import sssd-2.5.2-2.el8
This commit is contained in:
parent
549f5a3974
commit
ad123f85d7
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/sssd-2.4.0.tar.gz
|
SOURCES/sssd-2.5.2.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
abcf616bf894d54623bf2541afdc7018e5d150aa SOURCES/sssd-2.4.0.tar.gz
|
680a282289fdfc6e27562e0ac82933ccd1f9574e SOURCES/sssd-2.5.2.tar.gz
|
||||||
|
@ -1,64 +0,0 @@
|
|||||||
From ff24d1538af88f83d0a3cc2817952cf70e7ca580 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Sun, 22 Nov 2020 17:44:07 +0100
|
|
||||||
Subject: [PATCH] SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in
|
|
||||||
msgs[]
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL
|
|
||||||
ptrs in results of sysdb_search_with_ts_attr()
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5412
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb_search.c | 11 +++++++----
|
|
||||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
|
|
||||||
index e616fd5bc..4ff65c1ae 100644
|
|
||||||
--- a/src/db/sysdb_search.c
|
|
||||||
+++ b/src/db/sysdb_search.c
|
|
||||||
@@ -221,6 +221,7 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *attrs[])
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
+ size_t ts_cache_res_count = 0;
|
|
||||||
struct ldb_result *ts_cache_res = NULL;
|
|
||||||
|
|
||||||
if (ts_res == NULL || ctx->ldb_ts == NULL) {
|
|
||||||
@@ -231,7 +232,6 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
|
|
||||||
if (ts_cache_res == NULL) {
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
- ts_cache_res->count = ts_res->count;
|
|
||||||
ts_cache_res->msgs = talloc_zero_array(ts_cache_res,
|
|
||||||
struct ldb_message *,
|
|
||||||
ts_res->count);
|
|
||||||
@@ -244,15 +244,18 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
|
|
||||||
ret = merge_msg_sysdb_attrs(ts_cache_res->msgs,
|
|
||||||
ctx,
|
|
||||||
ts_res->msgs[c],
|
|
||||||
- &ts_cache_res->msgs[c], attrs);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
+ &ts_cache_res->msgs[ts_cache_res_count],
|
|
||||||
+ attrs);
|
|
||||||
+ if ((ret != EOK) || (ts_cache_res->msgs[ts_cache_res_count] == NULL)) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
"Cannot merge sysdb cache values for %s\n",
|
|
||||||
ldb_dn_get_linearized(ts_res->msgs[c]->dn));
|
|
||||||
- /* non-fatal, we just get only the non-timestamp attrs */
|
|
||||||
+ /* non-fatal, just skip */
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
+ ts_cache_res_count += 1;
|
|
||||||
}
|
|
||||||
+ ts_cache_res->count = ts_cache_res_count;
|
|
||||||
|
|
||||||
*_ts_cache_res = ts_cache_res;
|
|
||||||
return EOK;
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
277
SOURCES/0001-TOOLS-replace-system-with-execvp.patch
Normal file
277
SOURCES/0001-TOOLS-replace-system-with-execvp.patch
Normal file
@ -0,0 +1,277 @@
|
|||||||
|
From 3861960837b996d959af504a937a03963dc21d62 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Fri, 18 Jun 2021 13:17:19 +0200
|
||||||
|
Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
|
||||||
|
user supplied command
|
||||||
|
|
||||||
|
A flaw was found in SSSD, where the sssctl command was vulnerable
|
||||||
|
to shell command injection via the logs-fetch and cache-expire
|
||||||
|
subcommands. This flaw allows an attacker to trick the root user
|
||||||
|
into running a specially crafted sssctl command, such as via sudo,
|
||||||
|
to gain root access. The highest threat from this vulnerability is
|
||||||
|
to confidentiality, integrity, as well as system availability.
|
||||||
|
|
||||||
|
:fixes: CVE-2021-3621
|
||||||
|
---
|
||||||
|
src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
|
||||||
|
src/tools/sssctl/sssctl.h | 2 +-
|
||||||
|
src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
|
||||||
|
src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
|
||||||
|
4 files changed, 73 insertions(+), 57 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
|
||||||
|
index 2997dbf96..8adaf3091 100644
|
||||||
|
--- a/src/tools/sssctl/sssctl.c
|
||||||
|
+++ b/src/tools/sssctl/sssctl.c
|
||||||
|
@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
|
||||||
|
return SSSCTL_PROMPT_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
-errno_t sssctl_run_command(const char *command)
|
||||||
|
+errno_t sssctl_run_command(const char *const argv[])
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
+ int wstatus;
|
||||||
|
|
||||||
|
- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
|
||||||
|
+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
|
||||||
|
|
||||||
|
- ret = system(command);
|
||||||
|
+ ret = fork();
|
||||||
|
if (ret == -1) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
|
||||||
|
ERROR("Error while executing external command\n");
|
||||||
|
return EFAULT;
|
||||||
|
- } else if (WEXITSTATUS(ret) != 0) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
|
||||||
|
- command, WEXITSTATUS(ret));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ret == 0) {
|
||||||
|
+ /* cast is safe - see
|
||||||
|
+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
|
||||||
|
+ "The statement about argv[] and envp[] being constants ... "
|
||||||
|
+ */
|
||||||
|
+ execvp(argv[0], discard_const_p(char * const, argv));
|
||||||
|
ERROR("Error while executing external command\n");
|
||||||
|
- return EIO;
|
||||||
|
+ _exit(1);
|
||||||
|
+ } else {
|
||||||
|
+ if (waitpid(ret, &wstatus, 0) == -1) {
|
||||||
|
+ ERROR("Error while executing external command '%s'\n", argv[0]);
|
||||||
|
+ return EFAULT;
|
||||||
|
+ } else if (WEXITSTATUS(wstatus) != 0) {
|
||||||
|
+ ERROR("Command '%s' failed with [%d]\n",
|
||||||
|
+ argv[0], WEXITSTATUS(wstatus));
|
||||||
|
+ return EIO;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
return EOK;
|
||||||
|
@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
|
||||||
|
#elif defined(HAVE_SERVICE)
|
||||||
|
switch (action) {
|
||||||
|
case SSSCTL_SVC_START:
|
||||||
|
- return sssctl_run_command(SERVICE_PATH" sssd start");
|
||||||
|
+ return sssctl_run_command(
|
||||||
|
+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
|
||||||
|
case SSSCTL_SVC_STOP:
|
||||||
|
- return sssctl_run_command(SERVICE_PATH" sssd stop");
|
||||||
|
+ return sssctl_run_command(
|
||||||
|
+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
|
||||||
|
case SSSCTL_SVC_RESTART:
|
||||||
|
- return sssctl_run_command(SERVICE_PATH" sssd restart");
|
||||||
|
+ return sssctl_run_command(
|
||||||
|
+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
|
||||||
|
index 0115b2457..599ef6519 100644
|
||||||
|
--- a/src/tools/sssctl/sssctl.h
|
||||||
|
+++ b/src/tools/sssctl/sssctl.h
|
||||||
|
@@ -47,7 +47,7 @@ enum sssctl_prompt_result
|
||||||
|
sssctl_prompt(const char *message,
|
||||||
|
enum sssctl_prompt_result defval);
|
||||||
|
|
||||||
|
-errno_t sssctl_run_command(const char *command);
|
||||||
|
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
|
||||||
|
bool sssctl_start_sssd(bool force);
|
||||||
|
bool sssctl_stop_sssd(bool force);
|
||||||
|
bool sssctl_restart_sssd(bool force);
|
||||||
|
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
|
||||||
|
index 8d79b977f..bf2291341 100644
|
||||||
|
--- a/src/tools/sssctl/sssctl_data.c
|
||||||
|
+++ b/src/tools/sssctl/sssctl_data.c
|
||||||
|
@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = sssctl_run_command("sss_override user-export "
|
||||||
|
- SSS_BACKUP_USER_OVERRIDES);
|
||||||
|
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
|
||||||
|
+ SSS_BACKUP_USER_OVERRIDES, NULL});
|
||||||
|
if (ret != EOK) {
|
||||||
|
ERROR("Unable to export user overrides\n");
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = sssctl_run_command("sss_override group-export "
|
||||||
|
- SSS_BACKUP_GROUP_OVERRIDES);
|
||||||
|
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
|
||||||
|
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
|
||||||
|
if (ret != EOK) {
|
||||||
|
ERROR("Unable to export group overrides\n");
|
||||||
|
return ret;
|
||||||
|
@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
|
||||||
|
- ret = sssctl_run_command("sss_override user-import "
|
||||||
|
- SSS_BACKUP_USER_OVERRIDES);
|
||||||
|
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
|
||||||
|
+ SSS_BACKUP_USER_OVERRIDES, NULL});
|
||||||
|
if (ret != EOK) {
|
||||||
|
ERROR("Unable to import user overrides\n");
|
||||||
|
return ret;
|
||||||
|
@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
|
||||||
|
- ret = sssctl_run_command("sss_override group-import "
|
||||||
|
- SSS_BACKUP_GROUP_OVERRIDES);
|
||||||
|
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
|
||||||
|
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
|
||||||
|
if (ret != EOK) {
|
||||||
|
ERROR("Unable to import group overrides\n");
|
||||||
|
return ret;
|
||||||
|
@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
|
||||||
|
void *pvt)
|
||||||
|
{
|
||||||
|
errno_t ret;
|
||||||
|
- char *cmd_args = NULL;
|
||||||
|
- const char *cachecmd = SSS_CACHE;
|
||||||
|
- char *cmd = NULL;
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- if (cmdline->argc == 0) {
|
||||||
|
- ret = sssctl_run_command(cachecmd);
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
|
||||||
|
- cmd_args = talloc_strdup(tool_ctx, "");
|
||||||
|
- if (cmd_args == NULL) {
|
||||||
|
- ret = ENOMEM;
|
||||||
|
- goto done;
|
||||||
|
+ const char **args = talloc_array_size(tool_ctx,
|
||||||
|
+ sizeof(char *),
|
||||||
|
+ cmdline->argc + 2);
|
||||||
|
+ if (!args) {
|
||||||
|
+ return ENOMEM;
|
||||||
|
}
|
||||||
|
+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
|
||||||
|
+ args[0] = SSS_CACHE;
|
||||||
|
+ args[cmdline->argc + 1] = NULL;
|
||||||
|
|
||||||
|
- for (i = 0; i < cmdline->argc; i++) {
|
||||||
|
- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
|
||||||
|
- if (i != cmdline->argc - 1) {
|
||||||
|
- cmd_args = talloc_strdup_append(cmd_args, " ");
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
|
||||||
|
- if (cmd == NULL) {
|
||||||
|
- ret = ENOMEM;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- ret = sssctl_run_command(cmd);
|
||||||
|
-
|
||||||
|
-done:
|
||||||
|
- talloc_free(cmd_args);
|
||||||
|
- talloc_free(cmd);
|
||||||
|
+ ret = sssctl_run_command(args);
|
||||||
|
|
||||||
|
+ talloc_free(args);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
|
||||||
|
index 9ff2be05b..ebb2c4571 100644
|
||||||
|
--- a/src/tools/sssctl/sssctl_logs.c
|
||||||
|
+++ b/src/tools/sssctl/sssctl_logs.c
|
||||||
|
@@ -31,6 +31,7 @@
|
||||||
|
#include <ldb.h>
|
||||||
|
#include <popt.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
+#include <glob.h>
|
||||||
|
|
||||||
|
#include "util/util.h"
|
||||||
|
#include "tools/common/sss_process.h"
|
||||||
|
@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
|
||||||
|
{
|
||||||
|
struct sssctl_logs_opts opts = {0};
|
||||||
|
errno_t ret;
|
||||||
|
+ glob_t globbuf;
|
||||||
|
|
||||||
|
/* Parse command line. */
|
||||||
|
struct poptOption options[] = {
|
||||||
|
@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
|
||||||
|
|
||||||
|
sss_signal(SIGHUP);
|
||||||
|
} else {
|
||||||
|
+ globbuf.gl_offs = 4;
|
||||||
|
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
|
||||||
|
+ if (ret != 0) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
|
||||||
|
+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
|
||||||
|
+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
|
||||||
|
+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
|
||||||
|
+
|
||||||
|
PRINT("Truncating log files...\n");
|
||||||
|
- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
|
||||||
|
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
|
||||||
|
+ globfree(&globbuf);
|
||||||
|
if (ret != EOK) {
|
||||||
|
ERROR("Unable to truncate log files\n");
|
||||||
|
return ret;
|
||||||
|
@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
|
||||||
|
void *pvt)
|
||||||
|
{
|
||||||
|
const char *file;
|
||||||
|
- const char *cmd;
|
||||||
|
errno_t ret;
|
||||||
|
+ glob_t globbuf;
|
||||||
|
|
||||||
|
/* Parse command line. */
|
||||||
|
ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
|
||||||
|
@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
|
||||||
|
- if (cmd == NULL) {
|
||||||
|
- ERROR("Out of memory!");
|
||||||
|
+ globbuf.gl_offs = 3;
|
||||||
|
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
|
||||||
|
+ if (ret != 0) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
|
||||||
|
+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
|
||||||
|
+ globbuf.gl_pathv[2] = discard_const_p(char, file);
|
||||||
|
|
||||||
|
PRINT("Archiving log files into %s...\n", file);
|
||||||
|
- ret = sssctl_run_command(cmd);
|
||||||
|
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
|
||||||
|
+ globfree(&globbuf);
|
||||||
|
if (ret != EOK) {
|
||||||
|
ERROR("Unable to archive log files\n");
|
||||||
|
return ret;
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
10871
SOURCES/0002-po-update-translations.patch
Normal file
10871
SOURCES/0002-po-update-translations.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,29 +0,0 @@
|
|||||||
From 833034f5332d2492d413a9c97fded1480b58bf14 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Wed, 21 Oct 2020 18:47:32 +0200
|
|
||||||
Subject: [PATCH 3/4] DEBUG: journal_send() was made static
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
---
|
|
||||||
src/util/debug.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/util/debug.c b/src/util/debug.c
|
|
||||||
index 1d5f75e4d..c162987b9 100644
|
|
||||||
--- a/src/util/debug.c
|
|
||||||
+++ b/src/util/debug.c
|
|
||||||
@@ -201,7 +201,7 @@ static void debug_printf(const char *format, ...)
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef WITH_JOURNALD
|
|
||||||
-errno_t journal_send(const char *file,
|
|
||||||
+static errno_t journal_send(const char *file,
|
|
||||||
long line,
|
|
||||||
const char *function,
|
|
||||||
int level,
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,71 +0,0 @@
|
|||||||
From 18233532b72e62452eac6886652fa633ba055d8c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Wed, 21 Oct 2020 19:20:03 +0200
|
|
||||||
Subject: [PATCH 4/4] DEBUG: fixes program identifier as seen in syslog
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name`
|
|
||||||
to accomodate needs of own SSSD logs, but this affected journal/syslog
|
|
||||||
as well.
|
|
||||||
|
|
||||||
This patch amends situation:
|
|
||||||
- journal messages gets "umbrella" identifier "sssd[]"
|
|
||||||
- syslog uses default which is program name
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5384
|
|
||||||
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
---
|
|
||||||
src/util/debug.c | 2 +-
|
|
||||||
src/util/sss_log.c | 12 +++---------
|
|
||||||
2 files changed, 4 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/util/debug.c b/src/util/debug.c
|
|
||||||
index c162987b9..f05b26500 100644
|
|
||||||
--- a/src/util/debug.c
|
|
||||||
+++ b/src/util/debug.c
|
|
||||||
@@ -250,7 +250,7 @@ static errno_t journal_send(const char *file,
|
|
||||||
"MESSAGE=%s", message,
|
|
||||||
"PRIORITY=%i", LOG_DEBUG,
|
|
||||||
"SSSD_DOMAIN=%s", domain,
|
|
||||||
- "SSSD_PRG_NAME=%s", debug_prg_name,
|
|
||||||
+ "SSSD_PRG_NAME=sssd[%s]", debug_prg_name,
|
|
||||||
"SSSD_DEBUG_LEVEL=%x", level,
|
|
||||||
NULL);
|
|
||||||
ret = -res;
|
|
||||||
diff --git a/src/util/sss_log.c b/src/util/sss_log.c
|
|
||||||
index 48e73dbea..c6b7435c6 100644
|
|
||||||
--- a/src/util/sss_log.c
|
|
||||||
+++ b/src/util/sss_log.c
|
|
||||||
@@ -107,7 +107,7 @@ static void sss_log_internal(int priority, int facility, const char *format,
|
|
||||||
"SSSD_DOMAIN=%s", domain,
|
|
||||||
"PRIORITY=%i", syslog_priority,
|
|
||||||
"SYSLOG_FACILITY=%i", LOG_FAC(facility),
|
|
||||||
- "SYSLOG_IDENTIFIER=%s", debug_prg_name,
|
|
||||||
+ "SYSLOG_IDENTIFIER=sssd[%s]", debug_prg_name,
|
|
||||||
NULL);
|
|
||||||
|
|
||||||
free(message);
|
|
||||||
@@ -118,15 +118,9 @@ static void sss_log_internal(int priority, int facility, const char *format,
|
|
||||||
static void sss_log_internal(int priority, int facility, const char *format,
|
|
||||||
va_list ap)
|
|
||||||
{
|
|
||||||
- int syslog_priority;
|
|
||||||
-
|
|
||||||
- syslog_priority = sss_to_syslog(priority);
|
|
||||||
-
|
|
||||||
- openlog(debug_prg_name, 0, facility);
|
|
||||||
-
|
|
||||||
- vsyslog(syslog_priority, format, ap);
|
|
||||||
+ int syslog_priority = sss_to_syslog(priority);
|
|
||||||
|
|
||||||
- closelog();
|
|
||||||
+ vsyslog(facility|syslog_priority, format, ap);
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif /* WITH_JOURNALD */
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Thu, 8 Oct 2020 12:18:41 +0200
|
|
||||||
Subject: [PATCH 5/8] negcache: make sure domain config does not leak into
|
|
||||||
global
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5238
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/common/negcache.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
|
|
||||||
index ce1c0ab8c..139218420 100644
|
|
||||||
--- a/src/responder/common/negcache.c
|
|
||||||
+++ b/src/responder/common/negcache.c
|
|
||||||
@@ -1050,6 +1050,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ talloc_zfree(filter_list);
|
|
||||||
/* Populate non domain-specific negative cache user entries */
|
|
||||||
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
|
|
||||||
CONFDB_NSS_FILTER_USERS, &filter_list);
|
|
||||||
@@ -1185,6 +1186,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ talloc_zfree(filter_list);
|
|
||||||
/* Populate non domain-specific negative cache group entries */
|
|
||||||
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
|
|
||||||
CONFDB_NSS_FILTER_GROUPS, &filter_list);
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,106 +0,0 @@
|
|||||||
From 385af99ff4d5a75d0c1edc9ad830da3eb7478295 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Thu, 8 Oct 2020 17:57:29 +0200
|
|
||||||
Subject: [PATCH 6/8] utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
|
|
||||||
|
|
||||||
To allow to only iterate over a singel domain an its sub-domains a new
|
|
||||||
flag is added to get_next_domain().
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5238
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/tests/cmocka/test_utils.c | 31 +++++++++++++++++++++++++++++++
|
|
||||||
src/util/domain_info_utils.c | 10 +++++++---
|
|
||||||
src/util/util.h | 4 ++++
|
|
||||||
3 files changed, 42 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
|
||||||
index 945f5cb44..d77a972c1 100644
|
|
||||||
--- a/src/tests/cmocka/test_utils.c
|
|
||||||
+++ b/src/tests/cmocka/test_utils.c
|
|
||||||
@@ -877,6 +877,37 @@ static void test_get_next_domain_flags(void **state)
|
|
||||||
|
|
||||||
dom = get_next_domain(dom, gnd_flags);
|
|
||||||
assert_null(dom);
|
|
||||||
+
|
|
||||||
+ /* Descend only to subdomains */
|
|
||||||
+ gnd_flags = SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED;
|
|
||||||
+
|
|
||||||
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
|
|
||||||
+ assert_non_null(dom);
|
|
||||||
+ assert_string_equal(dom->name, "sub1a");
|
|
||||||
+
|
|
||||||
+ dom = get_next_domain(dom, gnd_flags);
|
|
||||||
+ assert_null(dom);
|
|
||||||
+
|
|
||||||
+ dom = find_domain_by_name_ex(test_ctx->dom_list, "dom2", true,
|
|
||||||
+ SSS_GND_ALL_DOMAINS);
|
|
||||||
+ assert_non_null(dom);
|
|
||||||
+ assert_string_equal(dom->name, "dom2");
|
|
||||||
+
|
|
||||||
+ dom = get_next_domain(dom, gnd_flags);
|
|
||||||
+ assert_non_null(dom);
|
|
||||||
+ assert_string_equal(dom->name, "sub2a");
|
|
||||||
+
|
|
||||||
+ dom = get_next_domain(dom, gnd_flags);
|
|
||||||
+ assert_non_null(dom);
|
|
||||||
+ assert_string_equal(dom->name, "sub2b");
|
|
||||||
+
|
|
||||||
+ dom = get_next_domain(dom, gnd_flags);
|
|
||||||
+ assert_null(dom);
|
|
||||||
+
|
|
||||||
+ /* Expect NULL if the domain has no sub-domains */
|
|
||||||
+ test_ctx->dom_list->subdomains = NULL;
|
|
||||||
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
|
|
||||||
+ assert_null(dom);
|
|
||||||
}
|
|
||||||
|
|
||||||
struct name_init_test_ctx {
|
|
||||||
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
|
||||||
index aa3582f03..4d4726daa 100644
|
|
||||||
--- a/src/util/domain_info_utils.c
|
|
||||||
+++ b/src/util/domain_info_utils.c
|
|
||||||
@@ -39,16 +39,20 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
|
|
||||||
uint32_t gnd_flags)
|
|
||||||
{
|
|
||||||
struct sss_domain_info *dom;
|
|
||||||
- bool descend = gnd_flags & SSS_GND_DESCEND;
|
|
||||||
+ bool descend = gnd_flags & (SSS_GND_DESCEND | SSS_GND_SUBDOMAINS);
|
|
||||||
bool include_disabled = gnd_flags & SSS_GND_INCLUDE_DISABLED;
|
|
||||||
+ bool only_subdomains = gnd_flags & SSS_GND_SUBDOMAINS;
|
|
||||||
|
|
||||||
dom = domain;
|
|
||||||
while (dom) {
|
|
||||||
if (descend && dom->subdomains) {
|
|
||||||
dom = dom->subdomains;
|
|
||||||
- } else if (dom->next) {
|
|
||||||
+ } else if (dom->next && only_subdomains && IS_SUBDOMAIN(dom)) {
|
|
||||||
dom = dom->next;
|
|
||||||
- } else if (descend && IS_SUBDOMAIN(dom) && dom->parent->next) {
|
|
||||||
+ } else if (dom->next && !only_subdomains) {
|
|
||||||
+ dom = dom->next;
|
|
||||||
+ } else if (descend && !only_subdomains && IS_SUBDOMAIN(dom)
|
|
||||||
+ && dom->parent->next) {
|
|
||||||
dom = dom->parent->next;
|
|
||||||
} else {
|
|
||||||
dom = NULL;
|
|
||||||
diff --git a/src/util/util.h b/src/util/util.h
|
|
||||||
index fbcac5cd0..581c0edfb 100644
|
|
||||||
--- a/src/util/util.h
|
|
||||||
+++ b/src/util/util.h
|
|
||||||
@@ -565,7 +565,11 @@ struct sss_domain_info *get_domains_head(struct sss_domain_info *domain);
|
|
||||||
|
|
||||||
#define SSS_GND_DESCEND 0x01
|
|
||||||
#define SSS_GND_INCLUDE_DISABLED 0x02
|
|
||||||
+/* Descend to sub-domains of current domain but do not go to next parent */
|
|
||||||
+#define SSS_GND_SUBDOMAINS 0x04
|
|
||||||
#define SSS_GND_ALL_DOMAINS (SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED)
|
|
||||||
+#define SSS_GND_ALL_SUBDOMAINS (SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED)
|
|
||||||
+
|
|
||||||
struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
|
|
||||||
uint32_t gnd_flags);
|
|
||||||
struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,443 +0,0 @@
|
|||||||
From 0dc81a52e2836010974e9f71b1f3e47c20fd498d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 9 Oct 2020 11:56:21 +0200
|
|
||||||
Subject: [PATCH 7/8] negcache: make sure short names are added to sub-domains
|
|
||||||
|
|
||||||
If short names are used with filter_users or filter_groups in a
|
|
||||||
[domain/...] section they should be added to the sub-domains of this
|
|
||||||
domain as well.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5238
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/common/negcache.c | 105 +++++++------
|
|
||||||
src/tests/cmocka/test_negcache.c | 254 +++++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 312 insertions(+), 47 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
|
|
||||||
index 139218420..9ee39ce3e 100644
|
|
||||||
--- a/src/responder/common/negcache.c
|
|
||||||
+++ b/src/responder/common/negcache.c
|
|
||||||
@@ -971,6 +971,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
char *name = NULL;
|
|
||||||
struct sss_domain_info *dom = NULL;
|
|
||||||
struct sss_domain_info *domain_list = rctx->domains;
|
|
||||||
+ struct sss_domain_info *ddom;
|
|
||||||
char *domainname = NULL;
|
|
||||||
char *conf_path = NULL;
|
|
||||||
TALLOC_CTX *tmpctx = talloc_new(NULL);
|
|
||||||
@@ -1013,39 +1014,44 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (domainname && strcmp(domainname, dom->name)) {
|
|
||||||
- DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
- "Mismatch between domain name (%s) and name "
|
|
||||||
- "set in FQN (%s), assuming %s is UPN\n",
|
|
||||||
- dom->name, domainname, filter_list[i]);
|
|
||||||
- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
|
|
||||||
+ /* Check domain and its sub-domains */
|
|
||||||
+ for (ddom = dom; ddom != NULL;
|
|
||||||
+ ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) {
|
|
||||||
+
|
|
||||||
+ if (domainname && strcmp(domainname, ddom->name)) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
+ "Mismatch between domain name (%s) and name "
|
|
||||||
+ "set in FQN (%s), assuming %s is UPN\n",
|
|
||||||
+ ddom->name, domainname, filter_list[i]);
|
|
||||||
+ ret = sss_ncache_set_upn(ncache, true, ddom, filter_list[i]);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sss_ncache_set_upn failed (%d [%s]), ignored\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ }
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
|
|
||||||
+ if (fqname == NULL) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sss_ncache_set_upn(ncache, true, ddom, fqname);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"sss_ncache_set_upn failed (%d [%s]), ignored\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
}
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
|
|
||||||
- if (fqname == NULL) {
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = sss_ncache_set_upn(ncache, true, dom, fqname);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
- "sss_ncache_set_upn failed (%d [%s]), ignored\n",
|
|
||||||
- ret, sss_strerror(ret));
|
|
||||||
- }
|
|
||||||
- ret = sss_ncache_set_user(ncache, true, dom, fqname);
|
|
||||||
- talloc_zfree(fqname);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Failed to store permanent user filter for [%s]"
|
|
||||||
- " (%d [%s])\n", filter_list[i],
|
|
||||||
- ret, sss_strerror(ret));
|
|
||||||
- continue;
|
|
||||||
+ ret = sss_ncache_set_user(ncache, true, ddom, fqname);
|
|
||||||
+ talloc_zfree(fqname);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to store permanent user filter for [%s]"
|
|
||||||
+ " (%d [%s])\n", filter_list[i],
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1161,27 +1167,32 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (domainname && strcmp(domainname, dom->name)) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Mismatch between domain name (%s) and name "
|
|
||||||
- "set in FQN (%s), skipping group %s\n",
|
|
||||||
- dom->name, domainname, name);
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
+ /* Check domain and its sub-domains */
|
|
||||||
+ for (ddom = dom;
|
|
||||||
+ ddom != NULL && (ddom == dom || ddom->parent != NULL);
|
|
||||||
+ ddom = get_next_domain(ddom, SSS_GND_ALL_DOMAINS)) {
|
|
||||||
+ if (domainname && strcmp(domainname, ddom->name)) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Mismatch between domain name (%s) and name "
|
|
||||||
+ "set in FQN (%s), skipping group %s\n",
|
|
||||||
+ ddom->name, domainname, name);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
|
|
||||||
- if (fqname == NULL) {
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
+ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
|
|
||||||
+ if (fqname == NULL) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- ret = sss_ncache_set_group(ncache, true, dom, fqname);
|
|
||||||
- talloc_zfree(fqname);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Failed to store permanent group filter for [%s]"
|
|
||||||
- " (%d [%s])\n", filter_list[i],
|
|
||||||
- ret, strerror(ret));
|
|
||||||
- continue;
|
|
||||||
+ ret = sss_ncache_set_group(ncache, true, ddom, fqname);
|
|
||||||
+ talloc_zfree(fqname);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to store permanent group filter for [%s]"
|
|
||||||
+ " (%d [%s])\n", filter_list[i],
|
|
||||||
+ ret, strerror(ret));
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
|
|
||||||
index b3a379227..fb306b110 100644
|
|
||||||
--- a/src/tests/cmocka/test_negcache.c
|
|
||||||
+++ b/src/tests/cmocka/test_negcache.c
|
|
||||||
@@ -119,6 +119,8 @@ static int setup(void **state)
|
|
||||||
int ret;
|
|
||||||
struct test_state *ts;
|
|
||||||
|
|
||||||
+ test_dom_suite_setup(TESTS_PATH);
|
|
||||||
+
|
|
||||||
ts = talloc(NULL, struct test_state);
|
|
||||||
assert_non_null(ts);
|
|
||||||
|
|
||||||
@@ -133,6 +135,7 @@ static int setup(void **state)
|
|
||||||
static int teardown(void **state)
|
|
||||||
{
|
|
||||||
struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
|
|
||||||
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
|
|
||||||
talloc_free(ts);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -921,6 +924,255 @@ static void test_sss_ncache_reset_prepopulate(void **state)
|
|
||||||
assert_int_equal(ret, EEXIST);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* The main purpose of test_sss_ncache_short_name_in_domain is to test that
|
|
||||||
+ * short names in the filter_users or filter_groups options in a [domain/...]
|
|
||||||
+ * section are properly added to the related sub-domains as well (if there are
|
|
||||||
+ * any) and not added to domains from other [domain/...] sections. For
|
|
||||||
+ * completeness entries with fully-qualified names of the parent and the
|
|
||||||
+ * sub-domain and the generic UPN are added as well.
|
|
||||||
+ *
|
|
||||||
+ * The result should of course be independent of the present domains. To
|
|
||||||
+ * verify this the domains are added one after the other and the negative
|
|
||||||
+ * cache is repopulated each time.
|
|
||||||
+ *
|
|
||||||
+ * With the given domains, users and group we have to following expectations:
|
|
||||||
+ * - the short name entry will be added to the domain and all sub-domains as
|
|
||||||
+ * name and as upn by expanding it to a fully-qualified name with the
|
|
||||||
+ * domain name or sub-domain name respectively
|
|
||||||
+ * - the fully-qualified name from the parent domain is added as name and upn
|
|
||||||
+ * to the parent domain and as upn to all sub-domains
|
|
||||||
+ * - the fully-qualified name from the sub-domain is added as name to the
|
|
||||||
+ * sub-domain and as upn to the parent and all sub-domains
|
|
||||||
+ * - the generic upn is nowhere added as name and as upn to the parent and all
|
|
||||||
+ * sub-domains
|
|
||||||
+ * - none of the names is added to a different parent domain
|
|
||||||
+ *
|
|
||||||
+ * The following table should illustrated the expectations:
|
|
||||||
+ *
|
|
||||||
+ * user (name):
|
|
||||||
+ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
|
|
||||||
+ *-----------------+-----------+-----------------------+--------------------------+------------
|
|
||||||
+ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING | MISSING
|
|
||||||
+ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT | MISSING
|
|
||||||
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING
|
|
||||||
+ *
|
|
||||||
+ * user (upn):
|
|
||||||
+ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
|
|
||||||
+ *-----------------+-----------+-----------------------+--------------------------+------------
|
|
||||||
+ * TEST_DOM_NAME | PRESENT | PRESENT | PRESENT | PRESENT
|
|
||||||
+ * subTEST_DOM_NAME| PRESENT | PRESENT | PRESENT | PRESENT
|
|
||||||
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING
|
|
||||||
+ *
|
|
||||||
+ *
|
|
||||||
+ *
|
|
||||||
+ * groups:
|
|
||||||
+ * | shortgroup | parentg@TEST_DOM_NAME | subdomg@subTEST_DOM_NAME
|
|
||||||
+ *-----------------+------------+-----------------------+-------------------------
|
|
||||||
+ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING
|
|
||||||
+ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT
|
|
||||||
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING
|
|
||||||
+ *
|
|
||||||
+ *
|
|
||||||
+ * The following expect_*() implement checks for the expextations:
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+static void expect_in_parent(struct sss_nc_ctx *ncache,
|
|
||||||
+ struct sss_domain_info *dom)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, dom, "shortuser");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, dom, "shortuser@"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, dom, "parentu");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, dom, "parentu@"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, dom, "subdomu");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, dom, "subdomu@sub"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, dom, "upn");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, dom, "upn@upn.dom");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, dom, "shortgroup");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, dom, "parentg");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, dom, "subdomg");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void expect_in_subdomain(struct sss_nc_ctx *ncache,
|
|
||||||
+ struct sss_domain_info *sub_dom)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, sub_dom, "shortuser");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, sub_dom, "shortuser@sub"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, sub_dom, "subdomu");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, sub_dom, "subdomu@sub"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, sub_dom, "upn");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, sub_dom, "upn@upn.dom");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, sub_dom, "parentu");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, sub_dom, "parentu@"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, sub_dom, "shortgroup");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, sub_dom, "parentg");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, sub_dom, "subdomg");
|
|
||||||
+ assert_int_equal(ret, EEXIST);
|
|
||||||
+}
|
|
||||||
+static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
|
|
||||||
+ struct sss_domain_info *dom2)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, dom2, "shortuser");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, dom2, "shortuser"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, dom2, "parentu");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, dom2, "parentu@"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, dom2, "subdomu");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, dom2, "subdomu@sub"TEST_DOM_NAME);
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+
|
|
||||||
+ ret = check_user_in_ncache(ncache, dom2, "upn");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+ ret = sss_ncache_check_upn(ncache, dom2, "upn@upn.dom");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, dom2, "shortgroup");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, dom2, "parentg");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+
|
|
||||||
+ ret = check_group_in_ncache(ncache, dom2, "subdomg");
|
|
||||||
+ assert_int_equal(ret, ENOENT);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_sss_ncache_short_name_in_domain(void **state)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ struct test_state *ts;
|
|
||||||
+ struct tevent_context *ev;
|
|
||||||
+ struct sss_nc_ctx *ncache;
|
|
||||||
+ struct sss_test_ctx *tc;
|
|
||||||
+ struct sss_domain_info *dom;
|
|
||||||
+ struct sss_domain_info *dom2;
|
|
||||||
+ struct sss_domain_info *sub_dom;
|
|
||||||
+
|
|
||||||
+ struct sss_test_conf_param params[] = {
|
|
||||||
+ { "filter_users", "shortuser, parentu@"TEST_DOM_NAME", "
|
|
||||||
+ "subdomu@sub"TEST_DOM_NAME", upn@upn.dom" },
|
|
||||||
+ { "filter_groups", "shortgroup, parentg@"TEST_DOM_NAME", "
|
|
||||||
+ "subdomg@sub"TEST_DOM_NAME },
|
|
||||||
+ { NULL, NULL },
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ const char *nss_filter_users[] = { params[0].value, NULL};
|
|
||||||
+ const char *nss_filter_groups[] = { params[1].value, NULL};
|
|
||||||
+
|
|
||||||
+ ts = talloc_get_type_abort(*state, struct test_state);
|
|
||||||
+
|
|
||||||
+ ev = tevent_context_init(ts);
|
|
||||||
+ assert_non_null(ev);
|
|
||||||
+
|
|
||||||
+ dom = talloc_zero(ts, struct sss_domain_info);
|
|
||||||
+ assert_non_null(dom);
|
|
||||||
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
|
|
||||||
+ sss_domain_set_state(dom, DOM_ACTIVE);
|
|
||||||
+
|
|
||||||
+ ts->nctx = mock_nctx(ts);
|
|
||||||
+ assert_non_null(ts->nctx);
|
|
||||||
+
|
|
||||||
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
|
|
||||||
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
|
|
||||||
+ assert_non_null(tc);
|
|
||||||
+
|
|
||||||
+ ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME,
|
|
||||||
+ "filter_users", nss_filter_users);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ ret = confdb_add_param(tc->confdb, true, "config/domain"TEST_DOM_NAME,
|
|
||||||
+ "filter_groups", nss_filter_groups);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ ncache = ts->ctx;
|
|
||||||
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
|
|
||||||
+ assert_non_null(ts->rctx);
|
|
||||||
+ ts->rctx->cdb = tc->confdb;
|
|
||||||
+
|
|
||||||
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* Add another domain */
|
|
||||||
+ dom2 = talloc_zero(ts, struct sss_domain_info);
|
|
||||||
+ assert_non_null(dom2);
|
|
||||||
+ dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
|
|
||||||
+ sss_domain_set_state(dom2, DOM_ACTIVE);
|
|
||||||
+ dom->next = dom2;
|
|
||||||
+ dom2->names = dom->names;
|
|
||||||
+
|
|
||||||
+ expect_in_parent(ncache, dom);
|
|
||||||
+ expect_no_entries_in_dom(ncache, dom2);
|
|
||||||
+
|
|
||||||
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ expect_in_parent(ncache, dom);
|
|
||||||
+ expect_no_entries_in_dom(ncache, dom2);
|
|
||||||
+
|
|
||||||
+ /* Add a sub domain */
|
|
||||||
+ sub_dom = talloc_zero(ts, struct sss_domain_info);
|
|
||||||
+ assert_non_null(sub_dom);
|
|
||||||
+ sub_dom->name = discard_const_p(char, "sub"TEST_DOM_NAME);
|
|
||||||
+ sss_domain_set_state(sub_dom, DOM_ACTIVE);
|
|
||||||
+ sub_dom->parent = dom;
|
|
||||||
+ dom->subdomains = sub_dom;
|
|
||||||
+ sub_dom->names = dom->names;
|
|
||||||
+
|
|
||||||
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ expect_in_parent(ncache, dom);
|
|
||||||
+ expect_in_subdomain(ncache, sub_dom);
|
|
||||||
+ expect_no_entries_in_dom(ncache, dom2);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void test_sss_ncache_reset(void **state)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
@@ -1083,6 +1335,8 @@ int main(void)
|
|
||||||
setup, teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
|
|
||||||
setup, teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
|
|
||||||
+ setup, teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
|
|
||||||
setup, teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,154 +0,0 @@
|
|||||||
From fa4b46e7de7297da3c0e37913eab8cba7f103629 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 9 Oct 2020 15:26:39 +0200
|
|
||||||
Subject: [PATCH 8/8] negcache: do not use default_domain_suffix
|
|
||||||
|
|
||||||
When splitting the names from the filter_users and filter_groups options
|
|
||||||
do not use the default_domain_suffix because it will hide that the
|
|
||||||
original name is a short name and should be added everywhere.
|
|
||||||
|
|
||||||
Additionally this patch fixes a typo where sss_parse_name() was used
|
|
||||||
instead of sss_parse_name_for_domains().
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5238
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/common/negcache.c | 29 +++++++++++++++--------------
|
|
||||||
src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++--
|
|
||||||
2 files changed, 35 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
|
|
||||||
index 9ee39ce3e..59e8ad7e7 100644
|
|
||||||
--- a/src/responder/common/negcache.c
|
|
||||||
+++ b/src/responder/common/negcache.c
|
|
||||||
@@ -1000,13 +1000,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
|
|
||||||
for (i = 0; (filter_list && filter_list[i]); i++) {
|
|
||||||
ret = sss_parse_name_for_domains(tmpctx, domain_list,
|
|
||||||
- rctx->default_domain,
|
|
||||||
+ NULL,
|
|
||||||
filter_list[i],
|
|
||||||
&domainname, &name);
|
|
||||||
if (ret == EAGAIN) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "cannot add [%s] to negcache because the required or "
|
|
||||||
- "default domain are not known yet\n", filter_list[i]);
|
|
||||||
+ "Can add [%s] only as UPN to negcache because the "
|
|
||||||
+ "required domain is not known yet\n", filter_list[i]);
|
|
||||||
} else if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"Invalid name in filterUsers list: [%s] (%d)\n",
|
|
||||||
@@ -1066,12 +1066,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
|
|
||||||
for (i = 0; (filter_list && filter_list[i]); i++) {
|
|
||||||
ret = sss_parse_name_for_domains(tmpctx, domain_list,
|
|
||||||
- rctx->default_domain, filter_list[i],
|
|
||||||
+ NULL, filter_list[i],
|
|
||||||
&domainname, &name);
|
|
||||||
if (ret == EAGAIN) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "Cannot add [%s] to negcache because the required or "
|
|
||||||
- "default domain are not known yet\n", filter_list[i]);
|
|
||||||
+ "Can add [%s] only as UPN to negcache because the "
|
|
||||||
+ "required domain is not known yet\n", filter_list[i]);
|
|
||||||
} else if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"Invalid name in filterUsers list: [%s] (%d)\n",
|
|
||||||
@@ -1158,9 +1158,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
|
|
||||||
for (i = 0; (filter_list && filter_list[i]); i++) {
|
|
||||||
- ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
|
|
||||||
- &domainname, &name);
|
|
||||||
+ ret = sss_parse_name_for_domains(tmpctx, domain_list,
|
|
||||||
+ NULL, filter_list[i],
|
|
||||||
+ &domainname, &name);
|
|
||||||
if (ret != EOK) {
|
|
||||||
+ /* Groups do not have UPNs, so domain names, if present,
|
|
||||||
+ * must be known */
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"Invalid name in filterGroups list: [%s] (%d)\n",
|
|
||||||
filter_list[i], ret);
|
|
||||||
@@ -1207,13 +1210,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
||||||
|
|
||||||
for (i = 0; (filter_list && filter_list[i]); i++) {
|
|
||||||
ret = sss_parse_name_for_domains(tmpctx, domain_list,
|
|
||||||
- rctx->default_domain, filter_list[i],
|
|
||||||
+ NULL, filter_list[i],
|
|
||||||
&domainname, &name);
|
|
||||||
- if (ret == EAGAIN) {
|
|
||||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "Cannot add [%s] to negcache because the required or "
|
|
||||||
- "default domain are not known yet\n", filter_list[i]);
|
|
||||||
- } else if (ret != EOK) {
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ /* Groups do not have UPNs, so domain names, if present,
|
|
||||||
+ * must be known */
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"Invalid name in filterGroups list: [%s] (%d)\n",
|
|
||||||
filter_list[i], ret);
|
|
||||||
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
|
|
||||||
index fb306b110..30218d52a 100644
|
|
||||||
--- a/src/tests/cmocka/test_negcache.c
|
|
||||||
+++ b/src/tests/cmocka/test_negcache.c
|
|
||||||
@@ -933,7 +933,9 @@ static void test_sss_ncache_reset_prepopulate(void **state)
|
|
||||||
*
|
|
||||||
* The result should of course be independent of the present domains. To
|
|
||||||
* verify this the domains are added one after the other and the negative
|
|
||||||
- * cache is repopulated each time.
|
|
||||||
+ * cache is repopulated each time. The result should be also independent of
|
|
||||||
+ * the setting of default_domain_suffix option which is tested by
|
|
||||||
+ * test_sss_ncache_short_name_in_domain_with_prefix.
|
|
||||||
*
|
|
||||||
* With the given domains, users and group we have to following expectations:
|
|
||||||
* - the short name entry will be added to the domain and all sub-domains as
|
|
||||||
@@ -1081,7 +1083,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
|
|
||||||
assert_int_equal(ret, ENOENT);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void test_sss_ncache_short_name_in_domain(void **state)
|
|
||||||
+static void run_sss_ncache_short_name_in_domain(void **state,
|
|
||||||
+ bool use_default_domain_prefix)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
struct test_state *ts;
|
|
||||||
@@ -1131,6 +1134,9 @@ static void test_sss_ncache_short_name_in_domain(void **state)
|
|
||||||
ncache = ts->ctx;
|
|
||||||
ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
|
|
||||||
assert_non_null(ts->rctx);
|
|
||||||
+ if (use_default_domain_prefix) {
|
|
||||||
+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
|
|
||||||
+ }
|
|
||||||
ts->rctx->cdb = tc->confdb;
|
|
||||||
|
|
||||||
ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
|
|
||||||
@@ -1173,6 +1179,16 @@ static void test_sss_ncache_short_name_in_domain(void **state)
|
|
||||||
expect_no_entries_in_dom(ncache, dom2);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void test_sss_ncache_short_name_in_domain(void **state)
|
|
||||||
+{
|
|
||||||
+ run_sss_ncache_short_name_in_domain(state, false);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_sss_ncache_short_name_in_domain_with_prefix(void **state)
|
|
||||||
+{
|
|
||||||
+ run_sss_ncache_short_name_in_domain(state, true);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void test_sss_ncache_reset(void **state)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
@@ -1337,6 +1353,8 @@ int main(void)
|
|
||||||
setup, teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
|
|
||||||
setup, teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix,
|
|
||||||
+ setup, teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
|
|
||||||
setup, teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,43 +0,0 @@
|
|||||||
From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Wed, 9 Dec 2020 14:07:22 +0100
|
|
||||||
Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path
|
|
||||||
|
|
||||||
Previous unefficient code encoded the secret multiple times:
|
|
||||||
secret -> base64 -> masterkey -> base64
|
|
||||||
|
|
||||||
To allow smooth upgrade for already existant ccache we need to also decode
|
|
||||||
the secret if it is still in the old format (type == simple). Otherwise
|
|
||||||
users are not able to log in.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5349
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++
|
|
||||||
1 file changed, 10 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
||||||
index 726711ac4..ea5c8f9ee 100644
|
|
||||||
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
||||||
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
||||||
@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (strcmp(datatype, "simple") == 0) {
|
|
||||||
+ /* The secret is stored in b64 encoding, we need to decode it first. */
|
|
||||||
+ data = sss_base64_decode(tmp_ctx, (const char*)data, &len);
|
|
||||||
+ if (data == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
buf = sss_iobuf_init_steal(tmp_ctx, data, len);
|
|
||||||
if (buf == NULL) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,112 +0,0 @@
|
|||||||
From c87b2208b9a58c12eeceb5b8ccf9c34dcd835b8d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 17 Nov 2020 12:59:23 +0100
|
|
||||||
Subject: [PATCH] nss: check if groups are filtered during initgroups
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
If groups are filtered, i.e. SSSD should not handle them, they should
|
|
||||||
not appear in the group list returned by an initgroups request.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5403
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++
|
|
||||||
src/tests/intg/test_ldap.py | 12 +++++++++
|
|
||||||
2 files changed, 47 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
|
|
||||||
index 8f1d3fe81..135b392f7 100644
|
|
||||||
--- a/src/responder/nss/nss_protocol_grent.c
|
|
||||||
+++ b/src/responder/nss/nss_protocol_grent.c
|
|
||||||
@@ -326,6 +326,34 @@ done:
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static bool is_group_filtered(struct sss_nc_ctx *ncache,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ const char *grp_name, gid_t gid)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ if (grp_name == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Group with gid [%"SPRIgid"] has no name, this should never "
|
|
||||||
+ "happen, trying to continue without.\n", gid);
|
|
||||||
+ } else {
|
|
||||||
+ ret = sss_ncache_check_group(ncache, domain, grp_name);
|
|
||||||
+ if (ret == EEXIST) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! "
|
|
||||||
+ "(negative cache)", grp_name);
|
|
||||||
+ return true;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ ret = sss_ncache_check_gid(ncache, domain, gid);
|
|
||||||
+ if (ret == EEXIST) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! "
|
|
||||||
+ "(negative cache)", gid);
|
|
||||||
+ return true;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return false;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
errno_t
|
|
||||||
nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
|
||||||
struct nss_cmd_ctx *cmd_ctx,
|
|
||||||
@@ -344,6 +372,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
|
||||||
size_t body_len;
|
|
||||||
size_t rp;
|
|
||||||
gid_t gid;
|
|
||||||
+ const char *grp_name;
|
|
||||||
gid_t orig_gid;
|
|
||||||
errno_t ret;
|
|
||||||
int i;
|
|
||||||
@@ -392,6 +421,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
|
||||||
gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
|
|
||||||
0);
|
|
||||||
posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
|
|
||||||
+ grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
|
|
||||||
+ NULL);
|
|
||||||
|
|
||||||
if (gid == 0) {
|
|
||||||
if (posix != NULL && strcmp(posix, "FALSE") == 0) {
|
|
||||||
@@ -404,6 +435,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp);
|
|
||||||
num_results++;
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
|
|
||||||
index 194d7d9cc..6a78c960f 100644
|
|
||||||
--- a/src/tests/intg/test_ldap.py
|
|
||||||
+++ b/src/tests/intg/test_ldap.py
|
|
||||||
@@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter):
|
|
||||||
with pytest.raises(KeyError):
|
|
||||||
grp.getgrgid(14)
|
|
||||||
|
|
||||||
+ # test initgroups - user1 is member of group_two_one_user_groups (2019)
|
|
||||||
+ # which is filtered out
|
|
||||||
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001)
|
|
||||||
+ assert res == sssd_id.NssReturnCode.SUCCESS
|
|
||||||
+
|
|
||||||
+ user_with_group_ids = [2001, 2012, 2015, 2017, 2018]
|
|
||||||
+ assert sorted(gids) == sorted(user_with_group_ids), \
|
|
||||||
+ "result: %s\n expected %s" % (
|
|
||||||
+ ", ".join(["%s" % s for s in sorted(gids)]),
|
|
||||||
+ ", ".join(["%s" % s for s in sorted(user_with_group_ids)])
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
|
|
||||||
@pytest.fixture
|
|
||||||
def sanity_nss_filter_cached(request, ldap_conn):
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 81e757b7b1d69893b5725f9c148c55d89c779e7b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 3 Nov 2020 10:12:15 +0100
|
|
||||||
Subject: [PATCH] ifp: fix use-after-free
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The variable fqdn is pointing to some data from state->res->msgs[0]. But
|
|
||||||
before fqdn is used in the next search state->res and the memory
|
|
||||||
hierarchy below is freed. As a result the location where fqdn is pointing
|
|
||||||
to might hold the expected data or other data and the search will fail
|
|
||||||
intermittently.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5382
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/ifp/ifpsrv_cmd.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
|
|
||||||
index 9f20bf2db..d95618127 100644
|
|
||||||
--- a/src/responder/ifp/ifpsrv_cmd.c
|
|
||||||
+++ b/src/responder/ifp/ifpsrv_cmd.c
|
|
||||||
@@ -128,6 +128,7 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
|
|
||||||
tevent_req_error(req, ERR_INTERNAL);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+ fqdn = talloc_steal(state, fqdn);
|
|
||||||
|
|
||||||
if (state->search_type == SSS_DP_USER) {
|
|
||||||
/* throw away the result and perform attr search */
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From 3b158934cbb8f87cbfaf1650389b8dcd654b92ca Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Thu, 19 Nov 2020 18:05:00 +0100
|
|
||||||
Subject: [PATCH] ifp: fix original fix use-after-free
|
|
||||||
|
|
||||||
The original fix stole the fqdn too earlier. Only for SSS_DP_USER
|
|
||||||
requests the steal is important. For other request where the first
|
|
||||||
result is returned to the caller the original version
|
|
||||||
might even cause issues since the name does not belong to the memory
|
|
||||||
hierarchy of the result anymore.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5382
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/ifp/ifpsrv_cmd.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
|
|
||||||
index d95618127..8cf1ec84c 100644
|
|
||||||
--- a/src/responder/ifp/ifpsrv_cmd.c
|
|
||||||
+++ b/src/responder/ifp/ifpsrv_cmd.c
|
|
||||||
@@ -128,10 +128,10 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
|
|
||||||
tevent_req_error(req, ERR_INTERNAL);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
- fqdn = talloc_steal(state, fqdn);
|
|
||||||
|
|
||||||
if (state->search_type == SSS_DP_USER) {
|
|
||||||
- /* throw away the result and perform attr search */
|
|
||||||
+ /* throw away the result but keep the fqdn and perform attr search */
|
|
||||||
+ fqdn = talloc_steal(state, fqdn);
|
|
||||||
talloc_zfree(state->res);
|
|
||||||
|
|
||||||
ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn,
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,68 +0,0 @@
|
|||||||
From 1b9b7f5a635ede8eee90d13bfe0e1f87e51191a9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 13 Nov 2020 12:59:39 +0100
|
|
||||||
Subject: [PATCH 13/16] pam_sss: use unique id for gdm choice list
|
|
||||||
|
|
||||||
Currently the key-id read from the Smartcard is used as key value for
|
|
||||||
the gdm choice list dialog. Since it might be possible that multiple
|
|
||||||
certificates use the same key and hence the same key-id this is not a
|
|
||||||
suitable value.
|
|
||||||
|
|
||||||
With this patch the string representation of a numerical counter is used.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5400
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/sss_client/pam_sss.c | 14 ++++++++++++--
|
|
||||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
||||||
index b844d257e..04dfdb55d 100644
|
|
||||||
--- a/src/sss_client/pam_sss.c
|
|
||||||
+++ b/src/sss_client/pam_sss.c
|
|
||||||
@@ -128,6 +128,7 @@ struct cert_auth_info {
|
|
||||||
char *key_id;
|
|
||||||
char *prompt_str;
|
|
||||||
char *pam_cert_user;
|
|
||||||
+ char *choice_list_id;
|
|
||||||
struct cert_auth_info *prev;
|
|
||||||
struct cert_auth_info *next;
|
|
||||||
};
|
|
||||||
@@ -141,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
|
|
||||||
free(cai->module_name);
|
|
||||||
free(cai->key_id);
|
|
||||||
free(cai->prompt_str);
|
|
||||||
+ free(cai->choice_list_id);
|
|
||||||
free(cai);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1698,7 +1700,15 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- request->list.items[c].key = cai->key_id;
|
|
||||||
+ free(cai->choice_list_id);
|
|
||||||
+ ret = asprintf(&cai->choice_list_id, "%zu", c);
|
|
||||||
+ if (ret == -1) {
|
|
||||||
+ cai->choice_list_id = NULL;
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ request->list.items[c].key = cai->choice_list_id;
|
|
||||||
request->list.items[c++].text = prompt;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1719,7 +1729,7 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
|
|
||||||
}
|
|
||||||
|
|
||||||
DLIST_FOR_EACH(cai, pi->cert_list) {
|
|
||||||
- if (strcmp(response->key, cai->key_id) == 0) {
|
|
||||||
+ if (strcmp(response->key, cai->choice_list_id) == 0) {
|
|
||||||
pam_info(pamh, "Certificate ‘%s’ selected", cai->key_id);
|
|
||||||
pi->selected_cert = cai;
|
|
||||||
ret = 0;
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,208 +0,0 @@
|
|||||||
From b8800d3e1b43f2eb28b2df7adb2bcb323bf2d1f1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Sat, 14 Nov 2020 17:52:35 +0100
|
|
||||||
Subject: [PATCH 15/16] pam_sss: add certificate label to reply to pam_sss
|
|
||||||
|
|
||||||
Add the certificate label to the data send back and forth to the pam
|
|
||||||
module to avoid the ambiguity if two certificates use the same key.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5400
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/pam/pamsrv_p11.c | 13 ++++++++++---
|
|
||||||
src/sss_client/pam_sss.c | 15 +++++++++++++++
|
|
||||||
src/tests/cmocka/test_pam_srv.c | 20 ++++++++++++++++----
|
|
||||||
3 files changed, 41 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
||||||
index 23f94927a..e1fd72e64 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_p11.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_p11.c
|
|
||||||
@@ -1086,11 +1086,13 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
|
|
||||||
const char *token_name;
|
|
||||||
const char *module_name;
|
|
||||||
const char *key_id;
|
|
||||||
+ const char *label;
|
|
||||||
char *prompt;
|
|
||||||
size_t user_len;
|
|
||||||
size_t token_len;
|
|
||||||
size_t module_len;
|
|
||||||
size_t key_id_len;
|
|
||||||
+ size_t label_len;
|
|
||||||
size_t prompt_len;
|
|
||||||
size_t nss_name_len;
|
|
||||||
const char *username = "";
|
|
||||||
@@ -1113,16 +1115,18 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
|
|
||||||
token_name = sss_cai_get_token_name(cert_info);
|
|
||||||
module_name = sss_cai_get_module_name(cert_info);
|
|
||||||
key_id = sss_cai_get_key_id(cert_info);
|
|
||||||
+ label = sss_cai_get_label(cert_info);
|
|
||||||
|
|
||||||
user_len = strlen(username) + 1;
|
|
||||||
token_len = strlen(token_name) + 1;
|
|
||||||
module_len = strlen(module_name) + 1;
|
|
||||||
key_id_len = strlen(key_id) + 1;
|
|
||||||
+ label_len = strlen(label) + 1;
|
|
||||||
prompt_len = strlen(prompt) + 1;
|
|
||||||
nss_name_len = strlen(nss_username) +1;
|
|
||||||
|
|
||||||
- msg_len = user_len + token_len + module_len + key_id_len + prompt_len
|
|
||||||
- + nss_name_len;
|
|
||||||
+ msg_len = user_len + token_len + module_len + key_id_len + label_len
|
|
||||||
+ + prompt_len + nss_name_len;
|
|
||||||
|
|
||||||
msg = talloc_zero_size(mem_ctx, msg_len);
|
|
||||||
if (msg == NULL) {
|
|
||||||
@@ -1136,8 +1140,11 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
|
|
||||||
memcpy(msg + user_len + token_len, module_name, module_len);
|
|
||||||
memcpy(msg + user_len + token_len + module_len, key_id, key_id_len);
|
|
||||||
memcpy(msg + user_len + token_len + module_len + key_id_len,
|
|
||||||
+ label, label_len);
|
|
||||||
+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len,
|
|
||||||
prompt, prompt_len);
|
|
||||||
- memcpy(msg + user_len + token_len + module_len + key_id_len + prompt_len,
|
|
||||||
+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len
|
|
||||||
+ + prompt_len,
|
|
||||||
nss_username, nss_name_len);
|
|
||||||
talloc_free(prompt);
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
||||||
index cffbfa770..c539d6de6 100644
|
|
||||||
--- a/src/sss_client/pam_sss.c
|
|
||||||
+++ b/src/sss_client/pam_sss.c
|
|
||||||
@@ -142,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
|
|
||||||
free(cai->token_name);
|
|
||||||
free(cai->module_name);
|
|
||||||
free(cai->key_id);
|
|
||||||
+ free(cai->label);
|
|
||||||
free(cai->prompt_str);
|
|
||||||
free(cai->choice_list_id);
|
|
||||||
free(cai);
|
|
||||||
@@ -936,6 +937,20 @@ static int parse_cert_info(struct pam_items *pi, uint8_t *buf, size_t len,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ cai->label = strdup((char *) &buf[*p + offset]);
|
|
||||||
+ if (cai->label == NULL) {
|
|
||||||
+ D(("strdup failed"));
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ offset += strlen(cai->label) + 1;
|
|
||||||
+ if (offset >= len) {
|
|
||||||
+ D(("Cert message size mismatch"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
cai->prompt_str = strdup((char *) &buf[*p + offset]);
|
|
||||||
if (cai->prompt_str == NULL) {
|
|
||||||
D(("strdup failed"));
|
|
||||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
index cb05042de..5506fbf34 100644
|
|
||||||
--- a/src/tests/cmocka/test_pam_srv.c
|
|
||||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
@@ -62,13 +62,16 @@
|
|
||||||
#define TEST_TOKEN_NAME "SSSD Test Token"
|
|
||||||
#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
|
|
||||||
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
|
|
||||||
+#define TEST_LABEL "SSSD test cert 0001"
|
|
||||||
#define TEST_MODULE_NAME SOFTHSM2_PATH
|
|
||||||
#define TEST_PROMPT "SSSD test cert 0001\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
|
|
||||||
#define TEST2_PROMPT "SSSD test cert 0002\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
|
|
||||||
#define TEST5_PROMPT "SSSD test cert 0005\nCN=SSSD test cert 0005,OU=SSSD test,O=SSSD"
|
|
||||||
|
|
||||||
#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
|
|
||||||
+#define TEST2_LABEL "SSSD test cert 0002"
|
|
||||||
#define TEST5_KEY_ID "1195833C424AB00297F582FC43FFFFAB47A64CC9"
|
|
||||||
+#define TEST5_LABEL "SSSD test cert 0005"
|
|
||||||
|
|
||||||
static char CACHED_AUTH_TIMEOUT_STR[] = "4";
|
|
||||||
static const int CACHED_AUTH_TIMEOUT = 4;
|
|
||||||
@@ -673,6 +676,7 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
|
||||||
+ sizeof(TEST_TOKEN_NAME)
|
|
||||||
+ sizeof(TEST_MODULE_NAME)
|
|
||||||
+ sizeof(TEST_KEY_ID)
|
|
||||||
+ + sizeof(TEST_LABEL)
|
|
||||||
+ sizeof(TEST_PROMPT)
|
|
||||||
+ sizeof("pamuser")));
|
|
||||||
|
|
||||||
@@ -692,6 +696,10 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
|
||||||
assert_string_equal(body + rp, TEST_KEY_ID);
|
|
||||||
rp += sizeof(TEST_KEY_ID);
|
|
||||||
|
|
||||||
+ assert_int_equal(*(body + rp + sizeof(TEST_LABEL) - 1), 0);
|
|
||||||
+ assert_string_equal(body + rp, TEST_LABEL);
|
|
||||||
+ rp += sizeof(TEST_LABEL);
|
|
||||||
+
|
|
||||||
assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0);
|
|
||||||
assert_string_equal(body + rp, TEST_PROMPT);
|
|
||||||
rp += sizeof(TEST_PROMPT);
|
|
||||||
@@ -740,6 +748,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
|
||||||
TEST_TOKEN_NAME,
|
|
||||||
TEST_MODULE_NAME,
|
|
||||||
TEST_KEY_ID,
|
|
||||||
+ TEST_LABEL,
|
|
||||||
TEST_PROMPT,
|
|
||||||
NULL,
|
|
||||||
NULL };
|
|
||||||
@@ -749,6 +758,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
|
||||||
TEST_TOKEN_NAME,
|
|
||||||
TEST_MODULE_NAME,
|
|
||||||
TEST2_KEY_ID,
|
|
||||||
+ TEST2_LABEL,
|
|
||||||
TEST2_PROMPT,
|
|
||||||
NULL,
|
|
||||||
NULL };
|
|
||||||
@@ -756,10 +766,10 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
|
||||||
assert_int_equal(status, 0);
|
|
||||||
|
|
||||||
check_strings[0] = name;
|
|
||||||
- check_strings[5] = nss_name;
|
|
||||||
+ check_strings[6] = nss_name;
|
|
||||||
check_len = check_string_array_len(check_strings);
|
|
||||||
check2_strings[0] = name;
|
|
||||||
- check2_strings[5] = nss_name;
|
|
||||||
+ check2_strings[6] = nss_name;
|
|
||||||
check2_len = check_string_array_len(check2_strings);
|
|
||||||
|
|
||||||
|
|
||||||
@@ -843,6 +853,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
|
|
||||||
TEST_TOKEN2_NAME,
|
|
||||||
TEST_MODULE_NAME,
|
|
||||||
TEST2_KEY_ID,
|
|
||||||
+ TEST2_LABEL,
|
|
||||||
TEST2_PROMPT,
|
|
||||||
NULL,
|
|
||||||
NULL };
|
|
||||||
@@ -850,7 +861,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
|
|
||||||
assert_int_equal(status, 0);
|
|
||||||
|
|
||||||
check2_strings[0] = name;
|
|
||||||
- check2_strings[5] = nss_name;
|
|
||||||
+ check2_strings[6] = nss_name;
|
|
||||||
check2_len = check_string_array_len(check2_strings);
|
|
||||||
|
|
||||||
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
@@ -895,7 +906,7 @@ static int test_pam_cert_X_token_X_check_ex(uint32_t status, uint8_t *body,
|
|
||||||
assert_int_equal(status, 0);
|
|
||||||
|
|
||||||
check_strings[0] = name;
|
|
||||||
- check_strings[5] = nss_name;
|
|
||||||
+ check_strings[6] = nss_name;
|
|
||||||
check_len = check_string_array_len(check_strings);
|
|
||||||
|
|
||||||
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
@@ -946,6 +957,7 @@ static int test_pam_cert5_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
TEST_TOKEN_NAME,
|
|
||||||
TEST_MODULE_NAME,
|
|
||||||
TEST5_KEY_ID,
|
|
||||||
+ TEST5_LABEL,
|
|
||||||
TEST5_PROMPT,
|
|
||||||
NULL,
|
|
||||||
NULL };
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,265 +0,0 @@
|
|||||||
From f633f37e712cb0f7524a2ee257e15f34468149b4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 3 Nov 2020 09:58:52 +0100
|
|
||||||
Subject: [PATCH 16/16] add tests multiple certs same id
|
|
||||||
|
|
||||||
Add unit test for the case that two certificates use the same key.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5400
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/tests/cmocka/test_pam_srv.c | 116 +++++++++++++++++++
|
|
||||||
src/tests/test_CA/Makefile.am | 26 ++++-
|
|
||||||
src/tests/test_CA/SSSD_test_cert_0006.config | 20 ++++
|
|
||||||
3 files changed, 161 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 src/tests/test_CA/SSSD_test_cert_0006.config
|
|
||||||
|
|
||||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
index 5506fbf34..8ca5abd43 100644
|
|
||||||
--- a/src/tests/cmocka/test_pam_srv.c
|
|
||||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
@@ -40,12 +40,14 @@
|
|
||||||
#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
|
|
||||||
#include "tests/test_CA/SSSD_test_cert_x509_0002.h"
|
|
||||||
#include "tests/test_CA/SSSD_test_cert_x509_0005.h"
|
|
||||||
+#include "tests/test_CA/SSSD_test_cert_x509_0006.h"
|
|
||||||
|
|
||||||
#include "tests/test_ECC_CA/SSSD_test_ECC_cert_x509_0001.h"
|
|
||||||
#else
|
|
||||||
#define SSSD_TEST_CERT_0001 ""
|
|
||||||
#define SSSD_TEST_CERT_0002 ""
|
|
||||||
#define SSSD_TEST_CERT_0005 ""
|
|
||||||
+#define SSSD_TEST_CERT_0006 ""
|
|
||||||
|
|
||||||
#define SSSD_TEST_ECC_CERT_0001 ""
|
|
||||||
#endif
|
|
||||||
@@ -1093,6 +1095,13 @@ static int test_pam_creds_insufficient_check(uint32_t status,
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_pam_auth_err_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
+{
|
|
||||||
+ /* PAM_AUTH_ERR is returned for different types of error, we use different
|
|
||||||
+ * names for the check functions to make the purpose more clear. */
|
|
||||||
+ return test_pam_wrong_pw_offline_auth_check(status, body, blen);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int test_pam_user_unknown_check(uint32_t status,
|
|
||||||
uint8_t *body, size_t blen)
|
|
||||||
{
|
|
||||||
@@ -2500,6 +2509,107 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
|
|
||||||
assert_int_equal(ret, EOK);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* The following three tests cover a use case where multiple certificates are
|
|
||||||
+ * using the same key-pair. According to PKCS#11 specs "The CKA_ID field is
|
|
||||||
+ * intended to distinguish among multiple keys. In the case of public and
|
|
||||||
+ * private keys, this field assists in handling multiple keys held by the same
|
|
||||||
+ * subject; the key identifier for a public key and its corresponding private
|
|
||||||
+ * key should be the same. The key identifier should also be the same as for
|
|
||||||
+ * the corresponding certificate, if one exists. Cryptoki does not enforce
|
|
||||||
+ * these associations, however." As a result certificates sharing the same
|
|
||||||
+ * key-pair will have the same id on the Smartcard. This means a second
|
|
||||||
+ * parameter is needed to distinguish them. We use the label here.
|
|
||||||
+ *
|
|
||||||
+ * The first test makes sure authentication fails is the label is missing, the
|
|
||||||
+ * second and third test make sure that each certificate can be selected with
|
|
||||||
+ * the proper label. */
|
|
||||||
+void test_pam_cert_auth_2certs_same_id_no_label(void **state)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
|
||||||
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
|
|
||||||
+
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
|
|
||||||
+ TEST_MODULE_NAME,
|
|
||||||
+ "11111111",
|
|
||||||
+ NULL, NULL,
|
|
||||||
+ NULL, SSSD_TEST_CERT_0001);
|
|
||||||
+
|
|
||||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
|
|
||||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
+
|
|
||||||
+ /* Assume backend cannot handle Smartcard credentials */
|
|
||||||
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
|
|
||||||
+
|
|
||||||
+ set_cmd_cb(test_pam_auth_err_check);
|
|
||||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
|
|
||||||
+ pam_test_ctx->pam_cmds);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* Wait until the test finishes with EOK */
|
|
||||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_pam_cert_auth_2certs_same_id_with_label_1(void **state)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
|
||||||
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
|
|
||||||
+
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
|
|
||||||
+ TEST_MODULE_NAME,
|
|
||||||
+ "11111111",
|
|
||||||
+ "SSSD test cert 0001", NULL,
|
|
||||||
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001);
|
|
||||||
+
|
|
||||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
|
|
||||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
+
|
|
||||||
+ /* Assume backend cannot handle Smartcard credentials */
|
|
||||||
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
|
|
||||||
+
|
|
||||||
+ set_cmd_cb(test_pam_simple_check_success);
|
|
||||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
|
|
||||||
+ pam_test_ctx->pam_cmds);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* Wait until the test finishes with EOK */
|
|
||||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_pam_cert_auth_2certs_same_id_with_label_6(void **state)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
|
||||||
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
|
|
||||||
+
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
|
|
||||||
+ TEST_MODULE_NAME,
|
|
||||||
+ "11111111",
|
|
||||||
+ "SSSD test cert 0006", NULL,
|
|
||||||
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0006);
|
|
||||||
+
|
|
||||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
|
|
||||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
+
|
|
||||||
+ /* Assume backend cannot handle Smartcard credentials */
|
|
||||||
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
|
|
||||||
+
|
|
||||||
+ set_cmd_cb(test_pam_simple_check_success);
|
|
||||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
|
|
||||||
+ pam_test_ctx->pam_cmds);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* Wait until the test finishes with EOK */
|
|
||||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void test_pam_cert_preauth_uri_token1(void **state)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
@@ -3179,6 +3289,12 @@ int main(int argc, const char *argv[])
|
|
||||||
pam_test_setup, pam_test_teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
|
|
||||||
pam_test_setup, pam_test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_no_label,
|
|
||||||
+ pam_test_setup, pam_test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_1,
|
|
||||||
+ pam_test_setup, pam_test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_6,
|
|
||||||
+ pam_test_setup, pam_test_teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
|
|
||||||
pam_test_setup, pam_test_teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
|
|
||||||
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
|
|
||||||
index 0e0122737..8765d0fd6 100644
|
|
||||||
--- a/src/tests/test_CA/Makefile.am
|
|
||||||
+++ b/src/tests/test_CA/Makefile.am
|
|
||||||
@@ -6,6 +6,7 @@ dist_noinst_DATA = \
|
|
||||||
SSSD_test_cert_0003.config \
|
|
||||||
SSSD_test_cert_0004.config \
|
|
||||||
SSSD_test_cert_0005.config \
|
|
||||||
+ SSSD_test_cert_0006.config \
|
|
||||||
SSSD_test_cert_key_0001.pem \
|
|
||||||
SSSD_test_cert_key_0002.pem \
|
|
||||||
SSSD_test_cert_key_0003.pem \
|
|
||||||
@@ -25,7 +26,7 @@ pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
|
|
||||||
pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids)))
|
|
||||||
pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
|
|
||||||
|
|
||||||
-extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp
|
|
||||||
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id
|
|
||||||
if HAVE_FAKETIME
|
|
||||||
extra += SSSD_test_CA_expired_crl.pem
|
|
||||||
endif
|
|
||||||
@@ -41,6 +42,14 @@ $(pwdfile):
|
|
||||||
SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
|
|
||||||
$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
|
|
||||||
|
|
||||||
+# SSSD_test_cert_0006 should use the same key as SSSD_test_cert_0001
|
|
||||||
+.INTERMEDIATE: SSSD_test_cert_req_0006.pem
|
|
||||||
+SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSSD_test_cert_0006.config
|
|
||||||
+ if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0006.config) -eq 0 ]; then \
|
|
||||||
+ $(OPENSSL) req -new -nodes -key $< -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
|
|
||||||
+ else \
|
|
||||||
+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
|
|
||||||
+ fi
|
|
||||||
|
|
||||||
SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config
|
|
||||||
if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_$*.config) -eq 0 ]; then \
|
|
||||||
@@ -52,6 +61,9 @@ SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test
|
|
||||||
SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem
|
|
||||||
$(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@
|
|
||||||
|
|
||||||
+SSSD_test_cert_pkcs12_0006.pem: SSSD_test_cert_x509_0006.pem $(srcdir)/SSSD_test_cert_key_0001.pem $(pwdfile)
|
|
||||||
+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_0006.pem -inkey $(srcdir)/SSSD_test_cert_key_0001.pem -nodes -passout file:$(pwdfile) -out $@
|
|
||||||
+
|
|
||||||
SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile)
|
|
||||||
$(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
|
|
||||||
|
|
||||||
@@ -130,6 +142,18 @@ softhsm2_ocsp.conf:
|
|
||||||
@echo "objectstore.backend = file" >> $@
|
|
||||||
@echo "slots.removable = true" >> $@
|
|
||||||
|
|
||||||
+softhsm2_2certs_same_id: softhsm2_2certs_same_id.conf SSSD_test_cert_x509_0001.pem SSSD_test_cert_x509_0006.pem
|
|
||||||
+ mkdir $@
|
|
||||||
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
|
|
||||||
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0006.pem --login --label 'SSSD test cert 0006' --id '11111111'
|
|
||||||
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id '11111111'
|
|
||||||
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id '11111111'
|
|
||||||
+
|
|
||||||
+softhsm2_2certs_same_id.conf:
|
|
||||||
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2certs_same_id" > $@
|
|
||||||
+ @echo "objectstore.backend = file" >> $@
|
|
||||||
+ @echo "slots.removable = true" >> $@
|
|
||||||
+
|
|
||||||
CLEANFILES = \
|
|
||||||
index.txt index.txt.attr \
|
|
||||||
index.txt.attr.old index.txt.old \
|
|
||||||
diff --git a/src/tests/test_CA/SSSD_test_cert_0006.config b/src/tests/test_CA/SSSD_test_cert_0006.config
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..762de55cd
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/tests/test_CA/SSSD_test_cert_0006.config
|
|
||||||
@@ -0,0 +1,20 @@
|
|
||||||
+# This certificate is used in
|
|
||||||
+# - src/tests/cmocka/test_pam_srv.c
|
|
||||||
+# and should use the same key-pair as SSSD_test_cert_0001
|
|
||||||
+[ req ]
|
|
||||||
+distinguished_name = req_distinguished_name
|
|
||||||
+prompt = no
|
|
||||||
+
|
|
||||||
+[ req_distinguished_name ]
|
|
||||||
+O = SSSD
|
|
||||||
+OU = SSSD test
|
|
||||||
+CN = SSSD test cert 0006
|
|
||||||
+
|
|
||||||
+[ req_exts ]
|
|
||||||
+basicConstraints = CA:FALSE
|
|
||||||
+nsCertType = client, email
|
|
||||||
+nsComment = "SSSD test Certificate"
|
|
||||||
+subjectKeyIdentifier = hash
|
|
||||||
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
|
||||||
+extendedKeyUsage = clientAuth, emailProtection
|
|
||||||
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd//
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,53 +0,0 @@
|
|||||||
From 1e9abd508ea5627465d528788645d4dbe53d7d31 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
|
|
||||||
Date: Wed, 2 Dec 2020 03:00:26 +0100
|
|
||||||
Subject: [PATCH 17/18] data_provider_be: Add random offset default
|
|
||||||
|
|
||||||
Replace hardcoded default value of 30 with more meaningful
|
|
||||||
OFFLINE_TIMEOUT_RANDOM_OFFSET define.
|
|
||||||
|
|
||||||
This value is used to calculate task timeout during offline
|
|
||||||
status checking by formula (from SSSD MAN page):
|
|
||||||
|
|
||||||
new_interval = (old_interval * 2) + random_offset
|
|
||||||
|
|
||||||
As it is explicite mentioned in documentation it should
|
|
||||||
be expressed in the code similar way.
|
|
||||||
|
|
||||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/data_provider_be.c | 11 ++++++++---
|
|
||||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
|
||||||
index 4c10d6b48..10421c6b4 100644
|
|
||||||
--- a/src/providers/data_provider_be.c
|
|
||||||
+++ b/src/providers/data_provider_be.c
|
|
||||||
@@ -51,6 +51,7 @@
|
|
||||||
#define ONLINE_CB_RETRY 3
|
|
||||||
#define ONLINE_CB_RETRY_MAX_DELAY 4
|
|
||||||
|
|
||||||
+#define OFFLINE_TIMEOUT_RANDOM_OFFSET 30
|
|
||||||
#define OFFLINE_TIMEOUT_DEFAULT 60
|
|
||||||
#define OFFLINE_TIMEOUT_MAX_DEFAULT 3600
|
|
||||||
|
|
||||||
@@ -152,9 +153,13 @@ void be_mark_offline(struct be_ctx *ctx)
|
|
||||||
offline_timeout = get_offline_timeout(ctx);
|
|
||||||
offline_timeout_max = get_offline_timeout_max(ctx);
|
|
||||||
|
|
||||||
- ret = be_ptask_create_sync(ctx, ctx,
|
|
||||||
- offline_timeout, offline_timeout,
|
|
||||||
- offline_timeout, 30, offline_timeout,
|
|
||||||
+ ret = be_ptask_create_sync(ctx,
|
|
||||||
+ ctx,
|
|
||||||
+ offline_timeout,
|
|
||||||
+ offline_timeout,
|
|
||||||
+ offline_timeout,
|
|
||||||
+ OFFLINE_TIMEOUT_RANDOM_OFFSET,
|
|
||||||
+ offline_timeout,
|
|
||||||
offline_timeout_max,
|
|
||||||
try_to_go_online,
|
|
||||||
ctx, "Check if online (periodic)",
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,59 +0,0 @@
|
|||||||
From 171b664ec4a7c94583b35597bd7e1e72bf89d217 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
|
|
||||||
Date: Wed, 2 Dec 2020 03:10:50 +0100
|
|
||||||
Subject: [PATCH 18/18] data_provider_be: MAN page update
|
|
||||||
|
|
||||||
Updated description of parameters:
|
|
||||||
* offline_timeout
|
|
||||||
* offline_timeout_max
|
|
||||||
|
|
||||||
MAN page now explains that in some circumstances
|
|
||||||
corelation of offline_timeout and offline_timeout_max values
|
|
||||||
may lead to offline checking interval not incrementing.
|
|
||||||
This is a false positive error as in fact the value
|
|
||||||
just saturates almost instantly.
|
|
||||||
|
|
||||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
---
|
|
||||||
src/man/sssd.conf.5.xml | 14 ++++++++++++--
|
|
||||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index d637e2eaa..8b330de58 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -739,12 +739,12 @@
|
|
||||||
offline_timeout + random_offset
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- The random offset can increment up to 30 seconds.
|
|
||||||
+ The random offset value is from 0 to 30.
