str);
free(cai->choice_list_id);
free(cai);
@@ -936,6 +937,20 @@ static int parse_cert_info(struct pam_items *pi, uint8_t *buf, size_t len,
goto done;
}
+ cai->label = strdup((char *) &buf[*p + offset]);
+ if (cai->label == NULL) {
+ D(("strdup failed"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ offset += strlen(cai->label) + 1;
+ if (offset >= len) {
+ D(("Cert message size mismatch"));
+ ret = EINVAL;
+ goto done;
+ }
+
cai->prompt_str = strdup((char *) &buf[*p + offset]);
if (cai->prompt_str == NULL) {
D(("strdup failed"));
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index cb05042de..5506fbf34 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -62,13 +62,16 @@
#define TEST_TOKEN_NAME "SSSD Test Token"
#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
+#define TEST_LABEL "SSSD test cert 0001"
#define TEST_MODULE_NAME SOFTHSM2_PATH
#define TEST_PROMPT "SSSD test cert 0001\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
#define TEST2_PROMPT "SSSD test cert 0002\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
#define TEST5_PROMPT "SSSD test cert 0005\nCN=SSSD test cert 0005,OU=SSSD test,O=SSSD"
#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
+#define TEST2_LABEL "SSSD test cert 0002"
#define TEST5_KEY_ID "1195833C424AB00297F582FC43FFFFAB47A64CC9"
+#define TEST5_LABEL "SSSD test cert 0005"
static char CACHED_AUTH_TIMEOUT_STR[] = "4";
static const int CACHED_AUTH_TIMEOUT = 4;
@@ -673,6 +676,7 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
+ sizeof(TEST_TOKEN_NAME)
+ sizeof(TEST_MODULE_NAME)
+ sizeof(TEST_KEY_ID)
+ + sizeof(TEST_LABEL)
+ sizeof(TEST_PROMPT)
+ sizeof("pamuser")));
@@ -692,6 +696,10 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
assert_string_equal(body + rp, TEST_KEY_ID);
rp += sizeof(TEST_KEY_ID);
+ assert_int_equal(*(body + rp + sizeof(TEST_LABEL) - 1), 0);
+ assert_string_equal(body + rp, TEST_LABEL);
+ rp += sizeof(TEST_LABEL);
+
assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0);
assert_string_equal(body + rp, TEST_PROMPT);
rp += sizeof(TEST_PROMPT);
@@ -740,6 +748,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
TEST_TOKEN_NAME,
TEST_MODULE_NAME,
TEST_KEY_ID,
+ TEST_LABEL,
TEST_PROMPT,
NULL,
NULL };
@@ -749,6 +758,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
TEST_TOKEN_NAME,
TEST_MODULE_NAME,
TEST2_KEY_ID,
+ TEST2_LABEL,
TEST2_PROMPT,
NULL,
NULL };
@@ -756,10 +766,10 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
assert_int_equal(status, 0);
check_strings[0] = name;
- check_strings[5] = nss_name;
+ check_strings[6] = nss_name;
check_len = check_string_array_len(check_strings);
check2_strings[0] = name;
- check2_strings[5] = nss_name;
+ check2_strings[6] = nss_name;
check2_len = check_string_array_len(check2_strings);
@@ -843,6 +853,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
TEST_TOKEN2_NAME,
TEST_MODULE_NAME,
TEST2_KEY_ID,
+ TEST2_LABEL,
TEST2_PROMPT,
NULL,
NULL };
@@ -850,7 +861,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
assert_int_equal(status, 0);
check2_strings[0] = name;
- check2_strings[5] = nss_name;
+ check2_strings[6] = nss_name;
check2_len = check_string_array_len(check2_strings);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
@@ -895,7 +906,7 @@ static int test_pam_cert_X_token_X_check_ex(uint32_t status, uint8_t *body,
assert_int_equal(status, 0);
check_strings[0] = name;
- check_strings[5] = nss_name;
+ check_strings[6] = nss_name;
check_len = check_string_array_len(check_strings);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
@@ -946,6 +957,7 @@ static int test_pam_cert5_check(uint32_t status, uint8_t *body, size_t blen)
TEST_TOKEN_NAME,
TEST_MODULE_NAME,
TEST5_KEY_ID,
+ TEST5_LABEL,
TEST5_PROMPT,
NULL,
NULL };
--
2.21.3
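Review bot: The packed certificate message built in pack_cert_data() (pamsrv_p11.c hunk) carries no version or field count, so inserting `label` between key_id and prompt means a responder and a pam_sss.so from different builds will silently misparse each other (the prompt is read as the label and everything after shifts) rather than fail cleanly. I would document the layout at the top of pack_cert_data(), e.g. `/* Wire layout consumed by parse_cert_info() in pam_sss.c: user\0token\0module\0key_id\0label\0prompt\0nss_name\0 -- both sides must change together */`, and confirm that the responder and client packages are version-locked so mixed builds cannot occur. Separately, `label_len = strlen(label) + 1;` has no NULL guard; if sss_cai_get_label() can return NULL for a certificate whose token reports no CKA_LABEL, this crashes the PAM responder, so either map it to an empty string with `if (label == NULL) label = "";` or return EINVAL before the length computation. pack_cert_data() and parse_cert_info() both begin and end outside their hunks.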


@ -1,117 +0,0 @@
From 9aa26f6514220bae3b3314f830e3e3f95fab2cf9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 21:18:13 +0200
Subject: [PATCH 15/19] sysdb: make new_subdomain() public
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb.h | 18 ++++++++++++++++++
src/db/sysdb_private.h | 19 -------------------
src/tests/cmocka/test_negcache.c | 1 -
src/tests/cmocka/test_nss_srv.c | 1 -
src/tests/cmocka/test_responder_cache_req.c | 1 -
5 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 64e546f5b..e4ed10b54 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -562,6 +562,24 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name);
errno_t sysdb_subdomain_content_delete(struct sysdb_ctx *sysdb,
const char *name);
+/* The utility function to create a subdomain sss_domain_info object is handy
+ * for unit tests, so it should be available in a headerr.
+ */
+struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *parent,
+ const char *name,
+ const char *realm,
+ const char *flat_name,
+ const char *id,
+ enum sss_domain_mpg_mode mpg_mode,
+ bool enumerate,
+ const char *forest,
+ const char **upn_suffixes,
+ uint32_t trust_direction,
+ struct confdb_ctx *confdb,
+ bool enabled);
+
+
errno_t sysdb_get_ranges(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
size_t *range_count,
struct range_info ***range_list);
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
index 3302919a6..70fe3fa18 100644
--- a/src/db/sysdb_private.h
+++ b/src/db/sysdb_private.h
@@ -196,25 +196,6 @@ int sysdb_replace_ulong(struct ldb_message *msg,
int sysdb_delete_ulong(struct ldb_message *msg,
const char *attr, unsigned long value);
-/* The utility function to create a subdomain sss_domain_info object is handy
- * for unit tests, so it should be available in a header, but not a public util
- * one, because the only interface for the daemon itself should be adding
- * the sysdb domain object and calling sysdb_update_subdomains()
- */
-struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *parent,
- const char *name,
- const char *realm,
- const char *flat_name,
- const char *id,
- enum sss_domain_mpg_mode mpg_mode,
- bool enumerate,
- const char *forest,
- const char **upn_suffixes,
- uint32_t trust_direction,
- struct confdb_ctx *confdb,
- bool enabled);
-
/* Helper functions to deal with the timestamp cache should not be used
* outside the sysdb itself. The timestamp cache should be completely
* opaque to the sysdb consumers
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 3ed1cb14a..b3a379227 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -38,7 +38,6 @@
#include "util/util_sss_idmap.h"
#include "lib/idmap/sss_idmap.h"
#include "util/util.h"
-#include "db/sysdb_private.h"
#include "responder/common/responder.h"
#include "responder/common/negcache.h"
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 3cd7809cf..99ba02a80 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -36,7 +36,6 @@
#include "util/crypto/sss_crypto.h"
#include "util/crypto/nss/nss_util.h"
#include "util/sss_endian.h"
-#include "db/sysdb_private.h" /* new_subdomain() */
#include "db/sysdb_iphosts.h"
#include "db/sysdb_ipnetworks.h"
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 2611c589b..68a651240 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -27,7 +27,6 @@
#include "tests/cmocka/common_mock_resp.h"
#include "db/sysdb.h"
#include "responder/common/cache_req/cache_req.h"
-#include "db/sysdb_private.h" /* new_subdomain() */
#define TESTS_PATH "tp_" BASE_FILE_STEM
#define TEST_CONF_DB "test_responder_cache_req_conf.ldb"
--
2.21.3


@ -1,89 +0,0 @@
From 2bad4d4b299440d33919a9fdb8c4d75814583e12 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 21:24:42 +0200
Subject: [PATCH 16/19] ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since the function can be used to get the id ctx of any domain the
'root' is removed from the name.
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index c53962283..a9a552ff7 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1231,37 +1231,37 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req)
}
static struct ad_id_ctx *
-ads_get_root_id_ctx(struct be_ctx *be_ctx,
- struct ad_id_ctx *ad_id_ctx,
- struct sss_domain_info *root_domain,
- struct sdap_options *opts)
+ads_get_dom_id_ctx(struct be_ctx *be_ctx,
+ struct ad_id_ctx *ad_id_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_options *opts)
{
errno_t ret;
struct sdap_domain *sdom;
- struct ad_id_ctx *root_id_ctx;
+ struct ad_id_ctx *dom_id_ctx;
- sdom = sdap_domain_get(opts, root_domain);
+ sdom = sdap_domain_get(opts, domain);
if (sdom == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
- "Cannot get the sdom for %s!\n", root_domain->name);
+ "Cannot get the sdom for %s!\n", domain->name);
return NULL;
}
if (sdom->pvt == NULL) {
- ret = ad_subdom_ad_ctx_new(be_ctx, ad_id_ctx, root_domain,
- &root_id_ctx);
+ ret = ad_subdom_ad_ctx_new(be_ctx, ad_id_ctx, domain,
+ &dom_id_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_subdom_ad_ctx_new failed.\n");
return NULL;
}
- sdom->pvt = root_id_ctx;
+ sdom->pvt = dom_id_ctx;
} else {
- root_id_ctx = sdom->pvt;
+ dom_id_ctx = sdom->pvt;
}
- root_id_ctx->ldap_ctx->ignore_mark_offline = true;
- return root_id_ctx;
+ dom_id_ctx->ldap_ctx->ignore_mark_offline = true;
+ return dom_id_ctx;
}
struct ad_get_root_domain_state {
@@ -1403,9 +1403,9 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
goto done;
}
- state->root_id_ctx = ads_get_root_id_ctx(state->be_ctx,
- state->sd_ctx->ad_id_ctx,
- root_domain, state->opts);
+ state->root_id_ctx = ads_get_dom_id_ctx(state->be_ctx,
+ state->sd_ctx->ad_id_ctx,
+ root_domain, state->opts);
if (state->root_id_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot create id ctx for the root domain\n");
ret = EFAULT;
--
2.21.3


@ -0,0 +1,265 @@
From f633f37e712cb0f7524a2ee257e15f34468149b4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Nov 2020 09:58:52 +0100
Subject: [PATCH 16/16] add tests multiple certs same id
Add unit test for the case that two certificates use the same key.
Resolves: https://github.com/SSSD/sssd/issues/5400
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tests/cmocka/test_pam_srv.c | 116 +++++++++++++++++++
src/tests/test_CA/Makefile.am | 26 ++++-
src/tests/test_CA/SSSD_test_cert_0006.config | 20 ++++
3 files changed, 161 insertions(+), 1 deletion(-)
create mode 100644 src/tests/test_CA/SSSD_test_cert_0006.config
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 5506fbf34..8ca5abd43 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -40,12 +40,14 @@
#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
#include "tests/test_CA/SSSD_test_cert_x509_0002.h"
#include "tests/test_CA/SSSD_test_cert_x509_0005.h"
+#include "tests/test_CA/SSSD_test_cert_x509_0006.h"
#include "tests/test_ECC_CA/SSSD_test_ECC_cert_x509_0001.h"
#else
#define SSSD_TEST_CERT_0001 ""
#define SSSD_TEST_CERT_0002 ""
#define SSSD_TEST_CERT_0005 ""
+#define SSSD_TEST_CERT_0006 ""
#define SSSD_TEST_ECC_CERT_0001 ""
#endif
@@ -1093,6 +1095,13 @@ static int test_pam_creds_insufficient_check(uint32_t status,
return EOK;
}
+static int test_pam_auth_err_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ /* PAM_AUTH_ERR is returned for different types of error, we use different
+ * names for the check functions to make the purpose more clear. */
+ return test_pam_wrong_pw_offline_auth_check(status, body, blen);
+}
+
static int test_pam_user_unknown_check(uint32_t status,
uint8_t *body, size_t blen)
{
@@ -2500,6 +2509,107 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
assert_int_equal(ret, EOK);
}
+/* The following three tests cover a use case where multiple certificates are
+ * using the same key-pair. According to PKCS#11 specs "The CKA_ID field is
+ * intended to distinguish among multiple keys. In the case of public and
+ * private keys, this field assists in handling multiple keys held by the same
+ * subject; the key identifier for a public key and its corresponding private
+ * key should be the same. The key identifier should also be the same as for
+ * the corresponding certificate, if one exists. Cryptoki does not enforce
+ * these associations, however." As a result certificates sharing the same
+ * key-pair will have the same id on the Smartcard. This means a second
+ * parameter is needed to distinguish them. We use the label here.
+ *
+ * The first test makes sure authentication fails is the label is missing, the
+ * second and third test make sure that each certificate can be selected with
+ * the proper label. */
+void test_pam_cert_auth_2certs_same_id_no_label(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ NULL, NULL,
+ NULL, SSSD_TEST_CERT_0001);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_auth_err_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_2certs_same_id_with_label_1(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ "SSSD test cert 0001", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_2certs_same_id_with_label_6(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ "SSSD test cert 0006", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0006);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
void test_pam_cert_preauth_uri_token1(void **state)
{
int ret;
@@ -3179,6 +3289,12 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_no_label,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_1,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_6,
+ pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index 0e0122737..8765d0fd6 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -6,6 +6,7 @@ dist_noinst_DATA = \
SSSD_test_cert_0003.config \
SSSD_test_cert_0004.config \
SSSD_test_cert_0005.config \
+ SSSD_test_cert_0006.config \
SSSD_test_cert_key_0001.pem \
SSSD_test_cert_key_0002.pem \
SSSD_test_cert_key_0003.pem \
@@ -25,7 +26,7 @@ pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids)))
pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
-extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id
if HAVE_FAKETIME
extra += SSSD_test_CA_expired_crl.pem
endif
@@ -41,6 +42,14 @@ $(pwdfile):
SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
+# SSSD_test_cert_0006 should use the same key as SSSD_test_cert_0001
+.INTERMEDIATE: SSSD_test_cert_req_0006.pem
+SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSSD_test_cert_0006.config
+ if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0006.config) -eq 0 ]; then \
+ $(OPENSSL) req -new -nodes -key $< -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
+ else \
+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
+ fi
SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config
if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_$*.config) -eq 0 ]; then \
@@ -52,6 +61,9 @@ SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test
SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem
$(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@
+SSSD_test_cert_pkcs12_0006.pem: SSSD_test_cert_x509_0006.pem $(srcdir)/SSSD_test_cert_key_0001.pem $(pwdfile)
+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_0006.pem -inkey $(srcdir)/SSSD_test_cert_key_0001.pem -nodes -passout file:$(pwdfile) -out $@
+
SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile)
$(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
@@ -130,6 +142,18 @@ softhsm2_ocsp.conf:
@echo "objectstore.backend = file" >> $@
@echo "slots.removable = true" >> $@
+softhsm2_2certs_same_id: softhsm2_2certs_same_id.conf SSSD_test_cert_x509_0001.pem SSSD_test_cert_x509_0006.pem
+ mkdir $@
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0006.pem --login --label 'SSSD test cert 0006' --id '11111111'
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id '11111111'
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id '11111111'
+
+softhsm2_2certs_same_id.conf:
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2certs_same_id" > $@
+ @echo "objectstore.backend = file" >> $@
+ @echo "slots.removable = true" >> $@
+
CLEANFILES = \
index.txt index.txt.attr \
index.txt.attr.old index.txt.old \
diff --git a/src/tests/test_CA/SSSD_test_cert_0006.config b/src/tests/test_CA/SSSD_test_cert_0006.config
new file mode 100644
index 000000000..762de55cd
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_0006.config
@@ -0,0 +1,20 @@
+# This certificate is used in
+# - src/tests/cmocka/test_pam_srv.c
+# and should use the same key-pair as SSSD_test_cert_0001
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test cert 0006
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd//
--
2.21.3

@ -1,44 +0,0 @@
From 8c642a542245a9f9fde5c2de9c96082b4c0d0963 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 11 May 2020 21:26:13 +0200
Subject: [PATCH 17/19] ad: remove unused trust_type from ad_subdom_store()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index a9a552ff7..198f5c916 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -576,7 +576,6 @@ ad_subdom_store(struct confdb_ctx *cdb,
enum idmap_error_code err;
struct ldb_message_element *el;
char *sid_str = NULL;
- uint32_t trust_type;
enum sss_domain_mpg_mode mpg_mode;
enum sss_domain_mpg_mode default_mpg_mode;
@@ -586,13 +585,6 @@ ad_subdom_store(struct confdb_ctx *cdb,
goto done;
}
- ret = sysdb_attrs_get_uint32_t(subdom_attrs, AD_AT_TRUST_TYPE,
- &trust_type);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_uint32_t failed.\n");
- goto done;
- }
-
ret = sysdb_attrs_get_string(subdom_attrs, AD_AT_TRUST_PARTNER, &name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "failed to get subdomain name\n");
--
2.21.3

@ -0,0 +1,53 @@
From 1e9abd508ea5627465d528788645d4dbe53d7d31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
Date: Wed, 2 Dec 2020 03:00:26 +0100
Subject: [PATCH 17/18] data_provider_be: Add random offset default
Replace hardcoded default value of 30 with more meaningful
OFFLINE_TIMEOUT_RANDOM_OFFSET define.
This value is used to calculate task timeout during offline
status checking by formula (from SSSD MAN page):
new_interval = (old_interval * 2) + random_offset
As it is explicite mentioned in documentation it should
be expressed in the code similar way.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/providers/data_provider_be.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 4c10d6b48..10421c6b4 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -51,6 +51,7 @@
#define ONLINE_CB_RETRY 3
#define ONLINE_CB_RETRY_MAX_DELAY 4
+#define OFFLINE_TIMEOUT_RANDOM_OFFSET 30
#define OFFLINE_TIMEOUT_DEFAULT 60
#define OFFLINE_TIMEOUT_MAX_DEFAULT 3600
@@ -152,9 +153,13 @@ void be_mark_offline(struct be_ctx *ctx)
offline_timeout = get_offline_timeout(ctx);
offline_timeout_max = get_offline_timeout_max(ctx);
- ret = be_ptask_create_sync(ctx, ctx,
- offline_timeout, offline_timeout,
- offline_timeout, 30, offline_timeout,
+ ret = be_ptask_create_sync(ctx,
+ ctx,
+ offline_timeout,
+ offline_timeout,
+ offline_timeout,
+ OFFLINE_TIMEOUT_RANDOM_OFFSET,
+ offline_timeout,
offline_timeout_max,
try_to_go_online,
ctx, "Check if online (periodic)",
--
2.21.3
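Review bot: OFFLINE_TIMEOUT_RANDOM_OFFSET is added at the `#define` line without a comment, so a reader of data_provider_be.c cannot tell that it is the upper bound of the random offset described for offline_timeout in sssd.conf(5), which is the very link the commit message gives as the reason for naming it. A one-line comment next to the define would keep the code and the man page in step: `/* Upper bound of the random offset added to the offline retry interval; keep in sync with the offline_timeout description in sssd.conf(5). */`. The be_ptask_create_sync() call in the second hunk sits inside be_mark_offline(), whose body starts and ends outside the hunk.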

@ -1,283 +0,0 @@
From 3ae3286d61ed796f0be7a1d72157af3687bc04a5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 21:26:16 +0200
Subject: [PATCH 18/19] ad: add ad_check_domain_{send|recv}
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This new request tries to get the basic domain information like domain
SID and NetBIOS domain name for a domain given by the name. To achieve
this the needed data is added to general domain structure and the SDAP
domain structure. If the domain data cannot be looked up the data is
removed again.
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 251 +++++++++++++++++++++++++++++++
1 file changed, 251 insertions(+)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 198f5c916..299aa7391 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -2143,3 +2143,254 @@ errno_t ad_subdomains_init(TALLOC_CTX *mem_ctx,
return EOK;
}
+
+struct ad_check_domain_state {
+ struct tevent_context *ev;
+ struct be_ctx *be_ctx;
+ struct sdap_id_op *sdap_op;
+ struct ad_id_ctx *dom_id_ctx;
+ struct sdap_options *opts;
+
+ const char *dom_name;
+ struct sss_domain_info *dom;
+ struct sss_domain_info *parent;
+ struct sdap_domain *sdom;
+
+ char *flat;
+ char *site;
+ char *forest;
+ char *sid;
+};
+
+static void ad_check_domain_connect_done(struct tevent_req *subreq);
+static void ad_check_domain_done(struct tevent_req *subreq);
+
+static int ad_check_domain_destructor(void *mem)
+{
+ struct ad_check_domain_state *state = talloc_get_type(mem,
+ struct ad_check_domain_state);
+
+ if (state->sdom != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Removing sdap domain [%s].\n",
+ state->dom->name);
+ sdap_domain_remove(state->opts, state->dom);
+ /* terminate all requests for this subdomain so we can free it */
+ dp_terminate_domain_requests(state->be_ctx->provider, state->dom->name);
+ talloc_zfree(state->sdom);
+ }
+
+ if (state->dom != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Removing domain [%s].\n", state->dom->name);
+ sss_domain_set_state(state->dom, DOM_DISABLED);
+ DLIST_REMOVE(state->be_ctx->domain->subdomains, state->dom);
+ talloc_zfree(state->dom);
+ }
+
+ return 0;
+}
+
+struct tevent_req *
+ad_check_domain_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct ad_id_ctx *ad_id_ctx,
+ const char *dom_name,
+ const char *parent_dom_name)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct ad_check_domain_state *state;
+
+ req = tevent_req_create(mem_ctx, &state, struct ad_check_domain_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->be_ctx = be_ctx;
+ state->opts = ad_id_ctx->sdap_id_ctx->opts;
+ state->dom_name = dom_name;
+ state->parent = NULL;
+ state->sdom = NULL;
+
+ state->dom = find_domain_by_name(be_ctx->domain, dom_name, true);
+ if (state->dom == NULL) {
+ state->parent = find_domain_by_name(be_ctx->domain, parent_dom_name,
+ true);
+ if (state->parent == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to find domain object for domain [%s].\n",
+ parent_dom_name);
+ ret = ENOENT;
+ goto immediately;
+ }
+
+ state->dom = new_subdomain(state->parent, state->parent, dom_name,
+ dom_name, NULL, NULL, MPG_DISABLED, false,
+ state->parent->forest,
+ NULL, 0, be_ctx->cdb, true);
+ if (state->dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "new_subdomain() failed.\n");
+ ret = EINVAL;
+ goto immediately;
+ }
+
+ talloc_set_destructor((TALLOC_CTX *) state, ad_check_domain_destructor);
+
+ DLIST_ADD_END(state->parent->subdomains, state->dom,
+ struct sss_domain_info *);
+
+ ret = sdap_domain_add(state->opts, state->dom, &state->sdom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_domain_subdom_add failed.\n");
+ goto immediately;
+ }
+
+ ret = ad_set_search_bases(ad_id_ctx->ad_options->id, state->sdom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "failed to set ldap search bases for "
+ "domain '%s'. Will try to use automatically detected search "
+ "bases.", state->sdom->dom->name);
+ }
+
+ }
+
+ state->dom_id_ctx = ads_get_dom_id_ctx(be_ctx, ad_id_ctx, state->dom,
+ state->opts);
+ if (state->dom_id_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ads_get_dom_id_ctx() failed.\n");
+ ret = EINVAL;
+ goto immediately;
+ }
+
+ state->sdap_op = sdap_id_op_create(state,
+ state->dom_id_ctx->sdap_id_ctx->conn->conn_cache);
+ if (state->sdap_op == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, ad_check_domain_connect_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void ad_check_domain_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_check_domain_state *state;
+ int ret;
+ int dp_error;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_check_domain_state);
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to LDAP "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ if (dp_error == DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "No AD server is available, "
+ "cannot get the subdomain list while offline\n");
+ ret = ERR_OFFLINE;
+ }
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = ad_domain_info_send(state, state->ev,
+ state->dom_id_ctx->sdap_id_ctx->conn,
+ state->sdap_op, state->dom_name);
+
+ tevent_req_set_callback(subreq, ad_check_domain_done, req);
+
+ return;
+}
+
+static void ad_check_domain_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_check_domain_state *state;
+ errno_t ret;
+
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_check_domain_state);
+
+ ret = ad_domain_info_recv(subreq, state, &state->flat, &state->sid,
+ &state->site, &state->forest);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup domain information "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s.\n", state->flat, state->sid,
+ state->site, state->forest);
+
+ /* New domain was successfully checked, remove destructor. */
+ talloc_set_destructor(state, NULL);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t ad_check_domain_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_flat,
+ char **_id,
+ char **_site,
+ char **_forest)
+{
+ struct ad_check_domain_state *state = tevent_req_data(req,
+ struct ad_check_domain_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_flat) {
+ *_flat = talloc_steal(mem_ctx, state->flat);
+ }
+
+ if (_site) {
+ *_site = talloc_steal(mem_ctx, state->site);
+ }
+
+ if (_forest) {
+ *_forest = talloc_steal(mem_ctx, state->forest);
+ }
+
+ if (_id) {
+ *_id = talloc_steal(mem_ctx, state->sid);
+ }
+
+ return EOK;
+}
--
2.21.3

@ -0,0 +1,59 @@
From 171b664ec4a7c94583b35597bd7e1e72bf89d217 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
Date: Wed, 2 Dec 2020 03:10:50 +0100
Subject: [PATCH 18/18] data_provider_be: MAN page update
Updated description of parameters:
* offline_timeout
* offline_timeout_max
MAN page now explains that in some circumstances
corelation of offline_timeout and offline_timeout_max values
may lead to offline checking interval not incrementing.
This is a false positive error as in fact the value
just saturates almost instantly.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/man/sssd.conf.5.xml | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index d637e2eaa..8b330de58 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -739,12 +739,12 @@
offline_timeout + random_offset
</para>
<para>
- The random offset can increment up to 30 seconds.
+ The random offset value is from 0 to 30.
After each unsuccessful attempt to go online,
the new interval is recalculated by the following:
</para>
<para>
- new_interval = old_interval*2 + random_offset
+ new_interval = (old_interval * 2) + random_offset
</para>
<para>
Note that the maximum length of each interval
@@ -769,6 +769,16 @@
<para>
A value of 0 disables the incrementing behaviour.
</para>
+ <para>
+ The value of this parameter should be set in correlation
+ to offline_timeout parameter value.
+ </para>
+ <para>
+ With offline_timeout set to 60 (default value) there is no point
+ in setting offlinet_timeout_max to less than 120 as it will
+ saturate instantly. General rule here should be to set
+ offline_timeout_max to at least 4 times offline_timeout.
+ </para>
<para>
Although a value between 0 and offline_timeout may be
specified, it has the effect of overriding the
--
2.21.3

@ -1,281 +0,0 @@
From e25e1e9228a6108d8e94f2e99f3004e6cbfc3349 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 12 May 2020 16:55:32 +0200
Subject: [PATCH 19/19] ad: check forest root directly if not present on local
DC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the information about the forest root domain cannot be read from the
local domain-controller it is tried to read it from a DC of the forest
root directly.
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 184 +++++++++++++++++++++++++++----
1 file changed, 164 insertions(+), 20 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 299aa7391..7c6f51db7 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -35,6 +35,10 @@
#include <ndr.h>
#include <ndr/ndr_nbt.h>
+/* Avoid that ldb_val is overwritten by data_blob.h */
+#undef ldb_val
+#include <ldb.h>
+
/* Attributes of AD trusted domains */
#define AD_AT_FLATNAME "flatName"
#define AD_AT_SID "securityIdentifier"
@@ -1258,15 +1262,37 @@ ads_get_dom_id_ctx(struct be_ctx *be_ctx,
struct ad_get_root_domain_state {
struct ad_subdomains_ctx *sd_ctx;
+ struct tevent_context *ev;
struct be_ctx *be_ctx;
struct sdap_idmap_ctx *idmap_ctx;
struct sdap_options *opts;
+ const char *domain;
+ const char *forest;
+ struct sysdb_attrs **reply;
+ size_t reply_count;
struct ad_id_ctx *root_id_ctx;
struct sysdb_attrs *root_domain_attrs;
};
static void ad_get_root_domain_done(struct tevent_req *subreq);
+static void ad_check_root_domain_done(struct tevent_req *subreq);
+static errno_t
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
+
+struct tevent_req *
+ad_check_domain_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct ad_id_ctx *ad_id_ctx,
+ const char *dom_name,
+ const char *parent_dom_name);
+errno_t ad_check_domain_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_flat,
+ char **_id,
+ char **_site,
+ char **_forest);
static struct tevent_req *
ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
@@ -1305,6 +1331,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
state->opts = opts = sd_ctx->sdap_id_ctx->opts;
state->be_ctx = sd_ctx->be_ctx;
state->idmap_ctx = opts->idmap_ctx;
+ state->ev = ev;
+ state->domain = domain;
+ state->forest = forest;
filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
if (filter == NULL) {
@@ -1340,17 +1369,14 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
{
struct tevent_req *req;
struct ad_get_root_domain_state *state;
- struct sysdb_attrs **reply;
- struct sss_domain_info *root_domain;
- size_t reply_count;
- bool has_changes;
errno_t ret;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_get_root_domain_state);
- ret = sdap_search_bases_return_first_recv(subreq, state, &reply_count,
- &reply);
+ ret = sdap_search_bases_return_first_recv(subreq, state,
+ &state->reply_count,
+ &state->reply);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
@@ -1358,19 +1384,142 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
goto done;
}
- if (reply_count == 0) {
- DEBUG(SSSDBG_OP_FAILURE, "No information provided for root domain\n");
- ret = ENOENT;
- goto done;
- } else if (reply_count > 1) {
+ if (state->reply_count == 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "No information provided for root domain, trying directly.\n");
+ subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
+ state->sd_ctx->ad_id_ctx, state->forest,
+ state->domain);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_check_domain_send() failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
+ return;
+ } else if (state->reply_count > 1) {
DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
"domain list might be incomplete!\n");
ret = ERR_MALFORMED_ENTRY;
goto done;
}
+ ret = ad_get_root_domain_refresh(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static void ad_check_root_domain_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_get_root_domain_state *state;
+ errno_t ret;
+ char *flat = NULL;
+ char *id = NULL;
+ enum idmap_error_code err;
+ struct ldb_val id_val;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_get_root_domain_state);
+
+ ret = ad_check_domain_recv(state, subreq, &flat, &id, NULL, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to check forest root information "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (flat == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "NetBIOS name of forest root not available.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (id == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Domain SID of forest root not available.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ state->reply = talloc_array(state, struct sysdb_attrs *, 1);
+ if (state->reply == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array() failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ state->reply[0] = sysdb_new_attrs(state->reply);
+ if (state->reply[0] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs() failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_FLATNAME, flat);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_TRUST_PARTNER,
+ state->forest);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
+ goto done;
+ }
+
+ err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
+ &id_val.data, &id_val.length);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not convert SID: [%s].\n", idmap_error_string(err));
+ ret = EFAULT;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_val(state->reply[0], AD_AT_SID, &id_val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
+ goto done;
+ }
+
+ state->reply_count = 1;
+
+ ret = ad_get_root_domain_refresh(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+{
+ struct sss_domain_info *root_domain;
+ bool has_changes;
+ errno_t ret;
+
ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
- reply, reply_count, true,
+ state->reply, state->reply_count, true,
&state->sd_ctx->last_refreshed,
&has_changes);
if (ret != EOK) {
@@ -1387,8 +1536,8 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
}
}
- state->root_domain_attrs = reply[0];
- root_domain = ads_get_root_domain(state->be_ctx, reply[0]);
+ state->root_domain_attrs = state->reply[0];
+ root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
if (root_domain == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
ret = EFAULT;
@@ -1407,12 +1556,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
ret = EOK;
done:
- if (ret != EOK) {
- tevent_req_error(req, ret);
- return;
- }
-
- tevent_req_done(req);
+ return ret;
}
static errno_t ad_get_root_domain_recv(TALLOC_CTX *mem_ctx,
--
2.21.3

@ -1,44 +0,0 @@
From d8d743870c459b5ff283c89d78b70d1684bd19a9 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Wed, 13 May 2020 09:45:56 +0200
Subject: [PATCH] man: Document invalid selinux context for homedirs
The default value of fallback_homedir expands into path, that is not
expected by selinux. Generally not only selinux might be affected by
this default value. This PR documents the issue and recommends
further steps.
Resolves:
https://github.com/SSSD/sssd/issues/5155
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
---
src/man/include/ad_modified_defaults.xml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
index 91623d57a..65c9a0140 100644
--- a/src/man/include/ad_modified_defaults.xml
+++ b/src/man/include/ad_modified_defaults.xml
@@ -92,6 +92,18 @@
this fallback behavior, you can explicitly
set "fallback_homedir = %o".
</para>
+ <para>
+ Note that the system typically expects a home directory
+ in /home/%u folder. If you decide to use a different
+ directory structure, some other parts of your system may
+ need adjustments.
+ </para>
+ <para>
+ For example automated creation of home directories in
+ combination with selinux requires selinux adjustment,
+ otherwise the home directory will be created with wrong
+ selinux context.
+ </para>
</listitem>
</itemizedlist>
</refsect2>
--
2.21.3

@ -0,0 +1,31 @@
From 45f2eb57dc9068cba13099cab90f1be3f3455442 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 2 Oct 2020 14:04:24 +0200
Subject: [PATCH 20/27] sss_format.h: include config.h
config.h is required for the definitions to work correctly. Compilation
will fail if sss_format.h is included in a file that does not include
directly or indirectly config.h
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/sss_format.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/util/sss_format.h b/src/util/sss_format.h
index 5cf080842..9a3041704 100644
--- a/src/util/sss_format.h
+++ b/src/util/sss_format.h
@@ -27,6 +27,8 @@
#ifndef __SSS_FORMAT_H__
#define __SSS_FORMAT_H__
+#include "config.h"
+
#include <inttypes.h>
/* key_serial_t is defined in keyutils.h as typedef int32_t */
--
2.21.3

@ -0,0 +1,59 @@
From 3b0e48c33c6b43688ff46fed576266cfe6362595 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 8 Oct 2020 13:25:17 +0200
Subject: [PATCH 21/27] packet: add sss_packet_set_body
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/common/responder_packet.c | 19 +++++++++++++++++++
src/responder/common/responder_packet.h | 5 +++++
2 files changed, 24 insertions(+)
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index ab15b1dac..f56d92276 100644
--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -302,6 +302,25 @@ void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen
*blen = sss_packet_get_len(packet) - SSS_NSS_HEADER_SIZE;
}
+errno_t sss_packet_set_body(struct sss_packet *packet,
+ uint8_t *body,
+ size_t blen)
+{
+ uint8_t *pbody;
+ size_t plen;
+ errno_t ret;
+
+ ret = sss_packet_grow(packet, blen);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ sss_packet_get_body(packet, &pbody, &plen);
+ memcpy(pbody, body, blen);
+
+ return EOK;
+}
+
void sss_packet_set_error(struct sss_packet *packet, int error)
{
SAFEALIGN_SETMEM_UINT32(packet->buffer + SSS_PACKET_ERR_OFFSET, error,
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
index afceb4aae..509a22a9a 100644
--- a/src/responder/common/responder_packet.h
+++ b/src/responder/common/responder_packet.h
@@ -42,4 +42,9 @@ uint32_t sss_packet_get_status(struct sss_packet *packet);
void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen);
void sss_packet_set_error(struct sss_packet *packet, int error);
+/* Grow packet and set its body. */
+errno_t sss_packet_set_body(struct sss_packet *packet,
+ uint8_t *body,
+ size_t blen);
+
#endif /* __SSSSRV_PACKET_H__ */
--
2.21.3
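Review bot: sss_packet_set_body() only reads through `body` (it is the source of the memcpy), so the parameter should be `const uint8_t *body` in both responder_packet.c and responder_packet.h; as declared, callers holding a const buffer have to cast it away. The copy also lands at the start of the body returned by sss_packet_get_body() rather than after any existing content, so if the packet already carries a body the first blen bytes are overwritten and the old tail survives, assuming sss_packet_grow() extends the current length by blen. The header comment `/* Grow packet and set its body. */` should state that precondition, e.g. `/* Grow the packet by blen bytes and copy body into the start of the packet body. Meant for a packet whose body is still empty; an existing body is overwritten from its start and its remainder left untouched. */`.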

@ -1,37 +0,0 @@
From 26c794da31c215fef3e41429f6f13afdaf349bee Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 3 Jun 2020 20:35:04 +0200
Subject: [PATCH 21/22] pam_sss: add SERVICE_IS_GDM_SMARTCARD
Resolves: https://github.com/SSSD/sssd/issues/5190
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/pam_sss.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 69b440774..7e59f0487 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -71,6 +71,8 @@
#define DEBUG_MGS_LEN 1024
#define MAX_AUTHTOK_SIZE (1024*1024)
#define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)")
+#define SERVICE_IS_GDM_SMARTCARD(pitem) (strcmp((pitem)->pam_service, \
+ "gdm-smartcard") == 0)
static void logger(pam_handle_t *pamh, int level, const char *fmt, ...) {
va_list ap;
@@ -2580,7 +2582,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
return PAM_AUTHINFO_UNAVAIL;
}
- if (strcmp(pi.pam_service, "gdm-smartcard") == 0
+ if (SERVICE_IS_GDM_SMARTCARD(&pi)
|| (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
ret = check_login_token_name(pamh, &pi, retries,
quiet_mode);
--
2.21.3

@ -0,0 +1,119 @@
From 6715b31f2e12c7f76cfb477551cee46e697c7d51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 8 Oct 2020 13:25:58 +0200
Subject: [PATCH 22/27] domain: store hostname and keytab path
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 45 +++++++++++++++++++++++++++++++++++++++
src/confdb/confdb.h | 6 ++++++
src/db/sysdb_subdomains.c | 12 +++++++++++
3 files changed, 63 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index d2fc018fd..f981ddf1e 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -871,6 +871,35 @@ done:
return ret;
}
+static char *confdb_get_domain_hostname(TALLOC_CTX *mem_ctx,
+ struct ldb_result *res,
+ const char *provider)
+{
+ char sys[HOST_NAME_MAX + 1] = {'\0'};
+ const char *opt = NULL;
+ int ret;
+
+ if (strcasecmp(provider, "ad") == 0) {
+ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ad_hostname", NULL);
+ } else if (strcasecmp(provider, "ipa") == 0) {
+ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ipa_hostname", NULL);
+ }
+
+ if (opt != NULL) {
+ return talloc_strdup(mem_ctx, opt);
+ }
+
+ ret = gethostname(sys, sizeof(sys));
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get hostname [%d]: %s\n", ret,
+ sss_strerror(ret));
+ return NULL;
+ }
+
+ return talloc_strdup(mem_ctx, sys);
+}
+
static int confdb_get_domain_internal(struct confdb_ctx *cdb,
TALLOC_CTX *mem_ctx,
const char *name,
@@ -1536,6 +1565,22 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ domain->hostname = confdb_get_domain_hostname(domain, res, domain->provider);
+ if (domain->hostname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain hostname\n");
+ goto done;
+ }
+
+ domain->krb5_keytab = NULL;
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], "krb5_keytab", NULL);
+ if (tmp != NULL) {
+ domain->krb5_keytab = talloc_strdup(domain, tmp);
+ if (domain->krb5_keytab == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain keytab!\n");
+ goto done;
+ }
+ }
+
domain->has_views = false;
domain->view_name = NULL;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index fd6d76cde..54e3f7380 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -425,6 +425,12 @@ struct sss_domain_info {
/* Do not use the _output_fqnames property directly in new code, but rather
* use sss_domain_info_{get,set}_output_fqnames(). */
bool output_fqnames;
+
+ /* Hostname associated with this domain. */
+ const char *hostname;
+
+ /* Keytab used by this domain. */
+ const char *krb5_keytab;
};
/**
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index d256817a6..5b42f9bdc 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -125,6 +125,18 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
}
}
+ dom->hostname = talloc_strdup(dom, parent->hostname);
+ if (dom->hostname == NULL && parent->hostname != NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy hostname.\n");
+ goto fail;
+ }
+
+ dom->krb5_keytab = talloc_strdup(dom, parent->krb5_keytab);
+ if (dom->krb5_keytab == NULL && parent->krb5_keytab != NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy krb5_keytab.\n");
+ goto fail;
+ }
+
dom->enumerate = enumerate;
dom->fqnames = true;
dom->mpg_mode = mpg_mode;
--
2.21.3
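Review bot: In the confdb_get_domain_internal() hunk, the new `goto done` after a NULL result from confdb_get_domain_hostname(), and the one after a failed talloc_strdup() of krb5_keytab, jump to the cleanup without assigning `ret`, so unless `ret` already holds an error at that point (its last assignment is outside the hunk) the function returns the status of the previous successful call and the caller proceeds as if the domain had been built. Set the code before each jump: `ret = ENOMEM;` preceding both `goto done;` lines. Note also that confdb_get_domain_hostname() returns NULL both when talloc_strdup() fails and when gethostname() fails, so the "Unable to get domain hostname" message at the call site conflates the two; the gethostname() branch already logs the errno, which is enough to tell them apart. confdb_get_domain_internal()'s body starts and ends outside the hunk.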

@ -1,80 +0,0 @@
From 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 3 Jun 2020 20:36:54 +0200
Subject: [PATCH 22/22] pam_sss: special handling for gdm-smartcard
The gdm-smartcard service is special since it is triggered by the
presence of a Smartcard and even in the case of an error it will
immediately try again. To break this loop we should ask for an user
input and asking for a PIN is most straight forward and would show the
same behavior as pam_pkcs11.
Additionally it does not make sense to fall back the a password prompt
for gdm-smartcard so also here a PIN prompt should be shown.
Resolves: https://github.com/SSSD/sssd/issues/5190
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/pam_sss.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 7e59f0487..093e53af5 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1835,8 +1835,13 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
struct pam_message m[2] = { { 0 }, { 0 } };
struct pam_response *resp = NULL;
struct cert_auth_info *cai = pi->selected_cert;
+ struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
+ NULL, NULL, NULL, NULL, NULL };
- if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
+ cai = &empty_cai;
+ } else if (cai == NULL || cai->token_name == NULL
+ || *cai->token_name == '\0') {
return PAM_SYSTEM_ERR;
}
@@ -2188,6 +2193,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
}
}
ret = prompt_sc_pin(pamh, pi);
+ } else if (SERVICE_IS_GDM_SMARTCARD(pi)) {
+ /* Use pin prompt as fallback for gdm-smartcard */
+ ret = prompt_sc_pin(pamh, pi);
} else {
ret = prompt_password(pamh, pi, _("Password: "));
}
@@ -2496,7 +2504,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
{
int ret;
int pam_status;
- struct pam_items pi;
+ struct pam_items pi = { 0 };
uint32_t flags = 0;
const int *exp_data;
int *pw_exp_data;
@@ -2570,7 +2578,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
/*
* Since we are only interested in the result message
* and will always use password authentication
- * as a fallback, errors can be ignored here.
+ * as a fallback (except for gdm-smartcard),
+ * errors can be ignored here.
*/
}
}
@@ -2588,7 +2597,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
quiet_mode);
if (ret != PAM_SUCCESS) {
D(("check_login_token_name failed.\n"));
- return ret;
}
}
--
2.21.3


@ -0,0 +1,70 @@
From a3e2677f919c6b1b1649ad80cc3435b4bb2efc0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 10 Dec 2020 19:28:58 +0100
Subject: [PATCH 23/27] cache_req: add helper to call user by upn search
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/common/cache_req/cache_req.h | 13 +++++++++++
.../cache_req/plugins/cache_req_user_by_upn.c | 23 +++++++++++++++++++
2 files changed, 36 insertions(+)
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index d36cb2d3b..d301a076e 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -277,6 +277,19 @@ cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
#define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \
cache_req_single_domain_recv(mem_ctx, req, _result)
+struct tevent_req *
+cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ const char *upn);
+
+#define cache_req_user_by_upn_recv(mem_ctx, req, _result) \
+ cache_req_single_domain_recv(mem_ctx, req, _result);
+
struct tevent_req *
cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
index e08ab70ae..037994c8c 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
@@ -133,3 +133,26 @@ const struct cache_req_plugin cache_req_user_by_upn = {
.dp_get_domain_send_fn = NULL,
.dp_get_domain_recv_fn = NULL,
};
+
+struct tevent_req *
+cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ const char *upn)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_name(mem_ctx, CACHE_REQ_USER_BY_UPN, upn);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ req_dom_type, domain,
+ data);
+}
--
2.21.3
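Review bot: The new `cache_req_user_by_upn_recv` macro in cache_req.h ends with a stray semicolon, `cache_req_single_domain_recv(mem_ctx, req, _result);`, whereas the neighbouring `cache_req_user_by_name_attrs_recv` macro in the same hunk expands to a bare expression; any use of the new macro inside an expression (an `if` condition, a function argument) will not compile. Drop the semicolon so it matches its sibling: `cache_req_single_domain_recv(mem_ctx, req, _result)`. The new cache_req_user_by_upn_send() in cache_req_user_by_upn.c is complete within the hunk and follows the existing allocate-data-then-steal pattern, so nothing to raise there beyond the NULL return on allocation failure being consistent with the other helpers.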


@ -1,36 +0,0 @@
From 31e57432537b9d248839159d83cfa9049faf192b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 19 Jun 2020 13:32:30 +0200
Subject: [PATCH] pam_sss: make sure old certificate data is removed before
retry
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To avoid that certificates will be shown in the certificate selection
which are not available anymore they must be remove before a new request
to look up the certificates is send to SSSD's PAM responder.
Resolves: https://github.com/SSSD/sssd/issues/5190
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sss_client/pam_sss.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index e3ad2c9b2..6a3ba2f50 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2467,6 +2467,8 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
&& strcmp(login_token_name,
pi->cert_list->token_name) != 0)) {
+ free_cert_list(pi->cert_list);
+ pi->cert_list = NULL;
if (retries < 0) {
ret = PAM_AUTHINFO_UNAVAIL;
goto done;
--
2.21.3


@ -0,0 +1,27 @@
From dcc42015f7ada1c4e4daed17e2c8087e29cb7616 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 1 Oct 2020 14:02:44 +0200
Subject: [PATCH 24/27] pam: fix typo in debug message
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/pam/pamsrv_cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1d0251497..acbfc0c39 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1941,7 +1941,7 @@ static void pam_check_user_search_next(struct tevent_req *req)
talloc_zfree(req);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE, "Cache lookup failed, trying to get fresh "
- "data from the backened.\n");
+ "data from the backend.\n");
}
DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
--
2.21.3


@ -1,34 +0,0 @@
From 66029529fa0f0e2d16999f22294822deeec5f60b Mon Sep 17 00:00:00 2001
From: Alejandro Visiedo <avisiedo@redhat.com>
Date: Thu, 11 Jun 2020 00:36:04 +0200
Subject: [PATCH] systemtap: Missing a comma
sssd_functions.stp was missing a comma.
Thanks to William Cohen for reporting the issue and the patch to fix it.
https://bugzilla.redhat.com/show_bug.cgi?id=1840194
Resolves: https://github.com/SSSD/sssd/issues/5201
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/systemtap/sssd_functions.stp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/systemtap/sssd_functions.stp b/src/systemtap/sssd_functions.stp
index 1eb140ccf..01f553177 100644
--- a/src/systemtap/sssd_functions.stp
+++ b/src/systemtap/sssd_functions.stp
@@ -7,7 +7,7 @@ global TARGET_ID=0, TARGET_AUTH=1, TARGET_ACCESS=2, TARGET_CHPASS=3,
global METHOD_CHECK_ONLINE=0, METHOD_ACCOUNT_HANDLER=1, METHOD_AUTH_HANDLER=2,
METHOD_ACCESS_HANDLER=3, METHOD_SELINUX_HANDLER=4, METHOD_SUDO_HANDLER=5,
METHOD_AUTOFS_HANDLER=6, METHOD_HOSTID_HANDLER=7, METHOD_DOMAINS_HANDLER=8,
- METHOD_RESOLVER_HANDLER=9 METHOD_SENTINEL=10
+ METHOD_RESOLVER_HANDLER=9, METHOD_SENTINEL=10
function acct_req_desc(entry_type)
{
--
2.21.3


@ -0,0 +1,280 @@
From d63172f1277c5ed166a22f04d144bf85ded4757c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 9 Oct 2020 13:03:54 +0200
Subject: [PATCH 25/27] pam: add pam_gssapi_services option
:config: Added `pam_gssapi_services` to list PAM services
that can authenticate using GSSAPI
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 12 +++++++++++
src/confdb/confdb.h | 4 ++++
src/config/SSSDConfig/sssdoptions.py | 1 +
src/config/SSSDConfigTest.py | 6 ++++--
src/config/cfg_rules.ini | 3 +++
src/config/etc/sssd.api.conf | 2 ++
src/db/sysdb_subdomains.c | 13 ++++++++++++
src/man/sssd.conf.5.xml | 30 ++++++++++++++++++++++++++++
src/responder/pam/pamsrv.c | 21 +++++++++++++++++++
src/responder/pam/pamsrv.h | 3 +++
10 files changed, 93 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index f981ddf1e..7f1956d6d 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1581,6 +1581,18 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
}
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
+ "-");
+ if (tmp != NULL) {
+ ret = split_on_separator(domain, tmp, ',', true, true,
+ &domain->gssapi_services, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES);
+ goto done;
+ }
+ }
+
domain->has_views = false;
domain->view_name = NULL;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 54e3f7380..7a3bc8bb5 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -144,6 +144,7 @@
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
#define CONFDB_PAM_P11_URI "p11_uri"
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
+#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
@@ -431,6 +432,9 @@ struct sss_domain_info {
/* Keytab used by this domain. */
const char *krb5_keytab;
+
+ /* List of PAM services that are allowed to authenticate with GSSAPI. */
+ char **gssapi_services;
};
/**
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index de96db6f4..f59fe8d9f 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -104,6 +104,7 @@ class SSSDOptions(object):
'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
+ 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
# [sudo]
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 323be5ed3..21fffe1b6 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -653,7 +653,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'full_name_format',
're_expression',
'cached_auth_timeout',
- 'auto_private_groups']
+ 'auto_private_groups',
+ 'pam_gssapi_services']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -1030,7 +1031,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'full_name_format',
're_expression',
'cached_auth_timeout',
- 'auto_private_groups']
+ 'auto_private_groups',
+ 'pam_gssapi_services']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 773afd8bb..c6dfd5648 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -139,6 +139,7 @@ option = pam_p11_allowed_services
option = p11_wait_for_card_timeout
option = p11_uri
option = pam_initgroups_scheme
+option = pam_gssapi_services
[rule/allowed_sudo_options]
validator = ini_allowed_options
@@ -437,6 +438,7 @@ option = wildcard_limit
option = full_name_format
option = re_expression
option = auto_private_groups
+option = pam_gssapi_services
#Entry cache timeouts
option = entry_cache_user_timeout
@@ -831,6 +833,7 @@ option = ad_backup_server
option = ad_site
option = use_fully_qualified_names
option = auto_private_groups
+option = pam_gssapi_services
[rule/sssd_checks]
validator = sssd_checks
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 623160ffd..f46f3c46d 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -80,6 +80,7 @@ pam_p11_allowed_services = str, None, false
p11_wait_for_card_timeout = int, None, false
p11_uri = str, None, false
pam_initgroups_scheme = str, None, false
+pam_gssapi_services = str, None, false
[sudo]
# sudo service
@@ -199,6 +200,7 @@ cached_auth_timeout = int, None, false
full_name_format = str, None, false
re_expression = str, None, false
auto_private_groups = str, None, false
+pam_gssapi_services = str, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 5b42f9bdc..bfc6df0f5 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -184,6 +184,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->homedir_substr = parent->homedir_substr;
dom->override_gid = parent->override_gid;
+ dom->gssapi_services = parent->gssapi_services;
+
if (parent->sysdb == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
goto fail;
@@ -241,6 +243,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
sd_conf_path, CONFDB_DOMAIN_FQ,
subdomain->fqnames ? "TRUE" : "FALSE");
+ /* allow to set pam_gssapi_services */
+ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
+ CONFDB_PAM_GSSAPI_SERVICES,
+ &subdomain->gssapi_services);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get %s option for the subdomain: %s\n",
+ CONFDB_PAM_GSSAPI_SERVICES, subdomain->name);
+ goto done;
+ }
+
ret = EOK;
done:
talloc_free(tmp_ctx);
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index d247400bf..db9dd4677 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1706,6 +1706,35 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_gssapi_services</term>
+ <listitem>
+ <para>
+ Comma separated list of PAM services that are
+ allowed to try GSSAPI authentication using
+ pam_sss_gss.so module.
+ </para>
+ <para>
+ To disable GSSAPI authentication, set this option
+ to <quote>-</quote> (dash).
+ </para>
+ <para>
+ Note: This option can also be set per-domain which
+ overwrites the value in [pam] section. It can also
+ be set for trusted domain which overwrites the value
+ in the domain section.
+ </para>
+ <para>
+ Example:
+ <programlisting>
+pam_gssapi_services = sudo, sudo-i
+ </programlisting>
+ </para>
+ <para>
+ Default: - (GSSAPI authentication is disabled)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
@@ -3780,6 +3809,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
<para>ad_backup_server,</para>
<para>ad_site,</para>
<para>use_fully_qualified_names</para>
+ <para>pam_gssapi_services</para>
<para>
For more details about these options see their individual description
in the manual page.
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 1f1ee608b..0492569c7 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -327,6 +327,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
}
}
+ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_GSSAPI_SERVICES, "-", &tmpstr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to determine gssapi services.\n");
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
+ CONFDB_PAM_GSSAPI_SERVICES);
+
+ if (tmpstr != NULL) {
+ ret = split_on_separator(pctx, tmpstr, ',', true, true,
+ &pctx->gssapi_services, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "split_on_separator() failed [%d]: [%s].\n", ret,
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
/* The responder is initialized. Now tell it to the monitor. */
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
SSS_PAM_SBUS_SERVICE_NAME,
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 24d307a14..730dee288 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -62,6 +62,9 @@ struct pam_ctx {
int num_prompting_config_sections;
enum pam_initgroups_scheme initgroups_scheme;
+
+ /* List of PAM services that are allowed to authenticate with GSSAPI. */
+ char **gssapi_services;
};
struct pam_auth_req {
--
2.21.3
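Review bot: In the confdb.c hunk, `ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES, "-")` supplies "-" as the default, so `tmp` is never NULL and every domain gets a gssapi_services list of `{"-"}` even when the option is absent from its section. If the PAM responder (not part of this patch) prefers `domain->gssapi_services` whenever it is non-NULL, the [pam]-section list read in pam_process_init would never take effect, which contradicts the man page text saying the per-domain value overrides [pam] only when set; since this list is an authorization allowlist, the precedence should be pinned explicitly. Passing `NULL` as the default in the confdb.c call, `tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES, NULL);`, would let unset domains fall back to the responder-level value. Separately, `dom->gssapi_services = parent->gssapi_services;` in new_subdomain shares the parent's array by pointer, unlike the talloc_strdup copies used for hostname and krb5_keytab; that is safe only while the subdomain remains a talloc child of the parent and deserves a comment saying so. confdb_get_domain_internal, new_subdomain and pam_process_init all begin outside their hunks.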


@ -1,94 +0,0 @@
From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 26 Jun 2020 12:07:48 +0200
Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils
target
To avoid regression for case where files is used for proxy but authentication
is handled by other module then pam_unix. E.g. auth_provider = krb
This provides different solution to the ticket and improves the documentation.
Resolves:
https://github.com/SSSD/sssd/issues/5129
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 25 ++++++++++++++++++++-----
src/man/sssd.conf.5.xml | 12 +++++++++---
2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 65ad18dcf..c2daa9a2c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
struct sss_domain_info *domain;
struct ldb_result *res;
TALLOC_CTX *tmp_ctx;
- const char *tmp;
+ const char *tmp, *tmp_pam_target, *tmp_auth;
int ret, val;
uint32_t entry_cache_timeout;
char *default_domain;
@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) {
- /* The password field must be reported as 'x' for proxy provider
- * using files library, else pam_unix won't
- * authenticate this entry. */
+ /* The password field must be reported as 'x' for proxy provider
+ * using files library, else pam_unix won't authenticate this entry.
+ * We set this only for sssd-shadowutils target which can be used
+ * to authenticate with pam_unix only. Otherwise we let administrator
+ * to overwrite default * value with pwfield option to avoid regression
+ * on more common use case where remote authentication is required. */
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
CONFDB_PROXY_LIBNAME,
NULL);
- if (tmp != NULL && strcasecmp(tmp, "files") == 0) {
+
+ tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_AUTH_PROVIDER,
+ NULL);
+
+ tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_PROXY_PAM_TARGET,
+ NULL);
+
+ if (tmp != NULL && tmp_pam_target != NULL
+ && strcasecmp(tmp, "files") == 0
+ && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0)
+ && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) {
domain->pwfield = "x";
}
}
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cae24bb63..44b3b8f20 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u
<quote>password</quote> field.
</para>
<para>
- This option can also be set per-domain.
+ Default: <quote>*</quote>
</para>
<para>
- Default: <quote>*</quote> (remote domains)
- or <quote>x</quote> (the files domain)
+ Note: This option can also be set per-domain which
+ overwrites the value in [nss] section.
+ </para>
+ <para>
+ Default: <quote>not set</quote> (remote domains),
+ <quote>x</quote> (the files domain),
+ <quote>x</quote> (proxy domain with nss_files
+ and sssd-shadowutils target)
</para>
</listitem>
</varlistentry>
--
2.21.3


@ -1,291 +0,0 @@
From 8969c43dc2d8d0800c2f0b509d078378db855622 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 23 Jun 2020 12:05:08 +0200
Subject: [PATCH] files: allow root membership
There are two use cases that do not work with files provider:
1. User has primary GID 0:
This is fine by itself since SSSD does not store this user in cache and it is
handled only by `nss_files` so the user (`tuser`) is returned correctly. The
problem is when you try to resolve group that the user is member of. In this
case that the membership is missing the group (but only if the user was
previously resolved and thus stored in negative cache).
```
tuser:x:1001:0::/home/tuser:/bin/bash
tuser:x:1001:tuser
// tuser@files is ghost member of the group so it is returned because it is not in negative cache
$ getent group tuser
tuser:x:1001:tuser
// expire memcache
// tuser@files is ghost member but not returned because it is in negative cache
$ id tuser // returned from nss_files
uid=1001(tuser) gid=0(root) groups=0(root),1001(tuser)
[pbrezina /dev/shm/sssd]$ getent group tuser
tuser:x:1001:
```
**2. root is member of other group**
The root member is missing from the membership since it was filtered out by
negative cache.
```
tuser:x:1001:root
$ id root
uid=0(root) gid=0(root) groups=0(root),1001(tuser)
[pbrezina /dev/shm/sssd]$ getent group tuser
tuser:x:1001:
```
In files provider, only the users that we do not want to managed are stored
as ghost member, therefore we can let nss_files handle group that has ghost
members.
Tests are changed as well to work with this behavior. Users are added when
required and ghost are expected to return ENOENT.
Resolves:
https://github.com/SSSD/sssd/issues/5170
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nss_protocol_grent.c | 18 +++++++
src/tests/intg/files_ops.py | 13 +++++
src/tests/intg/test_files_provider.py | 73 ++++++++++++++++----------
3 files changed, 77 insertions(+), 27 deletions(-)
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 9c443d0e7..6d8e71083 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -141,6 +141,24 @@ nss_protocol_fill_members(struct sss_packet *packet,
members[0] = nss_get_group_members(domain, msg);
members[1] = nss_get_group_ghosts(domain, msg, group_name);
+ if (is_files_provider(domain) && members[1] != NULL) {
+ /* If there is a ghost member in files provider it means that we
+ * did not store the user on purpose (e.g. it has uid or gid 0).
+ * Therefore nss_files does handle the user and therefore we
+ * must let nss_files to also handle this group in order to
+ * provide correct membership. */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Unknown members found. nss_files will handle it.\n");
+
+ ret = sss_ncache_set_group(rctx->ncache, false, domain, group_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_ncache_set_group failed.\n");
+ }
+
+ ret = ENOENT;
+ goto done;
+ }
+
sss_packet_get_body(packet, &body, &body_len);
num_members = 0;
diff --git a/src/tests/intg/files_ops.py b/src/tests/intg/files_ops.py
index c1c4465e7..57959f501 100644
--- a/src/tests/intg/files_ops.py
+++ b/src/tests/intg/files_ops.py
@@ -103,6 +103,13 @@ class FilesOps(object):
contents = self._read_contents()
+ def _has_line(self, key):
+ try:
+ self._get_named_line(key, self._read_contents())
+ return True
+ except KeyError:
+ return False
+
class PasswdOps(FilesOps):
"""
@@ -132,6 +139,9 @@ class PasswdOps(FilesOps):
def userdel(self, name):
self._del_line(name)
+ def userexist(self, name):
+ return self._has_line(name)
+
class GroupOps(FilesOps):
"""
@@ -158,3 +168,6 @@ class GroupOps(FilesOps):
def groupdel(self, name):
self._del_line(name)
+
+ def groupexist(self, name):
+ return self._has_line(name)
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 023333020..90be198c3 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -60,11 +60,13 @@ OV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010,
dir='/home/ov/user1',
shell='/bin/ov_user1_shell')
-ALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001,
+ALT_USER1 = dict(name='alt_user1', passwd='x', uid=60001, gid=70001,
gecos='User for tests from alt files',
dir='/home/altuser1',
shell='/bin/bash')
+ALL_USERS = [CANARY, USER1, USER2, OV_USER1, ALT_USER1]
+
CANARY_GR = dict(name='canary',
gid=300001,
mem=[])
@@ -365,21 +367,34 @@ def setup_pw_with_canary(passwd_ops_setup):
return setup_pw_with_list(passwd_ops_setup, [CANARY])
-def setup_gr_with_list(grp_ops, group_list):
+def add_group_members(pwd_ops, group):
+ members = {x['name']: x for x in ALL_USERS}
+ for member in group['mem']:
+ if pwd_ops.userexist(member):
+ continue
+
+ pwd_ops.useradd(**members[member])
+
+
+def setup_gr_with_list(pwd_ops, grp_ops, group_list):
for group in group_list:
+ add_group_members(pwd_ops, group)
grp_ops.groupadd(**group)
+
ent.assert_group_by_name(CANARY_GR['name'], CANARY_GR)
return grp_ops
@pytest.fixture
-def add_group_with_canary(group_ops_setup):
- return setup_gr_with_list(group_ops_setup, [GROUP1, CANARY_GR])
+def add_group_with_canary(passwd_ops_setup, group_ops_setup):
+ return setup_gr_with_list(
+ passwd_ops_setup, group_ops_setup, [GROUP1, CANARY_GR]
+ )
@pytest.fixture
-def setup_gr_with_canary(group_ops_setup):
- return setup_gr_with_list(group_ops_setup, [CANARY_GR])
+def setup_gr_with_canary(passwd_ops_setup, group_ops_setup):
+ return setup_gr_with_list(passwd_ops_setup, group_ops_setup, [CANARY_GR])
def poll_canary(fn, name, threshold=20):
@@ -766,7 +781,9 @@ def test_gid_zero_does_not_resolve(files_domain_only):
assert res == NssReturnCode.NOTFOUND
-def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only):
+def test_add_remove_add_file_group(
+ setup_pw_with_canary, setup_gr_with_canary, files_domain_only
+):
"""
Test that removing a group is detected and the group
is removed from the sssd database. Similarly, an add
@@ -776,6 +793,7 @@ def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only):
res, group = call_sssd_getgrnam(GROUP1["name"])
assert res == NssReturnCode.NOTFOUND
+ add_group_members(setup_pw_with_canary, GROUP1)
setup_gr_with_canary.groupadd(**GROUP1)
check_group(GROUP1)
@@ -817,8 +835,10 @@ def test_mod_group_gid(add_group_with_canary, files_domain_only):
@pytest.fixture
-def add_group_nomem_with_canary(group_ops_setup):
- return setup_gr_with_list(group_ops_setup, [GROUP_NOMEM, CANARY_GR])
+def add_group_nomem_with_canary(passwd_ops_setup, group_ops_setup):
+ return setup_gr_with_list(
+ passwd_ops_setup, group_ops_setup, [GROUP_NOMEM, CANARY_GR]
+ )
def test_getgrnam_no_members(add_group_nomem_with_canary, files_domain_only):
@@ -911,16 +931,19 @@ def test_getgrnam_ghost(setup_pw_with_canary,
setup_gr_with_canary,
files_domain_only):
"""
- Test that a group with members while the members are not present
- are added as ghosts. This is also what nss_files does, getgrnam would
- return group members that do not exist as well.
+ Test that group if not found (and will be handled by nss_files) if there
+ are any ghost members.
"""
user_and_group_setup(setup_pw_with_canary,
setup_gr_with_canary,
[],
[GROUP12],
False)
- check_group(GROUP12)
+
+ time.sleep(1)
+ res, group = call_sssd_getgrnam(GROUP12["name"])
+ assert res == NssReturnCode.NOTFOUND
+
for member in GROUP12['mem']:
res, _ = call_sssd_getpwnam(member)
assert res == NssReturnCode.NOTFOUND
@@ -932,7 +955,10 @@ def ghost_and_member_test(pw_ops, grp_ops, reverse):
[USER1],
[GROUP12],
reverse)
- check_group(GROUP12)
+
+ time.sleep(1)
+ res, group = call_sssd_getgrnam(GROUP12["name"])
+ assert res == NssReturnCode.NOTFOUND
# We checked that the group added has the same members as group12,
# so both user1 and user2. Now check that user1 is a member of
@@ -1027,28 +1053,21 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
modgroup = dict(GROUP_NOMEM)
modgroup['mem'] = ['user1', 'user2']
add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup)
- check_group(modgroup)
+ time.sleep(1)
+ res, group = call_sssd_getgrnam(modgroup['name'])
+ assert res == sssd_id.NssReturnCode.NOTFOUND
modgroup['mem'] = ['user2']
add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup)
- check_group(modgroup)
+ time.sleep(1)
+ res, group = call_sssd_getgrnam(modgroup['name'])
+ assert res == sssd_id.NssReturnCode.NOTFOUND
res, _ = call_sssd_getpwnam('user1')
assert res == NssReturnCode.NOTFOUND
res, _ = call_sssd_getpwnam('user2')
assert res == NssReturnCode.NOTFOUND
- # Add this user and verify it's been added as a member
- pwd_ops.useradd(**USER2)
- # The negative cache might still have user2 from the previous request,
- # flushing the caches might help to prevent a failed lookup after adding
- # the user.
- subprocess.call(["sss_cache", "-E"])
- res, groups = sssd_id_sync('user2')
- assert res == sssd_id.NssReturnCode.SUCCESS
- assert len(groups) == 2
- assert 'group_nomem' in groups
-
def realloc_users(pwd_ops, num):
# Intentionally not including the last one because
--
2.21.3


@ -0,0 +1,250 @@
From fffe3169bb490c4b010b168c639aa6f9b2ec0c52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 10 Dec 2020 22:05:30 +0100
Subject: [PATCH 26/27] pam: add pam_gssapi_check_upn option
:config: Added `pam_gssapi_check_upn` to enforce authentication
only with principal that can be associated with target user.
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 10 ++++++++++
src/confdb/confdb.h | 2 ++
src/config/SSSDConfig/sssdoptions.py | 1 +
src/config/SSSDConfigTest.py | 6 ++++--
src/config/cfg_rules.ini | 3 +++
src/config/etc/sssd.api.conf | 2 ++
src/db/sysdb_subdomains.c | 12 ++++++++++++
src/man/sssd.conf.5.xml | 26 ++++++++++++++++++++++++++
src/responder/pam/pamsrv.c | 9 +++++++++
src/responder/pam/pamsrv.h | 1 +
10 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 7f1956d6d..2881ce5da 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1593,6 +1593,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
}
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_CHECK_UPN,
+ NULL);
+ if (tmp != NULL) {
+ domain->gssapi_check_upn = talloc_strdup(domain, tmp);
+ if (domain->gssapi_check_upn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
domain->has_views = false;
domain->view_name = NULL;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 7a3bc8bb5..036f9ecad 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -145,6 +145,7 @@
#define CONFDB_PAM_P11_URI "p11_uri"
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
+#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
@@ -435,6 +436,7 @@ struct sss_domain_info {
/* List of PAM services that are allowed to authenticate with GSSAPI. */
char **gssapi_services;
+ char *gssapi_check_upn; /* true | false | NULL */
};
/**
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index f59fe8d9f..5da52a937 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -105,6 +105,7 @@ class SSSDOptions(object):
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
+ 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
# [sudo]
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 21fffe1b6..ea4e4f6c9 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -654,7 +654,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
're_expression',
'cached_auth_timeout',
'auto_private_groups',
- 'pam_gssapi_services']
+ 'pam_gssapi_services',
+ 'pam_gssapi_check_upn']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -1032,7 +1033,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
're_expression',
'cached_auth_timeout',
'auto_private_groups',
- 'pam_gssapi_services']
+ 'pam_gssapi_services',
+ 'pam_gssapi_check_upn']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index c6dfd5648..6642c6321 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -140,6 +140,7 @@ option = p11_wait_for_card_timeout
option = p11_uri
option = pam_initgroups_scheme
option = pam_gssapi_services
+option = pam_gssapi_check_upn
[rule/allowed_sudo_options]
validator = ini_allowed_options
@@ -439,6 +440,7 @@ option = full_name_format
option = re_expression
option = auto_private_groups
option = pam_gssapi_services
+option = pam_gssapi_check_upn
#Entry cache timeouts
option = entry_cache_user_timeout
@@ -834,6 +836,7 @@ option = ad_site
option = use_fully_qualified_names
option = auto_private_groups
option = pam_gssapi_services
+option = pam_gssapi_check_upn
[rule/sssd_checks]
validator = sssd_checks
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index f46f3c46d..d3cad7380 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -81,6 +81,7 @@ p11_wait_for_card_timeout = int, None, false
p11_uri = str, None, false
pam_initgroups_scheme = str, None, false
pam_gssapi_services = str, None, false
+pam_gssapi_check_upn = bool, None, false
[sudo]
# sudo service
@@ -201,6 +202,7 @@ full_name_format = str, None, false
re_expression = str, None, false
auto_private_groups = str, None, false
pam_gssapi_services = str, None, false
+pam_gssapi_check_upn = bool, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index bfc6df0f5..03ba12164 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -254,6 +254,18 @@ check_subdom_config_file(struct confdb_ctx *confdb,
goto done;
}
+ /* allow to set pam_gssapi_check_upn */
+ ret = confdb_get_string(confdb, subdomain, sd_conf_path,
+ CONFDB_PAM_GSSAPI_CHECK_UPN,
+ subdomain->parent->gssapi_check_upn,
+ &subdomain->gssapi_check_upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get %s option for the subdomain: %s\n",
+ CONFDB_PAM_GSSAPI_CHECK_UPN, subdomain->name);
+ goto done;
+ }
+
ret = EOK;
done:
talloc_free(tmp_ctx);
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index db9dd4677..d637e2eaa 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1735,6 +1735,31 @@ pam_gssapi_services = sudo, sudo-i
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_gssapi_check_upn</term>
+ <listitem>
+ <para>
+ If True, SSSD will require that the Kerberos user
+ principal that successfully authenticated through
+ GSSAPI can be associated with the user who is being
+ authenticated. Authentication will fail if the check
+ fails.
+ </para>
+ <para>
+ If False, every user that is able to obtained
+ required service ticket will be authenticated.
+ </para>
+ <para>
+ Note: This option can also be set per-domain which
+ overwrites the value in [pam] section. It can also
+ be set for trusted domain which overwrites the value
+ in the domain section.
+ </para>
+ <para>
+ Default: True
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
@@ -3810,6 +3835,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
<para>ad_site,</para>
<para>use_fully_qualified_names</para>
<para>pam_gssapi_services</para>
+ <para>pam_gssapi_check_upn</para>
<para>
For more details about these options see their individual description
in the manual page.
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 0492569c7..0db2824ff 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -348,6 +348,15 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
}
}
+ ret = confdb_get_bool(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_GSSAPI_CHECK_UPN, true,
+ &pctx->gssapi_check_upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read %s [%d]: %s\n",
+ CONFDB_PAM_GSSAPI_CHECK_UPN, ret, sss_strerror(ret));
+ goto done;
+ }
+
/* The responder is initialized. Now tell it to the monitor. */
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
SSS_PAM_SBUS_SERVICE_NAME,
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 730dee288..bf4dd75b0 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -65,6 +65,7 @@ struct pam_ctx {
/* List of PAM services that are allowed to authenticate with GSSAPI. */
char **gssapi_services;
+ bool gssapi_check_upn;
};
struct pam_auth_req {
--
2.21.3


@ -1,42 +0,0 @@
From 100839b64390d7010bfa28552fd9381ef4366496 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 26 Jun 2020 09:48:17 +0200
Subject: [PATCH] PAM: do not treat error for cache-only lookups as fatal
The original fatal error came from a time where at this place in the
code the response form the backend was checked and an error was clearly
fatal.
Now we only check if the entry is in the cache and valid. An error would
mean that the backend is called to lookup or refresh the entry. So the
backend can change the state of the cache and make upcoming cache
lookups successful. So it makes sense to not only call the backend if
ENOENT is returned but for all kind of errors.
Resolves https://pagure.io/SSSD/sssd/issue/4098
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/responder/pam/pamsrv_cmd.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1cd901f15..666131cb7 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1941,10 +1941,8 @@ static void pam_check_user_search_next(struct tevent_req *req)
ret = cache_req_single_domain_recv(preq, req, &result);
talloc_zfree(req);
if (ret != EOK && ret != ENOENT) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Fatal error, killing connection!\n");
- talloc_zfree(preq->cctx);
- return;
+ DEBUG(SSSDBG_OP_FAILURE, "Cache lookup failed, trying to get fresh "
+ "data from the backened.\n");
}
DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
--
2.21.3



@ -0,0 +1,100 @@
From 3f0ba4c2dcf9126b0f94bca4a056b516759d25c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 6 Mar 2020 12:49:04 +0100
Subject: [PATCH 13/18] cache_req: allow cache_req to return ERR_OFFLINE if all
dp request failed
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 13 +++++++++++++
src/responder/common/cache_req/cache_req.h | 4 ++++
src/responder/common/cache_req/cache_req_data.c | 12 ++++++++++++
src/responder/common/cache_req/cache_req_private.h | 3 +++
4 files changed, 32 insertions(+)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index afb0e7cda..0c8538414 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -974,6 +974,13 @@ static void cache_req_search_domains_done(struct tevent_req *subreq)
case ERR_ID_OUTSIDE_RANGE:
case ENOENT:
if (state->check_next == false) {
+ if (state->cr->data->propogate_offline_status && !state->dp_success) {
+ /* Not found and data provider request failed so we were
+ * unable to fetch the data. */
+ ret = ERR_OFFLINE;
+ goto done;
+ }
+
/* Not found. */
ret = ENOENT;
goto done;
@@ -1002,6 +1009,12 @@ done:
case EAGAIN:
break;
default:
+ if (ret == ENOENT && state->cr->data->propogate_offline_status
+ && !state->dp_success) {
+ /* Not found and data provider request failed so we were
+ * unable to fetch the data. */
+ ret = ERR_OFFLINE;
+ }
tevent_req_error(req, ret);
break;
}
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index 72d4abe5e..d36cb2d3b 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -171,6 +171,10 @@ void
cache_req_data_set_requested_domains(struct cache_req_data *data,
char **requested_domains);
+void
+cache_req_data_set_propogate_offline_status(struct cache_req_data *data,
+ bool propogate_offline_status);
+
enum cache_req_type
cache_req_data_get_type(struct cache_req_data *data);
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
index 14c4ad14f..fe9f3db29 100644
--- a/src/responder/common/cache_req/cache_req_data.c
+++ b/src/responder/common/cache_req/cache_req_data.c
@@ -455,6 +455,18 @@ cache_req_data_set_requested_domains(struct cache_req_data *data,
data->requested_domains = requested_domains;
}
+void
+cache_req_data_set_propogate_offline_status(struct cache_req_data *data,
+ bool propogate_offline_status)
+{
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n");
+ return;
+ }
+
+ data->propogate_offline_status = propogate_offline_status;
+}
+
enum cache_req_type
cache_req_data_get_type(struct cache_req_data *data)
{
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
index bfca688b9..2d52e7600 100644
--- a/src/responder/common/cache_req/cache_req_private.h
+++ b/src/responder/common/cache_req/cache_req_private.h
@@ -103,6 +103,9 @@ struct cache_req_data {
/* if set, only search in the listed domains */
char **requested_domains;
+
+ /* if set, ERR_OFFLINE is returned if data provider is offline */
+ bool propogate_offline_status;
};
struct tevent_req *
--
2.21.3
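Review bot: The new field and setter are spelled `propogate_offline_status` / `cache_req_data_set_propogate_offline_status` in cache_req.h and cache_req_private.h rather than "propagate"; because the header exports the name and the autofs plugins in the following patch already call it, renaming now is far cheaper than after it spreads. The comment on the field in cache_req_private.h also overstates the trigger: cache_req.c returns ERR_OFFLINE only when the lookup ended in ENOENT and `state->dp_success` is false, not whenever the provider is offline, so I would write `/* if set, ERR_OFFLINE replaces ENOENT when the entry is not found and the data provider request failed (dp_success == false) */`. The same ENOENT/dp_success check appears twice, once in the `check_next == false` branch and again in the `done:` default case; a one-line comment on the second saying which path reaches it with ENOENT would help readers, and `dp_success` is presumably set by an earlier patch in the series since this hunk does not define it. cache_req_search_domains_done starts and ends outside the visible hunks.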


@ -1,193 +0,0 @@
From 2d90e642078c15f001b34a0a50a67fa6eac9a3b9 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 3 Mar 2020 18:44:11 +0100
Subject: [PATCH 28/35] mem-cache: sizes of free and data tables were made
consistent
Since size of "free table" didn't account for SSS_AVG_*_PAYLOAD factor
only small fraction of "data table" was actually used.
SSS_AVG_*_PAYLOAD differentiation for different payload types only
affected size of hash table and was removed as unjustified.
Resolves:
https://github.com/SSSD/sssd/issues/5115
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nsssrv.c | 22 +++++++++++-------
src/responder/nss/nsssrv_mmap_cache.c | 33 +++++++--------------------
src/responder/nss/nsssrv_mmap_cache.h | 2 --
src/util/mmap_cache.h | 3 ---
4 files changed, 22 insertions(+), 38 deletions(-)
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index 87300058f..21d93ae77 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -83,10 +83,9 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx,
return ret;
}
- /* TODO: read cache sizes from configuration */
DEBUG(SSSDBG_TRACE_FUNC, "Clearing memory caches.\n");
ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid,
- SSS_MC_CACHE_ELEMENTS,
+ -1, /* keep current size */
(time_t) memcache_timeout,
&nctx->pwd_mc_ctx);
if (ret != EOK) {
@@ -96,7 +95,7 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx,
}
ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid,
- SSS_MC_CACHE_ELEMENTS,
+ -1, /* keep current size */
(time_t) memcache_timeout,
&nctx->grp_mc_ctx);
if (ret != EOK) {
@@ -106,7 +105,7 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx,
}
ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid,
- SSS_MC_CACHE_ELEMENTS,
+ -1, /* keep current size */
(time_t)memcache_timeout,
&nctx->initgr_mc_ctx);
if (ret != EOK) {
@@ -210,6 +209,11 @@ done:
static int setup_memcaches(struct nss_ctx *nctx)
{
+ /* TODO: read cache sizes from configuration */
+ static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */
+ static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */
+ static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */
+
int ret;
int memcache_timeout;
@@ -239,11 +243,11 @@ static int setup_memcaches(struct nss_ctx *nctx)
return EOK;
}
- /* TODO: read cache sizes from configuration */
ret = sss_mmap_cache_init(nctx, "passwd",
nctx->mc_uid, nctx->mc_gid,
SSS_MC_PASSWD,
- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
+ SSS_MC_CACHE_PASSWD_SLOTS,
+ (time_t)memcache_timeout,
&nctx->pwd_mc_ctx);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
@@ -252,7 +256,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
ret = sss_mmap_cache_init(nctx, "group",
nctx->mc_uid, nctx->mc_gid,
SSS_MC_GROUP,
- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
+ SSS_MC_CACHE_GROUP_SLOTS,
+ (time_t)memcache_timeout,
&nctx->grp_mc_ctx);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
@@ -261,7 +266,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
ret = sss_mmap_cache_init(nctx, "initgroups",
nctx->mc_uid, nctx->mc_gid,
SSS_MC_INITGROUPS,
- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
+ SSS_MC_CACHE_INITGROUP_SLOTS,
+ (time_t)memcache_timeout,
&nctx->initgr_mc_ctx);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index 69e767690..5e23bbe6f 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -28,13 +28,6 @@
#include "responder/nss/nss_private.h"
#include "responder/nss/nsssrv_mmap_cache.h"
-/* arbitrary (avg of my /etc/passwd) */
-#define SSS_AVG_PASSWD_PAYLOAD (MC_SLOT_SIZE * 4)
-/* short group name and no gids (private user group */
-#define SSS_AVG_GROUP_PAYLOAD (MC_SLOT_SIZE * 3)
-/* average place for 40 supplementary groups + 2 names */
-#define SSS_AVG_INITGROUP_PAYLOAD (MC_SLOT_SIZE * 5)
-
#define MC_NEXT_BARRIER(val) ((((val) + 1) & 0x00ffffff) | 0xf0000000)
#define MC_RAISE_BARRIER(m) do { \
@@ -1251,24 +1244,14 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
enum sss_mc_type type, size_t n_elem,
time_t timeout, struct sss_mc_ctx **mcc)
{
+ /* sss_mc_header alone occupies whole slot,
+ * so each entry takes 2 slots at the very least
+ */
+ static const int PAYLOAD_FACTOR = 2;
+
struct sss_mc_ctx *mc_ctx = NULL;
- int payload;
int ret, dret;
- switch (type) {
- case SSS_MC_PASSWD:
- payload = SSS_AVG_PASSWD_PAYLOAD;
- break;
- case SSS_MC_GROUP:
- payload = SSS_AVG_GROUP_PAYLOAD;
- break;
- case SSS_MC_INITGROUPS:
- payload = SSS_AVG_INITGROUP_PAYLOAD;
- break;
- default:
- return EINVAL;
- }
-
mc_ctx = talloc_zero(mem_ctx, struct sss_mc_ctx);
if (!mc_ctx) {
return ENOMEM;
@@ -1303,9 +1286,9 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
/* hash table is double the size because it will store both forward and
* reverse keys (name/uid, name/gid, ..) */
- mc_ctx->ht_size = MC_HT_SIZE(n_elem * 2);
- mc_ctx->dt_size = MC_DT_SIZE(n_elem, payload);
- mc_ctx->ft_size = MC_FT_SIZE(n_elem);
+ mc_ctx->ht_size = MC_HT_SIZE(2 * n_elem / PAYLOAD_FACTOR);
+ mc_ctx->dt_size = n_elem * MC_SLOT_SIZE;
+ mc_ctx->ft_size = n_elem / 8; /* 1 bit per slot */
mc_ctx->mmap_size = MC_HEADER_SIZE +
MC_ALIGN64(mc_ctx->dt_size) +
MC_ALIGN64(mc_ctx->ft_size) +
diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h
index e06257949..c40af2fb4 100644
--- a/src/responder/nss/nsssrv_mmap_cache.h
+++ b/src/responder/nss/nsssrv_mmap_cache.h
@@ -22,8 +22,6 @@
#ifndef _NSSSRV_MMAP_CACHE_H_
#define _NSSSRV_MMAP_CACHE_H_
-#define SSS_MC_CACHE_ELEMENTS 50000
-
struct sss_mc_ctx;
enum sss_mc_type {
diff --git a/src/util/mmap_cache.h b/src/util/mmap_cache.h
index 63e096027..d3d92bc98 100644
--- a/src/util/mmap_cache.h
+++ b/src/util/mmap_cache.h
@@ -40,9 +40,6 @@ typedef uint32_t rel_ptr_t;
#define MC_HT_SIZE(elems) ( (elems) * MC_32 )
#define MC_HT_ELEMS(size) ( (size) / MC_32 )
-#define MC_DT_SIZE(elems, payload) ( (elems) * (payload) )
-#define MC_FT_SIZE(elems) ( (elems) / 8 )
-/* ^^ 8 bits per byte so we need just elems/8 bytes to represent all blocks */
#define MC_PTR_ADD(ptr, bytes) (void *)((uint8_t *)(ptr) + (bytes))
#define MC_PTR_DIFF(ptr, base) ((uint8_t *)(ptr) - (uint8_t *)(base))
--
2.21.3


@ -1,543 +0,0 @@
From 80e7163b7bf512a45e2fa31494f3bdff9e9e2dce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 4 Mar 2020 16:26:18 +0100
Subject: [PATCH 29/35] NSS: make memcache size configurable
Added options to configure memcache size:
memcache_size_passwd
memcache_size_group
memcache_size_initgroups
Related:
https://github.com/SSSD/sssd/issues/4578
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.h | 3 +
src/config/SSSDConfig/sssdoptions.py | 3 +
src/config/cfg_rules.ini | 3 +
src/man/sssd.conf.5.xml | 78 +++++++++
src/responder/nss/nsssrv.c | 104 ++++++++----
src/tests/intg/test_memory_cache.py | 236 +++++++++++++++++++++++++++
6 files changed, 398 insertions(+), 29 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index a5d35fd70..c96896da5 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -115,6 +115,9 @@
#define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
#define CONFDB_NSS_DEFAULT_SHELL "default_shell"
#define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout"
+#define CONFDB_NSS_MEMCACHE_SIZE_PASSWD "memcache_size_passwd"
+#define CONFDB_NSS_MEMCACHE_SIZE_GROUP "memcache_size_group"
+#define CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS "memcache_size_initgroups"
#define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring"
#define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home"
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index 9c071f70a..16d85cfa3 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -72,6 +72,9 @@ class SSSDOptions(object):
'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
'default_shell': _('Shell to use if the provider does not list one'),
'memcache_timeout': _('How long will be in-memory cache records valid'),
+ 'memcache_size_passwd': _('Number of slots in fast in-memory cache for passwd requests'),
+ 'memcache_size_group': _('Number of slots in fast in-memory cache for group requests'),
+ 'memcache_size_initgroups': _('Number of slots in fast in-memory cache for initgroups requests'),
'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
'if the template contains the format string %H.'),
'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 1a7e2c5cd..2874ea048 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -92,6 +92,9 @@ option = shell_fallback
option = default_shell
option = get_domains_timeout
option = memcache_timeout
+option = memcache_size_passwd
+option = memcache_size_group
+option = memcache_size_initgroups
[rule/allowed_pam_options]
validator = ini_allowed_options
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 9a9679a4b..9bc2e26e5 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1100,6 +1100,84 @@ fallback_homedir = /home/%u
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>memcache_size_passwd (integer)</term>
+ <listitem>
+ <para>
+ Number of slots allocated inside fast in-memory
+ cache for passwd requests. Note that one entry
+ in fast in-memory cache can occupy more than one slot.
+ Setting the size to 0 will disable the passwd in-memory
+ cache.
+ </para>
+ <para>
+ Default: 200000
+ </para>
+ <para>
+ WARNING: Disabled or too small in-memory cache can
+ have significant negative impact on SSSD's
+ performance.
+ </para>
+ <para>
+ NOTE: If the environment variable
+ SSS_NSS_USE_MEMCACHE is set to "NO", client
+ applications will not use the fast in-memory
+ cache.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>memcache_size_group (integer)</term>
+ <listitem>
+ <para>
+ Number of slots allocated inside fast in-memory
+ cache for group requests. Note that one entry
+ in fast in-memory cache can occupy more than one
+ slot. Setting the size to 0 will disable the group
+ in-memory cache.
+ </para>
+ <para>
+ Default: 150000
+ </para>
+ <para>
+ WARNING: Disabled or too small in-memory cache can
+ have significant negative impact on SSSD's
+ performance.
+ </para>
+ <para>
+ NOTE: If the environment variable
+ SSS_NSS_USE_MEMCACHE is set to "NO", client
+ applications will not use the fast in-memory
+ cache.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>memcache_size_initgroups (integer)</term>
+ <listitem>
+ <para>
+ Number of slots allocated inside fast in-memory
+ cache for initgroups requests. Note that one entry
+ in fast in-memory cache can occupy more than one
+ slot. Setting the size to 0 will disable the
+ initgroups in-memory cache.
+ </para>
+ <para>
+ Default: 250000
+ </para>
+ <para>
+ WARNING: Disabled or too small in-memory cache can
+ have significant negative impact on SSSD's
+ performance.
+ </para>
+ <para>
+ NOTE: If the environment variable
+ SSS_NSS_USE_MEMCACHE is set to "NO", client
+ applications will not use the fast in-memory
+ cache.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>user_attributes (string)</term>
<listitem>
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index 21d93ae77..0a201d3ae 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -209,13 +209,16 @@ done:
static int setup_memcaches(struct nss_ctx *nctx)
{
- /* TODO: read cache sizes from configuration */
+ /* Default memcache sizes */
static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */
static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */
static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */
int ret;
int memcache_timeout;
+ int mc_size_passwd;
+ int mc_size_group;
+ int mc_size_initgroups;
/* Remove the CLEAR_MC_FLAG file if exists. */
ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG);
@@ -243,34 +246,77 @@ static int setup_memcaches(struct nss_ctx *nctx)
return EOK;
}
- ret = sss_mmap_cache_init(nctx, "passwd",
- nctx->mc_uid, nctx->mc_gid,
- SSS_MC_PASSWD,
- SSS_MC_CACHE_PASSWD_SLOTS,
- (time_t)memcache_timeout,
- &nctx->pwd_mc_ctx);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
- }
-
- ret = sss_mmap_cache_init(nctx, "group",
- nctx->mc_uid, nctx->mc_gid,
- SSS_MC_GROUP,
- SSS_MC_CACHE_GROUP_SLOTS,
- (time_t)memcache_timeout,
- &nctx->grp_mc_ctx);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
- }
-
- ret = sss_mmap_cache_init(nctx, "initgroups",
- nctx->mc_uid, nctx->mc_gid,
- SSS_MC_INITGROUPS,
- SSS_MC_CACHE_INITGROUP_SLOTS,
- (time_t)memcache_timeout,
- &nctx->initgr_mc_ctx);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
+ /* Get all memcache sizes from confdb (pwd, grp, initgr) */
+
+ ret = confdb_get_int(nctx->rctx->cdb,
+ CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_MEMCACHE_SIZE_PASSWD,
+ SSS_MC_CACHE_PASSWD_SLOTS,
+ &mc_size_passwd);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to get 'memcache_size_passwd' option from confdb.\n");
+ return ret;
+ }
+
+ ret = confdb_get_int(nctx->rctx->cdb,
+ CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_MEMCACHE_SIZE_GROUP,
+ SSS_MC_CACHE_GROUP_SLOTS,
+ &mc_size_group);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to get 'memcache_size_group' option from confdb.\n");
+ return ret;
+ }
+
+ ret = confdb_get_int(nctx->rctx->cdb,
+ CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS,
+ SSS_MC_CACHE_INITGROUP_SLOTS,
+ &mc_size_initgroups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to get 'memcache_size_nitgroups' option from confdb.\n");
+ return ret;
+ }
+
+ /* Initialize the fast in-memory caches if they were not disabled */
+
+ if (mc_size_passwd != 0) {
+ ret = sss_mmap_cache_init(nctx, "passwd",
+ nctx->mc_uid, nctx->mc_gid,
+ SSS_MC_PASSWD,
+ mc_size_passwd,
+ (time_t)memcache_timeout,
+ &nctx->pwd_mc_ctx);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
+ }
+ }
+
+ if (mc_size_group != 0) {
+ ret = sss_mmap_cache_init(nctx, "group",
+ nctx->mc_uid, nctx->mc_gid,
+ SSS_MC_GROUP,
+ mc_size_group,
+ (time_t)memcache_timeout,
+ &nctx->grp_mc_ctx);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
+ }
+ }
+
+ if (mc_size_initgroups != 0) {
+ ret = sss_mmap_cache_init(nctx, "initgroups",
+ nctx->mc_uid, nctx->mc_gid,
+ SSS_MC_INITGROUPS,
+ mc_size_initgroups,
+ (time_t)memcache_timeout,
+ &nctx->initgr_mc_ctx);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
+ }
}
return EOK;
diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py
index 322f76fe0..6ed696e00 100644
--- a/src/tests/intg/test_memory_cache.py
+++ b/src/tests/intg/test_memory_cache.py
@@ -135,6 +135,112 @@ def load_data_to_ldap(request, ldap_conn):
create_ldap_fixture(request, ldap_conn, ent_list)
+@pytest.fixture
+def disable_memcache_rfc2307(request, ldap_conn):
+ load_data_to_ldap(request, ldap_conn)
+
+ conf = unindent("""\
+ [sssd]
+ domains = LDAP
+ services = nss
+
+ [nss]
+ memcache_size_group = 0
+ memcache_size_passwd = 0
+ memcache_size_initgroups = 0
+
+ [domain/LDAP]
+ ldap_auth_disable_tls_never_use_in_production = true
+ ldap_schema = rfc2307
+ id_provider = ldap
+ auth_provider = ldap
+ sudo_provider = ldap
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def disable_pwd_mc_rfc2307(request, ldap_conn):
+ load_data_to_ldap(request, ldap_conn)
+
+ conf = unindent("""\
+ [sssd]
+ domains = LDAP
+ services = nss
+
+ [nss]
+ memcache_size_passwd = 0
+
+ [domain/LDAP]
+ ldap_auth_disable_tls_never_use_in_production = true
+ ldap_schema = rfc2307
+ id_provider = ldap
+ auth_provider = ldap
+ sudo_provider = ldap
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def disable_grp_mc_rfc2307(request, ldap_conn):
+ load_data_to_ldap(request, ldap_conn)
+
+ conf = unindent("""\
+ [sssd]
+ domains = LDAP
+ services = nss
+
+ [nss]
+ memcache_size_group = 0
+
+ [domain/LDAP]
+ ldap_auth_disable_tls_never_use_in_production = true
+ ldap_schema = rfc2307
+ id_provider = ldap
+ auth_provider = ldap
+ sudo_provider = ldap
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def disable_initgr_mc_rfc2307(request, ldap_conn):
+ load_data_to_ldap(request, ldap_conn)
+
+ conf = unindent("""\
+ [sssd]
+ domains = LDAP
+ services = nss
+
+ [nss]
+ memcache_size_initgroups = 0
+
+ [domain/LDAP]
+ ldap_auth_disable_tls_never_use_in_production = true
+ ldap_schema = rfc2307
+ id_provider = ldap
+ auth_provider = ldap
+ sudo_provider = ldap
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
@pytest.fixture
def sanity_rfc2307(request, ldap_conn):
load_data_to_ldap(request, ldap_conn)
@@ -354,6 +460,19 @@ def test_getgrnam_simple_with_mc(ldap_conn, sanity_rfc2307):
test_getgrnam_simple(ldap_conn, sanity_rfc2307)
+def test_getgrnam_simple_disabled_pwd_mc(ldap_conn, disable_pwd_mc_rfc2307):
+ test_getgrnam_simple(ldap_conn, disable_pwd_mc_rfc2307)
+ stop_sssd()
+ test_getgrnam_simple(ldap_conn, disable_pwd_mc_rfc2307)
+
+
+def test_getgrnam_simple_disabled_intitgr_mc(ldap_conn,
+ disable_initgr_mc_rfc2307):
+ test_getgrnam_simple(ldap_conn, disable_initgr_mc_rfc2307)
+ stop_sssd()
+ test_getgrnam_simple(ldap_conn, disable_initgr_mc_rfc2307)
+
+
def test_getgrnam_membership(ldap_conn, sanity_rfc2307):
ent.assert_group_by_name(
"group1",
@@ -919,3 +1038,120 @@ def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307):
grp.getgrnam('group1')
with pytest.raises(KeyError):
grp.getgrgid(2001)
+
+
+def test_disabled_mc(ldap_conn, disable_memcache_rfc2307):
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+ ent.assert_passwd_by_uid(
+ 1001,
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
+ ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
+
+ assert_user_gids_equal('user1', [2000, 2001])
+
+ stop_sssd()
+
+ # sssd is stopped and the memory cache is disabled;
+ # so pytest should not be able to find anything
+ with pytest.raises(KeyError):
+ pwd.getpwnam('user1')
+ with pytest.raises(KeyError):
+ pwd.getpwuid(1001)
+
+ with pytest.raises(KeyError):
+ grp.getgrnam('group1')
+ with pytest.raises(KeyError):
+ grp.getgrgid(2001)
+
+ with pytest.raises(KeyError):
+ (res, errno, gids) = sssd_id.get_user_gids('user1')
+
+
+def test_disabled_passwd_mc(ldap_conn, disable_pwd_mc_rfc2307):
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+ ent.assert_passwd_by_uid(
+ 1001,
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ assert_user_gids_equal('user1', [2000, 2001])
+
+ stop_sssd()
+
+ # passwd cache is disabled
+ with pytest.raises(KeyError):
+ pwd.getpwnam('user1')
+ with pytest.raises(KeyError):
+ pwd.getpwuid(1001)
+
+ # Initgroups looks up the user first, hence KeyError from the
+ # passwd database even if the initgroups cache is active.
+ with pytest.raises(KeyError):
+ (res, errno, gids) = sssd_id.get_user_gids('user1')
+
+
+def test_disabled_group_mc(ldap_conn, disable_grp_mc_rfc2307):
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+ ent.assert_passwd_by_uid(
+ 1001,
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
+ ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
+
+ assert_user_gids_equal('user1', [2000, 2001])
+
+ stop_sssd()
+
+ # group cache is disabled, other caches should work
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+ ent.assert_passwd_by_uid(
+ 1001,
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ with pytest.raises(KeyError):
+ grp.getgrnam('group1')
+ with pytest.raises(KeyError):
+ grp.getgrgid(2001)
+
+ assert_user_gids_equal('user1', [2000, 2001])
+
+
+def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307):
+ # Even if initgroups is disabled, passwd should work
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+ ent.assert_passwd_by_uid(
+ 1001,
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ stop_sssd()
+
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+ ent.assert_passwd_by_uid(
+ 1001,
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
--
2.21.3


@ -0,0 +1,58 @@
From e50258da70b67ff1b0f928e2e7875bc2fa32dfde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 6 Mar 2020 13:12:46 +0100
Subject: [PATCH 14/18] autofs: return ERR_OFFLINE if we fail to get
information from backend and cache is empty
Resolves:
https://github.com/SSSD/sssd/issues/3413
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 ++
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 ++
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index cb674add6..55c9fc8b0 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -142,6 +142,8 @@ cache_req_autofs_entry_by_name_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ cache_req_data_set_propogate_offline_status(data, true);
+
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
cache_refresh_percent,
CACHE_REQ_POSIX_DOM, domain,
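Review bot: The reason autofs alone opts into propagating the offline status is not recorded in the code, so the next reader of cache_req_autofs_entry_by_name_send has to dig out this commit to learn it. A one-line comment above the new call would keep the rationale with the code: `/* autofs must be able to tell "backend offline" from "entry does not exist", so surface ERR_OFFLINE instead of an empty result. */`. The same comment belongs at the two sibling call sites in the map_by_name and map_entries plugins. The enclosing function starts before the hunk.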
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 3c08eaf4f..823eb3595 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -136,6 +136,8 @@ cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ cache_req_data_set_propogate_offline_status(data, true);
+
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
cache_refresh_percent,
CACHE_REQ_POSIX_DOM, domain,
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index 1b5645fa0..3e47b1321 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -168,6 +168,8 @@ cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ cache_req_data_set_propogate_offline_status(data, true);
+
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
cache_refresh_percent,
CACHE_REQ_POSIX_DOM, domain,
--
2.21.3


@ -1,83 +0,0 @@
From e12340e7d9efe5f272e58d69333c1c09c3bcc44d Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 4 Mar 2020 21:09:33 +0100
Subject: [PATCH 30/35] NSS: avoid excessive log messages
- do not log error message if mem-cache was disabled explicitly
- increase message severity in case of fail to store entry in mem-cache
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nss_protocol_grent.c | 12 +++++++-----
src/responder/nss/nss_protocol_pwent.c | 7 ++++---
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 2f6d869ef..8f1d3fe81 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -292,16 +292,17 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
num_results++;
/* Do not store entry in memory cache during enumeration or when
- * requested. */
+ * requested or if cache explicitly disabled. */
if (!cmd_ctx->enumeration
- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) {
+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0)
+ && (nss_ctx->grp_mc_ctx != NULL)) {
members = (char *)&body[rp_members];
members_size = body_len - rp_members;
ret = sss_mmap_cache_gr_store(&nss_ctx->grp_mc_ctx, name, &pwfield,
gid, num_members, members,
members_size);
if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_OP_FAILURE,
"Failed to store group %s (%s) in mem-cache [%d]: %s!\n",
name->str, result->domain->name, ret, sss_strerror(ret));
}
@@ -423,7 +424,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
}
if (nss_ctx->initgr_mc_ctx
- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) {
+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0)
+ && (nss_ctx->initgr_mc_ctx != NULL)) {
to_sized_string(&rawname, cmd_ctx->rawname);
to_sized_string(&unique_name, result->lookup_name);
@@ -431,7 +433,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
&unique_name, num_results,
body + 2 * sizeof(uint32_t));
if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_OP_FAILURE,
"Failed to store initgroups %s (%s) in mem-cache [%d]: %s!\n",
rawname.str, domain->name, ret, sss_strerror(ret));
sss_packet_set_size(packet, 0);
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index 31fd01698..f9f3f0cf0 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -301,13 +301,14 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
num_results++;
/* Do not store entry in memory cache during enumeration or when
- * requested. */
+ * requested or if cache explicitly disabled. */
if (!cmd_ctx->enumeration
- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) {
+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0)
+ && (nss_ctx->pwd_mc_ctx != NULL)) {
ret = sss_mmap_cache_pw_store(&nss_ctx->pwd_mc_ctx, name, &pwfield,
uid, gid, &gecos, &homedir, &shell);
if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_OP_FAILURE,
"Failed to store user %s (%s) in mmap cache [%d]: %s!\n",
name->str, result->domain->name, ret, sss_strerror(ret));
}
--
2.21.3


@ -0,0 +1,51 @@
From 9098108a7142513fa04afdf92a2c1b3ac002c56e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 6 Mar 2020 13:44:56 +0100
Subject: [PATCH 15/18] autofs: translate ERR_OFFLINE to EHOSTDOWN
So we do not publish internal error code.
Resolves:
https://github.com/SSSD/sssd/issues/3413
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/common.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 902438c86..d29332939 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -44,6 +44,7 @@
#define _(STRING) dgettext (PACKAGE, STRING)
#include "sss_cli.h"
#include "common_private.h"
+#include "util/util_errors.h"
#if HAVE_PTHREAD
#include <pthread.h>
@@ -1054,9 +1055,17 @@ int sss_autofs_make_request(enum sss_cli_command cmd,
uint8_t **repbuf, size_t *replen,
int *errnop)
{
- return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
- repbuf, replen, errnop,
- SSS_AUTOFS_SOCKET_NAME);
+ enum sss_status status;
+
+ status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
+ repbuf, replen, errnop,
+ SSS_AUTOFS_SOCKET_NAME);
+
+ if (*errnop == ERR_OFFLINE) {
+ *errnop = EHOSTDOWN;
+ }
+
+ return status;
}
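Review bot: `*errnop` is compared against ERR_OFFLINE even when the request succeeded, and whether sss_cli_make_request_with_checks writes errnop on the success path is not visible here; if it does not, a caller that declares `errnop` without an initializer would read an indeterminate value on every successful call. Guarding on the status avoids that and states the intent: `if (status != SSS_STATUS_SUCCESS && *errnop == ERR_OFFLINE) { *errnop = EHOSTDOWN; }`. A short comment explaining that ERR_OFFLINE is an sssd-internal code that must not leak through the autofs client ABI, which is why it is mapped to a public errno here, would also help the reader who later wonders why only this one code is translated.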
int sss_ssh_make_request(enum sss_cli_command cmd,
--
2.21.3


@ -1,101 +0,0 @@
From be8052bbb61c572702fe16e2850539f445dcc0e2 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 4 Mar 2020 22:13:52 +0100
Subject: [PATCH 31/35] NSS: enhanced debug during mem-cache initialization
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nsssrv.c | 39 ++++++++++++++++++++++++++++++++------
1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index 0a201d3ae..42a63d9bb 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -255,7 +255,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
&mc_size_passwd);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Failed to get 'memcache_size_passwd' option from confdb.\n");
+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_PASSWD
+ "' option from confdb.\n");
return ret;
}
@@ -266,7 +267,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
&mc_size_group);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Failed to get 'memcache_size_group' option from confdb.\n");
+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_GROUP
+ "' option from confdb.\n");
return ret;
}
@@ -277,7 +279,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
&mc_size_initgroups);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Failed to get 'memcache_size_nitgroups' option from confdb.\n");
+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS
+ "' option from confdb.\n");
return ret;
}
@@ -291,8 +294,16 @@ static int setup_memcaches(struct nss_ctx *nctx)
(time_t)memcache_timeout,
&nctx->pwd_mc_ctx);
if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize passwd mmap cache: '%s'\n",
+ sss_strerror(ret));
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Passwd mmap cache size is %d\n",
+ mc_size_passwd);
}
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Passwd mmap cache is explicitly DISABLED\n");
}
if (mc_size_group != 0) {
@@ -303,8 +314,16 @@ static int setup_memcaches(struct nss_ctx *nctx)
(time_t)memcache_timeout,
&nctx->grp_mc_ctx);
if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize group mmap cache: '%s'\n",
+ sss_strerror(ret));
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Group mmap cache size is %d\n",
+ mc_size_group);
}
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Group mmap cache is explicitly DISABLED\n");
}
if (mc_size_initgroups != 0) {
@@ -315,8 +334,16 @@ static int setup_memcaches(struct nss_ctx *nctx)
(time_t)memcache_timeout,
&nctx->initgr_mc_ctx);
if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize initgroups mmap cache: '%s'\n",
+ sss_strerror(ret));
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Initgroups mmap cache size is %d\n",
+ mc_size_initgroups);
}
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Initgroups mmap cache is explicitly DISABLED\n");
}
return EOK;
--
2.21.3


@ -0,0 +1,61 @@
From 34c519a4851194164befc150df8e768431e66405 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 22 Sep 2020 11:04:25 +0200
Subject: [PATCH 16/18] autofs: disable fast reply
If the backend is offline when autofs starts and reads auto.master map
we don't want to wait 60 seconds before the offline flag is reset. We
need to allow autofs to retry the call much sooner.
Resolves:
https://github.com/SSSD/sssd/issues/3413
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +-
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +-
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index 55c9fc8b0..cd2085187 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -84,7 +84,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_GetEntry_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
- DP_FAST_REPLY, data->name.name,
+ 0, data->name.name,
data->autofs_entry_name);
}
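Review bot: The bare `0` that replaces DP_FAST_REPLY leaves no trace in the code of why fast reply was turned off for autofs; the commit message is currently the only explanation. A commented literal keeps the rationale next to the call: `0 /* no DP_FAST_REPLY: let autofs retry instead of waiting out the offline period */, data->name.name,`. The same applies to the GetMap and Enumerate call sites in the other two plugins. The enclosing function starts before the hunk.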
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 823eb3595..9d9bc3a97 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -81,7 +81,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
- DP_FAST_REPLY, data->name.name);
+ 0, data->name.name);
}
bool
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index 3e47b1321..ee0156b6a 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -113,7 +113,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
- DP_FAST_REPLY, data->name.name);
+ 0, data->name.name);
}
bool
--
2.21.3


@ -0,0 +1,168 @@
From 8a22d4ad45f5fc8e888be693539495093c2b3c35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 4 Nov 2020 14:20:10 +0100
Subject: [PATCH 17/18] autofs: correlate errors for different protocol
versions
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/autofs/autofs_test_client.c | 12 ++++++++
src/sss_client/autofs/sss_autofs.c | 35 +++++++++++++++++++---
src/sss_client/autofs/sss_autofs.exports | 9 +++---
src/sss_client/autofs/sss_autofs_private.h | 5 ++++
4 files changed, 53 insertions(+), 8 deletions(-)
diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c
index c5358233f..4b285151e 100644
--- a/src/sss_client/autofs/autofs_test_client.c
+++ b/src/sss_client/autofs/autofs_test_client.c
@@ -45,10 +45,14 @@ int main(int argc, const char *argv[])
char *value = NULL;
char *pc_key = NULL;
int pc_setent = 0;
+ int pc_protocol = 1;
+ unsigned int protocol;
+ unsigned int requested_protocol = 1;
struct poptOption long_options[] = {
POPT_AUTOHELP
{ "by-name", 'n', POPT_ARG_STRING, &pc_key, 0, "Request map by name", NULL },
{ "only-setent", 's', POPT_ARG_VAL, &pc_setent, 1, "Run only setent, do not enumerate", NULL },
+ { "protocol", 'p', POPT_ARG_INT, &pc_protocol, 0, "Protocol version", NULL },
POPT_TABLEEND
};
poptContext pc = NULL;
@@ -69,6 +73,14 @@ int main(int argc, const char *argv[])
poptFreeContext(pc);
+ requested_protocol = pc_protocol;
+ protocol = _sss_auto_protocol_version(requested_protocol);
+ if (protocol != requested_protocol) {
+ fprintf(stderr, "Unsupported protocol version: %d -> %d\n",
+ requested_protocol, protocol);
+ exit(EXIT_FAILURE);
+ }
+
ret = _sss_setautomntent(mapname, &ctx);
if (ret) {
fprintf(stderr, "setautomntent failed [%d]: %s\n",
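Review bot: The new `fprintf` formats two `unsigned int` values (requested_protocol and protocol) with `%d`; the specifier should be `%u` to match the types, e.g. `fprintf(stderr, "Unsupported protocol version: %u -> %u\n", requested_protocol, protocol);`. Because popt parses `pc_protocol` as a signed `int`, a negative `-p` value wraps to a large unsigned on the assignment and is then reported as version 1 by `_sss_auto_protocol_version`; rejecting `pc_protocol < 0` before the assignment would give a clearer error. `main` continues outside the hunk.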
diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
index 482ff2c40..ef27cf895 100644
--- a/src/sss_client/autofs/sss_autofs.c
+++ b/src/sss_client/autofs/sss_autofs.c
@@ -20,6 +20,7 @@
#include <errno.h>
#include <stdlib.h>
+#include <stdatomic.h>
#include "sss_client/autofs/sss_autofs_private.h"
#include "sss_client/sss_cli.h"
@@ -33,6 +34,32 @@
/* How many entries shall _sss_getautomntent_r retrieve at once */
#define GETAUTOMNTENT_MAX_ENTRIES 512
+static atomic_uint _protocol = 0;
+
+unsigned int _sss_auto_protocol_version(unsigned int requested)
+{
+ switch (requested) {
+ case 0:
+ /* EHOSTDOWN will be translated to ENOENT */
+ _protocol = 0;
+ return 0;
+ default:
+ /* There is no other protocol version at this point. */
+ _protocol = 1;
+ return 1;
+ }
+}
+
+/* Returns correct errno based on autofs version expectations. */
+static errno_t errnop_to_errno(int errnop)
+{
+ if (errnop == EHOSTDOWN && _protocol == 0) {
+ return ENOENT;
+ }
+
+ return errnop;
+}
+
struct automtent {
char *mapname;
size_t cursor;
@@ -93,7 +120,7 @@ _sss_setautomntent(const char *mapname, void **context)
&repbuf, &replen, &errnop);
if (ret != SSS_STATUS_SUCCESS) {
free(name);
- ret = errnop;
+ ret = errnop_to_errno(errnop);
goto out;
}
@@ -310,7 +337,7 @@ _sss_getautomntent_r(char **key, char **value, void *context)
&repbuf, &replen, &errnop);
free(data);
if (ret != SSS_STATUS_SUCCESS) {
- ret = errnop;
+ ret = errnop_to_errno(errnop);
goto out;
}
@@ -408,7 +435,7 @@ _sss_getautomntbyname_r(const char *key, char **value, void *context)
&repbuf, &replen, &errnop);
free(data);
if (ret != SSS_STATUS_SUCCESS) {
- ret = errnop;
+ ret = errnop_to_errno(errnop);
goto out;
}
@@ -467,7 +494,7 @@ _sss_endautomntent(void **context)
ret = sss_autofs_make_request(SSS_AUTOFS_ENDAUTOMNTENT,
NULL, NULL, NULL, &errnop);
if (ret != SSS_STATUS_SUCCESS) {
- ret = errnop;
+ ret = errnop_to_errno(errnop);
goto out;
}
diff --git a/src/sss_client/autofs/sss_autofs.exports b/src/sss_client/autofs/sss_autofs.exports
index f9ce8f5b2..ec61f715e 100644
--- a/src/sss_client/autofs/sss_autofs.exports
+++ b/src/sss_client/autofs/sss_autofs.exports
@@ -2,10 +2,11 @@ EXPORTED {
# public functions
global:
- _sss_setautomntent;
- _sss_getautomntent_r;
- _sss_getautomntbyname_r;
- _sss_endautomntent;
+ _sss_auto_protocol_version;
+ _sss_setautomntent;
+ _sss_getautomntent_r;
+ _sss_getautomntbyname_r;
+ _sss_endautomntent;
# everything else is local
local:
diff --git a/src/sss_client/autofs/sss_autofs_private.h b/src/sss_client/autofs/sss_autofs_private.h
index 6459c1cc7..7fd49db1d 100644
--- a/src/sss_client/autofs/sss_autofs_private.h
+++ b/src/sss_client/autofs/sss_autofs_private.h
@@ -21,6 +21,11 @@
#include <errno.h>
#include "util/util.h"
+/**
+ * Choose an autofs protocol version to be used between autofs and sss_autofs.
+ */
+unsigned int _sss_auto_protocol_version(unsigned int requested);
+
/**
* Selects a map for processing.
*/
--
2.21.3


@ -1,53 +0,0 @@
From 2ad4aa8f265e02d01f77e5d29d8377d849c78d11 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 4 Mar 2020 22:33:17 +0100
Subject: [PATCH 32/35] mem-cache: added log message in case cache is full
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nsssrv_mmap_cache.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index 5e23bbe6f..23df164da 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -371,6 +371,20 @@ static bool sss_mc_is_valid_rec(struct sss_mc_ctx *mcc, struct sss_mc_rec *rec)
return true;
}
+static const char *mc_type_to_str(enum sss_mc_type type)
+{
+ switch (type) {
+ case SSS_MC_PASSWD:
+ return "PASSWD";
+ case SSS_MC_GROUP:
+ return "GROUP";
+ case SSS_MC_INITGROUPS:
+ return "INITGROUPS";
+ default:
+ return "-UNKNOWN-";
+ }
+}
+
/* FIXME: This is a very simplistic, inefficient, memory allocator,
* it will just free the oldest entries regardless of expiration if it
* cycled the whole free bits map and found no empty slot */
@@ -438,6 +452,14 @@ static errno_t sss_mc_find_free_slots(struct sss_mc_ctx *mcc,
} else {
cur = mcc->next_slot;
}
+ if (cur == 0) {
+ /* inform only once per full loop to avoid excessive spam */
+ DEBUG(SSSDBG_IMPORTANT_INFO, "mmap cache of type '%s' is full\n",
+ mc_type_to_str(mcc->type));
+ sss_log(SSS_LOG_NOTICE, "mmap cache of type '%s' is full, if you see "
+ "this message often then please consider increase of cache size",
+ mc_type_to_str(mcc->type));
+ }
for (i = 0; i < num_slots; i++) {
MC_PROBE_BIT(mcc->free_table, cur + i, used);
if (used) {
--
2.21.3


@ -1,189 +0,0 @@
From b7f31936e21b109b5446c48513619cd87974be54 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 31 Mar 2020 22:57:25 +0200
Subject: [PATCH 33/35] NSS: make memcache size configurable in megabytes
Memcache size was made configurable in megabytes and not in slots
to hide internal implementation from users.
Relates: https://github.com/SSSD/sssd/issues/5115
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/config/SSSDConfig/sssdoptions.py | 6 ++---
src/man/sssd.conf.5.xml | 33 +++++++++++++---------------
src/responder/nss/nsssrv.c | 20 +++++++++--------
3 files changed, 29 insertions(+), 30 deletions(-)
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index 16d85cfa3..f57ad4b41 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -72,9 +72,9 @@ class SSSDOptions(object):
'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
'default_shell': _('Shell to use if the provider does not list one'),
'memcache_timeout': _('How long will be in-memory cache records valid'),
- 'memcache_size_passwd': _('Number of slots in fast in-memory cache for passwd requests'),
- 'memcache_size_group': _('Number of slots in fast in-memory cache for group requests'),
- 'memcache_size_initgroups': _('Number of slots in fast in-memory cache for initgroups requests'),
+ 'memcache_size_passwd': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for passwd requests'),
+ 'memcache_size_group': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for group requests'),
+ 'memcache_size_initgroups': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for initgroups requests'),
'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
'if the template contains the format string %H.'),
'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 9bc2e26e5..874a09c49 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1076,7 +1076,7 @@ fallback_homedir = /home/%u
</listitem>
</varlistentry>
<varlistentry>
- <term>memcache_timeout (int)</term>
+ <term>memcache_timeout (integer)</term>
<listitem>
<para>
Specifies time in seconds for which records
@@ -1104,14 +1104,13 @@ fallback_homedir = /home/%u
<term>memcache_size_passwd (integer)</term>
<listitem>
<para>
- Number of slots allocated inside fast in-memory
- cache for passwd requests. Note that one entry
- in fast in-memory cache can occupy more than one slot.
- Setting the size to 0 will disable the passwd in-memory
- cache.
+ Size (in megabytes) of the data table allocated inside
+ fast in-memory cache for passwd requests.
+ Setting the size to 0 will disable the passwd
+ in-memory cache.
</para>
<para>
- Default: 200000
+ Default: 8
</para>
<para>
WARNING: Disabled or too small in-memory cache can
@@ -1130,14 +1129,13 @@ fallback_homedir = /home/%u
<term>memcache_size_group (integer)</term>
<listitem>
<para>
- Number of slots allocated inside fast in-memory
- cache for group requests. Note that one entry
- in fast in-memory cache can occupy more than one
- slot. Setting the size to 0 will disable the group
+ Size (in megabytes) of the data table allocated inside
+ fast in-memory cache for group requests.
+ Setting the size to 0 will disable the group
in-memory cache.
</para>
<para>
- Default: 150000
+ Default: 6
</para>
<para>
WARNING: Disabled or too small in-memory cache can
@@ -1156,14 +1154,13 @@ fallback_homedir = /home/%u
<term>memcache_size_initgroups (integer)</term>
<listitem>
<para>
- Number of slots allocated inside fast in-memory
- cache for initgroups requests. Note that one entry
- in fast in-memory cache can occupy more than one
- slot. Setting the size to 0 will disable the
- initgroups in-memory cache.
+ Size (in megabytes) of the data table allocated inside
+ fast in-memory cache for initgroups requests.
+ Setting the size to 0 will disable the initgroups
+ in-memory cache.
</para>
<para>
- Default: 250000
+ Default: 10
</para>
<para>
WARNING: Disabled or too small in-memory cache can
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index 42a63d9bb..741e94aaa 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -34,6 +34,7 @@
#include "util/util.h"
#include "util/sss_ptr_hash.h"
+#include "util/mmap_cache.h"
#include "responder/nss/nss_private.h"
#include "responder/nss/nss_iface.h"
#include "responder/nss/nsssrv_mmap_cache.h"
@@ -210,9 +211,10 @@ done:
static int setup_memcaches(struct nss_ctx *nctx)
{
/* Default memcache sizes */
- static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */
- static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */
- static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */
+ static const size_t SSS_MC_CACHE_SLOTS_PER_MB = 1024*1024/MC_SLOT_SIZE;
+ static const size_t SSS_MC_CACHE_PASSWD_SIZE = 8;
+ static const size_t SSS_MC_CACHE_GROUP_SIZE = 6;
+ static const size_t SSS_MC_CACHE_INITGROUP_SIZE = 10;
int ret;
int memcache_timeout;
@@ -251,7 +253,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
ret = confdb_get_int(nctx->rctx->cdb,
CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_MEMCACHE_SIZE_PASSWD,
- SSS_MC_CACHE_PASSWD_SLOTS,
+ SSS_MC_CACHE_PASSWD_SIZE,
&mc_size_passwd);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
@@ -263,7 +265,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
ret = confdb_get_int(nctx->rctx->cdb,
CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_MEMCACHE_SIZE_GROUP,
- SSS_MC_CACHE_GROUP_SLOTS,
+ SSS_MC_CACHE_GROUP_SIZE,
&mc_size_group);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
@@ -275,7 +277,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
ret = confdb_get_int(nctx->rctx->cdb,
CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS,
- SSS_MC_CACHE_INITGROUP_SLOTS,
+ SSS_MC_CACHE_INITGROUP_SIZE,
&mc_size_initgroups);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
@@ -290,7 +292,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
ret = sss_mmap_cache_init(nctx, "passwd",
nctx->mc_uid, nctx->mc_gid,
SSS_MC_PASSWD,
- mc_size_passwd,
+ mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB,
(time_t)memcache_timeout,
&nctx->pwd_mc_ctx);
if (ret) {
@@ -310,7 +312,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
ret = sss_mmap_cache_init(nctx, "group",
nctx->mc_uid, nctx->mc_gid,
SSS_MC_GROUP,
- mc_size_group,
+ mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB,
(time_t)memcache_timeout,
&nctx->grp_mc_ctx);
if (ret) {
@@ -330,7 +332,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
ret = sss_mmap_cache_init(nctx, "initgroups",
nctx->mc_uid, nctx->mc_gid,
SSS_MC_INITGROUPS,
- mc_size_initgroups,
+ mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB,
(time_t)memcache_timeout,
&nctx->initgr_mc_ctx);
if (ret) {
--
2.21.3


@ -0,0 +1,28 @@
From 075519bceca7a8f4fa28a0b7c538f2f50d552d13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 26 Nov 2020 14:56:08 +0100
Subject: [PATCH 18/18] configure: check for stdatomic.h
Recent autofs patches adds dependency on automic_uint/_Atomic type from C11
standard. This is supported in both gcc and clang for a long time now.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
configure.ac | 1 +
1 file changed, 1 insertion(+)
diff --git a/configure.ac b/configure.ac
index 1af1d1785..0d24c4b35 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,6 +42,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
AC_CHECK_HEADERS(stdint.h dlfcn.h)
+AC_CHECK_HEADERS([stdatomic.h],,AC_MSG_ERROR([C11 atomic types are not supported]))
AC_CONFIG_HEADER(config.h)
AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
--
2.21.3


@ -0,0 +1,131 @@
From 2499bd145f566bfd73b8c7e284b910dd2b36c6d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 15 Jan 2021 12:04:38 +0100
Subject: [PATCH] cache_req: ignore autofs not configured error
Otherwise we return ERR_OFFLINE for domains where autofs provider is not
set (such as implicit files domain) which is undesirable.
Steps to reproduce:
1. Enable implicit files domains and LDAP domain with autofs configured
2. Setup NFS server to export `/exports` with `/exports/home/test`
3. Add autofs mount points:
```
dn: ou=mount,dc=ldap,dc=vm
ou: mount
objectClass: organizationalUnit
objectClass: top
dn: nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
objectClass: nisMap
objectClass: top
nisMapName: auto.master
dn: cn=/export/home,nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
objectClass: nisObject
objectClass: top
cn: /export/home
nisMapEntry: auto.home
nisMapName: auto.master
dn: nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
objectClass: nisMap
objectClass: top
nisMapName: auto.home
dn: cn=/,nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
objectClass: nisObject
objectClass: top
cn: /
nisMapEntry: -fstype=nfs,rw master.ldap.vm:/export/home/&
nisMapName: auto.home
```
4. Run SSSD and autofs
5. cd to /exports/home/test
The directory will not be mounted with the new autofs protocol. It
will succeed with the old protocol. In both versions, you'll see
that SSSD returned ERR_OFFLINE:
```
(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured
...
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Object [auto.home:test] was not found in cache
(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache
(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline
```
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
.../cache_req/plugins/cache_req_autofs_entry_by_name.c | 10 +++++++++-
.../cache_req/plugins/cache_req_autofs_map_by_name.c | 10 +++++++++-
.../cache_req/plugins/cache_req_autofs_map_entries.c | 10 +++++++++-
3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index cd2085187..f411fd351 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -92,7 +92,15 @@ bool
cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq,
struct cache_req *cr)
{
- return sbus_call_dp_autofs_GetEntry_recv(subreq) == EOK;
+ errno_t ret;
+
+ ret = sbus_call_dp_autofs_GetEntry_recv(subreq);
+
+ if (ret == ERR_MISSING_DP_TARGET) {
+ ret = EOK;
+ }
+
+ return ret == EOK;
}
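Review bot: Remapping ERR_MISSING_DP_TARGET to EOK in cache_req_autofs_entry_by_name_dp_recv hides the condition entirely: a domain whose administrator forgot to set autofs_provider now looks exactly like one that answered with no entries, and the only evidence left is the backend-side log quoted in the commit message. A trace line before the remap keeps the responder log useful, `DEBUG(SSSDBG_TRACE_FUNC, "Autofs provider is not configured for this domain, ignoring\n");`, together with a comment on the `if`: `/* Domains without an autofs provider (e.g. implicit files) must not be reported as offline. */`. The identical three-line remap is repeated in the map_by_name and map_entries plugins; a shared static helper would keep the three in step.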
const struct cache_req_plugin cache_req_autofs_entry_by_name = {
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 9d9bc3a97..c22cf0c8e 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -88,7 +88,15 @@ bool
cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq,
struct cache_req *cr)
{
- return sbus_call_dp_autofs_GetMap_recv(subreq) == EOK;
+ errno_t ret;
+
+ ret = sbus_call_dp_autofs_GetMap_recv(subreq);
+
+ if (ret == ERR_MISSING_DP_TARGET) {
+ ret = EOK;
+ }
+
+ return ret == EOK;
}
const struct cache_req_plugin cache_req_autofs_map_by_name = {
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index ee0156b6a..4d9db6595 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -120,7 +120,15 @@ bool
cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq,
struct cache_req *cr)
{
- return sbus_call_dp_autofs_Enumerate_recv(subreq) == EOK;
+ errno_t ret;
+
+ ret = sbus_call_dp_autofs_Enumerate_recv(subreq);
+
+ if (ret == ERR_MISSING_DP_TARGET) {
+ ret = EOK;
+ }
+
+ return ret == EOK;
}
const struct cache_req_plugin cache_req_autofs_map_entries = {
--
2.21.3


@ -1,38 +0,0 @@
From b96b05bc40757b26f177e4093d7f4f5b96a0f7d0 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 3 Jul 2020 18:45:11 +0200
Subject: [PATCH 34/35] mem-cache: comment added
Added comment explaining usage of `mcc->next_slot`
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nsssrv_mmap_cache.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index 23df164da..71919e4ac 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -65,7 +65,7 @@ struct sss_mc_ctx {
uint8_t *free_table; /* free list bitmaps */
uint32_t ft_size; /* size of free table */
- uint32_t next_slot; /* the next slot after last allocation */
+ uint32_t next_slot; /* the next slot after last allocation done via erasure */
uint8_t *data_table; /* data table address (in mmap) */
uint32_t dt_size; /* size of data table */
@@ -442,6 +442,9 @@ static errno_t sss_mc_find_free_slots(struct sss_mc_ctx *mcc,
if (cur == t) {
/* ok found num_slots consecutive free bits */
*free_slot = cur - num_slots;
+ /* `mcc->next_slot` is not updated here intentionally.
+ * For details see discussion in https://github.com/SSSD/sssd/pull/999
+ */
return EOK;
}
}
--
2.21.3

@ -1,262 +0,0 @@
From 484507bf20d27afd700d52c67651e6f08d1da1a3 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 8 Jul 2020 11:34:12 +0200
Subject: [PATCH 35/35] mem-cache: always cleanup old content
(Try to) cleanup old files even if currently mem-cache is disabled.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nsssrv.c | 98 ++++++++++-----------------
src/responder/nss/nsssrv_mmap_cache.c | 74 ++++++++++++--------
2 files changed, 79 insertions(+), 93 deletions(-)
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index 741e94aaa..ffb1ca29d 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -242,12 +242,6 @@ static int setup_memcaches(struct nss_ctx *nctx)
return ret;
}
- if (memcache_timeout == 0) {
- DEBUG(SSSDBG_CONF_SETTINGS,
- "Fast in-memory cache will not be initialized.");
- return EOK;
- }
-
/* Get all memcache sizes from confdb (pwd, grp, initgr) */
ret = confdb_get_int(nctx->rctx->cdb,
@@ -288,64 +282,40 @@ static int setup_memcaches(struct nss_ctx *nctx)
/* Initialize the fast in-memory caches if they were not disabled */
- if (mc_size_passwd != 0) {
- ret = sss_mmap_cache_init(nctx, "passwd",
- nctx->mc_uid, nctx->mc_gid,
- SSS_MC_PASSWD,
- mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB,
- (time_t)memcache_timeout,
- &nctx->pwd_mc_ctx);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to initialize passwd mmap cache: '%s'\n",
- sss_strerror(ret));
- } else {
- DEBUG(SSSDBG_CONF_SETTINGS, "Passwd mmap cache size is %d\n",
- mc_size_passwd);
- }
- } else {
- DEBUG(SSSDBG_IMPORTANT_INFO,
- "Passwd mmap cache is explicitly DISABLED\n");
- }
-
- if (mc_size_group != 0) {
- ret = sss_mmap_cache_init(nctx, "group",
- nctx->mc_uid, nctx->mc_gid,
- SSS_MC_GROUP,
- mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB,
- (time_t)memcache_timeout,
- &nctx->grp_mc_ctx);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to initialize group mmap cache: '%s'\n",
- sss_strerror(ret));
- } else {
- DEBUG(SSSDBG_CONF_SETTINGS, "Group mmap cache size is %d\n",
- mc_size_group);
- }
- } else {
- DEBUG(SSSDBG_IMPORTANT_INFO,
- "Group mmap cache is explicitly DISABLED\n");
- }
-
- if (mc_size_initgroups != 0) {
- ret = sss_mmap_cache_init(nctx, "initgroups",
- nctx->mc_uid, nctx->mc_gid,
- SSS_MC_INITGROUPS,
- mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB,
- (time_t)memcache_timeout,
- &nctx->initgr_mc_ctx);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to initialize initgroups mmap cache: '%s'\n",
- sss_strerror(ret));
- } else {
- DEBUG(SSSDBG_CONF_SETTINGS, "Initgroups mmap cache size is %d\n",
- mc_size_initgroups);
- }
- } else {
- DEBUG(SSSDBG_IMPORTANT_INFO,
- "Initgroups mmap cache is explicitly DISABLED\n");
+ ret = sss_mmap_cache_init(nctx, "passwd",
+ nctx->mc_uid, nctx->mc_gid,
+ SSS_MC_PASSWD,
+ mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB,
+ (time_t)memcache_timeout,
+ &nctx->pwd_mc_ctx);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize passwd mmap cache: '%s'\n",
+ sss_strerror(ret));
+ }
+
+ ret = sss_mmap_cache_init(nctx, "group",
+ nctx->mc_uid, nctx->mc_gid,
+ SSS_MC_GROUP,
+ mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB,
+ (time_t)memcache_timeout,
+ &nctx->grp_mc_ctx);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize group mmap cache: '%s'\n",
+ sss_strerror(ret));
+ }
+
+ ret = sss_mmap_cache_init(nctx, "initgroups",
+ nctx->mc_uid, nctx->mc_gid,
+ SSS_MC_INITGROUPS,
+ mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB,
+ (time_t)memcache_timeout,
+ &nctx->initgr_mc_ctx);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize initgroups mmap cache: '%s'\n",
+ sss_strerror(ret));
}
return EOK;
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index 71919e4ac..f66e76ce4 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -1108,48 +1108,48 @@ static errno_t sss_mc_set_recycled(int fd)
return EOK;
}
-/*
- * When we (re)create a new file we must mark the current file as recycled
- * so active clients will abandon its use ASAP.
- * We unlink the current file and make a new one.
- */
-static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx)
+static void sss_mc_destroy_file(const char *filename)
{
- mode_t old_mask;
+ const useconds_t t = 50000;
+ const int retries = 3;
int ofd;
- int ret, uret;
- useconds_t t = 50000;
- int retries = 3;
+ int ret;
- ofd = open(mc_ctx->file, O_RDWR);
+ ofd = open(filename, O_RDWR);
if (ofd != -1) {
ret = sss_br_lock_file(ofd, 0, 1, retries, t);
if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Failed to lock file %s.\n", mc_ctx->file);
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to lock file %s.\n", filename);
}
ret = sss_mc_set_recycled(ofd);
if (ret) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to mark mmap file %s as"
- " recycled: %d(%s)\n",
- mc_ctx->file, ret, strerror(ret));
+ " recycled: %d (%s)\n",
+ filename, ret, strerror(ret));
}
-
close(ofd);
} else if (errno != ENOENT) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to open old memory cache file %s: %d(%s).\n",
- mc_ctx->file, ret, strerror(ret));
+ "Failed to open old memory cache file %s: %d (%s)\n",
+ filename, ret, strerror(ret));
}
errno = 0;
- ret = unlink(mc_ctx->file);
+ ret = unlink(filename);
if (ret == -1 && errno != ENOENT) {
ret = errno;
- DEBUG(SSSDBG_TRACE_FUNC, "Failed to rm mmap file %s: %d(%s)\n",
- mc_ctx->file, ret, strerror(ret));
+ DEBUG(SSSDBG_TRACE_FUNC, "Failed to delete mmap file %s: %d (%s)\n",
+ filename, ret, strerror(ret));
}
+}
+
+static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx)
+{
+ const useconds_t t = 50000;
+ const int retries = 3;
+ mode_t old_mask;
+ int ret, uret;
/* temporarily relax umask as we need the file to be readable
* by everyone for now */
@@ -1276,9 +1276,32 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
struct sss_mc_ctx *mc_ctx = NULL;
int ret, dret;
+ char *filename;
+
+ filename = talloc_asprintf(mem_ctx, "%s/%s", SSS_NSS_MCACHE_DIR, name);
+ if (!filename) {
+ return ENOMEM;
+ }
+ /*
+ * First of all mark the current file as recycled
+ * and unlink so active clients will abandon its use ASAP
+ */
+ sss_mc_destroy_file(filename);
+
+ if ((timeout == 0) || (n_elem == 0)) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Fast '%s' mmap cache is explicitly DISABLED\n",
+ mc_type_to_str(type));
+ *mcc = NULL;
+ return EOK;
+ }
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Fast '%s' mmap cache: timeout = %d, slots = %zu\n",
+ mc_type_to_str(type), (int)timeout, n_elem);
mc_ctx = talloc_zero(mem_ctx, struct sss_mc_ctx);
if (!mc_ctx) {
+ talloc_free(filename);
return ENOMEM;
}
mc_ctx->fd = -1;
@@ -1297,12 +1320,7 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
mc_ctx->valid_time_slot = timeout;
- mc_ctx->file = talloc_asprintf(mc_ctx, "%s/%s",
- SSS_NSS_MCACHE_DIR, name);
- if (!mc_ctx->file) {
- ret = ENOMEM;
- goto done;
- }
+ mc_ctx->file = talloc_steal(mc_ctx, filename);
/* elements must always be multiple of 8 to make things easier to handle,
* so we increase by the necessary amount if they are not a multiple */
@@ -1320,8 +1338,6 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
MC_ALIGN64(mc_ctx->ht_size);
- /* for now ALWAYS create a new file on restart */
-
ret = sss_mc_create_file(mc_ctx);
if (ret) {
goto done;
--
2.21.3

@ -0,0 +1,100 @@
From 19c2c641e669ee1c08d6706c132625dc30e64609 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 12 Jan 2021 16:40:56 +0100
Subject: [PATCH] simple: fix memory leak while reloading lists
The simple access provider will reload the access and deny lists at
runtime to make sure that users and groups from domains which are
discovered at runtime are properly processed.
While reloading the lists the original lists are not freed and an
intermediate list wasn't removed as well.
Resolves: https://github.com/SSSD/sssd/issues/5456
:fixes: Memory leak in the simple access provider
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/simple/simple_access.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index 1868569b1..49226adf2 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -117,17 +117,13 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
const char *name;
const char *option;
char **orig_list;
- char ***ctx_list;
+ char **ctx_list;
} lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
{"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
{"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
{"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
{NULL, NULL, NULL, NULL}};
- lists[0].ctx_list = &ctx->allow_users;
- lists[1].ctx_list = &ctx->deny_users;
- lists[2].ctx_list = &ctx->allow_groups;
- lists[3].ctx_list = &ctx->deny_groups;
ret = sysdb_master_domain_update(bectx->domain);
if (ret != EOK) {
@@ -141,7 +137,6 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
lists[i].option, &lists[i].orig_list);
if (ret == ENOENT) {
DEBUG(SSSDBG_FUNC_DATA, "%s list is empty.\n", lists[i].name);
- *lists[i].ctx_list = NULL;
continue;
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string_as_list failed.\n");
@@ -149,7 +144,8 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
}
ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
- lists[i].ctx_list);
+ &lists[i].ctx_list);
+ talloc_free(lists[i].orig_list);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse %s list [%d]: %s\n",
lists[i].name, ret, sss_strerror(ret));
@@ -157,6 +153,18 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
}
}
+ talloc_free(ctx->allow_users);
+ ctx->allow_users = talloc_steal(ctx, lists[0].ctx_list);
+
+ talloc_free(ctx->deny_users);
+ ctx->deny_users = talloc_steal(ctx, lists[1].ctx_list);
+
+ talloc_free(ctx->allow_groups);
+ ctx->allow_groups = talloc_steal(ctx, lists[2].ctx_list);
+
+ talloc_free(ctx->deny_groups);
+ ctx->deny_groups = talloc_steal(ctx, lists[3].ctx_list);
+
if (!ctx->allow_users &&
!ctx->allow_groups &&
!ctx->deny_users &&
@@ -165,9 +173,15 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
"No rules supplied for simple access provider. "
"Access will be granted for all users.\n");
}
+
+
return EOK;
failed:
+ for (i = 0; lists[i].name != NULL; i++) {
+ talloc_free(lists[i].ctx_list);
+ }
+
return ret;
}
--
2.21.3
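Review bot: `talloc_free(lists[i].orig_list)` after the simple_access_parse_names call leaves `lists[i].orig_list` pointing at freed memory for the rest of the function; nothing in the visible hunks reads it again, but clearing it right after the free (`lists[i].orig_list = NULL;`) keeps the table consistent for the `failed:` loop and for any later cleanup added to it. The block after the loop replaces all four ctx lists only once every list has parsed, so a mid-way failure leaves the previously loaded allow/deny lists in effect instead of a half-updated set — that is the desired behaviour, and a comment above the first `talloc_free(ctx->allow_users)` such as `/* every list parsed; swap the new lists in together so a failure above never leaves a partial set */` would make that intent explicit. The two consecutive blank lines added before `return EOK;` look accidental. simple_access_obtain_filter_lists begins outside the first hunk.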

@ -0,0 +1,38 @@
From bdf461c7577c458d7b2a785b2007c0ccae73e3f7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 11 Jan 2021 18:28:02 +0100
Subject: [PATCH] SBUS: do not try to del non existing sender
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/5425
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sbus/request/sbus_request_sender.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/sbus/request/sbus_request_sender.c b/src/sbus/request/sbus_request_sender.c
index cecb188b0..39cdec064 100644
--- a/src/sbus/request/sbus_request_sender.c
+++ b/src/sbus/request/sbus_request_sender.c
@@ -101,10 +101,11 @@ void
sbus_senders_delete(hash_table_t *table,
const char *name)
{
- DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
- name);
-
- sss_ptr_hash_delete(table, name, true);
+ if (sss_ptr_hash_has_key(table, name)) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
+ name);
+ sss_ptr_hash_delete(table, name, true);
+ }
}
errno_t
--
2.21.3
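Review bot: The new guard in sbus_senders_delete turns a delete of an unknown sender into a silent no-op, so the trace log no longer records these calls at all; keeping a trace line in the other branch, `} else { DEBUG(SSSDBG_TRACE_INTERNAL, "Sender [%s] not registered, nothing to remove\n", name); }`, preserves the diagnostic trail that the issue this fixes was presumably found through. Whether sss_ptr_hash_delete itself reports a missing key is not visible here; if it does, that report was the only signal and is now suppressed. The function is complete within the hunk.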

@ -0,0 +1,34 @@
From c0ae6d34ff7c170ca0e6d0faa8a2daf9a77becb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 8 Jan 2021 14:00:47 +0100
Subject: [PATCH] pamsrv_gssapi: fix implicit conversion warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
src/responder/pam/pamsrv_gssapi.c: In function pam_cmd_gssapi_sec_ctx:
src/responder/pam/pamsrv_gssapi.c:716:64: error: implicit conversion from enum sss_domain_type to enum cache_req_dom_type [-Werror=enum-conversion]
716 | cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/pam/pamsrv_gssapi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
index 099675e1c..2d05c7888 100644
--- a/src/responder/pam/pamsrv_gssapi.c
+++ b/src/responder/pam/pamsrv_gssapi.c
@@ -713,7 +713,8 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
DEBUG(SSSDBG_TRACE_FUNC, "Checking that target user matches UPN\n");
req = cache_req_user_by_upn_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx,
- cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
+ cli_ctx->rctx->ncache, 0,
+ CACHE_REQ_POSIX_DOM,
domain->name, state->authenticated_upn);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
--
2.21.3

@ -0,0 +1,34 @@
From cc173629f30fbc885ee90e52a205554b118e0ee6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 11 Jan 2021 13:11:39 +0100
Subject: [PATCH 38/39] gssapi: default pam_gssapi_services to NULL in domain
section
We need to distinguish when the option is not set in domain section and when
it is is explicitly disabled. Now if it is not set, domain->gssapi_services
is NULL and we'll use value from the pam section.
Without this change, the value in the pam section is ignored.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 2881ce5da..befcfff2d 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1582,7 +1582,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
- "-");
+ NULL);
if (tmp != NULL) {
ret = split_on_separator(domain, tmp, ',', true, true,
&domain->gssapi_services, NULL);
--
2.21.3
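Review bot: The NULL default passed to ldb_msg_find_attr_as_string gives domain->gssapi_services a three-way meaning (absent, explicit list, explicitly disabled) that is documented only in the commit message; a comment above the call, `/* NULL default: option absent in the domain section, leave gssapi_services NULL so the [pam] value applies */`, would keep that contract next to the code. The fallback also depends on domain->gssapi_services already being NULL when the attribute is absent, which the hunk does not show — worth confirming the domain struct is zero-allocated. confdb_get_domain_internal begins outside the hunk.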

@ -1,63 +0,0 @@
From 72b8e02c77f0b0b7e36663fa3bd3fd6987ea1b80 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 13 Jul 2020 18:11:40 +0200
Subject: [PATCH] sssctl: sssctl config-check alternative snippet dir
The sssctl config-check now allows to specify not only alternative
config file but also snippet dir.
sssctl config-check -c ./sssd.conf -s /etc/sssd/conf.d
Configuration snippets are still looked up in the same place under
conf.d directory by default. It would be in ./conf.d/ for the example
above.
Resolves:
https://github.com/SSSD/sssd/issues/5142
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/tools/sssctl/sssctl_config.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index de9f3de6e..db4aeeae4 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -75,6 +75,11 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
struct poptOption long_options[] = {
{"config", 'c', POPT_ARG_STRING, &config_path,
0, _("Specify a non-default config file"), NULL},
+ {"snippet", 's', POPT_ARG_STRING, &config_snippet_path,
+ 0, _("Specify a non-default snippet dir (The default is to look in "
+ "the same place where the main config file is located. For "
+ "example if the config is set to \"/my/path/sssd.conf\", "
+ "the snippet dir \"/my/path/conf.d\" is used)"), NULL},
POPT_TABLEEND
};
@@ -92,16 +97,17 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
goto done;
}
- if (config_path != NULL) {
+ if (config_path == NULL) {
+ config_path = SSSD_CONFIG_FILE;
+ }
+
+ if (config_snippet_path == NULL) {
config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path);
if (config_snippet_path == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n");
ret = ENOMEM;
goto done;
}
- } else {
- config_path = SSSD_CONFIG_FILE;
- config_snippet_path = CONFDB_DEFAULT_CONFIG_DIR;
}
ret = sss_ini_read_sssd_conf(init_data,
--
2.21.3

@ -1,651 +0,0 @@
From a2b9a84460429181f2a4fa7e2bb5ab49fd561274 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Dec 2019 11:31:14 +0100
Subject: [PATCH] certmap: sanitize LDAP search filter
The sss_certmap_get_search_filter() will now sanitize the values read
from the certificates before adding them to a search filter. To be able
to get the plain values as well sss_certmap_expand_mapping_rule() is
added.
Resolves:
https://github.com/SSSD/sssd/issues/5135
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
Makefile.am | 2 +-
src/lib/certmap/sss_certmap.c | 42 ++++++++++--
src/lib/certmap/sss_certmap.exports | 5 ++
src/lib/certmap/sss_certmap.h | 35 ++++++++--
src/responder/pam/pamsrv_p11.c | 5 +-
src/tests/cmocka/test_certmap.c | 98 +++++++++++++++++++++++++++-
src/util/util.c | 94 ---------------------------
src/util/util_ext.c | 99 +++++++++++++++++++++++++++++
8 files changed, 272 insertions(+), 108 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 059e1eaf6..4bacabdda 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2163,7 +2163,7 @@ libsss_certmap_la_LIBADD = \
$(NULL)
libsss_certmap_la_LDFLAGS = \
-Wl,--version-script,$(srcdir)/src/lib/certmap/sss_certmap.exports \
- -version-info 1:0:1
+ -version-info 2:0:2
if HAVE_NSS
libsss_certmap_la_SOURCES += \
diff --git a/src/lib/certmap/sss_certmap.c b/src/lib/certmap/sss_certmap.c
index 703782b53..f19e57732 100644
--- a/src/lib/certmap/sss_certmap.c
+++ b/src/lib/certmap/sss_certmap.c
@@ -441,10 +441,12 @@ static int expand_san(struct sss_certmap_ctx *ctx,
static int expand_template(struct sss_certmap_ctx *ctx,
struct parsed_template *parsed_template,
struct sss_cert_content *cert_content,
+ bool sanitize,
char **expanded)
{
int ret;
char *exp = NULL;
+ char *exp_sanitized = NULL;
if (strcmp("issuer_dn", parsed_template->name) == 0) {
ret = rdn_list_2_dn_str(ctx, parsed_template->conversion,
@@ -455,6 +457,8 @@ static int expand_template(struct sss_certmap_ctx *ctx,
} else if (strncmp("subject_", parsed_template->name, 8) == 0) {
ret = expand_san(ctx, parsed_template, cert_content->san_list, &exp);
} else if (strcmp("cert", parsed_template->name) == 0) {
+ /* cert blob is already sanitized */
+ sanitize = false;
ret = expand_cert(ctx, parsed_template, cert_content, &exp);
} else {
CM_DEBUG(ctx, "Unsupported template name.");
@@ -471,6 +475,16 @@ static int expand_template(struct sss_certmap_ctx *ctx,
goto done;
}
+ if (sanitize) {
+ ret = sss_filter_sanitize(ctx, exp, &exp_sanitized);
+ if (ret != EOK) {
+ CM_DEBUG(ctx, "Failed to sanitize expanded template.");
+ goto done;
+ }
+ talloc_free(exp);
+ exp = exp_sanitized;
+ }
+
ret = 0;
done:
@@ -485,7 +499,7 @@ done:
static int get_filter(struct sss_certmap_ctx *ctx,
struct ldap_mapping_rule *parsed_mapping_rule,
- struct sss_cert_content *cert_content,
+ struct sss_cert_content *cert_content, bool sanitize,
char **filter)
{
struct ldap_mapping_rule_comp *comp;
@@ -503,7 +517,7 @@ static int get_filter(struct sss_certmap_ctx *ctx,
result = talloc_strdup_append(result, comp->val);
} else if (comp->type == comp_template) {
ret = expand_template(ctx, comp->parsed_template, cert_content,
- &expanded);
+ sanitize, &expanded);
if (ret != 0) {
CM_DEBUG(ctx, "Failed to expanded template.");
goto done;
@@ -791,8 +805,9 @@ done:
return ret;
}
-int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
+static int expand_mapping_rule_ex(struct sss_certmap_ctx *ctx,
const uint8_t *der_cert, size_t der_size,
+ bool sanitize,
char **_filter, char ***_domains)
{
int ret;
@@ -819,7 +834,8 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
return EINVAL;
}
- ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, &filter);
+ ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, sanitize,
+ &filter);
goto done;
}
@@ -829,7 +845,7 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
if (ret == 0) {
/* match */
ret = get_filter(ctx, r->parsed_mapping_rule, cert_content,
- &filter);
+ sanitize, &filter);
if (ret != 0) {
CM_DEBUG(ctx, "Failed to get filter");
goto done;
@@ -873,6 +889,22 @@ done:
return ret;
}
+int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
+ const uint8_t *der_cert, size_t der_size,
+ char **_filter, char ***_domains)
+{
+ return expand_mapping_rule_ex(ctx, der_cert, der_size, true,
+ _filter, _domains);
+}
+
+int sss_certmap_expand_mapping_rule(struct sss_certmap_ctx *ctx,
+ const uint8_t *der_cert, size_t der_size,
+ char **_expanded, char ***_domains)
+{
+ return expand_mapping_rule_ex(ctx, der_cert, der_size, false,
+ _expanded, _domains);
+}
+
int sss_certmap_init(TALLOC_CTX *mem_ctx,
sss_certmap_ext_debug *debug, void *debug_priv,
struct sss_certmap_ctx **ctx)
diff --git a/src/lib/certmap/sss_certmap.exports b/src/lib/certmap/sss_certmap.exports
index a9e48d6d0..7d7667738 100644
--- a/src/lib/certmap/sss_certmap.exports
+++ b/src/lib/certmap/sss_certmap.exports
@@ -16,3 +16,8 @@ SSS_CERTMAP_0.1 {
global:
sss_certmap_display_cert_content;
} SSS_CERTMAP_0.0;
+
+SSS_CERTMAP_0.2 {
+ global:
+ sss_certmap_expand_mapping_rule;
+} SSS_CERTMAP_0.1;
diff --git a/src/lib/certmap/sss_certmap.h b/src/lib/certmap/sss_certmap.h
index 7da2d1c58..058d4f9e4 100644
--- a/src/lib/certmap/sss_certmap.h
+++ b/src/lib/certmap/sss_certmap.h
@@ -103,7 +103,7 @@ int sss_certmap_add_rule(struct sss_certmap_ctx *ctx,
*
* @param[in] ctx certmap context previously initialized with
* @ref sss_certmap_init
- * @param[in] der_cert binary blog with the DER encoded certificate
+ * @param[in] der_cert binary blob with the DER encoded certificate
* @param[in] der_size size of the certificate blob
*
* @return
@@ -119,10 +119,11 @@ int sss_certmap_match_cert(struct sss_certmap_ctx *ctx,
*
* @param[in] ctx certmap context previously initialized with
* @ref sss_certmap_init
- * @param[in] der_cert binary blog with the DER encoded certificate
+ * @param[in] der_cert binary blob with the DER encoded certificate
* @param[in] der_size size of the certificate blob
- * @param[out] filter LDAP filter string, caller should free the data by
- * calling sss_certmap_free_filter_and_domains
+ * @param[out] filter LDAP filter string, expanded templates are sanitized,
+ * caller should free the data by calling
+ * sss_certmap_free_filter_and_domains
* @param[out] domains NULL-terminated array of strings with the domains the
* rule applies, caller should free the data by calling
* sss_certmap_free_filter_and_domains
@@ -136,8 +137,32 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
const uint8_t *der_cert, size_t der_size,
char **filter, char ***domains);
+/**
+ * @brief Expand the mapping rule by replacing the templates
+ *
+ * @param[in] ctx certmap context previously initialized with
+ * @ref sss_certmap_init
+ * @param[in] der_cert binary blob with the DER encoded certificate
+ * @param[in] der_size size of the certificate blob
+ * @param[out] expanded expanded mapping rule, templates are filled in
+ * verbatim in contrast to sss_certmap_get_search_filter,
+ * caller should free the data by
+ * calling sss_certmap_free_filter_and_domains
+ * @param[out] domains NULL-terminated array of strings with the domains the
+ * rule applies, caller should free the data by calling
+ * sss_certmap_free_filter_and_domains
+ *
+ * @return
+ * - 0: certificate matches a rule
+ * - ENOENT: certificate does not match
+ * - EINVAL: internal error
+ */
+int sss_certmap_expand_mapping_rule(struct sss_certmap_ctx *ctx,
+ const uint8_t *der_cert, size_t der_size,
+ char **_expanded, char ***_domains);
/**
* @brief Free data returned by @ref sss_certmap_get_search_filter
+ * and @ref sss_certmap_expand_mapping_rule
*
* @param[in] filter LDAP filter strings returned by
* sss_certmap_get_search_filter
@@ -150,7 +175,7 @@ void sss_certmap_free_filter_and_domains(char *filter, char **domains);
* @brief Get a string with the content of the certificate used by the library
*
* @param[in] mem_ctx Talloc memory context, may be NULL
- * @param[in] der_cert binary blog with the DER encoded certificate
+ * @param[in] der_cert binary blob with the DER encoded certificate
* @param[in] der_size size of the certificate blob
* @param[out] desc Multiline string showing the certificate content
* which is used by libsss_certmap
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 3f0afaeff..cdf239e07 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -1049,9 +1049,10 @@ static char *get_cert_prompt(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sss_certmap_get_search_filter(ctx, der, der_size, &filter, &domains);
+ ret = sss_certmap_expand_mapping_rule(ctx, der, der_size,
+ &filter, &domains);
if (ret != 0) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_get_search_filter failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_expand_mapping_rule failed.\n");
goto done;
}
diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
index c882202a0..232ff7878 100644
--- a/src/tests/cmocka/test_certmap.c
+++ b/src/tests/cmocka/test_certmap.c
@@ -1431,6 +1431,15 @@ static void test_sss_certmap_get_search_filter(void **state)
&filter, &domains);
assert_int_equal(ret, 0);
assert_non_null(filter);
+ assert_string_equal(filter, "rule100=<I>CN=Certificate\\20Authority,O=IPA.DEVEL"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_null(domains);
+
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
assert_string_equal(filter, "rule100=<I>CN=Certificate Authority,O=IPA.DEVEL"
"<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
assert_null(domains);
@@ -1445,6 +1454,17 @@ static void test_sss_certmap_get_search_filter(void **state)
&filter, &domains);
assert_int_equal(ret, 0);
assert_non_null(filter);
+ assert_string_equal(filter, "rule99=<I>CN=Certificate\\20Authority,O=IPA.DEVEL"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
assert_string_equal(filter, "rule99=<I>CN=Certificate Authority,O=IPA.DEVEL"
"<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
assert_non_null(domains);
@@ -1466,6 +1486,16 @@ static void test_sss_certmap_get_search_filter(void **state)
assert_string_equal(domains[0], "test.dom");
assert_null(domains[1]);
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "rule98=userCertificate;binary=" TEST_CERT_BIN);
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
ret = sss_certmap_add_rule(ctx, 97,
"KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
"LDAP:rule97=<I>{issuer_dn!nss_x500}<S>{subject_dn}",
@@ -1476,6 +1506,17 @@ static void test_sss_certmap_get_search_filter(void **state)
&filter, &domains);
assert_int_equal(ret, 0);
assert_non_null(filter);
+ assert_string_equal(filter, "rule97=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
assert_string_equal(filter, "rule97=<I>O=IPA.DEVEL,CN=Certificate Authority"
"<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
assert_non_null(domains);
@@ -1492,6 +1533,17 @@ static void test_sss_certmap_get_search_filter(void **state)
&filter, &domains);
assert_int_equal(ret, 0);
assert_non_null(filter);
+ assert_string_equal(filter, "rule96=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
+ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
assert_string_equal(filter, "rule96=<I>O=IPA.DEVEL,CN=Certificate Authority"
"<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
assert_non_null(domains);
@@ -1510,6 +1562,14 @@ static void test_sss_certmap_get_search_filter(void **state)
assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")");
assert_null(domains);
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")");
+ assert_null(domains);
+
ret = sss_certmap_add_rule(ctx, 94,
"KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
"LDAP:rule94=<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}",
@@ -1520,12 +1580,22 @@ static void test_sss_certmap_get_search_filter(void **state)
&filter, &domains);
assert_int_equal(ret, 0);
assert_non_null(filter);
- assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate Authority"
+ assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
"<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
assert_non_null(domains);
assert_string_equal(domains[0], "test.dom");
assert_null(domains[1]);
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate Authority"
+ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
ret = sss_certmap_add_rule(ctx, 89, NULL,
"(rule89={subject_nt_principal})",
@@ -1539,6 +1609,14 @@ static void test_sss_certmap_get_search_filter(void **state)
assert_string_equal(filter, "(rule89=tu1@ad.devel)");
assert_null(domains);
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "(rule89=tu1@ad.devel)");
+ assert_null(domains);
+
ret = sss_certmap_add_rule(ctx, 88, NULL,
"(rule88={subject_nt_principal.short_name})",
NULL);
@@ -1560,6 +1638,15 @@ static void test_sss_certmap_get_search_filter(void **state)
&filter, &domains);
assert_int_equal(ret, 0);
assert_non_null(filter);
+ assert_string_equal(filter, "rule87=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
+ "<S>DC=devel,DC=ad,CN=Users,CN=t\\20u,E=test.user@email.domain");
+ assert_null(domains);
+
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
assert_string_equal(filter, "rule87=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
"<S>DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain");
assert_null(domains);
@@ -1573,6 +1660,15 @@ static void test_sss_certmap_get_search_filter(void **state)
&filter, &domains);
assert_int_equal(ret, 0);
assert_non_null(filter);
+ assert_string_equal(filter, "rule86=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
+ "<S>DC=devel,DC=ad,CN=Users,CN=t\\20u,E=test.user@email.domain");
+ assert_null(domains);
+
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
assert_string_equal(filter, "rule86=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
"<S>DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain");
assert_null(domains);
diff --git a/src/util/util.c b/src/util/util.c
index d9bd3cb59..19d447328 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -436,100 +436,6 @@ errno_t sss_hash_create(TALLOC_CTX *mem_ctx, unsigned long count,
return sss_hash_create_ex(mem_ctx, count, tbl, 0, 0, 0, 0, NULL, NULL);
}
-errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx,
- const char *input,
- char **sanitized,
- const char *ignore)
-{
- char *output;
- size_t i = 0;
- size_t j = 0;
- char *allowed;
-
- /* Assume the worst-case. We'll resize it later, once */
- output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1);
- if (!output) {
- return ENOMEM;
- }
-
- while (input[i]) {
- /* Even though this character might have a special meaning, if it's
- * explicitly allowed, just copy it and move on
- */
- if (ignore == NULL) {
- allowed = NULL;
- } else {
- allowed = strchr(ignore, input[i]);
- }
- if (allowed) {
- output[j++] = input[i++];
- continue;
- }
-
- switch(input[i]) {
- case '\t':
- output[j++] = '\\';
- output[j++] = '0';
- output[j++] = '9';
- break;
- case ' ':
- output[j++] = '\\';
- output[j++] = '2';
- output[j++] = '0';
- break;
- case '*':
- output[j++] = '\\';
- output[j++] = '2';
- output[j++] = 'a';
- break;
- case '(':
- output[j++] = '\\';
- output[j++] = '2';
- output[j++] = '8';
- break;
- case ')':
- output[j++] = '\\';
- output[j++] = '2';
- output[j++] = '9';
- break;
- case '\\':
- output[j++] = '\\';
- output[j++] = '5';
- output[j++] = 'c';
- break;
- case '\r':
- output[j++] = '\\';
- output[j++] = '0';
- output[j++] = 'd';
- break;
- case '\n':
- output[j++] = '\\';
- output[j++] = '0';
- output[j++] = 'a';
- break;
- default:
- output[j++] = input[i];
- }
-
- i++;
- }
- output[j] = '\0';
- *sanitized = talloc_realloc(mem_ctx, output, char, j+1);
- if (!*sanitized) {
- talloc_free(output);
- return ENOMEM;
- }
-
- return EOK;
-}
-
-errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
- const char *input,
- char **sanitized)
-{
- return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
-}
-
char *
sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr)
{
diff --git a/src/util/util_ext.c b/src/util/util_ext.c
index 04dc02a8a..a89b60f76 100644
--- a/src/util/util_ext.c
+++ b/src/util/util_ext.c
@@ -29,6 +29,11 @@
#define EOK 0
+#ifndef HAVE_ERRNO_T
+#define HAVE_ERRNO_T
+typedef int errno_t;
+#endif
+
int split_on_separator(TALLOC_CTX *mem_ctx, const char *str,
const char sep, bool trim, bool skip_empty,
char ***_list, int *size)
@@ -141,3 +146,97 @@ bool string_in_list(const char *string, char **list, bool case_sensitive)
return false;
}
+
+errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx,
+ const char *input,
+ char **sanitized,
+ const char *ignore)
+{
+ char *output;
+ size_t i = 0;
+ size_t j = 0;
+ char *allowed;
+
+ /* Assume the worst-case. We'll resize it later, once */
+ output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1);
+ if (!output) {
+ return ENOMEM;
+ }
+
+ while (input[i]) {
+ /* Even though this character might have a special meaning, if it's
+ * explicitly allowed, just copy it and move on
+ */
+ if (ignore == NULL) {
+ allowed = NULL;
+ } else {
+ allowed = strchr(ignore, input[i]);
+ }
+ if (allowed) {
+ output[j++] = input[i++];
+ continue;
+ }
+
+ switch(input[i]) {
+ case '\t':
+ output[j++] = '\\';
+ output[j++] = '0';
+ output[j++] = '9';
+ break;
+ case ' ':
+ output[j++] = '\\';
+ output[j++] = '2';
+ output[j++] = '0';
+ break;
+ case '*':
+ output[j++] = '\\';
+ output[j++] = '2';
+ output[j++] = 'a';
+ break;
+ case '(':
+ output[j++] = '\\';
+ output[j++] = '2';
+ output[j++] = '8';
+ break;
+ case ')':
+ output[j++] = '\\';
+ output[j++] = '2';
+ output[j++] = '9';
+ break;
+ case '\\':
+ output[j++] = '\\';
+ output[j++] = '5';
+ output[j++] = 'c';
+ break;
+ case '\r':
+ output[j++] = '\\';
+ output[j++] = '0';
+ output[j++] = 'd';
+ break;
+ case '\n':
+ output[j++] = '\\';
+ output[j++] = '0';
+ output[j++] = 'a';
+ break;
+ default:
+ output[j++] = input[i];
+ }
+
+ i++;
+ }
+ output[j] = '\0';
+ *sanitized = talloc_realloc(mem_ctx, output, char, j+1);
+ if (!*sanitized) {
+ talloc_free(output);
+ return ENOMEM;
+ }
+
+ return EOK;
+}
+
+errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
+ const char *input,
+ char **sanitized)
+{
+ return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
+}
--
2.21.3


@ -0,0 +1,133 @@
From 111b8b4d62a4fe192c075e6f6bfacb408e6074b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 12 Jan 2021 13:50:11 +0100
Subject: [PATCH 39/39] pam_sss_gssapi: fix coverity issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
```
1. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
Expand
2. Defect type: RESOURCE_LEAK
3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to.
Expand
3. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
Expand
4. Defect type: RESOURCE_LEAK
6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to.
Expand
5. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to.
Expand
6. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to.
1. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username'
Expand
2. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn'
Expand
3. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target'
Expand
4. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain'
```
Also fix compilation warning
```
../src/sss_client/pam_sss_gss.c:339:5: warning: reply may be used uninitialized in this function [-Wmaybe-uninitialized]
339 | free(reply);
| ^~~~~~~~~~~
../src/sss_client/pam_sss_gss.c:328:14: note: reply was declared here
328 | uint8_t *reply;
| ^~~~~
../src/sss_client/pam_sss_gss.c:270:11: warning: reply_len may be used uninitialized in this function [-Wmaybe-uninitialized]
270 | upn = malloc(reply_len * sizeof(char));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/sss_client/pam_sss_gss.c:327:12: note: reply_len was declared here
327 | size_t reply_len;
| ^~~~~~~~~
```
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/sss_client/pam_sss_gss.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
index cd38db7da..51be36ece 100644
--- a/src/sss_client/pam_sss_gss.c
+++ b/src/sss_client/pam_sss_gss.c
@@ -195,6 +195,8 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
struct sss_cli_req_data req_data;
size_t service_len;
size_t user_len;
+ size_t reply_len;
+ uint8_t *reply = NULL;
uint8_t *data;
errno_t ret;
int ret_errno;
@@ -217,7 +219,7 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
req_data.data = data;
- ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len,
+ ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, &reply, &reply_len,
&ret_errno);
free(data);
if (ret != PAM_SUCCESS) {
@@ -233,6 +235,16 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
return (ret_errno != EOK) ? ret_errno : EIO;
}
+ if (ret_errno == EOK) {
+ *_reply = reply;
+ *_reply_len = reply_len;
+ } else {
+ /* We got PAM_SUCCESS therefore the communication with SSSD was
+ * successful and we have received a reply buffer. We just don't care
+ * about it, we are only interested in the error code. */
+ free(reply);
+ }
+
return ret_errno;
}
@@ -257,7 +269,8 @@ static errno_t sssd_gssapi_init_recv(uint8_t *reply,
target = malloc(reply_len * sizeof(char));
upn = malloc(reply_len * sizeof(char));
if (username == NULL || domain == NULL || target == NULL || upn == NULL) {
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
}
buf = (const char*)reply;
@@ -311,8 +324,8 @@ static errno_t sssd_gssapi_init(pam_handle_t *pamh,
char **_target,
char **_upn)
{
- size_t reply_len;
- uint8_t *reply;
+ size_t reply_len = 0;
+ uint8_t *reply = NULL;
errno_t ret;
ret = sssd_gssapi_init_send(pamh, pam_service, pam_user, &reply,
@@ -549,6 +562,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,
done:
sss_pam_close_fd();
+ free(username);
free(domain);
free(target);
free(upn);
--
2.21.3
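Review bot: `size_t reply_len;` in the first sssd_gssapi_init_send hunk is left uninitialized while its companion `uint8_t *reply = NULL;` is, and the sssd_gssapi_init hunk below initializes the same pair with `size_t reply_len = 0;` — write `size_t reply_len = 0;` here too, for consistency and so the -Wmaybe-uninitialized class of warning the message cites cannot reappear for this copy. The new `free(reply)` covers only the PAM_SUCCESS-with-error-code path; whether the `if (ret != PAM_SUCCESS)` early return just above the new block can also leave a buffer behind depends on sss_pam_make_request's contract, which is not visible here and is worth confirming. In the pam_sm_authenticate hunk, `free(username)` is safe only if every path to `done:` leaves `username` NULL or owned; the declaration is outside the hunk, so confirm it is initialized to NULL. Both sssd_gssapi_init_send and pam_sm_authenticate continue outside their hunks.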


@ -1,42 +0,0 @@
From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
Date: Thu, 28 May 2020 12:12:58 +0200
Subject: [PATCH] AD: Enforcing GPO rule restriction on user
This fixes bug related to ad_gpo_implicit_deny option set to True.
gpo_implict_denay was checked only for dacl_filtered_gpos,
but not for cse_filtered_gpos.
Resolves:
https://github.com/SSSD/sssd/issues/5181
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ad/ad_gpo.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 53560a754..2c6aa7fa6 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
/* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
DEBUG(SSSDBG_TRACE_FUNC,
"no applicable gpos found after cse_guid filtering\n");
- ret = EOK;
+
+ if (state->gpo_implicit_deny == true) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
+ " is set to 'true'. The user will be denied access.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ ret = EOK;
+ }
+
goto done;
}
--
2.21.3


@ -0,0 +1,40 @@
From cd48ef5071741443e3b84e100a4d4d28e3578e4f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 25 Jan 2021 15:14:05 +0200
Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When IPA allows to add AD users and groups directly to sudo rules
(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
Thus, we don't need to add additional '%'.
Resolves: https://github.com/SSSD/sssd/issues/5475
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ipa/ipa_sudo_conversion.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index cfb41d8b0..1bfee096d 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
const char *value,
bool *skip_entry)
{
+ if (value == NULL)
+ return NULL;
+
+ if (value[0] == '%')
+ return talloc_strdup(mem_ctx, value);
+
return talloc_asprintf(mem_ctx, "%%%s", value);
}
--
2.21.3
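Review bot: The two new guards in convert_runasextusergroup use unbraced single-statement `if` bodies, whereas the rest of this commit's C (e.g. `if (ret != EOK) {` in every responder hunk) braces control bodies; write `if (value == NULL) { return NULL; }` and `if (value[0] == '%') { return talloc_strdup(mem_ctx, value); }`. Returning NULL for a NULL `value` is also indistinguishable from a talloc_strdup/talloc_asprintf allocation failure, so if the caller maps NULL to ENOMEM a missing attribute would now surface as an out-of-memory error; the signature already carries `bool *skip_entry`, and setting `*skip_entry = true` before returning would be the cleaner signal — the callers are outside the hunk, so verify which convention they expect. A one-line comment above the `'%'` check, stating that FreeIPA 4.9.1+ already supplies the prefix for external groups, would save the next reader a trip to the commit log.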


@ -1,33 +0,0 @@
From 3bb910503bb7cbc20105f0a302db400f04436d2a Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 18 Aug 2020 11:45:18 +0200
Subject: [PATCH] man: clarify AD certificate rule
Clarify AD specific certificate rule example by changing userPrincipal to
userPrincipalName. Moreover, match the subject principal name in the
example with the rule name.
Resolves:
https://github.com/SSSD/sssd/issues/5278
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/man/sss-certmap.5.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
index 10343625e..09aec997c 100644
--- a/src/man/sss-certmap.5.xml
+++ b/src/man/sss-certmap.5.xml
@@ -487,7 +487,7 @@
sign.
</para>
<para>
- Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
+ Example: (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))
</para>
</listitem>
</varlistentry>
--
2.21.3


@ -0,0 +1,199 @@
From e07eeea7df55ede36ac0978ac904c1bb11188265 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 20 Jan 2021 17:48:44 +0100
Subject: [PATCH 41/42] responders: add callback to schedule_get_domains_task()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To allow responders to run dedicated code at the end of the initial
getDomains request a callback is added.
Resolves: https://github.com/SSSD/sssd/issues/5469
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/responder/autofs/autofssrv.c | 2 +-
src/responder/common/responder.h | 5 ++++-
src/responder/common/responder_get_domains.c | 12 +++++++++++-
src/responder/ifp/ifpsrv.c | 2 +-
src/responder/nss/nsssrv.c | 3 ++-
src/responder/pac/pacsrv.c | 2 +-
src/responder/pam/pamsrv.c | 3 ++-
src/responder/ssh/sshsrv.c | 2 +-
src/responder/sudo/sudosrv.c | 2 +-
src/tests/cmocka/test_responder_common.c | 2 +-
10 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
index 27de1b44a..130eaf775 100644
--- a/src/responder/autofs/autofssrv.c
+++ b/src/responder/autofs/autofssrv.c
@@ -142,7 +142,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index f83ba1bc0..ff0559c08 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -366,10 +366,13 @@ errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
char **_domain);
+typedef void (get_domains_callback_fn_t)(void *);
errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct resp_ctx *rctx,
- struct sss_nc_ctx *optional_ncache);
+ struct sss_nc_ctx *optional_ncache,
+ get_domains_callback_fn_t *callback,
+ void *callback_pvt);
errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string,
bool allow_sss_loop,
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
index e551b0fff..12b6e9028 100644
--- a/src/responder/common/responder_get_domains.c
+++ b/src/responder/common/responder_get_domains.c
@@ -430,6 +430,8 @@ static errno_t check_last_request(struct resp_ctx *rctx, const char *hint)
struct get_domains_state {
struct resp_ctx *rctx;
struct sss_nc_ctx *optional_ncache;
+ get_domains_callback_fn_t *callback;
+ void *callback_pvt;
};
static void get_domains_at_startup_done(struct tevent_req *req)
@@ -462,6 +464,10 @@ static void get_domains_at_startup_done(struct tevent_req *req)
}
}
+ if (state->callback != NULL) {
+ state->callback(state->callback_pvt);
+ }
+
talloc_free(state);
return;
}
@@ -489,7 +495,9 @@ static void get_domains_at_startup(struct tevent_context *ev,
errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct resp_ctx *rctx,
- struct sss_nc_ctx *optional_ncache)
+ struct sss_nc_ctx *optional_ncache,
+ get_domains_callback_fn_t *callback,
+ void *callback_pvt)
{
struct tevent_immediate *imm;
struct get_domains_state *state;
@@ -500,6 +508,8 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
}
state->rctx = rctx;
state->optional_ncache = optional_ncache;
+ state->callback = callback;
+ state->callback_pvt = callback_pvt;
imm = tevent_create_immediate(mem_ctx);
if (imm == NULL) {
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
index 7407ee07b..ee1452728 100644
--- a/src/responder/ifp/ifpsrv.c
+++ b/src/responder/ifp/ifpsrv.c
@@ -266,7 +266,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
return EIO;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"schedule_get_domains_tasks failed.\n");
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index e80104e3d..2b7958e80 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -557,7 +557,8 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
}
responder_set_fd_limit(fd_limit);
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache,
+ NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
index 217f83c26..96935150b 100644
--- a/src/responder/pac/pacsrv.c
+++ b/src/responder/pac/pacsrv.c
@@ -129,7 +129,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index de1620e82..8b1ce2e92 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -246,7 +246,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
}
responder_set_fd_limit(fd_limit);
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
+ NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto done;
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 6072a702c..e79a0438c 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -126,7 +126,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index 5951b17b1..dc4a44b2f 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -102,7 +102,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
index 5fc0d712d..29356253b 100644
--- a/src/tests/cmocka/test_responder_common.c
+++ b/src/tests/cmocka/test_responder_common.c
@@ -265,7 +265,7 @@ void test_schedule_get_domains_task(void **state)
ret = schedule_get_domains_task(dummy_ncache_ptr,
parse_inp_ctx->rctx->ev,
parse_inp_ctx->rctx,
- dummy_ncache_ptr);
+ dummy_ncache_ptr, NULL, NULL);
assert_int_equal(ret, EOK);
ret = test_ev_loop(parse_inp_ctx->tctx);
--
2.21.3
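Review bot: The new callback invocation in get_domains_at_startup_done runs unconditionally just before `talloc_free(state)`, so if the error branches earlier in that function (outside the hunk) fall through to this point rather than returning, a registered callback cannot tell a failed getDomains request from a successful one, and the PAM consumer in the sibling patch would refresh its certificate maps from a possibly stale domain list. Consider either returning before the new block on failure, or passing the outcome through, e.g. `typedef void (get_domains_callback_fn_t)(void *, errno_t);`. The new typedef in responder.h also needs a comment: that the callback is invoked at most once, from the tevent loop after the initial getDomains request has finished, and that `callback_pvt` must outlive the request because `struct get_domains_state` stores only the raw pointer. get_domains_at_startup_done begins outside the hunk.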


@ -1,72 +0,0 @@
From 4526858adb58736066a0b2cf2dc793ddfe671b2b Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 4 Aug 2020 15:39:51 +0200
Subject: [PATCH] config: allow prompting options in configuration
False warnings were logged after enabling prompting options in
configuration file. This change modifies the configuration rules to
allow prompting options.
Resolves:
https://github.com/SSSD/sssd/issues/5259
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/config/cfg_rules.ini | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 2874ea048..2d4e7b51d 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -14,6 +14,10 @@ section = session_recording
section_re = ^secrets/users/[0-9]\+$
section_re = ^secrets/secrets$
section_re = ^secrets/kcm$
+section_re = ^prompting/password$
+section_re = ^prompting/password/[^/\@]\+$
+section_re = ^prompting/2fa$
+section_re = ^prompting/2fa/[^/\@]\+$
section_re = ^domain/[^/\@]\+$
section_re = ^domain/[^/\@]\+/[^/\@]\+$
section_re = ^application/[^/\@]\+$
@@ -332,6 +336,36 @@ option = scope
option = users
option = groups
+# Prompting during authentication
+[rule/allowed_prompting_password_options]
+validator = ini_allowed_options
+section_re = ^prompting/password$
+
+option = password_prompt
+
+[rule/allowed_prompting_2fa_options]
+validator = ini_allowed_options
+section_re = ^prompting/2fa$
+
+option = single_prompt
+option = first_prompt
+option = second_prompt
+
+[rule/allowed_prompting_password_subsec_options]
+validator = ini_allowed_options
+section_re = ^prompting/password/[^/\@]\+$
+
+option = password_prompt
+
+[rule/allowed_prompting_2fa_subsec_options]
+validator = ini_allowed_options
+section_re = ^prompting/2fa/[^/\@]\+$
+
+option = single_prompt
+option = first_prompt
+option = second_prompt
+
+
[rule/allowed_domain_options]
validator = ini_allowed_options
section_re = ^\(domain\|application\)/[^/]\+$
--
2.21.3


@ -0,0 +1,64 @@
From cb936e92041d63f79a74c30bae8140c74a18dbc0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 20 Jan 2021 18:25:04 +0100
Subject: [PATCH 42/42] pam: refresh certificate maps at the end of initial
domains lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During startup SSSD's responders send a getDomains request to all
backends to refresh some domain related needed by the responders.
The PAM responder specifically needs the certificate mapping and
matching rules when Smartcard authentication is enable. Currently the
rules are not refreshed at the end of the initial request but the code
assumed that the related structures are initialized after the request
finished.
To avoid a race condition this patch adds a callback to the end of the
request to make sure the rules are properly refreshed even if they are
already initialized before.
Resolves: https://github.com/SSSD/sssd/issues/5469
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/responder/pam/pamsrv.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 8b1ce2e92..65370662d 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -154,6 +154,18 @@ static errno_t get_app_services(struct pam_ctx *pctx)
return EOK;
}
+static void pam_get_domains_callback(void *pvt)
+{
+ struct pam_ctx *pctx;
+ int ret;
+
+ pctx = talloc_get_type(pvt, struct pam_ctx);
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
+ }
+}
+
static int pam_process_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct confdb_ctx *cdb,
@@ -247,7 +259,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
responder_set_fd_limit(fd_limit);
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
- NULL, NULL);
+ pam_get_domains_callback, pctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto done;
--
2.21.3
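Review bot: pam_get_domains_callback dereferences `pctx->rctx` right after `talloc_get_type(pvt, struct pam_ctx)`, which returns NULL when the talloc type name does not match; add `if (pctx == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected callback data.\n"); return; }` before the refresh call so a wiring mistake fails loudly instead of crashing the responder. `int ret` also differs from the `errno_t ret` convention visible in the surrounding functions (e.g. `static errno_t get_app_services`); if p11_refresh_certmap_ctx returns errno_t, match it. A short comment on the function saying it is the schedule_get_domains_task callback and why the refresh is repeated here (the race described in the commit message) would make the indirection self-explanatory.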


@ -0,0 +1,134 @@
From 0c6924b8d474daf35ee30d74e5496957e503b206 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 20 Jan 2021 15:40:34 +0100
Subject: [PATCH] SBUS: set sbus_name before dp_init_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some async task might access sbus_name before dp_initialized() was executed
Resolves: https://github.com/SSSD/sssd/issues/5466
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/data_provider/dp.c | 21 ++++-----------------
src/providers/data_provider/dp.h | 6 +++---
src/providers/data_provider_be.c | 12 ++++++++++--
3 files changed, 17 insertions(+), 22 deletions(-)
diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
index 90324d74d..64fe847b2 100644
--- a/src/providers/data_provider/dp.c
+++ b/src/providers/data_provider/dp.c
@@ -134,7 +134,6 @@ static int dp_destructor(struct data_provider *provider)
struct dp_init_state {
struct be_ctx *be_ctx;
struct data_provider *provider;
- char *sbus_name;
};
static void dp_init_done(struct tevent_req *subreq);
@@ -144,7 +143,8 @@ dp_init_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
uid_t uid,
- gid_t gid)
+ gid_t gid,
+ const char *sbus_name)
{
struct dp_init_state *state;
struct tevent_req *subreq;
@@ -177,13 +177,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
state->provider->gid = gid;
state->provider->be_ctx = be_ctx;
- state->sbus_name = sss_iface_domain_bus(state, be_ctx->domain);
- if (state->sbus_name == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
- ret = ENOMEM;
- goto done;
- }
-
/* Initialize data provider bus. Data provider can receive client
* registration and other D-Bus methods. However no data provider
* request will be executed as long as the modules and targets
@@ -192,7 +185,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
talloc_set_destructor(state->provider, dp_destructor);
subreq = sbus_server_create_and_connect_send(state->provider, ev,
- state->sbus_name, NULL, sbus_address, true, 1000, uid, gid,
+ sbus_name, NULL, sbus_address, true, 1000, uid, gid,
(sbus_server_on_connection_cb)dp_client_init,
(sbus_server_on_connection_data)state->provider);
if (subreq == NULL) {
@@ -270,16 +263,10 @@ done:
}
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req,
- const char **_sbus_name)
+ struct tevent_req *req)
{
- struct dp_init_state *state;
- state = tevent_req_data(req, struct dp_init_state);
-
TEVENT_REQ_RETURN_ON_ERROR(req);
- *_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
-
return EOK;
}
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
index a8b6e9f3a..95c6588ad 100644
--- a/src/providers/data_provider/dp.h
+++ b/src/providers/data_provider/dp.h
@@ -122,11 +122,11 @@ dp_init_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
uid_t uid,
- gid_t gid);
+ gid_t gid,
+ const char *sbus_name);
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req,
- const char **_sbus_name);
+ struct tevent_req *req);
bool _dp_target_enabled(struct data_provider *provider,
const char *module_name,
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index f059a3f96..8458146ea 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -565,7 +565,15 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
goto done;
}
- req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
+ be_ctx->sbus_name = sss_iface_domain_bus(be_ctx, be_ctx->domain);
+ if (be_ctx->sbus_name == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid,
+ be_ctx->sbus_name);
if (req == NULL) {
ret = ENOMEM;
goto done;
@@ -612,7 +620,7 @@ static void dp_initialized(struct tevent_req *req)
be_ctx = tevent_req_callback_data(req, struct be_ctx);
- ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
+ ret = dp_init_recv(be_ctx, req);
talloc_zfree(req);
if (ret != EOK) {
goto done;
--
2.21.3
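Review bot: `mem_ctx` in dp_init_recv is now unused once the `talloc_steal` was removed, yet the parameter is kept in both the definition and the dp.h declaration; either drop it from the signature and the single visible caller in dp_initialized (`ret = dp_init_recv(req);`) or note in dp.h that it is retained only for the send/recv convention. dp_init_send no longer validates `sbus_name` itself — the NULL check moved to be_process_init — so the dp.h declaration should document that `sbus_name` must be non-NULL and must outlive the server, since dp_init_send hands the pointer straight to sbus_server_create_and_connect_send rather than copying it; whether that function duplicates the name is not visible here (in the only visible caller the string is be_ctx-owned, which is fine). The dp_init_send hunk is cut at both ends.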


@ -1,77 +0,0 @@
From 10366b4ee8c01ea20d908102e92d52fdeda168c3 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 18 Aug 2020 14:37:04 +0200
Subject: [PATCH] p11_child: switch default ocsp_dgst to sha1
For details please see discussion at
https://github.com/SSSD/sssd/pull/837#issuecomment-672831519
:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1
Resolves:
https://github.com/SSSD/sssd/issues/5002
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/man/sssd.conf.5.xml | 3 ++-
src/p11_child/p11_child_common_utils.c | 6 +++---
src/p11_child/p11_child_openssl.c | 4 ++--
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 874a09c49..50692dfdd 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -507,7 +507,8 @@
<listitem><para>sha512</para></listitem>
</itemizedlist></para>
<para>
- Default: sha256
+ Default: sha1 (to allow compatibility with
+ RFC5019-compliant responder)
</para>
<para>(NSS Version) This option is
ignored, because NSS uses sha1
diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
index 6798752c7..95791b1f0 100644
--- a/src/p11_child/p11_child_common_utils.c
+++ b/src/p11_child/p11_child_common_utils.c
@@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
cert_verify_opts->ocsp_default_responder = NULL;
cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
cert_verify_opts->crl_file = NULL;
- cert_verify_opts->ocsp_dgst = CKM_SHA256;
+ cert_verify_opts->ocsp_dgst = CKM_SHA_1;
cert_verify_opts->soft_ocsp = false;
cert_verify_opts->soft_crl = false;
@@ -174,8 +174,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unsupported digest for OCSP [%s], "
- "using default sha256.\n", &opts[c][OCSP_DGST_LEN]);
- cert_verify_opts->ocsp_dgst = CKM_SHA256;
+ "using default sha1.\n", &opts[c][OCSP_DGST_LEN]);
+ cert_verify_opts->ocsp_dgst = CKM_SHA_1;
}
#endif
} else if (strcasecmp(opts[c], "soft_ocsp") == 0) {
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 321cf162e..04b3e1467 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -372,8 +372,8 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
ocsp_dgst = get_dgst(p11_ctx->cert_verify_opts->ocsp_dgst);
if (ocsp_dgst == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot determine configured digest function "
- "for OCSP, using default sha256.\n");
- ocsp_dgst = EVP_sha256();
+ "for OCSP, using default sha1.\n");
+ ocsp_dgst = EVP_sha1();
}
cid = OCSP_cert_to_id(ocsp_dgst, cert, issuer);
if (cid == NULL) {
--
2.21.3


@ -1,181 +0,0 @@
From 69e1f5fe79806a530e90c8af09bedd3b9e6b4dac Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 10 Jul 2020 15:30:29 +0200
Subject: [PATCH] GPO: respect ad_gpo_implicit_deny when evaluation rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently, if ad_gpo_implicit_deny is set to 'True', access is rejected if no GPOs apply to the host, since in this case there are obviously no allow rules available.
But according to the man page we have to be more strict "When this
option is set to True users will be allowed access only when explicitly
allowed by a GPO rule". So if GPOs apply and no allow rules are present
we have to reject access as well.
Resolves: https://github.com/SSSD/sssd/issues/5061
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/man/sssd-ad.5.xml | 59 +++++++++++++++++++++++++++++++++++++++
src/providers/ad/ad_gpo.c | 13 +++++++--
2 files changed, 69 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 5c2f46546..fbd4985d7 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -477,9 +477,68 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
built-in Administrators group if no GPO rules
apply to them.
</para>
+
<para>
Default: False
</para>
+
+ <para>
+ The following 2 tables should illustrate when a user
+ is allowed or rejected based on the allow and deny
+ login rights defined on the server-side and the
+ setting of ad_gpo_implicit_deny.
+ </para>
+ <informaltable frame='all'>
+ <tgroup cols='3'>
+ <colspec colname='c1' align='center'/>
+ <colspec colname='c2' align='center'/>
+ <colspec colname='c3' align='center'/>
+ <thead>
+ <row><entry namest='c1' nameend='c3' align='center'>
+ ad_gpo_implicit_deny = False (default)</entry></row>
+ <row><entry>allow-rules</entry><entry>deny-rules</entry>
+ <entry>results</entry></row>
+ </thead>
+ <tbody>
+ <row><entry>missing</entry><entry>missing</entry>
+ <entry><para>all users are allowed</para>
+ </entry></row>
+ <row><entry>missing</entry><entry>present</entry>
+ <entry><para>only users not in deny-rules are
+ allowed</para></entry></row>
+ <row><entry>present</entry><entry>missing</entry>
+ <entry><para>only users in allow-rules are
+ allowed</para></entry></row>
+ <row><entry>present</entry><entry>present</entry>
+ <entry><para>only users in allow-rules and not in
+ deny-rules are allowed</para></entry></row>
+ </tbody></tgroup></informaltable>
+
+ <informaltable frame='all'>
+ <tgroup cols='3'>
+ <colspec colname='c1' align='center'/>
+ <colspec colname='c2' align='center'/>
+ <colspec colname='c3' align='center'/>
+ <thead>
+ <row><entry namest='c1' nameend='c3' align='center'>
+ ad_gpo_implicit_deny = True</entry></row>
+ <row><entry>allow-rules</entry><entry>deny-rules</entry>
+ <entry>results</entry></row>
+ </thead>
+ <tbody>
+ <row><entry>missing</entry><entry>missing</entry>
+ <entry><para>no users are allowed</para>
+ </entry></row>
+ <row><entry>missing</entry><entry>present</entry>
+ <entry><para>no users are allowed</para>
+ </entry></row>
+ <row><entry>present</entry><entry>missing</entry>
+ <entry><para>only users in allow-rules are
+ allowed</para></entry></row>
+ <row><entry>present</entry><entry>present</entry>
+ <entry><para>only users in allow-rules and not in
+ deny-rules are allowed</para></entry></row>
+ </tbody></tgroup></informaltable>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 2c6aa7fa6..0cf5da2a1 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1531,6 +1531,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
enum gpo_access_control_mode gpo_mode,
enum gpo_map_type gpo_map_type,
const char *user,
+ bool gpo_implicit_deny,
struct sss_domain_info *domain,
char **allowed_sids,
int allowed_size,
@@ -1575,7 +1576,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
group_sids[j]);
}
- if (allowed_size == 0) {
+ if (allowed_size == 0 && !gpo_implicit_deny) {
access_granted = true;
} else {
access_granted = check_rights(allowed_sids, allowed_size, user_sid,
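Review bot: With `gpo_implicit_deny` set and `allowed_size == 0`, the new condition falls into the `else` branch and relies on `check_rights()` returning false for an empty `allowed_sids` list, which cannot be confirmed from the hunk; the deny intent is clearer and independent of that helper if the branch decides explicitly: `if (allowed_size == 0) {` / `access_granted = !gpo_implicit_deny;` / `} else {`. A DEBUG line in the deny case, e.g. `"No allow rules and ad_gpo_implicit_deny is set, denying access.\n"`, would also let administrators see why a user was rejected, since the result is otherwise indistinguishable from a deny-rule match. `ad_gpo_access_check` starts and ends outside the hunk.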
@@ -1694,6 +1695,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
enum gpo_access_control_mode gpo_mode,
enum gpo_map_type gpo_map_type,
const char *user,
+ bool gpo_implicit_deny,
struct sss_domain_info *user_domain,
struct sss_domain_info *host_domain)
{
@@ -1732,8 +1734,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
/* perform access check with the final resultant allow_sids and deny_sids */
ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user,
- user_domain, allow_sids, allow_size, deny_sids,
- deny_size);
+ gpo_implicit_deny, user_domain,
+ allow_sids, allow_size, deny_sids, deny_size);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1918,6 +1920,7 @@ immediately:
static errno_t
process_offline_gpos(TALLOC_CTX *mem_ctx,
const char *user,
+ bool gpo_implicit_deny,
enum gpo_access_control_mode gpo_mode,
struct sss_domain_info *user_domain,
struct sss_domain_info *host_domain,
@@ -1930,6 +1933,7 @@ process_offline_gpos(TALLOC_CTX *mem_ctx,
gpo_mode,
gpo_map_type,
user,
+ gpo_implicit_deny,
user_domain,
host_domain);
if (ret != EOK) {
@@ -1976,6 +1980,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n");
ret = process_offline_gpos(state,
state->user,
+ state->gpo_implicit_deny,
state->gpo_mode,
state->user_domain,
state->host_domain,
@@ -2102,6 +2107,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n");
ret = process_offline_gpos(state,
state->user,
+ state->gpo_implicit_deny,
state->gpo_mode,
state->user_domain,
state->host_domain,
@@ -2766,6 +2772,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
state->gpo_mode,
state->gpo_map_type,
state->user,
+ state->gpo_implicit_deny,
state->user_domain,
state->host_domain);
if (ret != EOK) {
--
2.21.3


@ -0,0 +1,655 @@
From c2e8879189ecbbdfdd4b42395319a4cd91cb569f Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 12 Feb 2021 20:02:52 +0100
Subject: [PATCH] pam_sss_gss: support authentication indicators (upstream
patch 5ce7ced269c7b3dd8f75122a50f539083b5697ae by Alexander Bokovoy)
MIT Kerberos allows associating authentication indicators with the
issued ticket based on how the TGT was obtained. The indicators
present in the TGT are then copied to service tickets. There are two ways to
check the authentication indicators:
- when KDC issues a service ticket, a policy at KDC side can reject the
ticket issuance based on a lack of certain indicator
- when a server application presented with a service ticket from a
client, it can verify that this ticket contains intended
authentication indicators before authorizing access from the client.
Add support to validate presence of a specific (set of) authentication
indicator(s) in pam_sss_gss when validating a user's TGT.
This concept can be used to only allow access to a PAM service when user
is in possession of a ticket obtained using some of pre-authentication
mechanisms that require multiple factors: smart-cards (PKINIT), 2FA
tokens (otp/radius), etc.
Patch by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed by: Sumit Bose <sbose@redhat.com>
Adapted to 8.4 branch by: Alexey Tikhonov <atikhono@redhat.com>
---
src/confdb/confdb.c | 13 ++
src/confdb/confdb.h | 3 +
src/config/SSSDConfig/sssdoptions.py | 2 +
src/config/SSSDConfigTest.py | 6 +-
src/config/cfg_rules.ini | 3 +
src/config/etc/sssd.api.conf | 2 +
src/db/sysdb_subdomains.c | 12 ++
src/man/pam_sss_gss.8.xml | 13 ++
src/man/sssd.conf.5.xml | 64 +++++++
src/responder/pam/pamsrv.c | 21 +++
src/responder/pam/pamsrv.h | 2 +
src/responder/pam/pamsrv_gssapi.c | 250 +++++++++++++++++++++++++++
12 files changed, 389 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index befcfff..cca7615 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
}
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP,
+ NULL);
+ if (tmp != NULL && tmp[0] != '\0') {
+ ret = split_on_separator(domain, tmp, ',', true, true,
+ &domain->gssapi_indicators_map, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP);
+ goto done;
+ }
+ }
+
domain->has_views = false;
domain->view_name = NULL;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 036f9ec..a2be227 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -146,6 +146,7 @@
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
+#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
@@ -437,6 +438,8 @@ struct sss_domain_info {
/* List of PAM services that are allowed to authenticate with GSSAPI. */
char **gssapi_services;
char *gssapi_check_upn; /* true | false | NULL */
+ /* List of indicators associated with the specific PAM service */
+ char **gssapi_indicators_map;
};
/**
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index 5da52a9..0d849bc 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -106,6 +106,8 @@ class SSSDOptions(object):
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
+ 'pam_gssapi_indicators_map' : _('List of pairs <PAM service>:<authentication indicator> that '
+ 'must be enforced for PAM access with GSSAPI authentication'),
# [sudo]
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ea4e4f6..d0422df 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -655,7 +655,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'cached_auth_timeout',
'auto_private_groups',
'pam_gssapi_services',
- 'pam_gssapi_check_upn']
+ 'pam_gssapi_check_upn',
+ 'pam_gssapi_indicators_map']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -1034,7 +1035,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'cached_auth_timeout',
'auto_private_groups',
'pam_gssapi_services',
- 'pam_gssapi_check_upn']
+ 'pam_gssapi_check_upn',
+ 'pam_gssapi_indicators_map']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 6642c63..872ceba 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -141,6 +141,7 @@ option = p11_uri
option = pam_initgroups_scheme
option = pam_gssapi_services
option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
[rule/allowed_sudo_options]
validator = ini_allowed_options
@@ -441,6 +442,7 @@ option = re_expression
option = auto_private_groups
option = pam_gssapi_services
option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
#Entry cache timeouts
option = entry_cache_user_timeout
@@ -837,6 +839,7 @@ option = use_fully_qualified_names
option = auto_private_groups
option = pam_gssapi_services
option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
[rule/sssd_checks]
validator = sssd_checks
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index d3cad73..49ced63 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -82,6 +82,7 @@ p11_uri = str, None, false
pam_initgroups_scheme = str, None, false
pam_gssapi_services = str, None, false
pam_gssapi_check_upn = bool, None, false
+pam_gssapi_indicators_map = str, None, false
[sudo]
# sudo service
@@ -203,6 +204,7 @@ re_expression = str, None, false
auto_private_groups = str, None, false
pam_gssapi_services = str, None, false
pam_gssapi_check_upn = bool, None, false
+pam_gssapi_indicators_map = str, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 03ba121..2243872 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -185,6 +185,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->override_gid = parent->override_gid;
dom->gssapi_services = parent->gssapi_services;
+ dom->gssapi_indicators_map = parent->gssapi_indicators_map;
if (parent->sysdb == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
@@ -266,6 +267,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
goto done;
}
+ /* allow to set pam_gssapi_indicators_map */
+ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP,
+ &subdomain->gssapi_indicators_map);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get %s option for the subdomain: %s\n",
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, subdomain->name);
+ goto done;
+ }
+
ret = EOK;
done:
talloc_free(tmp_ctx);
diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml
index ce5b11b..a83369d 100644
--- a/src/man/pam_sss_gss.8.xml
+++ b/src/man/pam_sss_gss.8.xml
@@ -70,6 +70,19 @@
<manvolnum>5</manvolnum>
</citerefentry> for more details on these options.
</para>
+ <para>
+ Some Kerberos deployments allow to assocate authentication
+ indicators with a particular pre-authentication method used to
+ obtain the ticket granting ticket by the user.
+ <command>pam_sss_gss.so</command> allows to enforce presence of
+ authentication indicators in the service tickets before a particular
+ PAM service can be accessed.
+ </para>
+ <para>
+ If <option>pam_gssapi_indicators_map</option> is set in the [pam] or
+ domain section of sssd.conf, then SSSD will perform a check of the
+ presence of any configured indicators in the service ticket.
+ </para>
</refsect1>
<refsect1 id='options'>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 8b330de..3a9955b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1770,6 +1770,70 @@ pam_gssapi_services = sudo, sudo-i
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_gssapi_indicators_map</term>
+ <listitem>
+ <para>
+ Comma separated list of authentication indicators required
+ to be present in a Kerberos ticket to access a PAM service
+ that is allowed to try GSSAPI authentication using
+ pam_sss_gss.so module.
+ </para>
+ <para>
+ Each element of the list can be either an authentication indicator
+ name or a pair <quote>service:indicator</quote>. Indicators not
+ prefixed with the PAM service name will be required to access any
+ PAM service configured to be used with
+ <option>pam_gssapi_services</option>. A resulting list of indicators
+ per PAM service is then checked against indicators in the Kerberos
+ ticket during authentication by pam_sss_gss.so. Any indicator from the
+ ticket that matches the resulting list of indicators for the PAM service
+ would grant access. If none of the indicators in the list match, access
+ will be denied. If the resulting list of indicators for the PAM service
+ is empty, the check will not prevent the access.
+ </para>
+ <para>
+ To disable GSSAPI authentication indicator check, set this option
+ to <quote>-</quote> (dash). To disable the check for a specific PAM
+ service, add <quote>service:-</quote>.
+ </para>
+ <para>
+ Note: This option can also be set per-domain which
+ overwrites the value in [pam] section. It can also
+ be set for trusted domain which overwrites the value
+ in the domain section.
+ </para>
+ <para>
+ Following authentication indicators are supported by IPA Kerberos deployments:
+ <itemizedlist>
+ <listitem>
+ <para>pkinit -- pre-authentication using X.509 certificates -- whether stored in files or on smart cards.</para>
+ </listitem>
+ <listitem>
+ <para>hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a FAST channel.</para>
+ </listitem>
+ <listitem>
+ <para>radius -- pre-authentication with the help of a RADIUS server.</para>
+ </listitem>
+ <listitem>
+ <para>otp -- pre-authentication using integrated two-factor authentication (2FA or one-time password, OTP) in IPA.</para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Example: to require access to SUDO services only
+ for users which obtained their Kerberos tickets
+ with a X.509 certificate pre-authentication
+ (PKINIT), set
+ <programlisting>
+pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
+ </programlisting>
+ </para>
+ <para>
+ Default: not set (use of authentication indicators is not required)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 3904c09..9b4d6c1 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -370,6 +370,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
goto done;
}
+ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, "-", &tmpstr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to determine gssapi services.\n");
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP);
+
+ if (tmpstr != NULL) {
+ ret = split_on_separator(pctx, tmpstr, ',', true, true,
+ &pctx->gssapi_indicators_map, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "split_on_separator() failed [%d]: [%s].\n", ret,
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
/* The responder is initialized. Now tell it to the monitor. */
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
SSS_PAM_SBUS_SERVICE_NAME,
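Review bot: The failure message at the new `confdb_get_string()` call says `"Failed to determine gssapi services.\n"`, presumably carried over from the `pam_gssapi_services` lookup, so a failure reading `pam_gssapi_indicators_map` would be logged under the wrong option name. Use `"Failed to determine gssapi indicators map.\n"`, or print `CONFDB_PAM_GSSAPI_INDICATORS_MAP` via `%s` as the TRACE_INTERNAL line below already does. `pam_process_init` starts and ends outside the hunk.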
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3553296..383c7be 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -65,6 +65,8 @@ struct pam_ctx {
/* List of PAM services that are allowed to authenticate with GSSAPI. */
char **gssapi_services;
+ /* List of authentication indicators associated with a PAM service */
+ char **gssapi_indicators_map;
bool gssapi_check_upn;
};
diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
index 2d05c78..e4da4c4 100644
--- a/src/responder/pam/pamsrv_gssapi.c
+++ b/src/responder/pam/pamsrv_gssapi.c
@@ -24,6 +24,7 @@
#include <gssapi/gssapi_krb5.h>
#include <stdint.h>
#include <stdlib.h>
+#include <string.h>
#include <talloc.h>
#include <ldb.h>
@@ -83,6 +84,117 @@ static bool pam_gssapi_should_check_upn(struct pam_ctx *pam_ctx,
return pam_ctx->gssapi_check_upn;
}
+static int pam_gssapi_check_indicators(TALLOC_CTX *mem_ctx,
+ const char *pam_service,
+ char **gssapi_indicators_map,
+ char **indicators)
+{
+ char *authind = NULL;
+ size_t pam_len = strlen(pam_service);
+ char **map = gssapi_indicators_map;
+ char **result = NULL;
+ int res;
+
+ authind = talloc_strdup(mem_ctx, "");
+ if (authind == NULL) {
+ return ENOMEM;
+ }
+
+ for (int i = 0; map[i]; i++) {
+ if (map[i][0] == '-') {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Indicators aren't used for [%s]\n",
+ pam_service);
+ talloc_free(authind);
+ return EOK;
+ }
+ if (!strchr(map[i], ':')) {
+ authind = talloc_asprintf_append(authind, "%s ", map[i]);
+ if (authind == NULL) {
+ /* Since we allocate on pam_ctx, caller will free it */
+ return ENOMEM;
+ }
+ continue;
+ }
+
+ res = strncmp(map[i], pam_service, pam_len);
+ if (res == 0) {
+ if (strlen(map[i]) > pam_len) {
+ if (map[i][pam_len] != ':') {
+ /* different PAM service, skip it */
+ continue;
+ }
+
+ if (map[i][pam_len + 1] == '-') {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Indicators aren't used for [%s]\n",
+ pam_service);
+ talloc_free(authind);
+ return EOK;
+ }
+
+ authind = talloc_asprintf_append(authind, "%s ",
+ map[i] + (pam_len + 1));
+ if (authind == NULL) {
+ /* Since we allocate on pam_ctx, caller will free it */
+ return ENOMEM;
+ }
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Invalid value for %s: [%s]\n",
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, map[i]);
+ talloc_free(authind);
+ return EINVAL;
+ }
+ }
+ }
+
+ res = ENOENT;
+ map = NULL;
+
+ if (authind[0] == '\0') {
+ /* empty list of per-service indicators -> skip */
+ goto done;
+ }
+
+ /* trim a space after the final indicator
+ * to prevent split_on_separator() to fail */
+ authind[strlen(authind) - 1] = '\0';
+
+ res = split_on_separator(mem_ctx, authind, ' ', true, true,
+ &map, NULL);
+ if (res != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse list of indicators: [%s]\n", authind);
+ res = EINVAL;
+ goto done;
+ }
+
+ res = diff_string_lists(mem_ctx, indicators, map, NULL, NULL, &result);
+ if (res != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Cannot diff lists of indicators\n");
+ res = EINVAL;
+ goto done;
+ }
+
+ if (result && result[0] != NULL) {
+ for (int i = 0; result[i]; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "indicator [%s] is allowed for PAM service [%s]\n",
+ result[i], pam_service);
+ }
+ res = EOK;
+ goto done;
+ }
+
+ res = EPERM;
+
+done:
+ talloc_free(result);
+ talloc_free(authind);
+ talloc_free(map);
+ return res;
+}
+
static bool pam_gssapi_allowed(struct pam_ctx *pam_ctx,
struct sss_domain_info *domain,
const char *service)
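Review bot: `pam_gssapi_check_indicators()` passes `indicators` straight into `diff_string_lists()` although `gssapi_get_indicators()` (added later in this file) returns NULL both when the ticket carries no krb5 attributes and when attribute retrieval fails; whether the helper tolerates a NULL list cannot be seen here, and if it does not, a ticket without indicators is reported as `EINVAL` (a configuration error) instead of the intended policy denial. An explicit guard before the call keeps the fail-closed path independent of the helper: `if (indicators == NULL) { res = EPERM; goto done; }`. The two comments `/* Since we allocate on pam_ctx, caller will free it */` are also inaccurate — `authind` is allocated on `mem_ctx`, the request state passed by the caller — and should say so.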
@@ -385,12 +497,126 @@ static char *gssapi_get_name(TALLOC_CTX *mem_ctx, gss_name_t gss_name)
return exported;
}
+#define AUTH_INDICATORS_TAG "auth-indicators"
+
+static char **gssapi_get_indicators(TALLOC_CTX *mem_ctx, gss_name_t gss_name)
+{
+ gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
+ int is_mechname;
+ OM_uint32 major;
+ OM_uint32 minor;
+ gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc display_value = GSS_C_EMPTY_BUFFER;
+ char *exported = NULL;
+ char **map = NULL;
+ int res;
+
+ major = gss_inquire_name(&minor, gss_name, &is_mechname, NULL, &attrs);
+ if (major != GSS_S_COMPLETE) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to inquire name\n");
+ return NULL;
+ }
+
+ if (attrs == GSS_C_NO_BUFFER_SET) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No krb5 attributes in the ticket\n");
+ return NULL;
+ }
+
+ exported = talloc_strdup(mem_ctx, "");
+ if (exported == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to pre-allocate indicators\n");
+ goto done;
+ }
+
+ for (int i = 0; i < attrs->count; i++) {
+ int authenticated = 0;
+ int complete = 0;
+ int more = -1;
+
+ /* skip anything but auth-indicators */
+ if (strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value,
+ sizeof(AUTH_INDICATORS_TAG) - 1) != 0)
+ continue;
+
+ /* retrieve all indicators */
+ while (more != 0) {
+ value.value = NULL;
+ display_value.value = NULL;
+
+ major = gss_get_name_attribute(&minor, gss_name,
+ &attrs->elements[i],
+ &authenticated,
+ &complete, &value,
+ &display_value,
+ &more);
+ if (major != GSS_S_COMPLETE) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to retrieve an attribute\n");
+ goto done;
+ }
+
+ if ((value.value != NULL) && authenticated) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "attribute's [%.*s] value [%.*s] authenticated\n",
+ (int) attrs->elements[i].length,
+ (char*) attrs->elements[i].value,
+ (int) value.length,
+ (char*) value.value);
+ exported = talloc_asprintf_append(exported, "%.*s ",
+ (int) value.length,
+ (char*) value.value);
+ }
+
+ if (exported == NULL) {
+ /* Since we allocate on mem_ctx, caller will free
+ * the previous version of 'exported' */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to collect an attribute value\n");
+ goto done;
+ }
+ (void) gss_release_buffer(&minor, &value);
+ (void) gss_release_buffer(&minor, &display_value);
+ }
+ }
+
+ if (exported[0] != '\0') {
+ /* trim a space after the final indicator
+ * to prevent split_on_separator() to fail */
+ exported[strlen(exported) - 1] = '\0';
+ } else {
+ /* empty list */
+ goto done;
+ }
+
+ res = split_on_separator(mem_ctx, exported, ' ', true, true,
+ &map, NULL);
+ if (res != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse list of indicators: [%s]\n", exported);
+ goto done;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "authentication indicators: [%s]\n",
+ exported);
+ }
+
+done:
+ (void) gss_release_buffer(&minor, &value);
+ (void) gss_release_buffer(&minor, &display_value);
+ (void) gss_release_buffer_set(&minor, &attrs);
+
+ talloc_free(exported);
+ return map;
+}
+
+
struct gssapi_state {
struct cli_ctx *cli_ctx;
struct sss_domain_info *domain;
const char *username;
char *authenticated_upn;
+ char **auth_indicators;
bool established;
gss_ctx_id_t ctx;
};
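Review bot: The attribute filter `strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value, sizeof(AUTH_INDICATORS_TAG) - 1)` in `gssapi_get_indicators()` ignores `attrs->elements[i].length`: a GSS buffer is not guaranteed to be NUL-terminated, so an attribute name shorter than the tag can be read past its end, and any name that merely starts with `auth-indicators` is accepted as the indicator attribute. Compare the length first: `if (attrs->elements[i].length != sizeof(AUTH_INDICATORS_TAG) - 1 || memcmp(attrs->elements[i].value, AUTH_INDICATORS_TAG, attrs->elements[i].length) != 0) continue;`. Declaring the loop index as `size_t i` would also avoid the signed/unsigned comparison against `attrs->count`.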
@@ -568,6 +794,8 @@ gssapi_handshake(struct gssapi_state *state,
DEBUG(SSSDBG_TRACE_FUNC, "Security context established with [%s]\n",
state->authenticated_upn);
+ state->auth_indicators = gssapi_get_indicators(state, client_name);
+
state->established = true;
ret = EOK;
@@ -632,6 +860,7 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
const char *domain_name;
const char *username;
char *target;
+ char **indicators_map = NULL;
size_t gss_data_len;
uint8_t *gss_data;
errno_t ret;
@@ -699,6 +928,27 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
goto done;
}
+ /* Use map for auth-indicators from the domain, if defined and
+ * fallback to the [pam] section otherwise */
+ indicators_map = domain->gssapi_indicators_map ?
+ domain->gssapi_indicators_map :
+ (pam_ctx->gssapi_indicators_map ?
+ pam_ctx->gssapi_indicators_map : NULL);
+ if (indicators_map != NULL) {
+ ret = pam_gssapi_check_indicators(state,
+ pam_service,
+ indicators_map,
+ state->auth_indicators);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Check if acquired service ticket has req. indicators: %d\n",
+ ret);
+ if ((ret == EPERM) || (ret == ENOMEM) || (ret == EINVAL)) {
+ /* skip further checks if denied or no memory,
+ * ENOENT means the check is not applicable */
+ goto done;
+ }
+ }
+
if (!pam_gssapi_should_check_upn(pam_ctx, domain)) {
/* We are done. */
goto done;
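Review bot: After the new indicators block, `ret` can still hold `ENOENT` — the "not applicable" result of `pam_gssapi_check_indicators()`, e.g. when the map names indicators only for other services — when execution reaches `if (!pam_gssapi_should_check_upn(...)) goto done;`, so unless the `done:` label (outside the hunk) treats ENOENT as success, a service with no indicators configured would fail once the UPN check is disabled. Normalising the value inside the block avoids depending on that: `if (ret == ENOENT) { ret = EOK; }`. The nested ternary that selects `indicators_map` can be reduced to `indicators_map = domain->gssapi_indicators_map ? domain->gssapi_indicators_map : pam_ctx->gssapi_indicators_map;`, since the inner fallback yields the same NULL the pointer already holds. `pam_cmd_gssapi_sec_ctx` starts and ends outside the hunk.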
--
2.21.3


@ -0,0 +1,121 @@
From b100efbfabd96dcfb2825777b75b9a9dfaacb937 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 29 Jan 2021 12:41:28 +0100
Subject: [PATCH] sudo: do not search by low usn value to improve performance
This is a follow up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by such a meaninglessly low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Setup LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ldap/sdap.c | 4 ++--
src/providers/ldap/sdap_sudo_refresh.c | 6 ++++--
src/providers/ldap/sdap_sudo_shared.c | 21 ++++++---------------
3 files changed, 12 insertions(+), 19 deletions(-)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 32c0144b9..c853e4dc1 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (last_usn_name) {
+ if (false) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
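Review bot: `if (false)` replacing `if (last_usn_name)` here, and `if (true)` replacing `if (!last_usn_name)` in the next hunk, unconditionally disable rootDSE USN detection for every LDAP server; they look like the local test harness the description mentions ("use the following diff to enforce modifyTimestamp") rather than part of the fix. The separate patch `ldap: fix modifytimestamp debugging leftovers` in this import restores both conditions, so the series is correct as applied, but this patch should not carry them in case it is ever backported on its own. `sdap_get_server_opts_from_rootdse` starts and ends outside the hunk.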
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (!last_usn_name) {
+ if (true) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
index ddcb23781..83f944ccf 100644
--- a/src/providers/ldap/sdap_sudo_refresh.c
+++ b/src/providers/ldap/sdap_sudo_refresh.c
@@ -181,8 +181,10 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
state->sysdb = id_ctx->be->domain->sysdb;
/* Download all rules from LDAP that are newer than usn */
- if (srv_opts == NULL || srv_opts->max_sudo_value == 0) {
- DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n");
+ if (srv_opts == NULL || srv_opts->max_sudo_value == NULL
+ || strcmp(srv_opts->max_sudo_value, "0") == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero and "
+ "omitting it from the filter.\n");
usn = "0";
search_filter = talloc_asprintf(state, "(%s=%s)",
map[SDAP_AT_SUDO_OC].name,
diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
index 4f09957ea..75d1bc3d8 100644
--- a/src/providers/ldap/sdap_sudo_shared.c
+++ b/src/providers/ldap/sdap_sudo_shared.c
@@ -129,25 +129,17 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
static char *
sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
unsigned long usn,
- const char *leftover,
- bool supports_usn)
+ const char *leftover)
{
const char *str = leftover == NULL ? "" : leftover;
char *newusn;
- /* This is a fresh start and server uses modifyTimestamp. We need to
- * provide proper datetime value. */
- if (!supports_usn && usn == 0) {
- newusn = talloc_strdup(mem_ctx, "00000101000000Z");
- if (newusn == NULL) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
- return NULL;
- }
-
- return newusn;
+ /* Current largest USN is unknown so we keep "0" to indicate it. */
+ if (usn == 0) {
+ return talloc_strdup(mem_ctx, "0");
}
- /* We increment USN number so that we can later use simplify filter
+ /* We increment USN number so that we can later use simplified filter
* (just usn >= last+1 instead of usn >= last && usn != last).
*/
usn++;
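Review bot: The new `usn == 0` branch returns `talloc_strdup()` directly and drops the `"Unable to change USN value (OOM)!"` diagnostic the removed branch emitted; since the caller in the `sdap_sudo_set_usn` hunk just returns on NULL, an allocation failure here now leaves nothing in the log. Keep the check: `newusn = talloc_strdup(mem_ctx, "0");` / `if (newusn == NULL) { DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n"); }` / `return newusn;`. The rest of `sdap_sudo_new_usn`, including the non-zero path, continues outside the hunk.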
@@ -219,8 +211,7 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
srv_opts->last_usn = usn_number;
}
- newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone,
- srv_opts->supports_usn);
+ newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone);
if (newusn == NULL) {
return;
}
--
2.21.3


@ -0,0 +1,34 @@
From fff02bbf7967d291ccb019fae741e6591ed8fd41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 12 Feb 2021 15:30:59 +0100
Subject: [PATCH] ldap: fix modifytimestamp debugging leftovers
---
src/providers/ldap/sdap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index c853e4dc1..32c0144b9 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (false) {
+ if (last_usn_name) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (true) {
+ if (!last_usn_name) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
--
2.21.3
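Review bot: The restored check `if (!last_usn_name)` in the second hunk reads only the attribute name, not whether a value was actually obtained in the first hunk's `sysdb_attrs_get_string()` branch, so it presumably depends on `last_usn_name` being reset to NULL somewhere between the two hunks; that stretch is outside this view and cannot be confirmed here. Since this is exactly the condition that was lost to the `if (false)`/`if (true)` leftovers, a one-line comment above the check, e.g. `/* last_usn_name is expected to be NULL here when no USN scheme could be read from the rootDSE */`, would make the dependency explicit and the regression harder to reintroduce. sdap_get_server_opts_from_rootdse() starts and ends outside both hunks.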


@ -0,0 +1,49 @@
From 2d26c95d78cf43798b54ac8c478b8a9ee41cab39 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 3 Feb 2021 18:28:29 +0100
Subject: [PATCH] ssh: restore default debug level
The recent change of the default debug level for the main SSSD
components affected the ssh helpers sss_ssh_authorizedkeys and
sss_ssh_knownhostsproxy as well.
To avoid any confusion about unexpected debug messages this patch
restores to original value for the two helpers.
Resolves: https://github.com/SSSD/sssd/issues/5488
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +-
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
index 8e80f9663..877c00299 100644
--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
@@ -32,7 +32,7 @@
int main(int argc, const char **argv)
{
TALLOC_CTX *mem_ctx = NULL;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_FATAL_FAILURE;
const char *pc_domain = NULL;
const char *pc_user = NULL;
struct poptOption long_options[] = {
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index ad6af81d8..1102fd4ab 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -174,7 +174,7 @@ connect_proxy_command(char **args)
int main(int argc, const char **argv)
{
TALLOC_CTX *mem_ctx = NULL;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_FATAL_FAILURE;
int pc_port = 22;
const char *pc_domain = NULL;
const char *pc_host = NULL;
--
2.21.3
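Review bot: The same default `int pc_debug = SSSDBG_FATAL_FAILURE;` is now hard-coded independently in sss_ssh_authorizedkeys.c and sss_ssh_knownhostsproxy.c, so the next adjustment to the helpers' log level has to be made twice; a single shared constant for the ssh client helpers would keep the two in step. The patch description explains why the helpers deliberately differ from the daemon-wide default, but nothing in the code does, so a short comment at each definition, e.g. `/* keep the helper's original default; the SSSD-wide default level change is not wanted here */`, would stop a later "unify debug levels" change from silently re-applying to them. Both main() bodies continue outside the hunks.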





@ -0,0 +1,729 @@
From 341c5e358180d8297276a38f3cf6eb9dbbbc6c62 Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Thu, 18 Mar 2021 11:39:24 +0100
Subject: [PATCH] po: update translations
Currently translated at 2.8% (21 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
Translated using Weblate (Finnish)
Currently translated at 2.5% (68 of 2643 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
Translated using Weblate (Chinese (Simplified) (zh_CN))
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/
Translated using Weblate (Japanese)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/
Translated using Weblate (French)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
Translated using Weblate (Polish)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
---
po/fr.po | 45 ++++++++++++++-------
po/ja.po | 111 ++++++++++++++++++++++++----------------------------
po/zh_CN.po | 38 +++++++++---------
3 files changed, 102 insertions(+), 92 deletions(-)
diff --git a/po/fr.po b/po/fr.po
index e2e906d35..5edfcfd16 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -11,21 +11,22 @@
# Ludek Janda <ljanda@redhat.com>, 2020. #zanata
# Pavel Brezina <pbrezina@redhat.com>, 2020. #zanata
# Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>, 2020.
+# Sundeep Anand <suanand@redhat.com>, 2021.
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
"POT-Creation-Date: 2021-02-05 11:58+0100\n"
-"PO-Revision-Date: 2020-08-04 05:55+0000\n"
-"Last-Translator: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>\n"
+"PO-Revision-Date: 2021-03-18 10:39+0000\n"
+"Last-Translator: Sundeep Anand <suanand@redhat.com>\n"
"Language-Team: French <https://translate.fedoraproject.org/projects/sssd/"
-"sssd/fr/>\n"
+"sssd-master/fr/>\n"
"Language: fr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n > 1;\n"
-"X-Generator: Weblate 4.1.1\n"
+"X-Generator: Weblate 4.5.1\n"
#: src/config/SSSDConfig/sssdoptions.py:20
#: src/config/SSSDConfig/sssdoptions.py:21
@@ -259,18 +260,24 @@ msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for passwd requests"
msgstr ""
+"Taille (en mégaoctets) de la table de données allouée dans le cache en "
+"mémoire rapide pour les demandes de mots de passe"
#: src/config/SSSDConfig/sssdoptions.py:76
msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for group requests"
msgstr ""
+"Taille (en mégaoctets) de la table de données allouée dans le cache en "
+"mémoire rapide pour les requêtes de groupe"
#: src/config/SSSDConfig/sssdoptions.py:77
msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for initgroups requests"
msgstr ""
+"Taille (en mégaoctets) de la table de données allouée dans le cache en "
+"mémoire rapide pour les demandes d'initgroups"
#: src/config/SSSDConfig/sssdoptions.py:78
msgid ""
@@ -395,11 +402,11 @@ msgstr "Quand le répondeur de PAM doit-il forcer une demande d'initgroupes"
#: src/config/SSSDConfig/sssdoptions.py:107
msgid "List of PAM services that are allowed to authenticate with GSSAPI."
-msgstr ""
+msgstr "Liste des services PAM qui sont autorisés à s'authentifier avec GSSAPI."
#: src/config/SSSDConfig/sssdoptions.py:108
msgid "Whether to match authenticated UPN with target user"
-msgstr ""
+msgstr "S'il faut faire correspondre l'UPN authentifié avec l'utilisateur cible"
#: src/config/SSSDConfig/sssdoptions.py:111
msgid "Whether to evaluate the time-based attributes in sudo rules"
@@ -588,12 +595,16 @@ msgid ""
"A comma-separated list of users to be excluded from recording, only when "
"scope=all"
msgstr ""
+"Une liste d'utilisateurs à exclure de l'enregistrement, séparés par des "
+"virgules, uniquement lorsque scope=all"
#: src/config/SSSDConfig/sssdoptions.py:168
msgid ""
"A comma-separated list of groups, members of which should be excluded from "
"recording, only when scope=all. "
msgstr ""
+"Une liste de groupes séparés par des virgules, dont les membres doivent être "
+"exclus de l'enregistrement, uniquement lorsque scope=all. "
#: src/config/SSSDConfig/sssdoptions.py:172
msgid "Identity provider"
@@ -640,9 +651,8 @@ msgid "Whether the domain is usable by the OS or by applications"
msgstr "Si le domaine est utilisable par l'OS ou par des applications"
#: src/config/SSSDConfig/sssdoptions.py:185
-#, fuzzy
msgid "Enable or disable the domain"
-msgstr "Activer ou désactiver le domaine des fichiers implicites"
+msgstr "Activer ou désactiver le domaine"
#: src/config/SSSDConfig/sssdoptions.py:186
msgid "Minimum user ID"
@@ -1202,6 +1212,7 @@ msgstr "Utiliser le port LDAPS pour les requêtes LDAP et Catalogue global"
#: src/config/SSSDConfig/sssdoptions.py:327
msgid "Do not filter domain local groups from other domains"
msgstr ""
+"Ne pas filtrer les groupes locaux d'un domaine à partir d'autres domaines"
#: src/config/SSSDConfig/sssdoptions.py:330
#: src/config/SSSDConfig/sssdoptions.py:331
@@ -1280,7 +1291,7 @@ msgstr "Active les principals d'entreprise"
#: src/config/SSSDConfig/sssdoptions.py:351
msgid "Enables using of subdomains realms for authentication"
-msgstr ""
+msgstr "Permet d'utiliser les domaines de sous-domaines pour l'authentification"
#: src/config/SSSDConfig/sssdoptions.py:352
msgid "A mapping from user names to Kerberos principal names"
@@ -1802,7 +1813,7 @@ msgstr "Combien d'entrées maximum à récupérer lors d'une demande de wildcard
#: src/config/SSSDConfig/sssdoptions.py:494
msgid "Set libldap debug level"
-msgstr ""
+msgstr "Définir le niveau de débogage de libldap"
#: src/config/SSSDConfig/sssdoptions.py:497
msgid "Policy to evaluate the password expiration"
@@ -2368,14 +2379,16 @@ msgid "The path to the proxy command must be absolute\n"
msgstr "Le chemin vers la commande de proxy doit être absolue\n"
#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326
-#, fuzzy, c-format
+#, c-format
msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n"
-msgstr "sss_ssh_knownhostsproxy : Impossible de résoudre le nom d'hôte %s\n"
+msgstr ""
+"sss_ssh_knownhostsproxy : impossible de transmettre des données par proxy : %"
+"s\n"
#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330
-#, fuzzy, c-format
+#, c-format
msgid "sss_ssh_knownhostsproxy: connect to host %s port %d: %s\n"
-msgstr "sss_ssh_knownhostsproxy : Impossible de résoudre le nom d'hôte %s\n"
+msgstr "sss_ssh_knownhostsproxy : se connecter à l'hôte %s port %d: %s\n"
#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:334
#, c-format
@@ -3052,6 +3065,10 @@ msgid ""
"where the main config file is located. For example if the config is set to "
"\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)"
msgstr ""
+"Spécifiez un répertoire (dir) de snippet non par défaut (par défaut, il doit "
+"se trouver au même endroit que le fichier de configuration principal. Par "
+"exemple, si la configuration est définie sur \"/my/path/sssd.conf\", le "
+"répertoire d'extrait \"/my/path/conf.d\" sera utilisé)"
#: src/tools/sssctl/sssctl_config.c:118
#, c-format
diff --git a/po/ja.po b/po/ja.po
index 25b456e8d..1a5341757 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -8,21 +8,22 @@
# Keiko Moriguchi <kemorigu@redhat.com>, 2019. #zanata
# Ludek Janda <ljanda@redhat.com>, 2020. #zanata
# Pavel Brezina <pbrezina@redhat.com>, 2020. #zanata
+# Sundeep Anand <suanand@redhat.com>, 2021.
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
"POT-Creation-Date: 2021-02-05 11:58+0100\n"
-"PO-Revision-Date: 2020-07-22 07:46-0400\n"
-"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
-"Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
-"ja/)\n"
+"PO-Revision-Date: 2021-03-18 10:39+0000\n"
+"Last-Translator: Sundeep Anand <suanand@redhat.com>\n"
+"Language-Team: Japanese <https://translate.fedoraproject.org/projects/sssd/"
+"sssd-master/ja/>\n"
"Language: ja\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Zanata 4.6.2\n"
+"X-Generator: Weblate 4.5.1\n"
#: src/config/SSSDConfig/sssdoptions.py:20
#: src/config/SSSDConfig/sssdoptions.py:21
@@ -85,9 +86,7 @@ msgstr ""
msgid ""
"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
"version 2."
-msgstr ""
-"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
-"version 2."
+msgstr "設定ファイルの構文を示します。SSSD 0.6.0 以降はバージョン 2 を使用します。"
#: src/config/SSSDConfig/sssdoptions.py:39
msgid "SSSD Services to start"
@@ -161,27 +160,25 @@ msgid ""
"this, and will fall back to polling resolv.conf every five seconds if "
"inotify cannot be used."
msgstr ""
-"SSSD monitors the state of resolv.conf to identify when it needs to update "
-"its internal DNS resolver. By default, we will attempt to use inotify for "
-"this, and will fall back to polling resolv.conf every five seconds if "
-"inotify cannot be used."
+"SSSD は、内部 DNSリゾルバーを更新する必要があるときを識別するために resolv.conf の状態を監視します。デフォルトでは、inotify "
+"の使用を試行します。また、inotify が使用できない場合は、5 秒ごとに resolv.conf のポーリングにフォールバックします。"
#: src/config/SSSDConfig/sssdoptions.py:59
msgid "Enumeration cache timeout length (seconds)"
-msgstr "列挙キャッシュのタイムアウト(秒)"
+msgstr "列挙キャッシュのタイムアウト (秒)"
#: src/config/SSSDConfig/sssdoptions.py:60
msgid "Entry cache background update timeout length (seconds)"
-msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)"
+msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間 (秒)"
#: src/config/SSSDConfig/sssdoptions.py:61
#: src/config/SSSDConfig/sssdoptions.py:117
msgid "Negative cache timeout length (seconds)"
-msgstr "ネガティブキャッシュのタイムアウト(秒)"
+msgstr "ネガティブキャッシュのタイムアウト (秒)"
#: src/config/SSSDConfig/sssdoptions.py:62
msgid "Files negative cache timeout length (seconds)"
-msgstr "ファイルネガティブキャッシュのタイムアウト時間(秒)"
+msgstr "ファイルネガティブキャッシュのタイムアウト時間 (秒)"
#: src/config/SSSDConfig/sssdoptions.py:63
msgid "Users that SSSD should explicitly ignore"
@@ -243,19 +240,19 @@ msgstr "メモリー内のキャッシュレコードが有効な期間"
msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for passwd requests"
-msgstr ""
+msgstr "パスワード要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)"
#: src/config/SSSDConfig/sssdoptions.py:76
msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for group requests"
-msgstr ""
+msgstr "グループ要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)"
#: src/config/SSSDConfig/sssdoptions.py:77
msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for initgroups requests"
-msgstr ""
+msgstr "initgroups 要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)"
#: src/config/SSSDConfig/sssdoptions.py:78
msgid ""
@@ -277,13 +274,12 @@ msgid ""
"if they are requested beyond a percentage of the entry_cache_timeout value "
"for the domain."
msgstr ""
-"The entry cache can be set to automatically update entries in the background "
-"if they are requested beyond a percentage of the entry_cache_timeout value "
-"for the domain."
+"エントリーキャッシュは、ドメインの entry_cache_timeout "
+"値のパーセントを超えるリクエストが行われた場合に、バックグラウンドでエントリーを自動的に更新するように設定できます。"
#: src/config/SSSDConfig/sssdoptions.py:87
msgid "How long to allow cached logins between online logins (days)"
-msgstr "オンラインログイン中にキャッシュによるログインが許容される期間(日数)"
+msgstr "オンラインログイン中にキャッシュによるログインが許容される期間 (日数)"
#: src/config/SSSDConfig/sssdoptions.py:88
msgid "How many failed logins attempts are allowed when offline"
@@ -293,7 +289,7 @@ msgstr "オフラインの時に許容されるログイン試行失敗回数"
msgid ""
"How long (minutes) to deny login after offline_failed_login_attempts has "
"been reached"
-msgstr "offline_failed_login_attempts に達した後にログインを拒否する時間(分)"
+msgstr "offline_failed_login_attempts に達した後にログインを拒否する時間 (分)"
#: src/config/SSSDConfig/sssdoptions.py:91
msgid "What kind of messages are displayed to the user during authentication"
@@ -362,11 +358,11 @@ msgstr "PAM レスポンダーが initgroups リクエストを強制すると
#: src/config/SSSDConfig/sssdoptions.py:107
msgid "List of PAM services that are allowed to authenticate with GSSAPI."
-msgstr ""
+msgstr "GSSAPI での認証が許可される PAM サービスの一覧。"
#: src/config/SSSDConfig/sssdoptions.py:108
msgid "Whether to match authenticated UPN with target user"
-msgstr ""
+msgstr "ターゲットユーザーと認証された UPN に一致するかどうか"
#: src/config/SSSDConfig/sssdoptions.py:111
msgid "Whether to evaluate the time-based attributes in sudo rules"
@@ -540,13 +536,13 @@ msgstr ""
msgid ""
"A comma-separated list of users to be excluded from recording, only when "
"scope=all"
-msgstr ""
+msgstr "録画から除外されるユーザーのコンマ区切りリスト。scope=all の場合のみ"
#: src/config/SSSDConfig/sssdoptions.py:168
msgid ""
"A comma-separated list of groups, members of which should be excluded from "
"recording, only when scope=all. "
-msgstr ""
+msgstr "scope=all の場合にのみ記録から除外されるべきメンバーから成るグループのコンマ区切りリスト。 "
#: src/config/SSSDConfig/sssdoptions.py:172
msgid "Identity provider"
@@ -593,9 +589,8 @@ msgid "Whether the domain is usable by the OS or by applications"
msgstr "OS またはアプリケーションがドメインを使用できるかどうか"
#: src/config/SSSDConfig/sssdoptions.py:185
-#, fuzzy
msgid "Enable or disable the domain"
-msgstr "暗黙のファイルドメインを有効化または無効化する"
+msgstr "ドメインを有効または無効にする"
#: src/config/SSSDConfig/sssdoptions.py:186
msgid "Minimum user ID"
@@ -630,7 +625,7 @@ msgstr "グループ検索にグループメンバーを含めない"
#: src/config/SSSDConfig/sssdoptions.py:207
#: src/config/SSSDConfig/sssdoptions.py:208
msgid "Entry cache timeout length (seconds)"
-msgstr "エントリーキャッシュのタイムアウト長(秒)"
+msgstr "エントリーキャッシュのタイムアウト長 (秒)"
#: src/config/SSSDConfig/sssdoptions.py:193
msgid ""
@@ -655,7 +650,7 @@ msgstr "単一の DNS クエリーの解決を試行する時間 (秒)"
#: src/config/SSSDConfig/sssdoptions.py:198
msgid "How long to wait for replies from DNS when resolving servers (seconds)"
-msgstr "サーバーを名前解決する時に DNS から応答を待つ時間(秒)"
+msgstr "サーバーを名前解決する時に DNS から応答を待つ時間 (秒)"
#: src/config/SSSDConfig/sssdoptions.py:199
msgid "The domain part of service discovery DNS query"
@@ -734,7 +729,7 @@ msgstr "ユーザーにプライベートグループを自動的に作成する
#: src/config/SSSDConfig/sssdoptions.py:224
msgid "Display a warning N days before the password expires."
-msgstr "Display a warning N days before the password expires."
+msgstr "パスワードの期限が切れる N 日前の警告を表示します。"
#: src/config/SSSDConfig/sssdoptions.py:225
msgid ""
@@ -894,7 +889,7 @@ msgstr "ネットグループの NIS ドメイン名を含む LDAP 属性。"
#: src/config/SSSDConfig/sssdoptions.py:270
msgid "The LDAP attribute that contains the names of the netgroup's members."
-msgstr "The LDAP attribute that contains the names of the netgroup's members."
+msgstr "ネットグループのメンバーの名前を含む LDAP 属性。"
#: src/config/SSSDConfig/sssdoptions.py:271
msgid ""
@@ -1105,7 +1100,7 @@ msgstr "LDAP およびグローバルカタログのリクエストに LDAPS ポ
#: src/config/SSSDConfig/sssdoptions.py:327
msgid "Do not filter domain local groups from other domains"
-msgstr ""
+msgstr "他のドメインからのドメインローカルグループをフィルターしない"
#: src/config/SSSDConfig/sssdoptions.py:330
#: src/config/SSSDConfig/sssdoptions.py:331
@@ -1182,7 +1177,7 @@ msgstr "エンタープライズ・プリンシパルの有効化"
#: src/config/SSSDConfig/sssdoptions.py:351
msgid "Enables using of subdomains realms for authentication"
-msgstr ""
+msgstr "認証にサブドメインレルムの使用を有効化"
#: src/config/SSSDConfig/sssdoptions.py:352
msgid "A mapping from user names to Kerberos principal names"
@@ -1432,7 +1427,7 @@ msgstr "ID マッピングの Active Directory プライマリーグループ属
#: src/config/SSSDConfig/sssdoptions.py:424
msgid "User principal attribute (for Kerberos)"
-msgstr "ユーザープリンシパルの属性Kerberos 用)"
+msgstr "ユーザープリンシパルの属性 (Kerberos 用)"
#: src/config/SSSDConfig/sssdoptions.py:425
msgid "Full Name"
@@ -1688,7 +1683,7 @@ msgstr "ワイルドカードの要求の間に取得する最大エントリー
#: src/config/SSSDConfig/sssdoptions.py:494
msgid "Set libldap debug level"
-msgstr ""
+msgstr "libldap デバッグレベルの設定"
#: src/config/SSSDConfig/sssdoptions.py:497
msgid "Policy to evaluate the password expiration"
@@ -1893,9 +1888,7 @@ msgstr "禁止ユーザーのカンマ区切り一覧"
msgid ""
"Comma separated list of groups that are allowed to log in. This applies only "
"to groups within this SSSD domain. Local groups are not evaluated."
-msgstr ""
-"Comma separated list of groups that are allowed to log in. This applies only "
-"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr "ログインが許可されるグループのカンマ区切りの一覧。これは、SSSDドメイン内のグループにのみ適用されます。ローカルグループは評価されません。"
#: src/config/SSSDConfig/sssdoptions.py:560
msgid ""
@@ -1903,9 +1896,8 @@ msgid ""
"applies only to groups within this SSSD domain. Local groups are not "
"evaluated."
msgstr ""
-"Comma separated list of groups that are explicitly denied access. This "
-"applies only to groups within this SSSD domain. Local groups are not "
-"evaluated."
+"排他的にアクセスが拒否されたグループのカンマ区切りの一覧。これは、この SSSD "
+"ドメイン内のグループにのみ適用されます。ローカルグループは評価されません。"
#: src/config/SSSDConfig/sssdoptions.py:564
msgid "Base for home directories"
@@ -1959,19 +1951,19 @@ msgstr "使用する PAM スタック"
#: src/config/SSSDConfig/sssdoptions.py:584
msgid "Path of passwd file sources."
-msgstr "passwd ファイルソースへのパス"
+msgstr "passwd ファイルソースへのパス。"
#: src/config/SSSDConfig/sssdoptions.py:585
msgid "Path of group file sources."
-msgstr "グループファイルソースへのパス"
+msgstr "グループファイルソースへのパス。"
#: src/monitor/monitor.c:2381
msgid "Become a daemon (default)"
-msgstr "デーモンとして実行(デフォルト)"
+msgstr "デーモンとして実行 (デフォルト)"
#: src/monitor/monitor.c:2383
msgid "Run interactive (not a daemon)"
-msgstr "対話的に実行(デーモンではない)"
+msgstr "対話的に実行 (デーモンではない)"
#: src/monitor/monitor.c:2386
msgid "Disable netlink interface"
@@ -2092,7 +2084,7 @@ msgstr "エラーの説明を検索中に予期しないエラーが発生しま
#: src/sss_client/pam_sss.c:68
msgid "Permission denied. "
-msgstr "パーミッションが拒否されました。"
+msgstr "パーミッションが拒否されました。 "
#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785
#: src/sss_client/pam_sss.c:796
@@ -2143,7 +2135,7 @@ msgstr ""
#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
msgid "Password change failed. "
-msgstr "パスワードの変更に失敗しました。"
+msgstr "パスワードの変更に失敗しました。 "
#: src/sss_client/pam_sss.c:2044
msgid "New Password: "
@@ -2236,14 +2228,14 @@ msgid "The path to the proxy command must be absolute\n"
msgstr "プロキシコマンドへのパスは絶対パスにする必要があります\n"
#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326
-#, fuzzy, c-format
+#, c-format
msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n"
-msgstr "sss_ssh_knownhostsproxy: ホスト名 %s を解決できませんでした\n"
+msgstr "sss_ssh_knownhostsproxy: データをプロキシーできません: %s\n"
#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330
-#, fuzzy, c-format
+#, c-format
msgid "sss_ssh_knownhostsproxy: connect to host %s port %d: %s\n"
-msgstr "sss_ssh_knownhostsproxy: ホスト名 %s を解決できませんでした\n"
+msgstr "sss_ssh_knownhostsproxy: ホスト %s ポート %d に接続: %s\n"
#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:334
#, c-format
@@ -2644,8 +2636,7 @@ msgid ""
"Set an attribute to a name/value pair. The format is attrname=value. For "
"multi-valued attributes, the command replaces the values already present"
msgstr ""
-"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属"
-"性の場合、コマンドがすでに存在する値に置き換えられます。"
+"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属性の場合、コマンドがすでに存在する値に置き換えられます"
#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
#: src/tools/sss_usermod.c:135
@@ -2660,9 +2651,7 @@ msgstr "変更するユーザーを指定してください\n"
msgid ""
"Cannot find user in local domain, modifying users is allowed only in local "
"domain\n"
-msgstr ""
-"ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメイ"
-"ンにおいてのみ許可されます。\n"
+msgstr "ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメインにおいてのみ許可されます\n"
#: src/tools/sss_usermod.c:322
msgid "Could not modify user - check if group names are correct\n"
@@ -2841,7 +2830,7 @@ msgstr "SSSD は再起動が必要です。SSSD を今、再起動しますか?"
#: src/tools/sssctl/sssctl_cache.c:31
#, c-format
msgid " %s is not present in cache.\n"
-msgstr " %s はキャッシュにありません\n"
+msgstr " %s はキャッシュにありません。\n"
#: src/tools/sssctl/sssctl_cache.c:33
msgid "Name"
@@ -2904,6 +2893,8 @@ msgid ""
"where the main config file is located. For example if the config is set to "
"\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)"
msgstr ""
+"デフォルト以外のスニペットディレクトリーを指定します (デフォルトでは、メインの設定ファイルが存在する場所と同じ場所を検索します)。たとえば、設定が \""
+"/my/path/sssd.conf\" に設定されている場合は、スニペット dir \"/my/path/conf.d\" が使用されます"
#: src/tools/sssctl/sssctl_config.c:118
#, c-format
diff --git a/po/zh_CN.po b/po/zh_CN.po
index ee38f25e3..e3f018d97 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -7,13 +7,14 @@
# Ludek Janda <ljanda@redhat.com>, 2020. #zanata
# Pavel Brezina <pbrezina@redhat.com>, 2020. #zanata
# Charles Lee <lchopn@gmail.com>, 2020.
+# Sundeep Anand <suanand@redhat.com>, 2021.
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
"POT-Creation-Date: 2021-02-05 11:58+0100\n"
-"PO-Revision-Date: 2020-08-20 14:29+0000\n"
-"Last-Translator: Charles Lee <lchopn@gmail.com>\n"
+"PO-Revision-Date: 2021-03-18 10:39+0000\n"
+"Last-Translator: Sundeep Anand <suanand@redhat.com>\n"
"Language-Team: Chinese (Simplified) <https://translate.fedoraproject.org/"
"projects/sssd/sssd-master/zh_CN/>\n"
"Language: zh_CN\n"
@@ -21,7 +22,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Weblate 4.1.1\n"
+"X-Generator: Weblate 4.5.1\n"
#: src/config/SSSDConfig/sssdoptions.py:20
#: src/config/SSSDConfig/sssdoptions.py:21
@@ -230,19 +231,19 @@ msgstr "内存缓存记录有效期的长度"
msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for passwd requests"
-msgstr ""
+msgstr "为 passwd 请求在快速内存缓存in-memory cache中分配的数据表的大小以 MB 为单位)"
#: src/config/SSSDConfig/sssdoptions.py:76
msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for group requests"
-msgstr ""
+msgstr "为组请求在快速内存缓存in-memory cache中分配的数据表的大小以 MB 为单位)"
#: src/config/SSSDConfig/sssdoptions.py:77
msgid ""
"Size (in megabytes) of the data table allocated inside fast in-memory cache "
"for initgroups requests"
-msgstr ""
+msgstr "为 initgroups 请求在快速内存缓存in-memory cache中分配的数据表的大小以 MB 为单位)"
#: src/config/SSSDConfig/sssdoptions.py:78
msgid ""
@@ -349,11 +350,11 @@ msgstr "什么时候 PAM 响应者要强制发起 initgroups 请求?"
#: src/config/SSSDConfig/sssdoptions.py:107
msgid "List of PAM services that are allowed to authenticate with GSSAPI."
-msgstr ""
+msgstr "允许使用 GSSAPI 验证的 PAM 服务列表。"
#: src/config/SSSDConfig/sssdoptions.py:108
msgid "Whether to match authenticated UPN with target user"
-msgstr ""
+msgstr "是否与目标用户匹配认证的 UPN"
#: src/config/SSSDConfig/sssdoptions.py:111
msgid "Whether to evaluate the time-based attributes in sudo rules"
@@ -517,13 +518,13 @@ msgstr ""
msgid ""
"A comma-separated list of users to be excluded from recording, only when "
"scope=all"
-msgstr ""
+msgstr "要从记录中排除的用逗号分开的用户列表,仅当 scope=all 时"
#: src/config/SSSDConfig/sssdoptions.py:168
msgid ""
"A comma-separated list of groups, members of which should be excluded from "
"recording, only when scope=all. "
-msgstr ""
+msgstr "用逗号分隔的组列表,其中的成员应不记录中排除,仅在 scope=all 时。 "
#: src/config/SSSDConfig/sssdoptions.py:172
msgid "Identity provider"
@@ -570,9 +571,8 @@ msgid "Whether the domain is usable by the OS or by applications"
msgstr "域是否可以被 OS 或应用程序使用"
#: src/config/SSSDConfig/sssdoptions.py:185
-#, fuzzy
msgid "Enable or disable the domain"
-msgstr "启用或禁用隐式文件域"
+msgstr "启用或禁用域"
#: src/config/SSSDConfig/sssdoptions.py:186
msgid "Minimum user ID"
@@ -1057,7 +1057,7 @@ msgstr "将 LDAPS 端口用于 LDAP 和 Global Catalog 请求"
#: src/config/SSSDConfig/sssdoptions.py:327
msgid "Do not filter domain local groups from other domains"
-msgstr ""
+msgstr "不要从其它域过滤域本地组"
#: src/config/SSSDConfig/sssdoptions.py:330
#: src/config/SSSDConfig/sssdoptions.py:331
@@ -1134,7 +1134,7 @@ msgstr "启用企业主体"
#: src/config/SSSDConfig/sssdoptions.py:351
msgid "Enables using of subdomains realms for authentication"
-msgstr ""
+msgstr "启用使用子域域进行验证"
#: src/config/SSSDConfig/sssdoptions.py:352
msgid "A mapping from user names to Kerberos principal names"
@@ -1636,7 +1636,7 @@ msgstr "在通配符请求期间要提取多少个最大条目"
#: src/config/SSSDConfig/sssdoptions.py:494
msgid "Set libldap debug level"
-msgstr ""
+msgstr "设置 libldap debug 级别"
#: src/config/SSSDConfig/sssdoptions.py:497
msgid "Policy to evaluate the password expiration"
@@ -2172,9 +2172,9 @@ msgid "The path to the proxy command must be absolute\n"
msgstr "到 proxy 命令的路径必须是绝对路径\n"
#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326
-#, fuzzy, c-format
+#, c-format
msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n"
-msgstr "sss_ssh_knownhostsproxy无法解析主机名 %s\n"
+msgstr "sss_ssh_knownhostsproxy无法到代理数据%s\n"
#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330
#, c-format
@@ -2812,6 +2812,8 @@ msgid ""
"where the main config file is located. For example if the config is set to "
"\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)"
msgstr ""
+"指定非默认 snippet dir默认为在主配置文件所在的相同位置查找。例如如果配置被设置为 \"/my/path/sssd.conf\", "
+"snippet dir 为 \"/my/path/conf.d\" "
#: src/tools/sssctl/sssctl_config.c:118
#, c-format
@@ -3009,7 +3011,7 @@ msgstr "无法获取服务器列表\n"
#: src/tools/sssctl/sssctl_logs.c:46
msgid "\n"
-msgstr ""
+msgstr "\n"
#: src/tools/sssctl/sssctl_logs.c:236
msgid "Delete log files instead of truncating"
--
2.21.3


@ -25,7 +25,7 @@
%endif
Name: sssd
Version: 2.3.0
Version: 2.4.0
Release: 9%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
@ -34,50 +34,57 @@ URL: https://pagure.io/SSSD/sssd/
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
### Patches ###
Patch0001: 0001-ad_gpo_ndr.c-more-ndr-updates.patch
Patch0002: 0002-test-avoid-endian-issues-in-network-tests.patch
Patch0003: 0003-sssctl-sssctl-config-check-alternative-config-file.patch
Patch0004: 0004-DEBUG-only-open-child-process-log-files-when-require.patch
Patch0005: 0005-DEBUG-use-new-exec_child-_ex-interface-in-tests.patch
Patch0006: 0006-NEGCACHE-skip-permanent-entries-in-users-groups-rese.patch
Patch0007: 0007-util-inotify-fixed-CLANG_WARNING.patch
Patch0008: 0008-util-inotify-fixed-bug-in-inotify-event-processing.patch
Patch0009: 0009-Replaced-enter-with-insert.patch
Patch0010: 0010-NSS-client-preserve-errno-during-_nss_sss_end-calls.patch
Patch0011: 0011-ipa-add-failover-to-subdomain-override-lookups.patch
Patch0012: 0012-GPO-fix-link-order-in-a-SOM.patch
Patch0013: 0013-sysdb-make-sysdb_update_subdomains-more-robust.patch
Patch0014: 0014-ad-rename-ad_master_domain_-to-ad_domain_info_.patch
Patch0015: 0015-sysdb-make-new_subdomain-public.patch
Patch0016: 0016-ad-rename-ads_get_root_id_ctx-to-ads_get_dom_id_ctx.patch
Patch0017: 0017-ad-remove-unused-trust_type-from-ad_subdom_store.patch
Patch0018: 0018-ad-add-ad_check_domain_-send-recv.patch
Patch0019: 0019-ad-check-forest-root-directly-if-not-present-on-loca.patch
Patch0020: 0020-man-Document-invalid-selinux-context-for-homedirs.patch
Patch0021: 0021-pam_sss-add-SERVICE_IS_GDM_SMARTCARD.patch
Patch0022: 0022-pam_sss-special-handling-for-gdm-smartcard.patch
Patch0023: 0023-pam_sss-make-sure-old-certificate-data-is-removed-be.patch
Patch0024: 0024-systemtap-Missing-a-comma.patch
Patch0025: 0025-proxy-use-x-as-default-pwfield-only-for-sssd-shadowu.patch
Patch0026: 0026-files-allow-root-membership.patch
Patch0027: 0027-PAM-do-not-treat-error-for-cache-only-lookups-as-fat.patch
Patch0028: 0028-mem-cache-sizes-of-free-and-data-tables-were-made-co.patch
Patch0029: 0029-NSS-make-memcache-size-configurable.patch
Patch0030: 0030-NSS-avoid-excessive-log-messages.patch
Patch0031: 0031-NSS-enhanced-debug-during-mem-cache-initialization.patch
Patch0032: 0032-mem-cache-added-log-message-in-case-cache-is-full.patch
Patch0033: 0033-NSS-make-memcache-size-configurable-in-megabytes.patch
Patch0034: 0034-mem-cache-comment-added.patch
Patch0035: 0035-mem-cache-always-cleanup-old-content.patch
Patch0036: 0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch
Patch0037: 0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch
Patch0038: 0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch
Patch0039: 0039-certmap-sanitize-LDAP-search-filter.patch
Patch0040: 0040-AD-Enforcing-GPO-rule-restriction-on-user.patch
Patch0041: 0041-man-clarify-AD-certificate-rule.patch
Patch0042: 0042-config-allow-prompting-options-in-configuration.patch
Patch0043: 0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch
Patch0044: 0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch
Patch0001: 0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch
Patch0002: 0002-KCM-perf-improvements.patch
Patch0003: 0003-DEBUG-journal_send-was-made-static.patch
Patch0004: 0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch
Patch0005: 0005-negcache-make-sure-domain-config-does-not-leak-into-.patch
Patch0006: 0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
Patch0007: 0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch
Patch0008: 0008-negcache-do-not-use-default_domain_suffix.patch
Patch0009: 0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch
Patch0010: 0010-nss-check-if-groups-are-filtered-during-initgroups.patch
Patch0011: 0011-ifp-fix-use-after-free.patch
Patch0012: 0012-ifp-fix-original-fix-use-after-free.patch
Patch0013: 0013-pam_sss-use-unique-id-for-gdm-choice-list.patch
Patch0014: 0014-authtok-add-label-to-Smartcard-token.patch
Patch0015: 0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch
Patch0016: 0016-add-tests-multiple-certs-same-id.patch
Patch0017: 0017-data_provider_be-Add-random-offset-default.patch
Patch0018: 0018-data_provider_be-MAN-page-update.patch
Patch0019: 0019-logs-review.patch
Patch0020: 0020-sss_format.h-include-config.h.patch
Patch0021: 0021-packet-add-sss_packet_set_body.patch
Patch0022: 0022-domain-store-hostname-and-keytab-path.patch
Patch0023: 0023-cache_req-add-helper-to-call-user-by-upn-search.patch
Patch0024: 0024-pam-fix-typo-in-debug-message.patch
Patch0025: 0025-pam-add-pam_gssapi_services-option.patch
Patch0026: 0026-pam-add-pam_gssapi_check_upn-option.patch
Patch0027: 0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch
Patch0028: 0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch
Patch0029: 0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch
Patch0030: 0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch
Patch0031: 0031-autofs-disable-fast-reply.patch
Patch0032: 0032-autofs-correlate-errors-for-different-protocol-versi.patch
Patch0033: 0033-configure-check-for-stdatomic.h.patch
Patch0034: 0034-cache_req-ignore-autofs-not-configured-error.patch
Patch0035: 0035-simple-fix-memory-leak-while-reloading-lists.patch
Patch0036: 0036-SBUS-do-not-try-to-del-non-existing-sender.patch
Patch0037: 0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch
Patch0038: 0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch
Patch0039: 0039-pam_sss_gssapi-fix-coverity-issues.patch
Patch0040: 0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
Patch0041: 0041-responders-add-callback-to-schedule_get_domains_task.patch
Patch0042: 0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch
Patch0043: 0043-SBUS-set-sbus_name-before-dp_init_send.patch
Patch0044: 0044-pam_sss_gss-support-authentication-indicators.patch
Patch0045: 0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch
Patch0046: 0046-ldap-fix-modifytimestamp-debugging-leftovers.patch
Patch0047: 0047-ssh-restore-default-debug-level.patch
Patch0048: 0048-pot-update-pot-files.patch
Patch0049: 0049-Update-the-translations-for-the-2.4.1-release.patch
Patch0050: 0050-pot-update-pot-files.patch
Patch0051: 0051-po-update-translations.patch
### Downstream Patches ###
@ -169,6 +176,7 @@ BuildRequires: systemtap-sdt-devel
BuildRequires: libuuid-devel
BuildRequires: jansson-devel
BuildRequires: gdm-pam-extensions-devel
BuildRequires: po4a
%description
Provides a set of daemons to manage access to remote directories and
@ -202,6 +210,7 @@ Recommends: libsss_sudo = %{version}-%{release}
Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
Recommends: sssd-nfs-idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Requires(pre): shadow-utils
%{?systemd_requires}
@ -258,6 +267,7 @@ Requires: libsss_simpleifp = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: sssd-dbus
%description tools
@ -312,6 +322,7 @@ Conflicts: sssd < 1.10.0-8.beta2
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
%description ldap
Provides the LDAP back end that the SSSD can utilize to fetch identity data
@ -362,6 +373,7 @@ Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
@ -381,6 +393,7 @@ Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Recommends: adcli
Suggests: sssd-libwbclient = %{version}-%{release}
@ -641,6 +654,7 @@ autoreconf -ivf
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
--disable-static \
--with-crypto=libcrypto \
--with-libwbclient \
--disable-rpath \
--with-initscript=systemd \
--with-syslog=journald \
@ -655,7 +669,7 @@ autoreconf -ivf
make %{?_smp_mflags} all docs
make -C po ja.gmo
make -C po fr.gmo
make -C po zh_CN.po
make -C po zh_CN.gmo
%check
export CK_TIMEOUT_MULTIPLIER=10
@ -975,6 +989,7 @@ done
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libnss_sss.so.2
%{_libdir}/security/pam_sss.so
%{_libdir}/security/pam_sss_gss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
%dir %{_libdir}/cifs-utils
@ -985,6 +1000,7 @@ done
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/pam_sss_gss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
%files -n libsss_sudo
@ -1250,6 +1266,65 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Fri Mar 19 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-9
- Resolves: rhbz#1899712 - [sssd] RHEL 8.4 Tier 0 Localization
* Fri Feb 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-8
- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss
- Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0.
- Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch)
* Tue Jan 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-7
- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules
- Resolves: rhbz#1918433 - sssd unable to lookup certmap rules
- Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11
* Mon Jan 18 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-6
- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched
- Resolves: rhbz#1915395 - Memory leak in the simple access provider
- Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup
- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches)
* Mon Dec 28 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-5
- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value
- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches)
- Resolves: rhbz#1893159 - Default debug level should report all errors / failures
- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication
* Mon Dec 21 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-4
- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process
- Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8]
- Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently
* Mon Dec 07 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-3
- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr()
- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process
- Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal
- Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior
* Thu Nov 12 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-2
- This is to bump version to allow rebuild against rebased libldb.
* Fri Oct 23 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-1
- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4
- Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI
- Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search()
- Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording
- Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x
- Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD.
- Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process
- Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL
- Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase)
- Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page
- Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals"
- Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains
- Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file
- Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes
- Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level
- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff
- Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command
- Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate
* Mon Sep 14 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.3.0-9
- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied