Resolves: RHEL-95058 - Rebase SSSD for RHEL 10.1

Resolves: RHEL-4976 - [RFE] Continue searching other PKCS#11 tokens if certificates are not found
Resolves: RHEL-87200 - SSSD fails to connect with ipv4_first when on a machine with only IPv6 and server is dual-stack
Resolves: RHEL-25593 - Improve sssd-simple man page description
Resolves: RHEL-14752 - [RFE] Add IPA subdomain support to allow IPA-IPA trust
Resolves: RHEL-92569 - SSSD LDAPU1 Mapping braces problem
Resolves: RHEL-4981 - p11_child currently has an infinite timeout
Resolves: RHEL-5042 - IDM homedir %%o is not working, returns /home/domain/user instead of AD POSIX unixHomeDir
Resolves: RHEL-13086 - [RFE] Anonymous bind requests on RootDSE
Resolves: RHEL-45824 - SSSD unable to enumerate LDAP groups if LDAP server contains any group with # character in their names
Alexey Tikhonov 2025-06-05 14:07:57 +02:00
parent f7b406456c
commit a143a7d9c0
7 changed files with 30 additions and 748 deletions

.gitignore
View File

@ -116,3 +116,4 @@ sssd-1.2.91.tar.gz
/sssd-2.10.0.tar.gz
/sssd-2.10.1.tar.gz
/sssd-2.10.2.tar.gz
/sssd-2.11.0.tar.gz

View File

@ -1,113 +0,0 @@
From 50f703f25914254d2a545f52f504dfa5a6f65546 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 4 Feb 2025 18:59:36 +0100
Subject: [PATCH] KCM: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The copy of 'secret' argument - `secret_val.data` - was left hanging
on `sss_sec_ctx`, effectively resulting in a memory leak.
But this copy isn't actually required as this data isn't modified in
below operations.
Skipping alloc+memcpy+erase is also beneficial performance wise.
:fixes:'sssd_kcm' memory leak was fixed.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 7f1b7c9689827df92e8b2166423d4e80688dbacb)
---
src/responder/kcm/secrets/secrets.c | 34 ++++++++++-------------------
1 file changed, 12 insertions(+), 22 deletions(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 625a09f39..fe7410cb3 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -979,7 +979,7 @@ errno_t sss_sec_put(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val = { .data = NULL };
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
bool erase_msg = false;
int ret;
@@ -1029,13 +1029,11 @@ errno_t sss_sec_put(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1069,9 +1067,6 @@ errno_t sss_sec_put(struct sss_sec_req *req,
ret = EOK;
done:
- if (secret_val.data != NULL) {
- sss_erase_mem_securely(secret_val.data, secret_val.length);
- }
if (erase_msg) {
db_result_erase_message_securely(msg, SEC_ATTR_SECRET);
}
@@ -1084,7 +1079,7 @@ errno_t sss_sec_update(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val = { .data = NULL };
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
bool erase_msg = false;
int ret;
@@ -1134,13 +1129,6 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
/* FIXME - should we have a lastUpdate timestamp? */
ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL);
if (ret != LDB_SUCCESS) {
@@ -1150,6 +1138,11 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_MINOR_FAILURE,
@@ -1174,9 +1167,6 @@ errno_t sss_sec_update(struct sss_sec_req *req,
ret = EOK;
done:
- if (secret_val.data != NULL) {
- sss_erase_mem_securely(secret_val.data, secret_val.length);
- }
if (erase_msg) {
db_result_erase_message_securely(msg, SEC_ATTR_SECRET);
}
--
2.47.0
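Review bot: dropping this patch is correct only if 7f1b7c9689827df92e8b2166423d4e80688dbacb (the `cherry picked from` trailer) is reachable from the upstream 2.11.0 tag; please say so in the commit message instead of leaving it implied by the rebase. For whoever checks the 2.11.0 code against this file: the fix removes the `talloc_memdup` copy of `secret` together with its `sss_erase_mem_securely` call under `done:`, so the only in-process copies of the secret are the caller's buffer and the `msg` value, and the latter is still wiped by `db_result_erase_message_securely` when `erase_msg` is set; no scrubbing step is lost, but `sss_sec_put` and `sss_sec_update` in the tarball should look like the `+` side of these hunks.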

View File

@ -1,58 +0,0 @@
From 9e72bc242b600158d7920b2b98644efa42fd1ffa Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 12 Feb 2025 11:30:22 +0100
Subject: [PATCH] KCM: another memory leak fixed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
```
...
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520
...
```
Reviewed-by: Alejandro López <allopez@redhat.com>
---
src/responder/kcm/kcmsrv_ccache.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index f614156cc..bf8daffd0 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -407,7 +407,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- goto done;
+ goto fail;
}
for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) {
@@ -420,7 +420,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
cred_list[i] = kcm_cred_to_krb5(krb_context, cred);
if (cred_list[i] == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n");
- goto done;
+ goto fail;
}
}
@@ -429,8 +429,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
talloc_steal(mem_ctx, cred_list);
+ talloc_free(tmp_ctx);
return cred_list;
-done:
+
+fail:
talloc_free(tmp_ctx);
return NULL;
#endif
--
2.47.0
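Review bot: this patch carries no `(cherry picked from commit …)` trailer, only its own `From 9e72bc242b…` header, so nothing on this page ties it to a commit in the 2.11.0 tag; add the upstream reference (or a note that the leak fix was confirmed in 2.11.0) before removing it. The leak is easy to re-test on the rebased build: the success path of `kcm_cc_unmarshal` returned `cred_list` without freeing `tmp_ctx` (the repeated `talloc_new: src/responder/kcm/kcmsrv_ccache.c:405` lines in the report), so a talloc leak report from a 2.11.0 `sssd_kcm` after a few credential unmarshals is the check that the `talloc_free(tmp_ctx)` before `return cred_list` is really present.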

View File

@ -1,440 +0,0 @@
From 281d9c3ed66ee28a9572433a629eb0d72525ca46 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 14 Feb 2025 21:15:16 +0100
Subject: [PATCH] SYSDB: don't add group members if 'ignore_group_members ==
true'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7793
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/db/sysdb.h | 51 ++++++---
src/db/sysdb_search.c | 6 +-
src/db/sysdb_views.c | 10 +-
src/tests/cmocka/test_responder_cache_req.c | 112 +++++++-------------
src/tests/cmocka/test_sysdb_ts_cache.c | 6 +-
src/tools/sss_override.c | 2 +-
6 files changed, 90 insertions(+), 97 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 1b827caf9..319b88e25 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -277,19 +277,44 @@
SYSDB_ORIG_DN, \
NULL}
-#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \
- SYSDB_MEMBERUID, \
- SYSDB_MEMBER, \
- SYSDB_GHOST, \
- SYSDB_DEFAULT_ATTRS, \
- SYSDB_SID_STR, \
- SYSDB_OVERRIDE_DN, \
- SYSDB_OVERRIDE_OBJECT_DN, \
- SYSDB_DEFAULT_OVERRIDE_NAME, \
- SYSDB_UUID, \
- ORIGINALAD_PREFIX SYSDB_NAME, \
- ORIGINALAD_PREFIX SYSDB_GIDNUM, \
- NULL}
+/* Strictly speaking it should return 'const char * const *' but
+ * that gets really unreadable.
+ */
+__attribute__((always_inline))
+static inline const char **SYSDB_GRSRC_ATTRS(const struct sss_domain_info *domain)
+{
+ static const char * __SYSDB_GRSRC_ATTRS_NO_MEMBERS[] = {
+ SYSDB_NAME, SYSDB_GIDNUM,
+ SYSDB_DEFAULT_ATTRS,
+ SYSDB_SID_STR,
+ SYSDB_OVERRIDE_DN,
+ SYSDB_OVERRIDE_OBJECT_DN,
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ SYSDB_UUID,
+ NULL
+ };
+ static const char * __SYSDB_GRSRC_ATTRS_WITH_MEMBERS[] = {
+ SYSDB_NAME, SYSDB_GIDNUM,
+ SYSDB_MEMBERUID,
+ SYSDB_MEMBER,
+ SYSDB_GHOST,
+ SYSDB_DEFAULT_ATTRS,
+ SYSDB_SID_STR,
+ SYSDB_OVERRIDE_DN,
+ SYSDB_OVERRIDE_OBJECT_DN,
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ SYSDB_UUID,
+ ORIGINALAD_PREFIX SYSDB_NAME,
+ ORIGINALAD_PREFIX SYSDB_GIDNUM,
+ NULL
+ };
+
+ if (domain && domain->ignore_group_members) {
+ return __SYSDB_GRSRC_ATTRS_NO_MEMBERS;
+ } else {
+ return __SYSDB_GRSRC_ATTRS_WITH_MEMBERS;
+ }
+}
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
SYSDB_NETGROUP_MEMBER, \
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index e4c53b853..7f34ddbcb 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1176,7 +1176,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *fmt_filter;
char *sanitized_name;
struct ldb_dn *base_dn;
@@ -1378,7 +1378,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *res = NULL;
int ret;
- static const char *default_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **default_attrs = SYSDB_GRSRC_ATTRS(domain);
const char **attrs = NULL;
tmp_ctx = talloc_new(NULL);
@@ -1484,7 +1484,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *filter = NULL;
const char *ts_filter = NULL;
const char *base_filter;
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 19c10977b..71f627974 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1237,7 +1237,7 @@ errno_t sysdb_search_group_override_by_name(TALLOC_CTX *mem_ctx,
struct ldb_result **override_obj,
struct ldb_result **orig_obj)
{
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
return sysdb_search_override_by_name(mem_ctx, domain, name,
SYSDB_GROUP_NAME_OVERRIDE_FILTER,
@@ -1253,7 +1253,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain);
const char **attrs;
struct ldb_dn *base_dn;
struct ldb_result *override_res;
@@ -1417,7 +1417,7 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain,
struct ldb_message *override;
uint64_t uid;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); /* members don't matter */
const char **attrs;
struct attr_map {
const char *attr;
@@ -1551,6 +1551,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
char *val;
struct sss_domain_info *orig_dom;
+ if (domain->ignore_group_members) {
+ return EOK;
+ }
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 32718c1f1..fcc7eca35 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -3267,10 +3267,8 @@ void test_object_by_sid_user_multiple_domains_notfound(void **state)
void test_object_by_sid_group_cache_valid(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
@@ -3283,10 +3281,8 @@ void test_object_by_sid_group_cache_valid(void **state)
void test_object_by_sid_group_cache_expired(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
@@ -3305,10 +3301,8 @@ void test_object_by_sid_group_cache_expired(void **state)
void test_object_by_sid_group_cache_midpoint(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
@@ -3326,12 +3320,10 @@ void test_object_by_sid_group_cache_midpoint(void **state)
void test_object_by_sid_group_ncache(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
errno_t ret;
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
/* Setup user. */
ret = sss_ncache_set_sid(test_ctx->ncache, false, test_ctx->tctx->dom, groups[0].sid);
assert_int_equal(ret, EOK);
@@ -3344,10 +3336,8 @@ void test_object_by_sid_group_ncache(void **state)
void test_object_by_sid_group_missing_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3365,10 +3355,8 @@ void test_object_by_sid_group_missing_found(void **state)
void test_object_by_sid_group_missing_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3382,17 +3370,13 @@ void test_object_by_sid_group_missing_notfound(void **state)
void test_object_by_sid_group_multiple_domains_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- struct sss_domain_info *domain = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
- /* Setup user. */
- domain = find_domain_by_name(test_ctx->tctx->dom,
- "responder_cache_req_test_d", true);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
assert_non_null(domain);
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
+ /* Setup user. */
prepare_group(domain, &groups[0], 1000, time(NULL));
/* Mock values. */
@@ -3408,10 +3392,8 @@ void test_object_by_sid_group_multiple_domains_found(void **state)
void test_object_by_sid_group_multiple_domains_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3590,10 +3572,8 @@ void test_object_by_id_user_multiple_domains_notfound(void **state)
void test_object_by_id_group_cache_valid(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
@@ -3605,10 +3585,8 @@ void test_object_by_id_group_cache_valid(void **state)
void test_object_by_id_group_cache_expired(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
@@ -3626,10 +3604,8 @@ void test_object_by_id_group_cache_expired(void **state)
void test_object_by_id_group_cache_midpoint(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
@@ -3646,12 +3622,10 @@ void test_object_by_id_group_cache_midpoint(void **state)
void test_object_by_id_group_ncache(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
errno_t ret;
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
/* Setup group. We explicitly add the UID into BOTH UID and GID
* namespaces, because otherwise the cache_req plugin would
* search the Data Provider anyway, because it can't be sure
@@ -3678,10 +3652,8 @@ void test_object_by_id_group_ncache(void **state)
void test_object_by_id_group_missing_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3698,10 +3670,8 @@ void test_object_by_id_group_missing_found(void **state)
void test_object_by_id_group_missing_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3714,17 +3684,13 @@ void test_object_by_id_group_missing_notfound(void **state)
void test_object_by_id_group_multiple_domains_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- struct sss_domain_info *domain = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
- /* Setup user. */
- domain = find_domain_by_name(test_ctx->tctx->dom,
- "responder_cache_req_test_d", true);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
assert_non_null(domain);
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
+ /* Setup user. */
prepare_group(domain, &groups[0], 1000, time(NULL));
/* Mock values. */
@@ -3740,10 +3706,8 @@ void test_object_by_id_group_multiple_domains_found(void **state)
void test_object_by_id_group_multiple_domains_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
index 24b26d950..f349b7061 100644
--- a/src/tests/cmocka/test_sysdb_ts_cache.c
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
@@ -694,7 +694,7 @@ static void test_sysdb_getgr_merges(void **state)
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
struct sysdb_attrs *group_attrs = NULL;
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
char *filter = NULL;
struct ldb_result *res = NULL;
size_t msgs_count;
@@ -783,7 +783,7 @@ static void test_merge_ldb_results(void **state)
int ret;
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
char *filter;
struct ldb_result *res;
struct ldb_result *res1;
@@ -856,7 +856,7 @@ static void test_group_bysid(void **state)
int ret;
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
struct sysdb_attrs *group_attrs = NULL;
struct ldb_result *res;
struct ldb_message *msg = NULL;
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index e4bad848e..1968dde3a 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -1218,7 +1218,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
size_t count;
size_t i;
errno_t ret;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *fqname;
char *name;
--
2.47.0
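Review bot: like 0002 this patch has no cherry-pick trailer, only `Resolves: https://github.com/SSSD/sssd/issues/7793`, so please record in the commit message that the issue is fixed in 2.11.0. Because the patch changed behaviour rather than just fixing a crash (with `ignore_group_members` set, `SYSDB_GRSRC_ATTRS(domain)` no longer requests `SYSDB_MEMBERUID`, `SYSDB_MEMBER` or `SYSDB_GHOST`, and `sysdb_add_group_member_overrides` returns `EOK` early), the rebase should be verified with a group lookup in a domain that sets `ignore_group_members = true`, checking that no members come back; the downstream file that guaranteed this is gone and only the tarball stands behind it now.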

View File

@ -1,91 +0,0 @@
From 3aab117ea3c543e5711577456c5bb87ae6b8fbd3 Mon Sep 17 00:00:00 2001
From: Andrea Bolognani <abologna@redhat.com>
Date: Thu, 20 Feb 2025 18:16:21 +0100
Subject: [PATCH] configure: Require valgrind-devel when valgrind is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently we include <valgrind/valgrind.h> unconditionally to
access the RUNNING_ON_VALGRIND macro, which allows us to skip
one of the tests which is known not to work correctly under
valgrind.
However, if only the runtime part of valgrind in installed on
the system and the devel part is missing, this will result in
a very late compilation error. Checking for the header's
presence at configure time allows us to provide better
diagnostics, earlier.
More importantly, this makes it possible to build sssd at all
on architectures where valgrind is not yet available, such as
riscv64.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit 8477aa0658f5af5133a694bba09e0a68fbedc649)
---
configure.ac | 7 +++++++
src/tests/cmocka/test_iobuf.c | 6 ++++++
2 files changed, 13 insertions(+)
diff --git a/configure.ac b/configure.ac
index 90cb1f3ec..804c150de 100644
--- a/configure.ac
+++ b/configure.ac
@@ -543,6 +543,13 @@ AM_CHECK_PAM_WRAPPER
AM_CHECK_TEST_CA
AX_VALGRIND_CHECK
+AS_IF([test x$VALGRIND_ENABLED = xyes], [
+ AC_CHECK_HEADERS([valgrind/valgrind.h],,AC_MSG_ERROR([valgrind-devel required with valgrind enabled]))
+], [
+ AC_CHECK_HEADERS([valgrind/valgrind.h])
+])
+
+
# Check if the user wants SSSD to be compiled with systemtap probes
AM_CHECK_SYSTEMTAP
diff --git a/src/tests/cmocka/test_iobuf.c b/src/tests/cmocka/test_iobuf.c
index 7b4de54f5..145bee07e 100644
--- a/src/tests/cmocka/test_iobuf.c
+++ b/src/tests/cmocka/test_iobuf.c
@@ -20,6 +20,8 @@
*/
#define _GNU_SOURCE /* For memmem() */
+#include "config.h"
+
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
@@ -28,7 +30,9 @@
#include <string.h>
#include <stddef.h>
#include <setjmp.h>
+#ifdef HAVE_VALGRIND_VALGRIND_H
#include <valgrind/valgrind.h>
+#endif
#include <cmocka.h>
#include <sys/mman.h>
#include <sys/stat.h>
@@ -187,11 +191,13 @@ static void test_sss_iobuf_secure(void **state)
struct sss_iobuf *iobuf_secret_2;
struct sss_iobuf *iobuf_nosecret;
+#ifdef HAVE_VALGRIND_VALGRIND_H
/* Valgrind interferes with this test by somehow making disappear the heap.
* So don't run it on Valgrind. */
if (RUNNING_ON_VALGRIND) {
skip();
}
+#endif
mem_ctx = talloc_new(NULL);
--
2.48.1
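Review bot: this drop is the easiest of the four to verify: the trailer names upstream 8477aa0658f5af5133a694bba09e0a68fbedc649 and the previous changelog entry (RHEL-89474) ties it to the riscv64 build. Mention it in the new changelog entry so the riscv64 fix is not mistaken for having been reverted, and confirm that the 2.11.0 `configure.ac` still carries the `AC_CHECK_HEADERS([valgrind/valgrind.h], …)` block: without it `HAVE_VALGRIND_VALGRIND_H` is never defined, the `#ifdef` guards in `test_iobuf.c` compile the `RUNNING_ON_VALGRIND` skip out silently, and the test that this patch exists to skip would run under valgrind again.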

View File

@ -1 +1 @@
SHA512 (sssd-2.10.2.tar.gz) = 14ad222802e5426b0959ee32602e04ce24b3eb8d3bdd5e188cf29e3c7d32e0631b41c386fdbd129acf281317538460015d35410a688ea48dd546f9ae28522eac
SHA512 (sssd-2.11.0.tar.gz) = cf273853170ff8fa8767eb7f760ee205d7b0b9c725f81de51c44463b96b66b509c5e257a4e9c9a633bd7080fde42b11164579291664de4629654ffa9989352fb
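Review bot: the new `SHA512 (sssd-2.11.0.tar.gz)` line is the only thing in this commit that authenticates the rebased source, so the commit message should state how the digest was checked (recomputed over the tarball fetched from the `Source0` URL and, where upstream publishes one, compared against its signature); the build itself accepts any tarball whose checksum matches this line, so a wrong or substituted archive would not be caught later.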

View File

@ -1,48 +1,14 @@
# SSSD SPEC file for Fedora 34+ and RHEL-9+
# SSSD SPEC file for RHEL-10
# define SSSD user
%if 0%{?fedora} >= 41 || 0%{?rhel}
%global use_sssd_user 1
%global sssd_user sssd
%else
%global use_sssd_user 0
%global sssd_user root
%endif
# sysusers depends on presence of sssd user
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global use_sysusers 1
%else
%global use_sysusers 0
%endif
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
%global build_subid 1
%else
%global build_subid 0
%endif
%if 0%{?fedora} >= 34
%global build_kcm_renewals 1
%global krb5_version 1.19.1
%elif 0%{?rhel} >= 8
%global build_kcm_renewals 1
%global krb5_version 1.18.2
%else
%global build_kcm_renewals 0
%endif
%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9
%global build_passkey 1
%else
%global build_passkey 0
%endif
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global build_idp 0
%global build_ssh_known_hosts_proxy 0
%else
%global build_ssh_known_hosts_proxy 1
%endif
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
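Review bot: the collapse of the `%if 0%{?fedora} … %{?rhel}` branches into fixed RHEL-10 values deserves a sentence in the commit message, because it silently decides several build switches that the `Resolves:` list does not cover: which of the two `krb5_version` floors (1.19.1 or 1.18.2) is kept, and whether `build_idp` and `build_ssh_known_hosts_proxy` stay at 0, which is what the later `--with-id-provider-idp=no` option and the `%if %{build_idp}` guard in `%files idp` rely on. The header change to "RHEL-10" is right; just make sure no `0%{?fedora}` test survives in the 14 resulting lines, since it would be dead code in a RHEL-only spec.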
@ -56,19 +22,16 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
Version: 2.10.2
Release: 4%{?dist}
Version: 2.11.0
Release: 1%{?dist}
Summary: System Security Services Daemon
License: GPL-3.0-or-later
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/2.10.2/sssd-2.10.2.tar.gz
Source0: https://github.com/SSSD/sssd/releases/download/2.11.0/sssd-2.11.0.tar.gz
Source1: sssd.sysusers
### Patches ###
Patch0001: 0001-KCM-fix-memory-leak.patch
Patch0002: 0002-KCM-another-memory-leak-fixed.patch
Patch0003: 0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
Patch0004: 0004-configure-Require-valgrind-devel-when-valgrind-is-en.patch
# Patch0001:
### Dependencies ###
@ -535,7 +498,7 @@ enable authentication with passkey token.
%endif
%prep
%autosetup -n sssd-2.10.2 -p1
%autosetup -n sssd-2.11.0 -p1
%build
@ -570,6 +533,9 @@ autoreconf -ivf
%endif
%if %{build_ssh_known_hosts_proxy}
--with-ssh-known-hosts-proxy \
%endif
%if ! %{build_idp}
--with-id-provider-idp=no
%endif
%{nil}
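Review bot: `--with-id-provider-idp=no` inside the new `%if ! %{build_idp}` block has no trailing ` \`, unlike `--with-ssh-known-hosts-proxy \` just above it; it only works because it happens to be the last option before `%{nil}`, and the next option anyone appends after the `%endif` would land on its own shell line and break the configure call. Write it as `--with-id-provider-idp=no \` so it follows the same continuation pattern as the rest of the list.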
@ -1015,6 +981,10 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%{_mandir}/man8/sssd-kcm.8*
%files idp
%if %{build_idp}
%{_libdir}/%{name}/libsss_idp.so
%{_mandir}/man5/sssd-idp.5*
%endif
%{_libexecdir}/%{servicename}/oidc_child
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
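Review bot: only `libsss_idp.so` and the `sssd-idp.5` man page are placed under `%if %{build_idp}`; `oidc_child`, `sssd_krb5_idp_plugin.so` and the `sssd_enable_idp` krb5 snippet stay unconditional in `%files idp`. If that is deliberate (the helper and the krb5 plugin still being built with `--with-id-provider-idp=no`), say so in a comment next to the `%if`; otherwise a build with `build_idp 0` fails at the `%files` stage with "File not found" for those three entries.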
@ -1033,7 +1003,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%if %{use_sssd_user}
%pre common
! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true
! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null 2>&1 || true
%if %{use_sysusers}
%sysusers_create_compat %{SOURCE1}
%else
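Review bot: the added `2>&1` hides usermod's diagnostic when moving the home directory to `/run/sssd` fails (for instance because the `sssd` user is in use during the upgrade); the exit status was already swallowed by `|| true`, so after this change a failed migration leaves no trace at all in the transaction output. If the intent is only to silence a benign message on systems where the user is already migrated, add a short comment above the line saying which message is being suppressed and why.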
@ -1054,6 +1024,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%__rm -f %{pubconfpath}/known_hosts
%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
%__chmod -f -R g+r %{_sysconfdir}/sssd || true
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
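Review bot: `%__rm -f %{pubconfpath}/known_hosts` runs unconditionally next to the memcache cleanup, so every upgrade of this package discards the cached SSH host keys under `%{pubconfpath}`. That is consistent with `build_ssh_known_hosts_proxy` being 0 in this spec (the file was written by the known-hosts proxy), but it should be stated in the changelog, and it is worth checking that nothing in 2.11.0 still reads that path, so that clients are not left with no host keys between the upgrade and the next lookup.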
@ -1121,6 +1092,18 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Thu Jun 5 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.11.0-1
- Resolves: RHEL-95058 - Rebase SSSD for RHEL 10.1
- Resolves: RHEL-4976 - [RFE] Continue searching other PKCS#11 tokens if certificates are not found
- Resolves: RHEL-87200 - SSSD fails to connect with ipv4_first when on a machine with only IPv6 and server is dual-stack
- Resolves: RHEL-25593 - Improve sssd-simple man page description
- Resolves: RHEL-14752 - [RFE] Add IPA subdomain support to allow IPA-IPA trust
- Resolves: RHEL-92569 - SSSD LDAPU1 Mapping braces problem
- Resolves: RHEL-4981 - p11_child currently has an infinite timeout
- Resolves: RHEL-5042 - IDM homedir %%o is not working, returns /home/domain/user instead of AD POSIX unixHomeDir
- Resolves: RHEL-13086 - [RFE] Anonymous bind requests on RootDSE
- Resolves: RHEL-45824 - SSSD unable to enumerate LDAP groups if LDAP server contains any group with # character in their names
* Fri May 2 2025 Andrea Bolognani <abologna@redhat.com> - 2.10.2-4
- Resolves: RHEL-89474 - Fails to build on riscv64
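Review bot: the changelog entry lists the `Resolves:` tickets but not the removal of the four downstream patches (0001-0004), nor the spec changes that alter packaging behaviour (the `known_hosts` cleanup in the scriptlet, `--with-id-provider-idp=no`, the fixed RHEL-10 build switches). Add a line such as `- Drop patches merged upstream in 2.11.0` so that someone bisecting a regression in RHEL-89474 (riscv64) or in the KCM leaks can see where those fixes went.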