|
|
||||||
After each unsuccessful attempt to go online,
|
|
||||||
the new interval is recalculated by the following:
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- new_interval = old_interval*2 + random_offset
|
|
||||||
+ new_interval = (old_interval * 2) + random_offset
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
Note that the maximum length of each interval
|
|
||||||
@@ -769,6 +769,16 @@
|
|
||||||
<para>
|
|
||||||
A value of 0 disables the incrementing behaviour.
|
|
||||||
</para>
|
|
||||||
+ <para>
|
|
||||||
+ The value of this parameter should be set in correlation
|
|
||||||
+ to offline_timeout parameter value.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ With offline_timeout set to 60 (default value) there is no point
|
|
||||||
+ in setting offlinet_timeout_max to less than 120 as it will
|
|
||||||
+ saturate instantly. General rule here should be to set
|
|
||||||
+ offline_timeout_max to at least 4 times offline_timeout.
|
|
||||||
+ </para>
|
|
||||||
<para>
|
|
||||||
Although a value between 0 and offline_timeout may be
|
|
||||||
specified, it has the effect of overriding the
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,31 +0,0 @@
|
|||||||
From 45f2eb57dc9068cba13099cab90f1be3f3455442 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 2 Oct 2020 14:04:24 +0200
|
|
||||||
Subject: [PATCH 20/27] sss_format.h: include config.h
|
|
||||||
|
|
||||||
config.h is required for the definitions to work correctly. Compilation
|
|
||||||
will fail if sss_format.h is included in a file that does not include
|
|
||||||
directly or indirectly config.h
|
|
||||||
|
|
||||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/util/sss_format.h | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/util/sss_format.h b/src/util/sss_format.h
|
|
||||||
index 5cf080842..9a3041704 100644
|
|
||||||
--- a/src/util/sss_format.h
|
|
||||||
+++ b/src/util/sss_format.h
|
|
||||||
@@ -27,6 +27,8 @@
|
|
||||||
#ifndef __SSS_FORMAT_H__
|
|
||||||
#define __SSS_FORMAT_H__
|
|
||||||
|
|
||||||
+#include "config.h"
|
|
||||||
+
|
|
||||||
#include <inttypes.h>
|
|
||||||
|
|
||||||
/* key_serial_t is defined in keyutils.h as typedef int32_t */
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,59 +0,0 @@
|
|||||||
From 3b0e48c33c6b43688ff46fed576266cfe6362595 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 8 Oct 2020 13:25:17 +0200
|
|
||||||
Subject: [PATCH 21/27] packet: add sss_packet_set_body
|
|
||||||
|
|
||||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/common/responder_packet.c | 19 +++++++++++++++++++
|
|
||||||
src/responder/common/responder_packet.h | 5 +++++
|
|
||||||
2 files changed, 24 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
|
||||||
index ab15b1dac..f56d92276 100644
|
|
||||||
--- a/src/responder/common/responder_packet.c
|
|
||||||
+++ b/src/responder/common/responder_packet.c
|
|
||||||
@@ -302,6 +302,25 @@ void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen
|
|
||||||
*blen = sss_packet_get_len(packet) - SSS_NSS_HEADER_SIZE;
|
|
||||||
}
|
|
||||||
|
|
||||||
+errno_t sss_packet_set_body(struct sss_packet *packet,
|
|
||||||
+ uint8_t *body,
|
|
||||||
+ size_t blen)
|
|
||||||
+{
|
|
||||||
+ uint8_t *pbody;
|
|
||||||
+ size_t plen;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ ret = sss_packet_grow(packet, blen);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ sss_packet_get_body(packet, &pbody, &plen);
|
|
||||||
+ memcpy(pbody, body, blen);
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void sss_packet_set_error(struct sss_packet *packet, int error)
|
|
||||||
{
|
|
||||||
SAFEALIGN_SETMEM_UINT32(packet->buffer + SSS_PACKET_ERR_OFFSET, error,
|
|
||||||
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
|
|
||||||
index afceb4aae..509a22a9a 100644
|
|
||||||
--- a/src/responder/common/responder_packet.h
|
|
||||||
+++ b/src/responder/common/responder_packet.h
|
|
||||||
@@ -42,4 +42,9 @@ uint32_t sss_packet_get_status(struct sss_packet *packet);
|
|
||||||
void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen);
|
|
||||||
void sss_packet_set_error(struct sss_packet *packet, int error);
|
|
||||||
|
|
||||||
+/* Grow packet and set its body. */
|
|
||||||
+errno_t sss_packet_set_body(struct sss_packet *packet,
|
|
||||||
+ uint8_t *body,
|
|
||||||
+ size_t blen);
|
|
||||||
+
|
|
||||||
#endif /* __SSSSRV_PACKET_H__ */
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,119 +0,0 @@
|
|||||||
From 6715b31f2e12c7f76cfb477551cee46e697c7d51 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 8 Oct 2020 13:25:58 +0200
|
|
||||||
Subject: [PATCH 22/27] domain: store hostname and keytab path
|
|
||||||
|
|
||||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.c | 45 +++++++++++++++++++++++++++++++++++++++
|
|
||||||
src/confdb/confdb.h | 6 ++++++
|
|
||||||
src/db/sysdb_subdomains.c | 12 +++++++++++
|
|
||||||
3 files changed, 63 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
||||||
index d2fc018fd..f981ddf1e 100644
|
|
||||||
--- a/src/confdb/confdb.c
|
|
||||||
+++ b/src/confdb/confdb.c
|
|
||||||
@@ -871,6 +871,35 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static char *confdb_get_domain_hostname(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct ldb_result *res,
|
|
||||||
+ const char *provider)
|
|
||||||
+{
|
|
||||||
+ char sys[HOST_NAME_MAX + 1] = {'\0'};
|
|
||||||
+ const char *opt = NULL;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ if (strcasecmp(provider, "ad") == 0) {
|
|
||||||
+ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ad_hostname", NULL);
|
|
||||||
+ } else if (strcasecmp(provider, "ipa") == 0) {
|
|
||||||
+ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ipa_hostname", NULL);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (opt != NULL) {
|
|
||||||
+ return talloc_strdup(mem_ctx, opt);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = gethostname(sys, sizeof(sys));
|
|
||||||
+ if (ret != 0) {
|
|
||||||
+ ret = errno;
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get hostname [%d]: %s\n", ret,
|
|
||||||
+ sss_strerror(ret));
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return talloc_strdup(mem_ctx, sys);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
||||||
TALLOC_CTX *mem_ctx,
|
|
||||||
const char *name,
|
|
||||||
@@ -1536,6 +1565,22 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ domain->hostname = confdb_get_domain_hostname(domain, res, domain->provider);
|
|
||||||
+ if (domain->hostname == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain hostname\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ domain->krb5_keytab = NULL;
|
|
||||||
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], "krb5_keytab", NULL);
|
|
||||||
+ if (tmp != NULL) {
|
|
||||||
+ domain->krb5_keytab = talloc_strdup(domain, tmp);
|
|
||||||
+ if (domain->krb5_keytab == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain keytab!\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
domain->has_views = false;
|
|
||||||
domain->view_name = NULL;
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index fd6d76cde..54e3f7380 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -425,6 +425,12 @@ struct sss_domain_info {
|
|
||||||
/* Do not use the _output_fqnames property directly in new code, but rather
|
|
||||||
* use sss_domain_info_{get,set}_output_fqnames(). */
|
|
||||||
bool output_fqnames;
|
|
||||||
+
|
|
||||||
+ /* Hostname associated with this domain. */
|
|
||||||
+ const char *hostname;
|
|
||||||
+
|
|
||||||
+ /* Keytab used by this domain. */
|
|
||||||
+ const char *krb5_keytab;
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
|
||||||
index d256817a6..5b42f9bdc 100644
|
|
||||||
--- a/src/db/sysdb_subdomains.c
|
|
||||||
+++ b/src/db/sysdb_subdomains.c
|
|
||||||
@@ -125,6 +125,18 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ dom->hostname = talloc_strdup(dom, parent->hostname);
|
|
||||||
+ if (dom->hostname == NULL && parent->hostname != NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy hostname.\n");
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ dom->krb5_keytab = talloc_strdup(dom, parent->krb5_keytab);
|
|
||||||
+ if (dom->krb5_keytab == NULL && parent->krb5_keytab != NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy krb5_keytab.\n");
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
dom->enumerate = enumerate;
|
|
||||||
dom->fqnames = true;
|
|
||||||
dom->mpg_mode = mpg_mode;
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,70 +0,0 @@
|
|||||||
From a3e2677f919c6b1b1649ad80cc3435b4bb2efc0d Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 10 Dec 2020 19:28:58 +0100
|
|
||||||
Subject: [PATCH 23/27] cache_req: add helper to call user by upn search
|
|
||||||
|
|
||||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/common/cache_req/cache_req.h | 13 +++++++++++
|
|
||||||
.../cache_req/plugins/cache_req_user_by_upn.c | 23 +++++++++++++++++++
|
|
||||||
2 files changed, 36 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
|
|
||||||
index d36cb2d3b..d301a076e 100644
|
|
||||||
--- a/src/responder/common/cache_req/cache_req.h
|
|
||||||
+++ b/src/responder/common/cache_req/cache_req.h
|
|
||||||
@@ -277,6 +277,19 @@ cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
|
|
||||||
#define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \
|
|
||||||
cache_req_single_domain_recv(mem_ctx, req, _result)
|
|
||||||
|
|
||||||
+struct tevent_req *
|
|
||||||
+cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct tevent_context *ev,
|
|
||||||
+ struct resp_ctx *rctx,
|
|
||||||
+ struct sss_nc_ctx *ncache,
|
|
||||||
+ int cache_refresh_percent,
|
|
||||||
+ enum cache_req_dom_type req_dom_type,
|
|
||||||
+ const char *domain,
|
|
||||||
+ const char *upn);
|
|
||||||
+
|
|
||||||
+#define cache_req_user_by_upn_recv(mem_ctx, req, _result) \
|
|
||||||
+ cache_req_single_domain_recv(mem_ctx, req, _result);
|
|
||||||
+
|
|
||||||
struct tevent_req *
|
|
||||||
cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
|
|
||||||
struct tevent_context *ev,
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
|
||||||
index e08ab70ae..037994c8c 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
|
||||||
@@ -133,3 +133,26 @@ const struct cache_req_plugin cache_req_user_by_upn = {
|
|
||||||
.dp_get_domain_send_fn = NULL,
|
|
||||||
.dp_get_domain_recv_fn = NULL,
|
|
||||||
};
|
|
||||||
+
|
|
||||||
+struct tevent_req *
|
|
||||||
+cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct tevent_context *ev,
|
|
||||||
+ struct resp_ctx *rctx,
|
|
||||||
+ struct sss_nc_ctx *ncache,
|
|
||||||
+ int cache_refresh_percent,
|
|
||||||
+ enum cache_req_dom_type req_dom_type,
|
|
||||||
+ const char *domain,
|
|
||||||
+ const char *upn)
|
|
||||||
+{
|
|
||||||
+ struct cache_req_data *data;
|
|
||||||
+
|
|
||||||
+ data = cache_req_data_name(mem_ctx, CACHE_REQ_USER_BY_UPN, upn);
|
|
||||||
+ if (data == NULL) {
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
|
||||||
+ cache_refresh_percent,
|
|
||||||
+ req_dom_type, domain,
|
|
||||||
+ data);
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
From dcc42015f7ada1c4e4daed17e2c8087e29cb7616 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 1 Oct 2020 14:02:44 +0200
|
|
||||||
Subject: [PATCH 24/27] pam: fix typo in debug message
|
|
||||||
|
|
||||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index 1d0251497..acbfc0c39 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -1941,7 +1941,7 @@ static void pam_check_user_search_next(struct tevent_req *req)
|
|
||||||
talloc_zfree(req);
|
|
||||||
if (ret != EOK && ret != ENOENT) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Cache lookup failed, trying to get fresh "
|
|
||||||
- "data from the backened.\n");
|
|
||||||
+ "data from the backend.\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,280 +0,0 @@
|
|||||||
From d63172f1277c5ed166a22f04d144bf85ded4757c Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 9 Oct 2020 13:03:54 +0200
|
|
||||||
Subject: [PATCH 25/27] pam: add pam_gssapi_services option
|
|
||||||
|
|
||||||
:config: Added `pam_gssapi_services` to list PAM services
|
|
||||||
that can authenticate using GSSAPI
|
|
||||||
|
|
||||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.c | 12 +++++++++++
|
|
||||||
src/confdb/confdb.h | 4 ++++
|
|
||||||
src/config/SSSDConfig/sssdoptions.py | 1 +
|
|
||||||
src/config/SSSDConfigTest.py | 6 ++++--
|
|
||||||
src/config/cfg_rules.ini | 3 +++
|
|
||||||
src/config/etc/sssd.api.conf | 2 ++
|
|
||||||
src/db/sysdb_subdomains.c | 13 ++++++++++++
|
|
||||||
src/man/sssd.conf.5.xml | 30 ++++++++++++++++++++++++++++
|
|
||||||
src/responder/pam/pamsrv.c | 21 +++++++++++++++++++
|
|
||||||
src/responder/pam/pamsrv.h | 3 +++
|
|
||||||
10 files changed, 93 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
||||||
index f981ddf1e..7f1956d6d 100644
|
|
||||||
--- a/src/confdb/confdb.c
|
|
||||||
+++ b/src/confdb/confdb.c
|
|
||||||
@@ -1581,6 +1581,18 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
|
|
||||||
+ "-");
|
|
||||||
+ if (tmp != NULL) {
|
|
||||||
+ ret = split_on_separator(domain, tmp, ',', true, true,
|
|
||||||
+ &domain->gssapi_services, NULL);
|
|
||||||
+ if (ret != 0) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
domain->has_views = false;
|
|
||||||
domain->view_name = NULL;
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 54e3f7380..7a3bc8bb5 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -144,6 +144,7 @@
|
|
||||||
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
|
|
||||||
#define CONFDB_PAM_P11_URI "p11_uri"
|
|
||||||
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
|
|
||||||
+#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
|
|
||||||
|
|
||||||
/* SUDO */
|
|
||||||
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
|
|
||||||
@@ -431,6 +432,9 @@ struct sss_domain_info {
|
|
||||||
|
|
||||||
/* Keytab used by this domain. */
|
|
||||||
const char *krb5_keytab;
|
|
||||||
+
|
|
||||||
+ /* List of PAM services that are allowed to authenticate with GSSAPI. */
|
|
||||||
+ char **gssapi_services;
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
index de96db6f4..f59fe8d9f 100644
|
|
||||||
--- a/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
+++ b/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
@@ -104,6 +104,7 @@ class SSSDOptions(object):
|
|
||||||
'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
|
|
||||||
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
|
|
||||||
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
|
|
||||||
+ 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
|
|
||||||
|
|
||||||
# [sudo]
|
|
||||||
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index 323be5ed3..21fffe1b6 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -653,7 +653,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'full_name_format',
|
|
||||||
're_expression',
|
|
||||||
'cached_auth_timeout',
|
|
||||||
- 'auto_private_groups']
|
|
||||||
+ 'auto_private_groups',
|
|
||||||
+ 'pam_gssapi_services']
|
|
||||||
|
|
||||||
self.assertTrue(type(options) == dict,
|
|
||||||
"Options should be a dictionary")
|
|
||||||
@@ -1030,7 +1031,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'full_name_format',
|
|
||||||
're_expression',
|
|
||||||
'cached_auth_timeout',
|
|
||||||
- 'auto_private_groups']
|
|
||||||
+ 'auto_private_groups',
|
|
||||||
+ 'pam_gssapi_services']
|
|
||||||
|
|
||||||
self.assertTrue(type(options) == dict,
|
|
||||||
"Options should be a dictionary")
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index 773afd8bb..c6dfd5648 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -139,6 +139,7 @@ option = pam_p11_allowed_services
|
|
||||||
option = p11_wait_for_card_timeout
|
|
||||||
option = p11_uri
|
|
||||||
option = pam_initgroups_scheme
|
|
||||||
+option = pam_gssapi_services
|
|
||||||
|
|
||||||
[rule/allowed_sudo_options]
|
|
||||||
validator = ini_allowed_options
|
|
||||||
@@ -437,6 +438,7 @@ option = wildcard_limit
|
|
||||||
option = full_name_format
|
|
||||||
option = re_expression
|
|
||||||
option = auto_private_groups
|
|
||||||
+option = pam_gssapi_services
|
|
||||||
|
|
||||||
#Entry cache timeouts
|
|
||||||
option = entry_cache_user_timeout
|
|
||||||
@@ -831,6 +833,7 @@ option = ad_backup_server
|
|
||||||
option = ad_site
|
|
||||||
option = use_fully_qualified_names
|
|
||||||
option = auto_private_groups
|
|
||||||
+option = pam_gssapi_services
|
|
||||||
|
|
||||||
[rule/sssd_checks]
|
|
||||||
validator = sssd_checks
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index 623160ffd..f46f3c46d 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -80,6 +80,7 @@ pam_p11_allowed_services = str, None, false
|
|
||||||
p11_wait_for_card_timeout = int, None, false
|
|
||||||
p11_uri = str, None, false
|
|
||||||
pam_initgroups_scheme = str, None, false
|
|
||||||
+pam_gssapi_services = str, None, false
|
|
||||||
|
|
||||||
[sudo]
|
|
||||||
# sudo service
|
|
||||||
@@ -199,6 +200,7 @@ cached_auth_timeout = int, None, false
|
|
||||||
full_name_format = str, None, false
|
|
||||||
re_expression = str, None, false
|
|
||||||
auto_private_groups = str, None, false
|
|
||||||
+pam_gssapi_services = str, None, false
|
|
||||||
|
|
||||||
#Entry cache timeouts
|
|
||||||
entry_cache_user_timeout = int, None, false
|
|
||||||
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
|
||||||
index 5b42f9bdc..bfc6df0f5 100644
|
|
||||||
--- a/src/db/sysdb_subdomains.c
|
|
||||||
+++ b/src/db/sysdb_subdomains.c
|
|
||||||
@@ -184,6 +184,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
|
||||||
dom->homedir_substr = parent->homedir_substr;
|
|
||||||
dom->override_gid = parent->override_gid;
|
|
||||||
|
|
||||||
+ dom->gssapi_services = parent->gssapi_services;
|
|
||||||
+
|
|
||||||
if (parent->sysdb == NULL) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
|
|
||||||
goto fail;
|
|
||||||
@@ -241,6 +243,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
|
|
||||||
sd_conf_path, CONFDB_DOMAIN_FQ,
|
|
||||||
subdomain->fqnames ? "TRUE" : "FALSE");
|
|
||||||
|
|
||||||
+ /* allow to set pam_gssapi_services */
|
|
||||||
+ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
|
|
||||||
+ CONFDB_PAM_GSSAPI_SERVICES,
|
|
||||||
+ &subdomain->gssapi_services);
|
|
||||||
+ if (ret != EOK && ret != ENOENT) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "Failed to get %s option for the subdomain: %s\n",
|
|
||||||
+ CONFDB_PAM_GSSAPI_SERVICES, subdomain->name);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = EOK;
|
|
||||||
done:
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index d247400bf..db9dd4677 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -1706,6 +1706,35 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>pam_gssapi_services</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Comma separated list of PAM services that are
|
|
||||||
+ allowed to try GSSAPI authentication using
|
|
||||||
+ pam_sss_gss.so module.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ To disable GSSAPI authentication, set this option
|
|
||||||
+ to <quote>-</quote> (dash).
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Note: This option can also be set per-domain which
|
|
||||||
+ overwrites the value in [pam] section. It can also
|
|
||||||
+ be set for trusted domain which overwrites the value
|
|
||||||
+ in the domain section.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Example:
|
|
||||||
+ <programlisting>
|
|
||||||
+pam_gssapi_services = sudo, sudo-i
|
|
||||||
+ </programlisting>
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: - (GSSAPI authentication is disabled)
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect2>
|
|
||||||
|
|
||||||
@@ -3780,6 +3809,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
|
|
||||||
<para>ad_backup_server,</para>
|
|
||||||
<para>ad_site,</para>
|
|
||||||
<para>use_fully_qualified_names</para>
|
|
||||||
+ <para>pam_gssapi_services</para>
|
|
||||||
<para>
|
|
||||||
For more details about these options see their individual description
|
|
||||||
in the manual page.
|
|
||||||
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
|
||||||
index 1f1ee608b..0492569c7 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.c
|
|
||||||
+++ b/src/responder/pam/pamsrv.c
|
|
||||||
@@ -327,6 +327,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
|
|
||||||
+ CONFDB_PAM_GSSAPI_SERVICES, "-", &tmpstr);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ "Failed to determine gssapi services.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
|
|
||||||
+ CONFDB_PAM_GSSAPI_SERVICES);
|
|
||||||
+
|
|
||||||
+ if (tmpstr != NULL) {
|
|
||||||
+ ret = split_on_separator(pctx, tmpstr, ',', true, true,
|
|
||||||
+ &pctx->gssapi_services, NULL);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
+ "split_on_separator() failed [%d]: [%s].\n", ret,
|
|
||||||
+ sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* The responder is initialized. Now tell it to the monitor. */
|
|
||||||
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
|
|
||||||
SSS_PAM_SBUS_SERVICE_NAME,
|
|
||||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
||||||
index 24d307a14..730dee288 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.h
|
|
||||||
+++ b/src/responder/pam/pamsrv.h
|
|
||||||
@@ -62,6 +62,9 @@ struct pam_ctx {
|
|
||||||
int num_prompting_config_sections;
|
|
||||||
|
|
||||||
enum pam_initgroups_scheme initgroups_scheme;
|
|
||||||
+
|
|
||||||
+ /* List of PAM services that are allowed to authenticate with GSSAPI. */
|
|
||||||
+ char **gssapi_services;
|
|
||||||
};
|
|
||||||
|
|
||||||
struct pam_auth_req {
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,250 +0,0 @@
|
|||||||
From fffe3169bb490c4b010b168c639aa6f9b2ec0c52 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 10 Dec 2020 22:05:30 +0100
|
|
||||||
Subject: [PATCH 26/27] pam: add pam_gssapi_check_upn option
|
|
||||||
|
|
||||||
:config: Added `pam_gssapi_check_upn` to enforce authentication
|
|
||||||
only with principal that can be associated with target user.
|
|
||||||
|
|
||||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.c | 10 ++++++++++
|
|
||||||
src/confdb/confdb.h | 2 ++
|
|
||||||
src/config/SSSDConfig/sssdoptions.py | 1 +
|
|
||||||
src/config/SSSDConfigTest.py | 6 ++++--
|
|
||||||
src/config/cfg_rules.ini | 3 +++
|
|
||||||
src/config/etc/sssd.api.conf | 2 ++
|
|
||||||
src/db/sysdb_subdomains.c | 12 ++++++++++++
|
|
||||||
src/man/sssd.conf.5.xml | 26 ++++++++++++++++++++++++++
|
|
||||||
src/responder/pam/pamsrv.c | 9 +++++++++
|
|
||||||
src/responder/pam/pamsrv.h | 1 +
|
|
||||||
10 files changed, 70 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
||||||
index 7f1956d6d..2881ce5da 100644
|
|
||||||
--- a/src/confdb/confdb.c
|
|
||||||
+++ b/src/confdb/confdb.c
|
|
||||||
@@ -1593,6 +1593,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_CHECK_UPN,
|
|
||||||
+ NULL);
|
|
||||||
+ if (tmp != NULL) {
|
|
||||||
+ domain->gssapi_check_upn = talloc_strdup(domain, tmp);
|
|
||||||
+ if (domain->gssapi_check_upn == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
domain->has_views = false;
|
|
||||||
domain->view_name = NULL;
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 7a3bc8bb5..036f9ecad 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -145,6 +145,7 @@
|
|
||||||
#define CONFDB_PAM_P11_URI "p11_uri"
|
|
||||||
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
|
|
||||||
#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
|
|
||||||
+#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
|
|
||||||
|
|
||||||
/* SUDO */
|
|
||||||
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
|
|
||||||
@@ -435,6 +436,7 @@ struct sss_domain_info {
|
|
||||||
|
|
||||||
/* List of PAM services that are allowed to authenticate with GSSAPI. */
|
|
||||||
char **gssapi_services;
|
|
||||||
+ char *gssapi_check_upn; /* true | false | NULL */
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
index f59fe8d9f..5da52a937 100644
|
|
||||||
--- a/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
+++ b/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
@@ -105,6 +105,7 @@ class SSSDOptions(object):
|
|
||||||
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
|
|
||||||
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
|
|
||||||
'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
|
|
||||||
+ 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
|
|
||||||
|
|
||||||
# [sudo]
|
|
||||||
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index 21fffe1b6..ea4e4f6c9 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -654,7 +654,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
're_expression',
|
|
||||||
'cached_auth_timeout',
|
|
||||||
'auto_private_groups',
|
|
||||||
- 'pam_gssapi_services']
|
|
||||||
+ 'pam_gssapi_services',
|
|
||||||
+ 'pam_gssapi_check_upn']
|
|
||||||
|
|
||||||
self.assertTrue(type(options) == dict,
|
|
||||||
"Options should be a dictionary")
|
|
||||||
@@ -1032,7 +1033,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
're_expression',
|
|
||||||
'cached_auth_timeout',
|
|
||||||
'auto_private_groups',
|
|
||||||
- 'pam_gssapi_services']
|
|
||||||
+ 'pam_gssapi_services',
|
|
||||||
+ 'pam_gssapi_check_upn']
|
|
||||||
|
|
||||||
self.assertTrue(type(options) == dict,
|
|
||||||
"Options should be a dictionary")
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index c6dfd5648..6642c6321 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -140,6 +140,7 @@ option = p11_wait_for_card_timeout
|
|
||||||
option = p11_uri
|
|
||||||
option = pam_initgroups_scheme
|
|
||||||
option = pam_gssapi_services
|
|
||||||
+option = pam_gssapi_check_upn
|
|
||||||
|
|
||||||
[rule/allowed_sudo_options]
|
|
||||||
validator = ini_allowed_options
|
|
||||||
@@ -439,6 +440,7 @@ option = full_name_format
|
|
||||||
option = re_expression
|
|
||||||
option = auto_private_groups
|
|
||||||
option = pam_gssapi_services
|
|
||||||
+option = pam_gssapi_check_upn
|
|
||||||
|
|
||||||
#Entry cache timeouts
|
|
||||||
option = entry_cache_user_timeout
|
|
||||||
@@ -834,6 +836,7 @@ option = ad_site
|
|
||||||
option = use_fully_qualified_names
|
|
||||||
option = auto_private_groups
|
|
||||||
option = pam_gssapi_services
|
|
||||||
+option = pam_gssapi_check_upn
|
|
||||||
|
|
||||||
[rule/sssd_checks]
|
|
||||||
validator = sssd_checks
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index f46f3c46d..d3cad7380 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -81,6 +81,7 @@ p11_wait_for_card_timeout = int, None, false
|
|
||||||
p11_uri = str, None, false
|
|
||||||
pam_initgroups_scheme = str, None, false
|
|
||||||
pam_gssapi_services = str, None, false
|
|
||||||
+pam_gssapi_check_upn = bool, None, false
|
|
||||||
|
|
||||||
[sudo]
|
|
||||||
# sudo service
|
|
||||||
@@ -201,6 +202,7 @@ full_name_format = str, None, false
|
|
||||||
re_expression = str, None, false
|
|
||||||
auto_private_groups = str, None, false
|
|
||||||
pam_gssapi_services = str, None, false
|
|
||||||
+pam_gssapi_check_upn = bool, None, false
|
|
||||||
|
|
||||||
#Entry cache timeouts
|
|
||||||
entry_cache_user_timeout = int, None, false
|
|
||||||
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
|
||||||
index bfc6df0f5..03ba12164 100644
|
|
||||||
--- a/src/db/sysdb_subdomains.c
|
|
||||||
+++ b/src/db/sysdb_subdomains.c
|
|
||||||
@@ -254,6 +254,18 @@ check_subdom_config_file(struct confdb_ctx *confdb,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* allow to set pam_gssapi_check_upn */
|
|
||||||
+ ret = confdb_get_string(confdb, subdomain, sd_conf_path,
|
|
||||||
+ CONFDB_PAM_GSSAPI_CHECK_UPN,
|
|
||||||
+ subdomain->parent->gssapi_check_upn,
|
|
||||||
+ &subdomain->gssapi_check_upn);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "Failed to get %s option for the subdomain: %s\n",
|
|
||||||
+ CONFDB_PAM_GSSAPI_CHECK_UPN, subdomain->name);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = EOK;
|
|
||||||
done:
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index db9dd4677..d637e2eaa 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -1735,6 +1735,31 @@ pam_gssapi_services = sudo, sudo-i
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>pam_gssapi_check_upn</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ If True, SSSD will require that the Kerberos user
|
|
||||||
+ principal that successfully authenticated through
|
|
||||||
+ GSSAPI can be associated with the user who is being
|
|
||||||
+ authenticated. Authentication will fail if the check
|
|
||||||
+ fails.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ If False, every user that is able to obtained
|
|
||||||
+ required service ticket will be authenticated.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Note: This option can also be set per-domain which
|
|
||||||
+ overwrites the value in [pam] section. It can also
|
|
||||||
+ be set for trusted domain which overwrites the value
|
|
||||||
+ in the domain section.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: True
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect2>
|
|
||||||
|
|
||||||
@@ -3810,6 +3835,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
|
|
||||||
<para>ad_site,</para>
|
|
||||||
<para>use_fully_qualified_names</para>
|
|
||||||
<para>pam_gssapi_services</para>
|
|
||||||
+ <para>pam_gssapi_check_upn</para>
|
|
||||||
<para>
|
|
||||||
For more details about these options see their individual description
|
|
||||||
in the manual page.
|
|
||||||
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
|
||||||
index 0492569c7..0db2824ff 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.c
|
|
||||||
+++ b/src/responder/pam/pamsrv.c
|
|
||||||
@@ -348,6 +348,15 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = confdb_get_bool(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
|
|
||||||
+ CONFDB_PAM_GSSAPI_CHECK_UPN, true,
|
|
||||||
+ &pctx->gssapi_check_upn);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read %s [%d]: %s\n",
|
|
||||||
+ CONFDB_PAM_GSSAPI_CHECK_UPN, ret, sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* The responder is initialized. Now tell it to the monitor. */
|
|
||||||
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
|
|
||||||
SSS_PAM_SBUS_SERVICE_NAME,
|
|
||||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
||||||
index 730dee288..bf4dd75b0 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.h
|
|
||||||
+++ b/src/responder/pam/pamsrv.h
|
|
||||||
@@ -65,6 +65,7 @@ struct pam_ctx {
|
|
||||||
|
|
||||||
/* List of PAM services that are allowed to authenticate with GSSAPI. */
|
|
||||||
char **gssapi_services;
|
|
||||||
+ bool gssapi_check_upn;
|
|
||||||
};
|
|
||||||
|
|
||||||
struct pam_auth_req {
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,100 +0,0 @@
|
|||||||
From 3f0ba4c2dcf9126b0f94bca4a056b516759d25c1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 6 Mar 2020 12:49:04 +0100
|
|
||||||
Subject: [PATCH 13/18] cache_req: allow cache_req to return ERR_OFFLINE if all
|
|
||||||
dp request failed
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/common/cache_req/cache_req.c | 13 +++++++++++++
|
|
||||||
src/responder/common/cache_req/cache_req.h | 4 ++++
|
|
||||||
src/responder/common/cache_req/cache_req_data.c | 12 ++++++++++++
|
|
||||||
src/responder/common/cache_req/cache_req_private.h | 3 +++
|
|
||||||
4 files changed, 32 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
|
||||||
index afb0e7cda..0c8538414 100644
|
|
||||||
--- a/src/responder/common/cache_req/cache_req.c
|
|
||||||
+++ b/src/responder/common/cache_req/cache_req.c
|
|
||||||
@@ -974,6 +974,13 @@ static void cache_req_search_domains_done(struct tevent_req *subreq)
|
|
||||||
case ERR_ID_OUTSIDE_RANGE:
|
|
||||||
case ENOENT:
|
|
||||||
if (state->check_next == false) {
|
|
||||||
+ if (state->cr->data->propogate_offline_status && !state->dp_success) {
|
|
||||||
+ /* Not found and data provider request failed so we were
|
|
||||||
+ * unable to fetch the data. */
|
|
||||||
+ ret = ERR_OFFLINE;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Not found. */
|
|
||||||
ret = ENOENT;
|
|
||||||
goto done;
|
|
||||||
@@ -1002,6 +1009,12 @@ done:
|
|
||||||
case EAGAIN:
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
+ if (ret == ENOENT && state->cr->data->propogate_offline_status
|
|
||||||
+ && !state->dp_success) {
|
|
||||||
+ /* Not found and data provider request failed so we were
|
|
||||||
+ * unable to fetch the data. */
|
|
||||||
+ ret = ERR_OFFLINE;
|
|
||||||
+ }
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
|
|
||||||
index 72d4abe5e..d36cb2d3b 100644
|
|
||||||
--- a/src/responder/common/cache_req/cache_req.h
|
|
||||||
+++ b/src/responder/common/cache_req/cache_req.h
|
|
||||||
@@ -171,6 +171,10 @@ void
|
|
||||||
cache_req_data_set_requested_domains(struct cache_req_data *data,
|
|
||||||
char **requested_domains);
|
|
||||||
|
|
||||||
+void
|
|
||||||
+cache_req_data_set_propogate_offline_status(struct cache_req_data *data,
|
|
||||||
+ bool propogate_offline_status);
|
|
||||||
+
|
|
||||||
enum cache_req_type
|
|
||||||
cache_req_data_get_type(struct cache_req_data *data);
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
|
|
||||||
index 14c4ad14f..fe9f3db29 100644
|
|
||||||
--- a/src/responder/common/cache_req/cache_req_data.c
|
|
||||||
+++ b/src/responder/common/cache_req/cache_req_data.c
|
|
||||||
@@ -455,6 +455,18 @@ cache_req_data_set_requested_domains(struct cache_req_data *data,
|
|
||||||
data->requested_domains = requested_domains;
|
|
||||||
}
|
|
||||||
|
|
||||||
+void
|
|
||||||
+cache_req_data_set_propogate_offline_status(struct cache_req_data *data,
|
|
||||||
+ bool propogate_offline_status)
|
|
||||||
+{
|
|
||||||
+ if (data == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data->propogate_offline_status = propogate_offline_status;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
enum cache_req_type
|
|
||||||
cache_req_data_get_type(struct cache_req_data *data)
|
|
||||||
{
|
|
||||||
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
|
|
||||||
index bfca688b9..2d52e7600 100644
|
|
||||||
--- a/src/responder/common/cache_req/cache_req_private.h
|
|
||||||
+++ b/src/responder/common/cache_req/cache_req_private.h
|
|
||||||
@@ -103,6 +103,9 @@ struct cache_req_data {
|
|
||||||
|
|
||||||
/* if set, only search in the listed domains */
|
|
||||||
char **requested_domains;
|
|
||||||
+
|
|
||||||
+ /* if set, ERR_OFFLINE is returned if data provider is offline */
|
|
||||||
+ bool propogate_offline_status;
|
|
||||||
};
|
|
||||||
|
|
||||||
struct tevent_req *
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From e50258da70b67ff1b0f928e2e7875bc2fa32dfde Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 6 Mar 2020 13:12:46 +0100
|
|
||||||
Subject: [PATCH 14/18] autofs: return ERR_OFFLINE if we fail to get
|
|
||||||
information from backend and cache is empty
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://github.com/SSSD/sssd/issues/3413
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 ++
|
|
||||||
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 ++
|
|
||||||
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 ++
|
|
||||||
3 files changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
index cb674add6..55c9fc8b0 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
@@ -142,6 +142,8 @@ cache_req_autofs_entry_by_name_send(TALLOC_CTX *mem_ctx,
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ cache_req_data_set_propogate_offline_status(data, true);
|
|
||||||
+
|
|
||||||
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
|
||||||
cache_refresh_percent,
|
|
||||||
CACHE_REQ_POSIX_DOM, domain,
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
index 3c08eaf4f..823eb3595 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
@@ -136,6 +136,8 @@ cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx,
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ cache_req_data_set_propogate_offline_status(data, true);
|
|
||||||
+
|
|
||||||
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
|
||||||
cache_refresh_percent,
|
|
||||||
CACHE_REQ_POSIX_DOM, domain,
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
index 1b5645fa0..3e47b1321 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
@@ -168,6 +168,8 @@ cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx,
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ cache_req_data_set_propogate_offline_status(data, true);
|
|
||||||
+
|
|
||||||
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
|
||||||
cache_refresh_percent,
|
|
||||||
CACHE_REQ_POSIX_DOM, domain,
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,51 +0,0 @@
|
|||||||
From 9098108a7142513fa04afdf92a2c1b3ac002c56e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 6 Mar 2020 13:44:56 +0100
|
|
||||||
Subject: [PATCH 15/18] autofs: translate ERR_OFFLINE to EHOSTDOWN
|
|
||||||
|
|
||||||
So we do not publish internal error code.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://github.com/SSSD/sssd/issues/3413
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/sss_client/common.c | 15 ++++++++++++---
|
|
||||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
|
||||||
index 902438c86..d29332939 100644
|
|
||||||
--- a/src/sss_client/common.c
|
|
||||||
+++ b/src/sss_client/common.c
|
|
||||||
@@ -44,6 +44,7 @@
|
|
||||||
#define _(STRING) dgettext (PACKAGE, STRING)
|
|
||||||
#include "sss_cli.h"
|
|
||||||
#include "common_private.h"
|
|
||||||
+#include "util/util_errors.h"
|
|
||||||
|
|
||||||
#if HAVE_PTHREAD
|
|
||||||
#include <pthread.h>
|
|
||||||
@@ -1054,9 +1055,17 @@ int sss_autofs_make_request(enum sss_cli_command cmd,
|
|
||||||
uint8_t **repbuf, size_t *replen,
|
|
||||||
int *errnop)
|
|
||||||
{
|
|
||||||
- return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
|
|
||||||
- repbuf, replen, errnop,
|
|
||||||
- SSS_AUTOFS_SOCKET_NAME);
|
|
||||||
+ enum sss_status status;
|
|
||||||
+
|
|
||||||
+ status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
|
|
||||||
+ repbuf, replen, errnop,
|
|
||||||
+ SSS_AUTOFS_SOCKET_NAME);
|
|
||||||
+
|
|
||||||
+ if (*errnop == ERR_OFFLINE) {
|
|
||||||
+ *errnop = EHOSTDOWN;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return status;
|
|
||||||
}
|
|
||||||
|
|
||||||
int sss_ssh_make_request(enum sss_cli_command cmd,
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,61 +0,0 @@
|
|||||||
From 34c519a4851194164befc150df8e768431e66405 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Tue, 22 Sep 2020 11:04:25 +0200
|
|
||||||
Subject: [PATCH 16/18] autofs: disable fast reply
|
|
||||||
|
|
||||||
If the backend is offline when autofs starts and reads auto.master map
|
|
||||||
we don't want to wait 60 seconds before the offline flag is reset. We
|
|
||||||
need to allow autofs to retry the call much sooner.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://github.com/SSSD/sssd/issues/3413
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +-
|
|
||||||
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +-
|
|
||||||
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +-
|
|
||||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
index 55c9fc8b0..cd2085187 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
@@ -84,7 +84,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
return sbus_call_dp_autofs_GetEntry_send(mem_ctx, be_conn->conn,
|
|
||||||
be_conn->bus_name, SSS_BUS_PATH,
|
|
||||||
- DP_FAST_REPLY, data->name.name,
|
|
||||||
+ 0, data->name.name,
|
|
||||||
data->autofs_entry_name);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
index 823eb3595..9d9bc3a97 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
@@ -81,7 +81,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
|
|
||||||
be_conn->bus_name, SSS_BUS_PATH,
|
|
||||||
- DP_FAST_REPLY, data->name.name);
|
|
||||||
+ 0, data->name.name);
|
|
||||||
}
|
|
||||||
|
|
||||||
bool
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
index 3e47b1321..ee0156b6a 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
@@ -113,7 +113,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
|
|
||||||
be_conn->bus_name, SSS_BUS_PATH,
|
|
||||||
- DP_FAST_REPLY, data->name.name);
|
|
||||||
+ 0, data->name.name);
|
|
||||||
}
|
|
||||||
|
|
||||||
bool
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,168 +0,0 @@
|
|||||||
From 8a22d4ad45f5fc8e888be693539495093c2b3c35 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Wed, 4 Nov 2020 14:20:10 +0100
|
|
||||||
Subject: [PATCH 17/18] autofs: correlate errors for different protocol
|
|
||||||
versions
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/sss_client/autofs/autofs_test_client.c | 12 ++++++++
|
|
||||||
src/sss_client/autofs/sss_autofs.c | 35 +++++++++++++++++++---
|
|
||||||
src/sss_client/autofs/sss_autofs.exports | 9 +++---
|
|
||||||
src/sss_client/autofs/sss_autofs_private.h | 5 ++++
|
|
||||||
4 files changed, 53 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c
|
|
||||||
index c5358233f..4b285151e 100644
|
|
||||||
--- a/src/sss_client/autofs/autofs_test_client.c
|
|
||||||
+++ b/src/sss_client/autofs/autofs_test_client.c
|
|
||||||
@@ -45,10 +45,14 @@ int main(int argc, const char *argv[])
|
|
||||||
char *value = NULL;
|
|
||||||
char *pc_key = NULL;
|
|
||||||
int pc_setent = 0;
|
|
||||||
+ int pc_protocol = 1;
|
|
||||||
+ unsigned int protocol;
|
|
||||||
+ unsigned int requested_protocol = 1;
|
|
||||||
struct poptOption long_options[] = {
|
|
||||||
POPT_AUTOHELP
|
|
||||||
{ "by-name", 'n', POPT_ARG_STRING, &pc_key, 0, "Request map by name", NULL },
|
|
||||||
{ "only-setent", 's', POPT_ARG_VAL, &pc_setent, 1, "Run only setent, do not enumerate", NULL },
|
|
||||||
+ { "protocol", 'p', POPT_ARG_INT, &pc_protocol, 0, "Protocol version", NULL },
|
|
||||||
POPT_TABLEEND
|
|
||||||
};
|
|
||||||
poptContext pc = NULL;
|
|
||||||
@@ -69,6 +73,14 @@ int main(int argc, const char *argv[])
|
|
||||||
|
|
||||||
poptFreeContext(pc);
|
|
||||||
|
|
||||||
+ requested_protocol = pc_protocol;
|
|
||||||
+ protocol = _sss_auto_protocol_version(requested_protocol);
|
|
||||||
+ if (protocol != requested_protocol) {
|
|
||||||
+ fprintf(stderr, "Unsupported protocol version: %d -> %d\n",
|
|
||||||
+ requested_protocol, protocol);
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = _sss_setautomntent(mapname, &ctx);
|
|
||||||
if (ret) {
|
|
||||||
fprintf(stderr, "setautomntent failed [%d]: %s\n",
|
|
||||||
diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
|
|
||||||
index 482ff2c40..ef27cf895 100644
|
|
||||||
--- a/src/sss_client/autofs/sss_autofs.c
|
|
||||||
+++ b/src/sss_client/autofs/sss_autofs.c
|
|
||||||
@@ -20,6 +20,7 @@
|
|
||||||
|
|
||||||
#include <errno.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
+#include <stdatomic.h>
|
|
||||||
|
|
||||||
#include "sss_client/autofs/sss_autofs_private.h"
|
|
||||||
#include "sss_client/sss_cli.h"
|
|
||||||
@@ -33,6 +34,32 @@
|
|
||||||
/* How many entries shall _sss_getautomntent_r retrieve at once */
|
|
||||||
#define GETAUTOMNTENT_MAX_ENTRIES 512
|
|
||||||
|
|
||||||
+static atomic_uint _protocol = 0;
|
|
||||||
+
|
|
||||||
+unsigned int _sss_auto_protocol_version(unsigned int requested)
|
|
||||||
+{
|
|
||||||
+ switch (requested) {
|
|
||||||
+ case 0:
|
|
||||||
+ /* EHOSTDOWN will be translated to ENOENT */
|
|
||||||
+ _protocol = 0;
|
|
||||||
+ return 0;
|
|
||||||
+ default:
|
|
||||||
+ /* There is no other protocol version at this point. */
|
|
||||||
+ _protocol = 1;
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Returns correct errno based on autofs version expectations. */
|
|
||||||
+static errno_t errnop_to_errno(int errnop)
|
|
||||||
+{
|
|
||||||
+ if (errnop == EHOSTDOWN && _protocol == 0) {
|
|
||||||
+ return ENOENT;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return errnop;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
struct automtent {
|
|
||||||
char *mapname;
|
|
||||||
size_t cursor;
|
|
||||||
@@ -93,7 +120,7 @@ _sss_setautomntent(const char *mapname, void **context)
|
|
||||||
&repbuf, &replen, &errnop);
|
|
||||||
if (ret != SSS_STATUS_SUCCESS) {
|
|
||||||
free(name);
|
|
||||||
- ret = errnop;
|
|
||||||
+ ret = errnop_to_errno(errnop);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -310,7 +337,7 @@ _sss_getautomntent_r(char **key, char **value, void *context)
|
|
||||||
&repbuf, &replen, &errnop);
|
|
||||||
free(data);
|
|
||||||
if (ret != SSS_STATUS_SUCCESS) {
|
|
||||||
- ret = errnop;
|
|
||||||
+ ret = errnop_to_errno(errnop);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -408,7 +435,7 @@ _sss_getautomntbyname_r(const char *key, char **value, void *context)
|
|
||||||
&repbuf, &replen, &errnop);
|
|
||||||
free(data);
|
|
||||||
if (ret != SSS_STATUS_SUCCESS) {
|
|
||||||
- ret = errnop;
|
|
||||||
+ ret = errnop_to_errno(errnop);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -467,7 +494,7 @@ _sss_endautomntent(void **context)
|
|
||||||
ret = sss_autofs_make_request(SSS_AUTOFS_ENDAUTOMNTENT,
|
|
||||||
NULL, NULL, NULL, &errnop);
|
|
||||||
if (ret != SSS_STATUS_SUCCESS) {
|
|
||||||
- ret = errnop;
|
|
||||||
+ ret = errnop_to_errno(errnop);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/autofs/sss_autofs.exports b/src/sss_client/autofs/sss_autofs.exports
|
|
||||||
index f9ce8f5b2..ec61f715e 100644
|
|
||||||
--- a/src/sss_client/autofs/sss_autofs.exports
|
|
||||||
+++ b/src/sss_client/autofs/sss_autofs.exports
|
|
||||||
@@ -2,10 +2,11 @@ EXPORTED {
|
|
||||||
|
|
||||||
# public functions
|
|
||||||
global:
|
|
||||||
- _sss_setautomntent;
|
|
||||||
- _sss_getautomntent_r;
|
|
||||||
- _sss_getautomntbyname_r;
|
|
||||||
- _sss_endautomntent;
|
|
||||||
+ _sss_auto_protocol_version;
|
|
||||||
+ _sss_setautomntent;
|
|
||||||
+ _sss_getautomntent_r;
|
|
||||||
+ _sss_getautomntbyname_r;
|
|
||||||
+ _sss_endautomntent;
|
|
||||||
|
|
||||||
# everything else is local
|
|
||||||
local:
|
|
||||||
diff --git a/src/sss_client/autofs/sss_autofs_private.h b/src/sss_client/autofs/sss_autofs_private.h
|
|
||||||
index 6459c1cc7..7fd49db1d 100644
|
|
||||||
--- a/src/sss_client/autofs/sss_autofs_private.h
|
|
||||||
+++ b/src/sss_client/autofs/sss_autofs_private.h
|
|
||||||
@@ -21,6 +21,11 @@
|
|
||||||
#include <errno.h>
|
|
||||||
#include "util/util.h"
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * Choose an autofs protocol version to be used between autofs and sss_autofs.
|
|
||||||
+ */
|
|
||||||
+unsigned int _sss_auto_protocol_version(unsigned int requested);
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* Selects a map for processing.
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
From 075519bceca7a8f4fa28a0b7c538f2f50d552d13 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 26 Nov 2020 14:56:08 +0100
|
|
||||||
Subject: [PATCH 18/18] configure: check for stdatomic.h
|
|
||||||
|
|
||||||
Recent autofs patches adds dependency on automic_uint/_Atomic type from C11
|
|
||||||
standard. This is supported in both gcc and clang for a long time now.
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
configure.ac | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 1af1d1785..0d24c4b35 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -42,6 +42,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
|
|
||||||
AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
|
|
||||||
|
|
||||||
AC_CHECK_HEADERS(stdint.h dlfcn.h)
|
|
||||||
+AC_CHECK_HEADERS([stdatomic.h],,AC_MSG_ERROR([C11 atomic types are not supported]))
|
|
||||||
AC_CONFIG_HEADER(config.h)
|
|
||||||
|
|
||||||
AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,131 +0,0 @@
|
|||||||
From 2499bd145f566bfd73b8c7e284b910dd2b36c6d1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 15 Jan 2021 12:04:38 +0100
|
|
||||||
Subject: [PATCH] cache_req: ignore autofs not configured error
|
|
||||||
|
|
||||||
Otherwise we return ERR_OFFLINE for domains where autofs provider is not
|
|
||||||
set (such as implicit files domain) which is undesirable.
|
|
||||||
|
|
||||||
Steps to reproduce:
|
|
||||||
1. Enable implicit files domains and LDAP domain with autofs configured
|
|
||||||
2. Setup NFS server to export `/exports` with `/exports/home/test`
|
|
||||||
3. Add autofs mount points:
|
|
||||||
```
|
|
||||||
dn: ou=mount,dc=ldap,dc=vm
|
|
||||||
ou: mount
|
|
||||||
objectClass: organizationalUnit
|
|
||||||
objectClass: top
|
|
||||||
|
|
||||||
dn: nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
|
|
||||||
objectClass: nisMap
|
|
||||||
objectClass: top
|
|
||||||
nisMapName: auto.master
|
|
||||||
|
|
||||||
dn: cn=/export/home,nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
|
|
||||||
objectClass: nisObject
|
|
||||||
objectClass: top
|
|
||||||
cn: /export/home
|
|
||||||
nisMapEntry: auto.home
|
|
||||||
nisMapName: auto.master
|
|
||||||
|
|
||||||
dn: nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
|
|
||||||
objectClass: nisMap
|
|
||||||
objectClass: top
|
|
||||||
nisMapName: auto.home
|
|
||||||
|
|
||||||
dn: cn=/,nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
|
|
||||||
objectClass: nisObject
|
|
||||||
objectClass: top
|
|
||||||
cn: /
|
|
||||||
nisMapEntry: -fstype=nfs,rw master.ldap.vm:/export/home/&
|
|
||||||
nisMapName: auto.home
|
|
||||||
```
|
|
||||||
4. Run SSSD and autofs
|
|
||||||
5. cd to /exports/home/test
|
|
||||||
|
|
||||||
The directory will not be mounted with the new autofs protocol. It
|
|
||||||
will succeed with the old protocol. In both versions, you'll see
|
|
||||||
that SSSD returned ERR_OFFLINE:
|
|
||||||
|
|
||||||
```
|
|
||||||
(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured
|
|
||||||
...
|
|
||||||
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache
|
|
||||||
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Object [auto.home:test] was not found in cache
|
|
||||||
(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache
|
|
||||||
(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline
|
|
||||||
```
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
.../cache_req/plugins/cache_req_autofs_entry_by_name.c | 10 +++++++++-
|
|
||||||
.../cache_req/plugins/cache_req_autofs_map_by_name.c | 10 +++++++++-
|
|
||||||
.../cache_req/plugins/cache_req_autofs_map_entries.c | 10 +++++++++-
|
|
||||||
3 files changed, 27 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
index cd2085187..f411fd351 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
|
||||||
@@ -92,7 +92,15 @@ bool
|
|
||||||
cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq,
|
|
||||||
struct cache_req *cr)
|
|
||||||
{
|
|
||||||
- return sbus_call_dp_autofs_GetEntry_recv(subreq) == EOK;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ ret = sbus_call_dp_autofs_GetEntry_recv(subreq);
|
|
||||||
+
|
|
||||||
+ if (ret == ERR_MISSING_DP_TARGET) {
|
|
||||||
+ ret = EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return ret == EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
const struct cache_req_plugin cache_req_autofs_entry_by_name = {
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
index 9d9bc3a97..c22cf0c8e 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
|
||||||
@@ -88,7 +88,15 @@ bool
|
|
||||||
cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq,
|
|
||||||
struct cache_req *cr)
|
|
||||||
{
|
|
||||||
- return sbus_call_dp_autofs_GetMap_recv(subreq) == EOK;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ ret = sbus_call_dp_autofs_GetMap_recv(subreq);
|
|
||||||
+
|
|
||||||
+ if (ret == ERR_MISSING_DP_TARGET) {
|
|
||||||
+ ret = EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return ret == EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
const struct cache_req_plugin cache_req_autofs_map_by_name = {
|
|
||||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
index ee0156b6a..4d9db6595 100644
|
|
||||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
|
||||||
@@ -120,7 +120,15 @@ bool
|
|
||||||
cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq,
|
|
||||||
struct cache_req *cr)
|
|
||||||
{
|
|
||||||
- return sbus_call_dp_autofs_Enumerate_recv(subreq) == EOK;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ ret = sbus_call_dp_autofs_Enumerate_recv(subreq);
|
|
||||||
+
|
|
||||||
+ if (ret == ERR_MISSING_DP_TARGET) {
|
|
||||||
+ ret = EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return ret == EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
const struct cache_req_plugin cache_req_autofs_map_entries = {
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,100 +0,0 @@
|
|||||||
From 19c2c641e669ee1c08d6706c132625dc30e64609 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 12 Jan 2021 16:40:56 +0100
|
|
||||||
Subject: [PATCH] simple: fix memory leak while reloading lists
|
|
||||||
|
|
||||||
The simple access provider will reload the access and deny lists at
|
|
||||||
runtime to make sure that users and groups from domains which are
|
|
||||||
discovered at runtime are properly processed.
|
|
||||||
|
|
||||||
While reloading the lists the original lists are not freed and an
|
|
||||||
intermediate list wasn't removed as well.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5456
|
|
||||||
|
|
||||||
:fixes: Memory leak in the simple access provider
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/simple/simple_access.c | 28 +++++++++++++++++++++-------
|
|
||||||
1 file changed, 21 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
|
|
||||||
index 1868569b1..49226adf2 100644
|
|
||||||
--- a/src/providers/simple/simple_access.c
|
|
||||||
+++ b/src/providers/simple/simple_access.c
|
|
||||||
@@ -117,17 +117,13 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
|
|
||||||
const char *name;
|
|
||||||
const char *option;
|
|
||||||
char **orig_list;
|
|
||||||
- char ***ctx_list;
|
|
||||||
+ char **ctx_list;
|
|
||||||
} lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
|
|
||||||
{"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
|
|
||||||
{"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
|
|
||||||
{"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
|
|
||||||
{NULL, NULL, NULL, NULL}};
|
|
||||||
|
|
||||||
- lists[0].ctx_list = &ctx->allow_users;
|
|
||||||
- lists[1].ctx_list = &ctx->deny_users;
|
|
||||||
- lists[2].ctx_list = &ctx->allow_groups;
|
|
||||||
- lists[3].ctx_list = &ctx->deny_groups;
|
|
||||||
|
|
||||||
ret = sysdb_master_domain_update(bectx->domain);
|
|
||||||
if (ret != EOK) {
|
|
||||||
@@ -141,7 +137,6 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
|
|
||||||
lists[i].option, &lists[i].orig_list);
|
|
||||||
if (ret == ENOENT) {
|
|
||||||
DEBUG(SSSDBG_FUNC_DATA, "%s list is empty.\n", lists[i].name);
|
|
||||||
- *lists[i].ctx_list = NULL;
|
|
||||||
continue;
|
|
||||||
} else if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string_as_list failed.\n");
|
|
||||||
@@ -149,7 +144,8 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
|
|
||||||
- lists[i].ctx_list);
|
|
||||||
+ &lists[i].ctx_list);
|
|
||||||
+ talloc_free(lists[i].orig_list);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse %s list [%d]: %s\n",
|
|
||||||
lists[i].name, ret, sss_strerror(ret));
|
|
||||||
@@ -157,6 +153,18 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ talloc_free(ctx->allow_users);
|
|
||||||
+ ctx->allow_users = talloc_steal(ctx, lists[0].ctx_list);
|
|
||||||
+
|
|
||||||
+ talloc_free(ctx->deny_users);
|
|
||||||
+ ctx->deny_users = talloc_steal(ctx, lists[1].ctx_list);
|
|
||||||
+
|
|
||||||
+ talloc_free(ctx->allow_groups);
|
|
||||||
+ ctx->allow_groups = talloc_steal(ctx, lists[2].ctx_list);
|
|
||||||
+
|
|
||||||
+ talloc_free(ctx->deny_groups);
|
|
||||||
+ ctx->deny_groups = talloc_steal(ctx, lists[3].ctx_list);
|
|
||||||
+
|
|
||||||
if (!ctx->allow_users &&
|
|
||||||
!ctx->allow_groups &&
|
|
||||||
!ctx->deny_users &&
|
|
||||||
@@ -165,9 +173,15 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
|
|
||||||
"No rules supplied for simple access provider. "
|
|
||||||
"Access will be granted for all users.\n");
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
return EOK;
|
|
||||||
|
|
||||||
failed:
|
|
||||||
+ for (i = 0; lists[i].name != NULL; i++) {
|
|
||||||
+ talloc_free(lists[i].ctx_list);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From bdf461c7577c458d7b2a785b2007c0ccae73e3f7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Mon, 11 Jan 2021 18:28:02 +0100
|
|
||||||
Subject: [PATCH] SBUS: do not try to del non existing sender
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5425
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/sbus/request/sbus_request_sender.c | 9 +++++----
|
|
||||||
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sbus/request/sbus_request_sender.c b/src/sbus/request/sbus_request_sender.c
|
|
||||||
index cecb188b0..39cdec064 100644
|
|
||||||
--- a/src/sbus/request/sbus_request_sender.c
|
|
||||||
+++ b/src/sbus/request/sbus_request_sender.c
|
|
||||||
@@ -101,10 +101,11 @@ void
|
|
||||||
sbus_senders_delete(hash_table_t *table,
|
|
||||||
const char *name)
|
|
||||||
{
|
|
||||||
- DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
|
|
||||||
- name);
|
|
||||||
-
|
|
||||||
- sss_ptr_hash_delete(table, name, true);
|
|
||||||
+ if (sss_ptr_hash_has_key(table, name)) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
|
|
||||||
+ name);
|
|
||||||
+ sss_ptr_hash_delete(table, name, true);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
errno_t
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From c0ae6d34ff7c170ca0e6d0faa8a2daf9a77becb7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 8 Jan 2021 14:00:47 +0100
|
|
||||||
Subject: [PATCH] pamsrv_gssapi: fix implicit conversion warning
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
src/responder/pam/pamsrv_gssapi.c: In function ‘pam_cmd_gssapi_sec_ctx’:
|
|
||||||
src/responder/pam/pamsrv_gssapi.c:716:64: error: implicit conversion from ‘enum sss_domain_type’ to ‘enum cache_req_dom_type’ [-Werror=enum-conversion]
|
|
||||||
716 | cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/pam/pamsrv_gssapi.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
|
|
||||||
index 099675e1c..2d05c7888 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_gssapi.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_gssapi.c
|
|
||||||
@@ -713,7 +713,8 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
|
|
||||||
DEBUG(SSSDBG_TRACE_FUNC, "Checking that target user matches UPN\n");
|
|
||||||
|
|
||||||
req = cache_req_user_by_upn_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx,
|
|
||||||
- cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
|
|
||||||
+ cli_ctx->rctx->ncache, 0,
|
|
||||||
+ CACHE_REQ_POSIX_DOM,
|
|
||||||
domain->name, state->authenticated_upn);
|
|
||||||
if (req == NULL) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From cc173629f30fbc885ee90e52a205554b118e0ee6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Mon, 11 Jan 2021 13:11:39 +0100
|
|
||||||
Subject: [PATCH 38/39] gssapi: default pam_gssapi_services to NULL in domain
|
|
||||||
section
|
|
||||||
|
|
||||||
We need to distinguish when the option is not set in domain section and when
|
|
||||||
it is is explicitly disabled. Now if it is not set, domain->gssapi_services
|
|
||||||
is NULL and we'll use value from the pam section.
|
|
||||||
|
|
||||||
Without this change, the value in the pam section is ignored.
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
||||||
index 2881ce5da..befcfff2d 100644
|
|
||||||
--- a/src/confdb/confdb.c
|
|
||||||
+++ b/src/confdb/confdb.c
|
|
||||||
@@ -1582,7 +1582,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
||||||
}
|
|
||||||
|
|
||||||
tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
|
|
||||||
- "-");
|
|
||||||
+ NULL);
|
|
||||||
if (tmp != NULL) {
|
|
||||||
ret = split_on_separator(domain, tmp, ',', true, true,
|
|
||||||
&domain->gssapi_services, NULL);
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,133 +0,0 @@
|
|||||||
From 111b8b4d62a4fe192c075e6f6bfacb408e6074b3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Tue, 12 Jan 2021 13:50:11 +0100
|
|
||||||
Subject: [PATCH 39/39] pam_sss_gssapi: fix coverity issues
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
```
|
|
||||||
1. Defect type: RESOURCE_LEAK
|
|
||||||
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
|
|
||||||
Expand
|
|
||||||
2. Defect type: RESOURCE_LEAK
|
|
||||||
3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to.
|
|
||||||
Expand
|
|
||||||
3. Defect type: RESOURCE_LEAK
|
|
||||||
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
|
|
||||||
Expand
|
|
||||||
4. Defect type: RESOURCE_LEAK
|
|
||||||
6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to.
|
|
||||||
Expand
|
|
||||||
5. Defect type: RESOURCE_LEAK
|
|
||||||
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to.
|
|
||||||
Expand
|
|
||||||
6. Defect type: RESOURCE_LEAK
|
|
||||||
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to.
|
|
||||||
|
|
||||||
1. Defect type: CLANG_WARNING
|
|
||||||
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username'
|
|
||||||
Expand
|
|
||||||
2. Defect type: CLANG_WARNING
|
|
||||||
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn'
|
|
||||||
Expand
|
|
||||||
3. Defect type: CLANG_WARNING
|
|
||||||
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target'
|
|
||||||
Expand
|
|
||||||
4. Defect type: CLANG_WARNING
|
|
||||||
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain'
|
|
||||||
```
|
|
||||||
|
|
||||||
Also fix compilation warning
|
|
||||||
```
|
|
||||||
../src/sss_client/pam_sss_gss.c:339:5: warning: ‘reply’ may be used uninitialized in this function [-Wmaybe-uninitialized]
|
|
||||||
339 | free(reply);
|
|
||||||
| ^~~~~~~~~~~
|
|
||||||
../src/sss_client/pam_sss_gss.c:328:14: note: ‘reply’ was declared here
|
|
||||||
328 | uint8_t *reply;
|
|
||||||
| ^~~~~
|
|
||||||
../src/sss_client/pam_sss_gss.c:270:11: warning: ‘reply_len’ may be used uninitialized in this function [-Wmaybe-uninitialized]
|
|
||||||
270 | upn = malloc(reply_len * sizeof(char));
|
|
||||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
../src/sss_client/pam_sss_gss.c:327:12: note: ‘reply_len’ was declared here
|
|
||||||
327 | size_t reply_len;
|
|
||||||
| ^~~~~~~~~
|
|
||||||
```
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/sss_client/pam_sss_gss.c | 22 ++++++++++++++++++----
|
|
||||||
1 file changed, 18 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
|
|
||||||
index cd38db7da..51be36ece 100644
|
|
||||||
--- a/src/sss_client/pam_sss_gss.c
|
|
||||||
+++ b/src/sss_client/pam_sss_gss.c
|
|
||||||
@@ -195,6 +195,8 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
|
|
||||||
struct sss_cli_req_data req_data;
|
|
||||||
size_t service_len;
|
|
||||||
size_t user_len;
|
|
||||||
+ size_t reply_len;
|
|
||||||
+ uint8_t *reply = NULL;
|
|
||||||
uint8_t *data;
|
|
||||||
errno_t ret;
|
|
||||||
int ret_errno;
|
|
||||||
@@ -217,7 +219,7 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
|
|
||||||
|
|
||||||
req_data.data = data;
|
|
||||||
|
|
||||||
- ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len,
|
|
||||||
+ ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, &reply, &reply_len,
|
|
||||||
&ret_errno);
|
|
||||||
free(data);
|
|
||||||
if (ret != PAM_SUCCESS) {
|
|
||||||
@@ -233,6 +235,16 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
|
|
||||||
return (ret_errno != EOK) ? ret_errno : EIO;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (ret_errno == EOK) {
|
|
||||||
+ *_reply = reply;
|
|
||||||
+ *_reply_len = reply_len;
|
|
||||||
+ } else {
|
|
||||||
+ /* We got PAM_SUCCESS therefore the communication with SSSD was
|
|
||||||
+ * successful and we have received a reply buffer. We just don't care
|
|
||||||
+ * about it, we are only interested in the error code. */
|
|
||||||
+ free(reply);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return ret_errno;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -257,7 +269,8 @@ static errno_t sssd_gssapi_init_recv(uint8_t *reply,
|
|
||||||
target = malloc(reply_len * sizeof(char));
|
|
||||||
upn = malloc(reply_len * sizeof(char));
|
|
||||||
if (username == NULL || domain == NULL || target == NULL || upn == NULL) {
|
|
||||||
- return ENOMEM;
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
buf = (const char*)reply;
|
|
||||||
@@ -311,8 +324,8 @@ static errno_t sssd_gssapi_init(pam_handle_t *pamh,
|
|
||||||
char **_target,
|
|
||||||
char **_upn)
|
|
||||||
{
|
|
||||||
- size_t reply_len;
|
|
||||||
- uint8_t *reply;
|
|
||||||
+ size_t reply_len = 0;
|
|
||||||
+ uint8_t *reply = NULL;
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
ret = sssd_gssapi_init_send(pamh, pam_service, pam_user, &reply,
|
|
||||||
@@ -549,6 +562,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,
|
|
||||||
|
|
||||||
done:
|
|
||||||
sss_pam_close_fd();
|
|
||||||
+ free(username);
|
|
||||||
free(domain);
|
|
||||||
free(target);
|
|
||||||
free(upn);
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,40 +0,0 @@
|
|||||||
From cd48ef5071741443e3b84e100a4d4d28e3578e4f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Mon, 25 Jan 2021 15:14:05 +0200
|
|
||||||
Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
When IPA allows to add AD users and groups directly to sudo rules
|
|
||||||
(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
|
|
||||||
Thus, we don't need to add additional '%'.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5475
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ipa/ipa_sudo_conversion.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
|
|
||||||
index cfb41d8b0..1bfee096d 100644
|
|
||||||
--- a/src/providers/ipa/ipa_sudo_conversion.c
|
|
||||||
+++ b/src/providers/ipa/ipa_sudo_conversion.c
|
|
||||||
@@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *value,
|
|
||||||
bool *skip_entry)
|
|
||||||
{
|
|
||||||
+ if (value == NULL)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ if (value[0] == '%')
|
|
||||||
+ return talloc_strdup(mem_ctx, value);
|
|
||||||
+
|
|
||||||
return talloc_asprintf(mem_ctx, "%%%s", value);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,199 +0,0 @@
|
|||||||
From e07eeea7df55ede36ac0978ac904c1bb11188265 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 20 Jan 2021 17:48:44 +0100
|
|
||||||
Subject: [PATCH 41/42] responders: add callback to schedule_get_domains_task()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
To allow responders to run dedicated code at the end of the initial
|
|
||||||
getDomains request a callback is added.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5469
|
|
||||||
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/autofs/autofssrv.c | 2 +-
|
|
||||||
src/responder/common/responder.h | 5 ++++-
|
|
||||||
src/responder/common/responder_get_domains.c | 12 +++++++++++-
|
|
||||||
src/responder/ifp/ifpsrv.c | 2 +-
|
|
||||||
src/responder/nss/nsssrv.c | 3 ++-
|
|
||||||
src/responder/pac/pacsrv.c | 2 +-
|
|
||||||
src/responder/pam/pamsrv.c | 3 ++-
|
|
||||||
src/responder/ssh/sshsrv.c | 2 +-
|
|
||||||
src/responder/sudo/sudosrv.c | 2 +-
|
|
||||||
src/tests/cmocka/test_responder_common.c | 2 +-
|
|
||||||
10 files changed, 25 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
|
|
||||||
index 27de1b44a..130eaf775 100644
|
|
||||||
--- a/src/responder/autofs/autofssrv.c
|
|
||||||
+++ b/src/responder/autofs/autofssrv.c
|
|
||||||
@@ -142,7 +142,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
|
|
||||||
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
||||||
goto fail;
|
|
||||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
|
||||||
index f83ba1bc0..ff0559c08 100644
|
|
||||||
--- a/src/responder/common/responder.h
|
|
||||||
+++ b/src/responder/common/responder.h
|
|
||||||
@@ -366,10 +366,13 @@ errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
struct tevent_req *req,
|
|
||||||
char **_domain);
|
|
||||||
|
|
||||||
+typedef void (get_domains_callback_fn_t)(void *);
|
|
||||||
errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
|
|
||||||
struct tevent_context *ev,
|
|
||||||
struct resp_ctx *rctx,
|
|
||||||
- struct sss_nc_ctx *optional_ncache);
|
|
||||||
+ struct sss_nc_ctx *optional_ncache,
|
|
||||||
+ get_domains_callback_fn_t *callback,
|
|
||||||
+ void *callback_pvt);
|
|
||||||
|
|
||||||
errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string,
|
|
||||||
bool allow_sss_loop,
|
|
||||||
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
|
|
||||||
index e551b0fff..12b6e9028 100644
|
|
||||||
--- a/src/responder/common/responder_get_domains.c
|
|
||||||
+++ b/src/responder/common/responder_get_domains.c
|
|
||||||
@@ -430,6 +430,8 @@ static errno_t check_last_request(struct resp_ctx *rctx, const char *hint)
|
|
||||||
struct get_domains_state {
|
|
||||||
struct resp_ctx *rctx;
|
|
||||||
struct sss_nc_ctx *optional_ncache;
|
|
||||||
+ get_domains_callback_fn_t *callback;
|
|
||||||
+ void *callback_pvt;
|
|
||||||
};
|
|
||||||
|
|
||||||
static void get_domains_at_startup_done(struct tevent_req *req)
|
|
||||||
@@ -462,6 +464,10 @@ static void get_domains_at_startup_done(struct tevent_req *req)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (state->callback != NULL) {
|
|
||||||
+ state->callback(state->callback_pvt);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
talloc_free(state);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
@@ -489,7 +495,9 @@ static void get_domains_at_startup(struct tevent_context *ev,
|
|
||||||
errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
|
|
||||||
struct tevent_context *ev,
|
|
||||||
struct resp_ctx *rctx,
|
|
||||||
- struct sss_nc_ctx *optional_ncache)
|
|
||||||
+ struct sss_nc_ctx *optional_ncache,
|
|
||||||
+ get_domains_callback_fn_t *callback,
|
|
||||||
+ void *callback_pvt)
|
|
||||||
{
|
|
||||||
struct tevent_immediate *imm;
|
|
||||||
struct get_domains_state *state;
|
|
||||||
@@ -500,6 +508,8 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
state->rctx = rctx;
|
|
||||||
state->optional_ncache = optional_ncache;
|
|
||||||
+ state->callback = callback;
|
|
||||||
+ state->callback_pvt = callback_pvt;
|
|
||||||
|
|
||||||
imm = tevent_create_immediate(mem_ctx);
|
|
||||||
if (imm == NULL) {
|
|
||||||
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
|
|
||||||
index 7407ee07b..ee1452728 100644
|
|
||||||
--- a/src/responder/ifp/ifpsrv.c
|
|
||||||
+++ b/src/responder/ifp/ifpsrv.c
|
|
||||||
@@ -266,7 +266,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
return EIO;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
|
|
||||||
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
"schedule_get_domains_tasks failed.\n");
|
|
||||||
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
|
|
||||||
index e80104e3d..2b7958e80 100644
|
|
||||||
--- a/src/responder/nss/nsssrv.c
|
|
||||||
+++ b/src/responder/nss/nsssrv.c
|
|
||||||
@@ -557,7 +557,8 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
responder_set_fd_limit(fd_limit);
|
|
||||||
|
|
||||||
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache);
|
|
||||||
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache,
|
|
||||||
+ NULL, NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
||||||
goto fail;
|
|
||||||
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
|
|
||||||
index 217f83c26..96935150b 100644
|
|
||||||
--- a/src/responder/pac/pacsrv.c
|
|
||||||
+++ b/src/responder/pac/pacsrv.c
|
|
||||||
@@ -129,7 +129,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
|
|
||||||
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
||||||
goto fail;
|
|
||||||
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
|
||||||
index de1620e82..8b1ce2e92 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.c
|
|
||||||
+++ b/src/responder/pam/pamsrv.c
|
|
||||||
@@ -246,7 +246,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
responder_set_fd_limit(fd_limit);
|
|
||||||
|
|
||||||
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache);
|
|
||||||
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
|
|
||||||
+ NULL, NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
||||||
goto done;
|
|
||||||
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
|
|
||||||
index 6072a702c..e79a0438c 100644
|
|
||||||
--- a/src/responder/ssh/sshsrv.c
|
|
||||||
+++ b/src/responder/ssh/sshsrv.c
|
|
||||||
@@ -126,7 +126,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
|
|
||||||
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
||||||
goto fail;
|
|
||||||
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
|
|
||||||
index 5951b17b1..dc4a44b2f 100644
|
|
||||||
--- a/src/responder/sudo/sudosrv.c
|
|
||||||
+++ b/src/responder/sudo/sudosrv.c
|
|
||||||
@@ -102,7 +102,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
|
|
||||||
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
||||||
goto fail;
|
|
||||||
diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
|
|
||||||
index 5fc0d712d..29356253b 100644
|
|
||||||
--- a/src/tests/cmocka/test_responder_common.c
|
|
||||||
+++ b/src/tests/cmocka/test_responder_common.c
|
|
||||||
@@ -265,7 +265,7 @@ void test_schedule_get_domains_task(void **state)
|
|
||||||
ret = schedule_get_domains_task(dummy_ncache_ptr,
|
|
||||||
parse_inp_ctx->rctx->ev,
|
|
||||||
parse_inp_ctx->rctx,
|
|
||||||
- dummy_ncache_ptr);
|
|
||||||
+ dummy_ncache_ptr, NULL, NULL);
|
|
||||||
assert_int_equal(ret, EOK);
|
|
||||||
|
|
||||||
ret = test_ev_loop(parse_inp_ctx->tctx);
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,64 +0,0 @@
|
|||||||
From cb936e92041d63f79a74c30bae8140c74a18dbc0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 20 Jan 2021 18:25:04 +0100
|
|
||||||
Subject: [PATCH 42/42] pam: refresh certificate maps at the end of initial
|
|
||||||
domains lookup
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
During startup SSSD's responders send a getDomains request to all
|
|
||||||
backends to refresh some domain related needed by the responders.
|
|
||||||
|
|
||||||
The PAM responder specifically needs the certificate mapping and
|
|
||||||
matching rules when Smartcard authentication is enable. Currently the
|
|
||||||
rules are not refreshed at the end of the initial request but the code
|
|
||||||
assumed that the related structures are initialized after the request
|
|
||||||
finished.
|
|
||||||
|
|
||||||
To avoid a race condition this patch adds a callback to the end of the
|
|
||||||
request to make sure the rules are properly refreshed even if they are
|
|
||||||
already initialized before.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5469
|
|
||||||
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/pam/pamsrv.c | 14 +++++++++++++-
|
|
||||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
|
||||||
index 8b1ce2e92..65370662d 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.c
|
|
||||||
+++ b/src/responder/pam/pamsrv.c
|
|
||||||
@@ -154,6 +154,18 @@ static errno_t get_app_services(struct pam_ctx *pctx)
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void pam_get_domains_callback(void *pvt)
|
|
||||||
+{
|
|
||||||
+ struct pam_ctx *pctx;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ pctx = talloc_get_type(pvt, struct pam_ctx);
|
|
||||||
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
struct tevent_context *ev,
|
|
||||||
struct confdb_ctx *cdb,
|
|
||||||
@@ -247,7 +259,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
responder_set_fd_limit(fd_limit);
|
|
||||||
|
|
||||||
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
|
|
||||||
- NULL, NULL);
|
|
||||||
+ pam_get_domains_callback, pctx);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
|
||||||
goto done;
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,134 +0,0 @@
|
|||||||
From 0c6924b8d474daf35ee30d74e5496957e503b206 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Wed, 20 Jan 2021 15:40:34 +0100
|
|
||||||
Subject: [PATCH] SBUS: set sbus_name before dp_init_send()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Some async task might access sbus_name before dp_initialized() was executed
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5466
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/data_provider/dp.c | 21 ++++-----------------
|
|
||||||
src/providers/data_provider/dp.h | 6 +++---
|
|
||||||
src/providers/data_provider_be.c | 12 ++++++++++--
|
|
||||||
3 files changed, 17 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
|
|
||||||
index 90324d74d..64fe847b2 100644
|
|
||||||
--- a/src/providers/data_provider/dp.c
|
|
||||||
+++ b/src/providers/data_provider/dp.c
|
|
||||||
@@ -134,7 +134,6 @@ static int dp_destructor(struct data_provider *provider)
|
|
||||||
struct dp_init_state {
|
|
||||||
struct be_ctx *be_ctx;
|
|
||||||
struct data_provider *provider;
|
|
||||||
- char *sbus_name;
|
|
||||||
};
|
|
||||||
|
|
||||||
static void dp_init_done(struct tevent_req *subreq);
|
|
||||||
@@ -144,7 +143,8 @@ dp_init_send(TALLOC_CTX *mem_ctx,
|
|
||||||
struct tevent_context *ev,
|
|
||||||
struct be_ctx *be_ctx,
|
|
||||||
uid_t uid,
|
|
||||||
- gid_t gid)
|
|
||||||
+ gid_t gid,
|
|
||||||
+ const char *sbus_name)
|
|
||||||
{
|
|
||||||
struct dp_init_state *state;
|
|
||||||
struct tevent_req *subreq;
|
|
||||||
@@ -177,13 +177,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
|
|
||||||
state->provider->gid = gid;
|
|
||||||
state->provider->be_ctx = be_ctx;
|
|
||||||
|
|
||||||
- state->sbus_name = sss_iface_domain_bus(state, be_ctx->domain);
|
|
||||||
- if (state->sbus_name == NULL) {
|
|
||||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* Initialize data provider bus. Data provider can receive client
|
|
||||||
* registration and other D-Bus methods. However no data provider
|
|
||||||
* request will be executed as long as the modules and targets
|
|
||||||
@@ -192,7 +185,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
|
|
||||||
talloc_set_destructor(state->provider, dp_destructor);
|
|
||||||
|
|
||||||
subreq = sbus_server_create_and_connect_send(state->provider, ev,
|
|
||||||
- state->sbus_name, NULL, sbus_address, true, 1000, uid, gid,
|
|
||||||
+ sbus_name, NULL, sbus_address, true, 1000, uid, gid,
|
|
||||||
(sbus_server_on_connection_cb)dp_client_init,
|
|
||||||
(sbus_server_on_connection_data)state->provider);
|
|
||||||
if (subreq == NULL) {
|
|
||||||
@@ -270,16 +263,10 @@ done:
|
|
||||||
}
|
|
||||||
|
|
||||||
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
- struct tevent_req *req,
|
|
||||||
- const char **_sbus_name)
|
|
||||||
+ struct tevent_req *req)
|
|
||||||
{
|
|
||||||
- struct dp_init_state *state;
|
|
||||||
- state = tevent_req_data(req, struct dp_init_state);
|
|
||||||
-
|
|
||||||
TEVENT_REQ_RETURN_ON_ERROR(req);
|
|
||||||
|
|
||||||
- *_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
|
|
||||||
-
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
|
|
||||||
index a8b6e9f3a..95c6588ad 100644
|
|
||||||
--- a/src/providers/data_provider/dp.h
|
|
||||||
+++ b/src/providers/data_provider/dp.h
|
|
||||||
@@ -122,11 +122,11 @@ dp_init_send(TALLOC_CTX *mem_ctx,
|
|
||||||
struct tevent_context *ev,
|
|
||||||
struct be_ctx *be_ctx,
|
|
||||||
uid_t uid,
|
|
||||||
- gid_t gid);
|
|
||||||
+ gid_t gid,
|
|
||||||
+ const char *sbus_name);
|
|
||||||
|
|
||||||
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
- struct tevent_req *req,
|
|
||||||
- const char **_sbus_name);
|
|
||||||
+ struct tevent_req *req);
|
|
||||||
|
|
||||||
bool _dp_target_enabled(struct data_provider *provider,
|
|
||||||
const char *module_name,
|
|
||||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
|
||||||
index f059a3f96..8458146ea 100644
|
|
||||||
--- a/src/providers/data_provider_be.c
|
|
||||||
+++ b/src/providers/data_provider_be.c
|
|
||||||
@@ -565,7 +565,15 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
|
|
||||||
+ be_ctx->sbus_name = sss_iface_domain_bus(be_ctx, be_ctx->domain);
|
|
||||||
+ if (be_ctx->sbus_name == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid,
|
|
||||||
+ be_ctx->sbus_name);
|
|
||||||
if (req == NULL) {
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto done;
|
|
||||||
@@ -612,7 +620,7 @@ static void dp_initialized(struct tevent_req *req)
|
|
||||||
|
|
||||||
be_ctx = tevent_req_callback_data(req, struct be_ctx);
|
|
||||||
|
|
||||||
- ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
|
|
||||||
+ ret = dp_init_recv(be_ctx, req);
|
|
||||||
talloc_zfree(req);
|
|
||||||
if (ret != EOK) {
|
|
||||||
goto done;
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,655 +0,0 @@
|
|||||||
From c2e8879189ecbbdfdd4b42395319a4cd91cb569f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Fri, 12 Feb 2021 20:02:52 +0100
|
|
||||||
Subject: [PATCH] pam_sss_gss: support authentication indicators (upstream
|
|
||||||
patch 5ce7ced269c7b3dd8f75122a50f539083b5697ae by Alexander Bokovoy)
|
|
||||||
|
|
||||||
MIT Kerberos allows to associate authentication indicators with the
|
|
||||||
issued ticket based on the way how the TGT was obtained. The indicators
|
|
||||||
present in the TGT then copied to service tickets. There are two ways to
|
|
||||||
check the authentication indicators:
|
|
||||||
|
|
||||||
- when KDC issues a service ticket, a policy at KDC side can reject the
|
|
||||||
ticket issuance based on a lack of certain indicator
|
|
||||||
|
|
||||||
- when a server application presented with a service ticket from a
|
|
||||||
client, it can verify that this ticket contains intended
|
|
||||||
authentication indicators before authorizing access from the client.
|
|
||||||
|
|
||||||
Add support to validate presence of a specific (set of) authentication
|
|
||||||
indicator(s) in pam_sss_gss when validating a user's TGT.
|
|
||||||
|
|
||||||
This concept can be used to only allow access to a PAM service when user
|
|
||||||
is in possession of a ticket obtained using some of pre-authentication
|
|
||||||
mechanisms that require multiple factors: smart-cards (PKINIT), 2FA
|
|
||||||
tokens (otp/radius), etc.
|
|
||||||
|
|
||||||
Patch by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
|
|
||||||
Reviewed by: Sumit Bose <sbose@redhat.com>
|
|
||||||
|
|
||||||
Adapted to 8.4 branch by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.c | 13 ++
|
|
||||||
src/confdb/confdb.h | 3 +
|
|
||||||
src/config/SSSDConfig/sssdoptions.py | 2 +
|
|
||||||
src/config/SSSDConfigTest.py | 6 +-
|
|
||||||
src/config/cfg_rules.ini | 3 +
|
|
||||||
src/config/etc/sssd.api.conf | 2 +
|
|
||||||
src/db/sysdb_subdomains.c | 12 ++
|
|
||||||
src/man/pam_sss_gss.8.xml | 13 ++
|
|
||||||
src/man/sssd.conf.5.xml | 64 +++++++
|
|
||||||
src/responder/pam/pamsrv.c | 21 +++
|
|
||||||
src/responder/pam/pamsrv.h | 2 +
|
|
||||||
src/responder/pam/pamsrv_gssapi.c | 250 +++++++++++++++++++++++++++
|
|
||||||
12 files changed, 389 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
||||||
index befcfff..cca7615 100644
|
|
||||||
--- a/src/confdb/confdb.c
|
|
||||||
+++ b/src/confdb/confdb.c
|
|
||||||
@@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
|
|
||||||
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP,
|
|
||||||
+ NULL);
|
|
||||||
+ if (tmp != NULL && tmp[0] != '\0') {
|
|
||||||
+ ret = split_on_separator(domain, tmp, ',', true, true,
|
|
||||||
+ &domain->gssapi_indicators_map, NULL);
|
|
||||||
+ if (ret != 0) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
domain->has_views = false;
|
|
||||||
domain->view_name = NULL;
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 036f9ec..a2be227 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -146,6 +146,7 @@
|
|
||||||
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
|
|
||||||
#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
|
|
||||||
#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
|
|
||||||
+#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map"
|
|
||||||
|
|
||||||
/* SUDO */
|
|
||||||
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
|
|
||||||
@@ -437,6 +438,8 @@ struct sss_domain_info {
|
|
||||||
/* List of PAM services that are allowed to authenticate with GSSAPI. */
|
|
||||||
char **gssapi_services;
|
|
||||||
char *gssapi_check_upn; /* true | false | NULL */
|
|
||||||
+ /* List of indicators associated with the specific PAM service */
|
|
||||||
+ char **gssapi_indicators_map;
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
index 5da52a9..0d849bc 100644
|
|
||||||
--- a/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
+++ b/src/config/SSSDConfig/sssdoptions.py
|
|
||||||
@@ -106,6 +106,8 @@ class SSSDOptions(object):
|
|
||||||
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
|
|
||||||
'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
|
|
||||||
'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
|
|
||||||
+ 'pam_gssapi_indicators_map' : _('List of pairs <PAM service>:<authentication indicator> that '
|
|
||||||
+ 'must be enforced for PAM access with GSSAPI authentication'),
|
|
||||||
|
|
||||||
# [sudo]
|
|
||||||
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index ea4e4f6..d0422df 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -655,7 +655,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'cached_auth_timeout',
|
|
||||||
'auto_private_groups',
|
|
||||||
'pam_gssapi_services',
|
|
||||||
- 'pam_gssapi_check_upn']
|
|
||||||
+ 'pam_gssapi_check_upn',
|
|
||||||
+ 'pam_gssapi_indicators_map']
|
|
||||||
|
|
||||||
self.assertTrue(type(options) == dict,
|
|
||||||
"Options should be a dictionary")
|
|
||||||
@@ -1034,7 +1035,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'cached_auth_timeout',
|
|
||||||
'auto_private_groups',
|
|
||||||
'pam_gssapi_services',
|
|
||||||
- 'pam_gssapi_check_upn']
|
|
||||||
+ 'pam_gssapi_check_upn',
|
|
||||||
+ 'pam_gssapi_indicators_map']
|
|
||||||
|
|
||||||
self.assertTrue(type(options) == dict,
|
|
||||||
"Options should be a dictionary")
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index 6642c63..872ceba 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -141,6 +141,7 @@ option = p11_uri
|
|
||||||
option = pam_initgroups_scheme
|
|
||||||
option = pam_gssapi_services
|
|
||||||
option = pam_gssapi_check_upn
|
|
||||||
+option = pam_gssapi_indicators_map
|
|
||||||
|
|
||||||
[rule/allowed_sudo_options]
|
|
||||||
validator = ini_allowed_options
|
|
||||||
@@ -441,6 +442,7 @@ option = re_expression
|
|
||||||
option = auto_private_groups
|
|
||||||
option = pam_gssapi_services
|
|
||||||
option = pam_gssapi_check_upn
|
|
||||||
+option = pam_gssapi_indicators_map
|
|
||||||
|
|
||||||
#Entry cache timeouts
|
|
||||||
option = entry_cache_user_timeout
|
|
||||||
@@ -837,6 +839,7 @@ option = use_fully_qualified_names
|
|
||||||
option = auto_private_groups
|
|
||||||
option = pam_gssapi_services
|
|
||||||
option = pam_gssapi_check_upn
|
|
||||||
+option = pam_gssapi_indicators_map
|
|
||||||
|
|
||||||
[rule/sssd_checks]
|
|
||||||
validator = sssd_checks
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index d3cad73..49ced63 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -82,6 +82,7 @@ p11_uri = str, None, false
|
|
||||||
pam_initgroups_scheme = str, None, false
|
|
||||||
pam_gssapi_services = str, None, false
|
|
||||||
pam_gssapi_check_upn = bool, None, false
|
|
||||||
+pam_gssapi_indicators_map = str, None, false
|
|
||||||
|
|
||||||
[sudo]
|
|
||||||
# sudo service
|
|
||||||
@@ -203,6 +204,7 @@ re_expression = str, None, false
|
|
||||||
auto_private_groups = str, None, false
|
|
||||||
pam_gssapi_services = str, None, false
|
|
||||||
pam_gssapi_check_upn = bool, None, false
|
|
||||||
+pam_gssapi_indicators_map = str, None, false
|
|
||||||
|
|
||||||
#Entry cache timeouts
|
|
||||||
entry_cache_user_timeout = int, None, false
|
|
||||||
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
|
||||||
index 03ba121..2243872 100644
|
|
||||||
--- a/src/db/sysdb_subdomains.c
|
|
||||||
+++ b/src/db/sysdb_subdomains.c
|
|
||||||
@@ -185,6 +185,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
|
||||||
dom->override_gid = parent->override_gid;
|
|
||||||
|
|
||||||
dom->gssapi_services = parent->gssapi_services;
|
|
||||||
+ dom->gssapi_indicators_map = parent->gssapi_indicators_map;
|
|
||||||
|
|
||||||
if (parent->sysdb == NULL) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
|
|
||||||
@@ -266,6 +267,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* allow to set pam_gssapi_indicators_map */
|
|
||||||
+ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
|
|
||||||
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP,
|
|
||||||
+ &subdomain->gssapi_indicators_map);
|
|
||||||
+ if (ret != EOK && ret != ENOENT) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "Failed to get %s option for the subdomain: %s\n",
|
|
||||||
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, subdomain->name);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = EOK;
|
|
||||||
done:
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml
|
|
||||||
index ce5b11b..a83369d 100644
|
|
||||||
--- a/src/man/pam_sss_gss.8.xml
|
|
||||||
+++ b/src/man/pam_sss_gss.8.xml
|
|
||||||
@@ -70,6 +70,19 @@
|
|
||||||
<manvolnum>5</manvolnum>
|
|
||||||
</citerefentry> for more details on these options.
|
|
||||||
</para>
|
|
||||||
+ <para>
|
|
||||||
+ Some Kerberos deployments allow to assocate authentication
|
|
||||||
+ indicators with a particular pre-authentication method used to
|
|
||||||
+ obtain the ticket granting ticket by the user.
|
|
||||||
+ <command>pam_sss_gss.so</command> allows to enforce presence of
|
|
||||||
+ authentication indicators in the service tickets before a particular
|
|
||||||
+ PAM service can be accessed.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ If <option>pam_gssapi_indicators_map</option> is set in the [pam] or
|
|
||||||
+ domain section of sssd.conf, then SSSD will perform a check of the
|
|
||||||
+ presence of any configured indicators in the service ticket.
|
|
||||||
+ </para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1 id='options'>
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index 8b330de..3a9955b 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -1770,6 +1770,70 @@ pam_gssapi_services = sudo, sudo-i
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>pam_gssapi_indicators_map</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Comma separated list of authentication indicators required
|
|
||||||
+ to be present in a Kerberos ticket to access a PAM service
|
|
||||||
+ that is allowed to try GSSAPI authentication using
|
|
||||||
+ pam_sss_gss.so module.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Each element of the list can be either an authentication indicator
|
|
||||||
+ name or a pair <quote>service:indicator</quote>. Indicators not
|
|
||||||
+ prefixed with the PAM service name will be required to access any
|
|
||||||
+ PAM service configured to be used with
|
|
||||||
+ <option>pam_gssapi_services</option>. A resulting list of indicators
|
|
||||||
+ per PAM service is then checked against indicators in the Kerberos
|
|
||||||
+ ticket during authentication by pam_sss_gss.so. Any indicator from the
|
|
||||||
+ ticket that matches the resulting list of indicators for the PAM service
|
|
||||||
+ would grant access. If none of the indicators in the list match, access
|
|
||||||
+ will be denied. If the resulting list of indicators for the PAM service
|
|
||||||
+ is empty, the check will not prevent the access.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ To disable GSSAPI authentication indicator check, set this option
|
|
||||||
+ to <quote>-</quote> (dash). To disable the check for a specific PAM
|
|
||||||
+ service, add <quote>service:-</quote>.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Note: This option can also be set per-domain which
|
|
||||||
+ overwrites the value in [pam] section. It can also
|
|
||||||
+ be set for trusted domain which overwrites the value
|
|
||||||
+ in the domain section.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Following authentication indicators are supported by IPA Kerberos deployments:
|
|
||||||
+ <itemizedlist>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>pkinit -- pre-authentication using X.509 certificates -- whether stored in files or on smart cards.</para>
|
|
||||||
+ </listitem>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a FAST channel.</para>
|
|
||||||
+ </listitem>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>radius -- pre-authentication with the help of a RADIUS server.</para>
|
|
||||||
+ </listitem>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>otp -- pre-authentication using integrated two-factor authentication (2FA or one-time password, OTP) in IPA.</para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </itemizedlist>
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Example: to require access to SUDO services only
|
|
||||||
+ for users which obtained their Kerberos tickets
|
|
||||||
+ with a X.509 certificate pre-authentication
|
|
||||||
+ (PKINIT), set
|
|
||||||
+ <programlisting>
|
|
||||||
+pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
|
||||||
+ </programlisting>
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: not set (use of authentication indicators is not required)
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect2>
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
|
||||||
index 3904c09..9b4d6c1 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.c
|
|
||||||
+++ b/src/responder/pam/pamsrv.c
|
|
||||||
@@ -370,6 +370,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
|
|
||||||
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, "-", &tmpstr);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ "Failed to determine gssapi services.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
|
|
||||||
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP);
|
|
||||||
+
|
|
||||||
+ if (tmpstr != NULL) {
|
|
||||||
+ ret = split_on_separator(pctx, tmpstr, ',', true, true,
|
|
||||||
+ &pctx->gssapi_indicators_map, NULL);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
+ "split_on_separator() failed [%d]: [%s].\n", ret,
|
|
||||||
+ sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* The responder is initialized. Now tell it to the monitor. */
|
|
||||||
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
|
|
||||||
SSS_PAM_SBUS_SERVICE_NAME,
|
|
||||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
||||||
index 3553296..383c7be 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.h
|
|
||||||
+++ b/src/responder/pam/pamsrv.h
|
|
||||||
@@ -65,6 +65,8 @@ struct pam_ctx {
|
|
||||||
|
|
||||||
/* List of PAM services that are allowed to authenticate with GSSAPI. */
|
|
||||||
char **gssapi_services;
|
|
||||||
+ /* List of authentication indicators associated with a PAM service */
|
|
||||||
+ char **gssapi_indicators_map;
|
|
||||||
bool gssapi_check_upn;
|
|
||||||
};
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
|
|
||||||
index 2d05c78..e4da4c4 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_gssapi.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_gssapi.c
|
|
||||||
@@ -24,6 +24,7 @@
|
|
||||||
#include <gssapi/gssapi_krb5.h>
|
|
||||||
#include <stdint.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
#include <talloc.h>
|
|
||||||
#include <ldb.h>
|
|
||||||
|
|
||||||
@@ -83,6 +84,117 @@ static bool pam_gssapi_should_check_upn(struct pam_ctx *pam_ctx,
|
|
||||||
return pam_ctx->gssapi_check_upn;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int pam_gssapi_check_indicators(TALLOC_CTX *mem_ctx,
|
|
||||||
+ const char *pam_service,
|
|
||||||
+ char **gssapi_indicators_map,
|
|
||||||
+ char **indicators)
|
|
||||||
+{
|
|
||||||
+ char *authind = NULL;
|
|
||||||
+ size_t pam_len = strlen(pam_service);
|
|
||||||
+ char **map = gssapi_indicators_map;
|
|
||||||
+ char **result = NULL;
|
|
||||||
+ int res;
|
|
||||||
+
|
|
||||||
+ authind = talloc_strdup(mem_ctx, "");
|
|
||||||
+ if (authind == NULL) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (int i = 0; map[i]; i++) {
|
|
||||||
+ if (map[i][0] == '-') {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
+ "Indicators aren't used for [%s]\n",
|
|
||||||
+ pam_service);
|
|
||||||
+ talloc_free(authind);
|
|
||||||
+ return EOK;
|
|
||||||
+ }
|
|
||||||
+ if (!strchr(map[i], ':')) {
|
|
||||||
+ authind = talloc_asprintf_append(authind, "%s ", map[i]);
|
|
||||||
+ if (authind == NULL) {
|
|
||||||
+ /* Since we allocate on pam_ctx, caller will free it */
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ res = strncmp(map[i], pam_service, pam_len);
|
|
||||||
+ if (res == 0) {
|
|
||||||
+ if (strlen(map[i]) > pam_len) {
|
|
||||||
+ if (map[i][pam_len] != ':') {
|
|
||||||
+ /* different PAM service, skip it */
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (map[i][pam_len + 1] == '-') {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
+ "Indicators aren't used for [%s]\n",
|
|
||||||
+ pam_service);
|
|
||||||
+ talloc_free(authind);
|
|
||||||
+ return EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ authind = talloc_asprintf_append(authind, "%s ",
|
|
||||||
+ map[i] + (pam_len + 1));
|
|
||||||
+ if (authind == NULL) {
|
|
||||||
+ /* Since we allocate on pam_ctx, caller will free it */
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "Invalid value for %s: [%s]\n",
|
|
||||||
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, map[i]);
|
|
||||||
+ talloc_free(authind);
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ res = ENOENT;
|
|
||||||
+ map = NULL;
|
|
||||||
+
|
|
||||||
+ if (authind[0] == '\0') {
|
|
||||||
+ /* empty list of per-service indicators -> skip */
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* trim a space after the final indicator
|
|
||||||
+ * to prevent split_on_separator() to fail */
|
|
||||||
+ authind[strlen(authind) - 1] = '\0';
|
|
||||||
+
|
|
||||||
+ res = split_on_separator(mem_ctx, authind, ' ', true, true,
|
|
||||||
+ &map, NULL);
|
|
||||||
+ if (res != 0) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ "Cannot parse list of indicators: [%s]\n", authind);
|
|
||||||
+ res = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ res = diff_string_lists(mem_ctx, indicators, map, NULL, NULL, &result);
|
|
||||||
+ if (res != 0) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,"Cannot diff lists of indicators\n");
|
|
||||||
+ res = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (result && result[0] != NULL) {
|
|
||||||
+ for (int i = 0; result[i]; i++) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
+ "indicator [%s] is allowed for PAM service [%s]\n",
|
|
||||||
+ result[i], pam_service);
|
|
||||||
+ }
|
|
||||||
+ res = EOK;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ res = EPERM;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(result);
|
|
||||||
+ talloc_free(authind);
|
|
||||||
+ talloc_free(map);
|
|
||||||
+ return res;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static bool pam_gssapi_allowed(struct pam_ctx *pam_ctx,
|
|
||||||
struct sss_domain_info *domain,
|
|
||||||
const char *service)
|
|
||||||
@@ -385,12 +497,126 @@ static char *gssapi_get_name(TALLOC_CTX *mem_ctx, gss_name_t gss_name)
|
|
||||||
return exported;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#define AUTH_INDICATORS_TAG "auth-indicators"
|
|
||||||
+
|
|
||||||
+static char **gssapi_get_indicators(TALLOC_CTX *mem_ctx, gss_name_t gss_name)
|
|
||||||
+{
|
|
||||||
+ gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
|
|
||||||
+ int is_mechname;
|
|
||||||
+ OM_uint32 major;
|
|
||||||
+ OM_uint32 minor;
|
|
||||||
+ gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
|
|
||||||
+ gss_buffer_desc display_value = GSS_C_EMPTY_BUFFER;
|
|
||||||
+ char *exported = NULL;
|
|
||||||
+ char **map = NULL;
|
|
||||||
+ int res;
|
|
||||||
+
|
|
||||||
+ major = gss_inquire_name(&minor, gss_name, &is_mechname, NULL, &attrs);
|
|
||||||
+ if (major != GSS_S_COMPLETE) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to inquire name\n");
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (attrs == GSS_C_NO_BUFFER_SET) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "No krb5 attributes in the ticket\n");
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ exported = talloc_strdup(mem_ctx, "");
|
|
||||||
+ if (exported == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Unable to pre-allocate indicators\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (int i = 0; i < attrs->count; i++) {
|
|
||||||
+ int authenticated = 0;
|
|
||||||
+ int complete = 0;
|
|
||||||
+ int more = -1;
|
|
||||||
+
|
|
||||||
+ /* skip anything but auth-indicators */
|
|
||||||
+ if (strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value,
|
|
||||||
+ sizeof(AUTH_INDICATORS_TAG) - 1) != 0)
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ /* retrieve all indicators */
|
|
||||||
+ while (more != 0) {
|
|
||||||
+ value.value = NULL;
|
|
||||||
+ display_value.value = NULL;
|
|
||||||
+
|
|
||||||
+ major = gss_get_name_attribute(&minor, gss_name,
|
|
||||||
+ &attrs->elements[i],
|
|
||||||
+ &authenticated,
|
|
||||||
+ &complete, &value,
|
|
||||||
+ &display_value,
|
|
||||||
+ &more);
|
|
||||||
+ if (major != GSS_S_COMPLETE) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Unable to retrieve an attribute\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((value.value != NULL) && authenticated) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
+ "attribute's [%.*s] value [%.*s] authenticated\n",
|
|
||||||
+ (int) attrs->elements[i].length,
|
|
||||||
+ (char*) attrs->elements[i].value,
|
|
||||||
+ (int) value.length,
|
|
||||||
+ (char*) value.value);
|
|
||||||
+ exported = talloc_asprintf_append(exported, "%.*s ",
|
|
||||||
+ (int) value.length,
|
|
||||||
+ (char*) value.value);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (exported == NULL) {
|
|
||||||
+ /* Since we allocate on mem_ctx, caller will free
|
|
||||||
+ * the previous version of 'exported' */
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Unable to collect an attribute value\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ (void) gss_release_buffer(&minor, &value);
|
|
||||||
+ (void) gss_release_buffer(&minor, &display_value);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (exported[0] != '\0') {
|
|
||||||
+ /* trim a space after the final indicator
|
|
||||||
+ * to prevent split_on_separator() to fail */
|
|
||||||
+ exported[strlen(exported) - 1] = '\0';
|
|
||||||
+ } else {
|
|
||||||
+ /* empty list */
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ res = split_on_separator(mem_ctx, exported, ' ', true, true,
|
|
||||||
+ &map, NULL);
|
|
||||||
+ if (res != 0) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ "Cannot parse list of indicators: [%s]\n", exported);
|
|
||||||
+ goto done;
|
|
||||||
+ } else {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "authentication indicators: [%s]\n",
|
|
||||||
+ exported);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ (void) gss_release_buffer(&minor, &value);
|
|
||||||
+ (void) gss_release_buffer(&minor, &display_value);
|
|
||||||
+ (void) gss_release_buffer_set(&minor, &attrs);
|
|
||||||
+
|
|
||||||
+ talloc_free(exported);
|
|
||||||
+ return map;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
struct gssapi_state {
|
|
||||||
struct cli_ctx *cli_ctx;
|
|
||||||
struct sss_domain_info *domain;
|
|
||||||
const char *username;
|
|
||||||
|
|
||||||
char *authenticated_upn;
|
|
||||||
+ char **auth_indicators;
|
|
||||||
bool established;
|
|
||||||
gss_ctx_id_t ctx;
|
|
||||||
};
|
|
||||||
@@ -568,6 +794,8 @@ gssapi_handshake(struct gssapi_state *state,
|
|
||||||
DEBUG(SSSDBG_TRACE_FUNC, "Security context established with [%s]\n",
|
|
||||||
state->authenticated_upn);
|
|
||||||
|
|
||||||
+ state->auth_indicators = gssapi_get_indicators(state, client_name);
|
|
||||||
+
|
|
||||||
state->established = true;
|
|
||||||
ret = EOK;
|
|
||||||
|
|
||||||
@@ -632,6 +860,7 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
|
|
||||||
const char *domain_name;
|
|
||||||
const char *username;
|
|
||||||
char *target;
|
|
||||||
+ char **indicators_map = NULL;
|
|
||||||
size_t gss_data_len;
|
|
||||||
uint8_t *gss_data;
|
|
||||||
errno_t ret;
|
|
||||||
@@ -699,6 +928,27 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Use map for auth-indicators from the domain, if defined and
|
|
||||||
+ * fallback to the [pam] section otherwise */
|
|
||||||
+ indicators_map = domain->gssapi_indicators_map ?
|
|
||||||
+ domain->gssapi_indicators_map :
|
|
||||||
+ (pam_ctx->gssapi_indicators_map ?
|
|
||||||
+ pam_ctx->gssapi_indicators_map : NULL);
|
|
||||||
+ if (indicators_map != NULL) {
|
|
||||||
+ ret = pam_gssapi_check_indicators(state,
|
|
||||||
+ pam_service,
|
|
||||||
+ indicators_map,
|
|
||||||
+ state->auth_indicators);
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
+ "Check if acquired service ticket has req. indicators: %d\n",
|
|
||||||
+ ret);
|
|
||||||
+ if ((ret == EPERM) || (ret == ENOMEM) || (ret == EINVAL)) {
|
|
||||||
+ /* skip further checks if denied or no memory,
|
|
||||||
+ * ENOENT means the check is not applicable */
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (!pam_gssapi_should_check_upn(pam_ctx, domain)) {
|
|
||||||
/* We are done. */
|
|
||||||
goto done;
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,121 +0,0 @@
|
|||||||
From b100efbfabd96dcfb2825777b75b9a9dfaacb937 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 29 Jan 2021 12:41:28 +0100
|
|
||||||
Subject: [PATCH] sudo: do not search by low usn value to improve performance
|
|
||||||
|
|
||||||
This is a follow up on these two commits.
|
|
||||||
|
|
||||||
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
|
|
||||||
- 6815844daa7701c76e31addbbdff74656cd30bea
|
|
||||||
|
|
||||||
The first one improved the search filter little bit to achieve better
|
|
||||||
performance, however it also changed the behavior: we started to search
|
|
||||||
for `usn >= 1` in the filter if no usn number was known.
|
|
||||||
|
|
||||||
This caused issues on OpenLDAP server which was fixed by the second patch.
|
|
||||||
However, the fix was wrong and searching by this meaningfully low number
|
|
||||||
can cause performance issues depending on how the filter is optimized and
|
|
||||||
evaluated on the server.
|
|
||||||
|
|
||||||
Now we omit the usn attribute from the filter if there is no meaningful value.
|
|
||||||
|
|
||||||
How to test:
|
|
||||||
1. Setup LDAP with no sudo rules defined
|
|
||||||
2. Make sure that the LDAP server does not support USN or use the following diff
|
|
||||||
to enforce modifyTimestamp (last USN is always available from rootDSE)
|
|
||||||
```diff
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ldap/sdap.c | 4 ++--
|
|
||||||
src/providers/ldap/sdap_sudo_refresh.c | 6 ++++--
|
|
||||||
src/providers/ldap/sdap_sudo_shared.c | 21 ++++++---------------
|
|
||||||
3 files changed, 12 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
|
||||||
index 32c0144b9..c853e4dc1 100644
|
|
||||||
--- a/src/providers/ldap/sdap.c
|
|
||||||
+++ b/src/providers/ldap/sdap.c
|
|
||||||
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
|
|
||||||
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
|
|
||||||
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
|
|
||||||
if (rootdse) {
|
|
||||||
- if (last_usn_name) {
|
|
||||||
+ if (false) {
|
|
||||||
ret = sysdb_attrs_get_string(rootdse,
|
|
||||||
last_usn_name, &last_usn_value);
|
|
||||||
if (ret != EOK) {
|
|
||||||
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!last_usn_name) {
|
|
||||||
+ if (true) {
|
|
||||||
DEBUG(SSSDBG_FUNC_DATA,
|
|
||||||
"No known USN scheme is supported by this server!\n");
|
|
||||||
if (!entry_usn_name) {
|
|
||||||
diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
|
|
||||||
index ddcb23781..83f944ccf 100644
|
|
||||||
--- a/src/providers/ldap/sdap_sudo_refresh.c
|
|
||||||
+++ b/src/providers/ldap/sdap_sudo_refresh.c
|
|
||||||
@@ -181,8 +181,10 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
|
|
||||||
state->sysdb = id_ctx->be->domain->sysdb;
|
|
||||||
|
|
||||||
/* Download all rules from LDAP that are newer than usn */
|
|
||||||
- if (srv_opts == NULL || srv_opts->max_sudo_value == 0) {
|
|
||||||
- DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n");
|
|
||||||
+ if (srv_opts == NULL || srv_opts->max_sudo_value == NULL
|
|
||||||
+ || strcmp(srv_opts->max_sudo_value, "0") == 0) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero and "
|
|
||||||
+ "omitting it from the filter.\n");
|
|
||||||
usn = "0";
|
|
||||||
search_filter = talloc_asprintf(state, "(%s=%s)",
|
|
||||||
map[SDAP_AT_SUDO_OC].name,
|
|
||||||
diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
|
|
||||||
index 4f09957ea..75d1bc3d8 100644
|
|
||||||
--- a/src/providers/ldap/sdap_sudo_shared.c
|
|
||||||
+++ b/src/providers/ldap/sdap_sudo_shared.c
|
|
||||||
@@ -129,25 +129,17 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
|
|
||||||
static char *
|
|
||||||
sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
|
|
||||||
unsigned long usn,
|
|
||||||
- const char *leftover,
|
|
||||||
- bool supports_usn)
|
|
||||||
+ const char *leftover)
|
|
||||||
{
|
|
||||||
const char *str = leftover == NULL ? "" : leftover;
|
|
||||||
char *newusn;
|
|
||||||
|
|
||||||
- /* This is a fresh start and server uses modifyTimestamp. We need to
|
|
||||||
- * provide proper datetime value. */
|
|
||||||
- if (!supports_usn && usn == 0) {
|
|
||||||
- newusn = talloc_strdup(mem_ctx, "00000101000000Z");
|
|
||||||
- if (newusn == NULL) {
|
|
||||||
- DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return newusn;
|
|
||||||
+ /* Current largest USN is unknown so we keep "0" to indicate it. */
|
|
||||||
+ if (usn == 0) {
|
|
||||||
+ return talloc_strdup(mem_ctx, "0");
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* We increment USN number so that we can later use simplify filter
|
|
||||||
+ /* We increment USN number so that we can later use simplified filter
|
|
||||||
* (just usn >= last+1 instead of usn >= last && usn != last).
|
|
||||||
*/
|
|
||||||
usn++;
|
|
||||||
@@ -219,8 +211,7 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
|
|
||||||
srv_opts->last_usn = usn_number;
|
|
||||||
}
|
|
||||||
|
|
||||||
- newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone,
|
|
||||||
- srv_opts->supports_usn);
|
|
||||||
+ newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone);
|
|
||||||
if (newusn == NULL) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From fff02bbf7967d291ccb019fae741e6591ed8fd41 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Fri, 12 Feb 2021 15:30:59 +0100
|
|
||||||
Subject: [PATCH] ldap: fix modifytimestamp debugging leftovers
|
|
||||||
|
|
||||||
---
|
|
||||||
src/providers/ldap/sdap.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
|
||||||
index c853e4dc1..32c0144b9 100644
|
|
||||||
--- a/src/providers/ldap/sdap.c
|
|
||||||
+++ b/src/providers/ldap/sdap.c
|
|
||||||
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
|
|
||||||
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
|
|
||||||
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
|
|
||||||
if (rootdse) {
|
|
||||||
- if (false) {
|
|
||||||
+ if (last_usn_name) {
|
|
||||||
ret = sysdb_attrs_get_string(rootdse,
|
|
||||||
last_usn_name, &last_usn_value);
|
|
||||||
if (ret != EOK) {
|
|
||||||
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (true) {
|
|
||||||
+ if (!last_usn_name) {
|
|
||||||
DEBUG(SSSDBG_FUNC_DATA,
|
|
||||||
"No known USN scheme is supported by this server!\n");
|
|
||||||
if (!entry_usn_name) {
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,49 +0,0 @@
|
|||||||
From 2d26c95d78cf43798b54ac8c478b8a9ee41cab39 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 3 Feb 2021 18:28:29 +0100
|
|
||||||
Subject: [PATCH] ssh: restore default debug level
|
|
||||||
|
|
||||||
The recent change of the default debug level for the main SSSD
|
|
||||||
components affected the ssh helpers sss_ssh_authorizedkeys and
|
|
||||||
sss_ssh_knownhostsproxy as well.
|
|
||||||
|
|
||||||
To avoid any confusion about unexpected debug messages this patch
|
|
||||||
restores to original value for the two helpers.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5488
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +-
|
|
||||||
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
|
|
||||||
index 8e80f9663..877c00299 100644
|
|
||||||
--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
|
|
||||||
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
|
|
||||||
@@ -32,7 +32,7 @@
|
|
||||||
int main(int argc, const char **argv)
|
|
||||||
{
|
|
||||||
TALLOC_CTX *mem_ctx = NULL;
|
|
||||||
- int pc_debug = SSSDBG_DEFAULT;
|
|
||||||
+ int pc_debug = SSSDBG_FATAL_FAILURE;
|
|
||||||
const char *pc_domain = NULL;
|
|
||||||
const char *pc_user = NULL;
|
|
||||||
struct poptOption long_options[] = {
|
|
||||||
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
|
||||||
index ad6af81d8..1102fd4ab 100644
|
|
||||||
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
|
||||||
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
|
||||||
@@ -174,7 +174,7 @@ connect_proxy_command(char **args)
|
|
||||||
int main(int argc, const char **argv)
|
|
||||||
{
|
|
||||||
TALLOC_CTX *mem_ctx = NULL;
|
|
||||||
- int pc_debug = SSSDBG_DEFAULT;
|
|
||||||
+ int pc_debug = SSSDBG_FATAL_FAILURE;
|
|
||||||
int pc_port = 22;
|
|
||||||
const char *pc_domain = NULL;
|
|
||||||
const char *pc_host = NULL;
|
|
||||||
--
|
|
||||||
2.21.3
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
From 8d38a4b28ab7af15406b244910f369ba1aff02db Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Thu, 30 Oct 2014 15:59:17 +0100
|
|
||||||
Subject: [PATCH 93/93] NOUPSTREAM: Default to root if sssd user is not
|
|
||||||
specified
|
|
||||||
|
|
||||||
---
|
|
||||||
src/monitor/monitor.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
|
||||||
index 0dea327213a1ad04b6f69c0ffb0fb87254420796..20b4aef4ee94fd42de1585d7d7c2e01ea01845ac 100644
|
|
||||||
--- a/src/monitor/monitor.c
|
|
||||||
+++ b/src/monitor/monitor.c
|
|
||||||
@@ -925,7 +925,7 @@ static int get_service_user(struct mt_ctx *ctx)
|
|
||||||
|
|
||||||
ret = confdb_get_string(ctx->cdb, ctx, CONFDB_MONITOR_CONF_ENTRY,
|
|
||||||
CONFDB_MONITOR_USER_RUNAS,
|
|
||||||
- SSSD_USER, &user_str);
|
|
||||||
+ "root", &user_str);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get the user to run as\n");
|
|
||||||
return ret;
|
|
||||||
--
|
|
||||||
1.9.3
|
|
||||||
|
|
213
SPECS/sssd.spec
213
SPECS/sssd.spec
@ -1,5 +1,5 @@
|
|||||||
# we don't want to provide private python extension libs
|
# we don't want to provide private python extension libs
|
||||||
%define __provides_exclude_from %{python3_sitearch}/.*\.so$|%{_libdir}/%{name}/modules/libwbclient.so.*$
|
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
|
||||||
|
|
||||||
# SSSD fails to build with -Wl,-z,defs
|
# SSSD fails to build with -Wl,-z,defs
|
||||||
%undefine _strict_symbol_defs_build
|
%undefine _strict_symbol_defs_build
|
||||||
@ -17,76 +17,21 @@
|
|||||||
%global enable_systemtap 1
|
%global enable_systemtap 1
|
||||||
%global enable_systemtap_opt --enable-systemtap
|
%global enable_systemtap_opt --enable-systemtap
|
||||||
|
|
||||||
%global libwbc_alternatives_version 0.14
|
|
||||||
%global libwbc_lib_version %{libwbc_alternatives_version}.0
|
|
||||||
%global libwbc_alternatives_suffix %nil
|
|
||||||
%if 0%{?__isa_bits} == 64
|
|
||||||
%global libwbc_alternatives_suffix -64
|
|
||||||
%endif
|
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.4.0
|
Version: 2.5.2
|
||||||
Release: 8%{?dist}
|
Release: 2%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: https://pagure.io/SSSD/sssd/
|
URL: https://github.com/SSSD/sssd
|
||||||
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
Patch0001: 0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch
|
Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
|
||||||
Patch0002: 0002-KCM-perf-improvements.patch
|
Patch0002: 0002-po-update-translations.patch
|
||||||
Patch0003: 0003-DEBUG-journal_send-was-made-static.patch
|
|
||||||
Patch0004: 0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch
|
|
||||||
Patch0005: 0005-negcache-make-sure-domain-config-does-not-leak-into-.patch
|
|
||||||
Patch0006: 0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
|
|
||||||
Patch0007: 0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch
|
|
||||||
Patch0008: 0008-negcache-do-not-use-default_domain_suffix.patch
|
|
||||||
Patch0009: 0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch
|
|
||||||
Patch0010: 0010-nss-check-if-groups-are-filtered-during-initgroups.patch
|
|
||||||
Patch0011: 0011-ifp-fix-use-after-free.patch
|
|
||||||
Patch0012: 0012-ifp-fix-original-fix-use-after-free.patch
|
|
||||||
Patch0013: 0013-pam_sss-use-unique-id-for-gdm-choice-list.patch
|
|
||||||
Patch0014: 0014-authtok-add-label-to-Smartcard-token.patch
|
|
||||||
Patch0015: 0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch
|
|
||||||
Patch0016: 0016-add-tests-multiple-certs-same-id.patch
|
|
||||||
Patch0017: 0017-data_provider_be-Add-random-offset-default.patch
|
|
||||||
Patch0018: 0018-data_provider_be-MAN-page-update.patch
|
|
||||||
Patch0019: 0019-logs-review.patch
|
|
||||||
Patch0020: 0020-sss_format.h-include-config.h.patch
|
|
||||||
Patch0021: 0021-packet-add-sss_packet_set_body.patch
|
|
||||||
Patch0022: 0022-domain-store-hostname-and-keytab-path.patch
|
|
||||||
Patch0023: 0023-cache_req-add-helper-to-call-user-by-upn-search.patch
|
|
||||||
Patch0024: 0024-pam-fix-typo-in-debug-message.patch
|
|
||||||
Patch0025: 0025-pam-add-pam_gssapi_services-option.patch
|
|
||||||
Patch0026: 0026-pam-add-pam_gssapi_check_upn-option.patch
|
|
||||||
Patch0027: 0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch
|
|
||||||
Patch0028: 0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch
|
|
||||||
Patch0029: 0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch
|
|
||||||
Patch0030: 0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch
|
|
||||||
Patch0031: 0031-autofs-disable-fast-reply.patch
|
|
||||||
Patch0032: 0032-autofs-correlate-errors-for-different-protocol-versi.patch
|
|
||||||
Patch0033: 0033-configure-check-for-stdatomic.h.patch
|
|
||||||
Patch0034: 0034-cache_req-ignore-autofs-not-configured-error.patch
|
|
||||||
Patch0035: 0035-simple-fix-memory-leak-while-reloading-lists.patch
|
|
||||||
Patch0036: 0036-SBUS-do-not-try-to-del-non-existing-sender.patch
|
|
||||||
Patch0037: 0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch
|
|
||||||
Patch0038: 0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch
|
|
||||||
Patch0039: 0039-pam_sss_gssapi-fix-coverity-issues.patch
|
|
||||||
Patch0040: 0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
|
|
||||||
Patch0041: 0041-responders-add-callback-to-schedule_get_domains_task.patch
|
|
||||||
Patch0042: 0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch
|
|
||||||
Patch0043: 0043-SBUS-set-sbus_name-before-dp_init_send.patch
|
|
||||||
Patch0044: 0044-pam_sss_gss-support-authentication-indicators.patch
|
|
||||||
Patch0045: 0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch
|
|
||||||
Patch0046: 0046-ldap-fix-modifytimestamp-debugging-leftovers.patch
|
|
||||||
Patch0047: 0047-ssh-restore-default-debug-level.patch
|
|
||||||
|
|
||||||
### Downstream Patches ###
|
### Downstream Patches ###
|
||||||
|
|
||||||
#This patch should not be removed in RHEL-8
|
|
||||||
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
|
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
|
|
||||||
Requires: sssd-common = %{version}-%{release}
|
Requires: sssd-common = %{version}-%{release}
|
||||||
@ -190,6 +135,8 @@ License: GPLv3+
|
|||||||
# Conflicts
|
# Conflicts
|
||||||
Conflicts: selinux-policy < 3.10.0-46
|
Conflicts: selinux-policy < 3.10.0-46
|
||||||
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
|
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
|
||||||
|
# sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5
|
||||||
|
Obsoletes: sssd-libwbclient < 2.5.0
|
||||||
# Requires
|
# Requires
|
||||||
# Explicitly require RHEL-8.0 versions of the Samba libraries
|
# Explicitly require RHEL-8.0 versions of the Samba libraries
|
||||||
# in order to prevent untested combinations of a new SSSD and
|
# in order to prevent untested combinations of a new SSSD and
|
||||||
@ -391,7 +338,6 @@ Requires: libsss_idmap = %{version}-%{release}
|
|||||||
Requires: libsss_certmap = %{version}-%{release}
|
Requires: libsss_certmap = %{version}-%{release}
|
||||||
Recommends: bind-utils
|
Recommends: bind-utils
|
||||||
Recommends: adcli
|
Recommends: adcli
|
||||||
Suggests: sssd-libwbclient = %{version}-%{release}
|
|
||||||
Suggests: sssd-winbind-idmap = %{version}-%{release}
|
Suggests: sssd-winbind-idmap = %{version}-%{release}
|
||||||
|
|
||||||
%description ad
|
%description ad
|
||||||
@ -534,27 +480,6 @@ Requires: libsss_simpleifp = %{version}-%{release}
|
|||||||
%description -n libsss_simpleifp-devel
|
%description -n libsss_simpleifp-devel
|
||||||
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
|
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
|
||||||
|
|
||||||
%package libwbclient
|
|
||||||
Summary: The SSSD libwbclient implementation
|
|
||||||
Group: Applications/System
|
|
||||||
License: GPLv3+ and LGPLv3+
|
|
||||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
|
||||||
Conflicts: libwbclient < 4.2.0-0.2.rc2
|
|
||||||
Conflicts: sssd-common < %{version}-%{release}
|
|
||||||
|
|
||||||
%description libwbclient
|
|
||||||
The SSSD libwbclient implementation.
|
|
||||||
|
|
||||||
%package libwbclient-devel
|
|
||||||
Summary: Development libraries for the SSSD libwbclient implementation
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: GPLv3+ and LGPLv3+
|
|
||||||
Requires: sssd-libwbclient = %{version}-%{release}
|
|
||||||
Conflicts: libwbclient-devel < 4.2.0-0.2.rc2
|
|
||||||
|
|
||||||
%description libwbclient-devel
|
|
||||||
Development libraries for the SSSD libwbclient implementation.
|
|
||||||
|
|
||||||
%package winbind-idmap
|
%package winbind-idmap
|
||||||
Summary: SSSD's idmap_sss Backend for Winbind
|
Summary: SSSD's idmap_sss Backend for Winbind
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
@ -649,7 +574,6 @@ autoreconf -ivf
|
|||||||
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
|
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
|
||||||
--disable-static \
|
--disable-static \
|
||||||
--with-crypto=libcrypto \
|
--with-crypto=libcrypto \
|
||||||
--with-libwbclient \
|
|
||||||
--disable-rpath \
|
--disable-rpath \
|
||||||
--with-initscript=systemd \
|
--with-initscript=systemd \
|
||||||
--with-syslog=journald \
|
--with-syslog=journald \
|
||||||
@ -677,12 +601,6 @@ sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate
|
|||||||
|
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
make install DESTDIR=$RPM_BUILD_ROOT
|
||||||
|
|
||||||
if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ]
|
|
||||||
then
|
|
||||||
echo "Expected libwbclient version not found, please check if version has changed."
|
|
||||||
exit -1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Prepare language files
|
# Prepare language files
|
||||||
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
|
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
|
||||||
|
|
||||||
@ -881,7 +799,7 @@ done
|
|||||||
%dir %{_sysconfdir}/rwtab.d
|
%dir %{_sysconfdir}/rwtab.d
|
||||||
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
||||||
%dir %{_datadir}/sssd
|
%dir %{_datadir}/sssd
|
||||||
%{_sysconfdir}/pam.d/sssd-shadowutils
|
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
|
||||||
%dir %{_libdir}/%{name}/conf
|
%dir %{_libdir}/%{name}/conf
|
||||||
%{_libdir}/%{name}/conf/sssd.conf
|
%{_libdir}/%{name}/conf/sssd.conf
|
||||||
|
|
||||||
@ -1085,18 +1003,6 @@ done
|
|||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%{python3_sitearch}/pyhbac.so
|
%{python3_sitearch}/pyhbac.so
|
||||||
|
|
||||||
%files libwbclient
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%dir %{_libdir}/%{name}
|
|
||||||
%dir %{_libdir}/%{name}/modules
|
|
||||||
%{_libdir}/%{name}/modules/libwbclient.so.*
|
|
||||||
|
|
||||||
%files libwbclient-devel
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%{_includedir}/wbclient_sssd.h
|
|
||||||
%{_libdir}/%{name}/modules/libwbclient.so
|
|
||||||
%{_libdir}/pkgconfig/wbclient_sssd.pc
|
|
||||||
|
|
||||||
%files winbind-idmap -f sssd_winbind_idmap.lang
|
%files winbind-idmap -f sssd_winbind_idmap.lang
|
||||||
%dir %{_libdir}/samba/idmap
|
%dir %{_libdir}/samba/idmap
|
||||||
%{_libdir}/samba/idmap/sss.so
|
%{_libdir}/samba/idmap/sss.so
|
||||||
@ -1237,30 +1143,69 @@ fi
|
|||||||
%posttrans common
|
%posttrans common
|
||||||
%systemd_postun_with_restart sssd.service
|
%systemd_postun_with_restart sssd.service
|
||||||
|
|
||||||
%posttrans libwbclient
|
|
||||||
%{_sbindir}/update-alternatives \
|
|
||||||
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
|
|
||||||
libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
|
|
||||||
%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} 5
|
|
||||||
/sbin/ldconfig
|
|
||||||
|
|
||||||
%preun libwbclient
|
|
||||||
%{_sbindir}/update-alternatives \
|
|
||||||
--remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
|
|
||||||
%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version}
|
|
||||||
/sbin/ldconfig
|
|
||||||
|
|
||||||
%posttrans libwbclient-devel
|
|
||||||
%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
|
|
||||||
libwbclient.so%{libwbc_alternatives_suffix} \
|
|
||||||
%{_libdir}/%{name}/modules/libwbclient.so 5
|
|
||||||
|
|
||||||
%preun libwbclient-devel
|
|
||||||
%{_sbindir}/update-alternatives --remove \
|
|
||||||
libwbclient.so%{libwbc_alternatives_suffix} \
|
|
||||||
%{_libdir}/%{name}/modules/libwbclient.so
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
|
||||||
|
- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
|
||||||
|
- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization
|
||||||
|
|
||||||
|
* Mon Jul 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-1
|
||||||
|
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
|
||||||
|
- Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU
|
||||||
|
- Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber`
|
||||||
|
- Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling
|
||||||
|
- Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address
|
||||||
|
- Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group
|
||||||
|
- Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade
|
||||||
|
|
||||||
|
* Mon Jun 21 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.1-2
|
||||||
|
- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken
|
||||||
|
- Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument
|
||||||
|
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)
|
||||||
|
|
||||||
|
* Tue Jun 08 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.1-1
|
||||||
|
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
|
||||||
|
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
|
||||||
|
- Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory
|
||||||
|
- Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file
|
||||||
|
- Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout
|
||||||
|
- Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests
|
||||||
|
- Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust
|
||||||
|
- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
|
||||||
|
- Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found
|
||||||
|
- Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group
|
||||||
|
- Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable
|
||||||
|
- Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory.
|
||||||
|
- Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf
|
||||||
|
|
||||||
|
* Mon May 10 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.0-1
|
||||||
|
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
|
||||||
|
- Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11
|
||||||
|
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
|
||||||
|
- Resolves: rhbz#1945888 - Inconsistant debug level for connection logging
|
||||||
|
- Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets
|
||||||
|
- Resolves: rhbz#1949149 - [RFE] Poor man's backtrace
|
||||||
|
- Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR
|
||||||
|
- Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail.
|
||||||
|
- Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs
|
||||||
|
- Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path
|
||||||
|
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm
|
||||||
|
- Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries
|
||||||
|
- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
|
||||||
|
- Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries
|
||||||
|
- Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries
|
||||||
|
- Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains.
|
||||||
|
- Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable
|
||||||
|
- Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used
|
||||||
|
- Resolves: rhbz#1703436 - sssd not thread-safe in innetgr()
|
||||||
|
- Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen
|
||||||
|
- Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page
|
||||||
|
- Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page
|
||||||
|
- Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp
|
||||||
|
- Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3)
|
||||||
|
- Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7
|
||||||
|
- Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login
|
||||||
|
- Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive
|
||||||
|
|
||||||
* Fri Feb 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-8
|
* Fri Feb 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-8
|
||||||
- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss
|
- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss
|
||||||
- Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0.
|
- Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0.
|
||||||
@ -1419,10 +1364,10 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
* Thu Dec 19 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-8
|
* Thu Dec 19 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-8
|
||||||
* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect
|
* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect
|
||||||
|
|
||||||
* Thu Dec 19 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-7
|
* Thu Dec 19 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-7
|
||||||
* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect
|
* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect
|
||||||
|
|
||||||
* Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-6
|
* Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-6
|
||||||
* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
|
* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
|
||||||
@ -1478,7 +1423,7 @@ fi
|
|||||||
|
|
||||||
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-13
|
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-13
|
||||||
- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the
|
- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the
|
||||||
systemd-user service in the account phase in RHEL-8
|
systemd-user service in the account phase in RHEL-8
|
||||||
|
|
||||||
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-12
|
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-12
|
||||||
- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets
|
- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets
|
||||||
@ -1526,11 +1471,11 @@ fi
|
|||||||
|
|
||||||
* Fri Jun 14 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
|
* Fri Jun 14 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
|
||||||
- Resolves: rhbz#1687281
|
- Resolves: rhbz#1687281
|
||||||
Rebase sssd in RHEL-8.1 to the latest upstream release
|
Rebase sssd in RHEL-8.1 to the latest upstream release
|
||||||
|
|
||||||
* Wed Jun 12 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-1
|
* Wed Jun 12 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-1
|
||||||
- Resolves: rhbz#1687281
|
- Resolves: rhbz#1687281
|
||||||
Rebase sssd in RHEL-8.1 to the latest upstream release
|
Rebase sssd in RHEL-8.1 to the latest upstream release
|
||||||
|
|
||||||
* Thu May 30 2019 Michal Židek <mzidek@redhat.com> - 2.0.0-45
|
* Thu May 30 2019 Michal Židek <mzidek@redhat.com> - 2.0.0-45
|
||||||
- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is
|
- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is
|
||||||
@ -1581,14 +1526,14 @@ fi
|
|||||||
|
|
||||||
* Mon Dec 17 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-32
|
* Mon Dec 17 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-32
|
||||||
- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc
|
- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc
|
||||||
and libtevent to avoid an issue in GPO processing
|
and libtevent to avoid an issue in GPO processing
|
||||||
|
|
||||||
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-31
|
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-31
|
||||||
- Resolves: 1658813 - PKINIT with KCM does not work
|
- Resolves: 1658813 - PKINIT with KCM does not work
|
||||||
|
|
||||||
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-30
|
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-30
|
||||||
- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to
|
- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to
|
||||||
retrieve AD users through IPA Trust
|
retrieve AD users through IPA Trust
|
||||||
|
|
||||||
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-29
|
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-29
|
||||||
- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise():
|
- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise():
|
||||||
|
Loading…
Reference in New Issue
Block a user