import sssd-2.5.2-2.el8

This commit is contained in:
CentOS Sources 2021-10-06 12:00:28 -04:00 committed by Stepan Oksanichenko
parent 549f5a3974
commit ad123f85d7
53 changed files with 11229 additions and 14589 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.4.0.tar.gz
SOURCES/sssd-2.5.2.tar.gz

View File

@ -1 +1 @@
abcf616bf894d54623bf2541afdc7018e5d150aa SOURCES/sssd-2.4.0.tar.gz
680a282289fdfc6e27562e0ac82933ccd1f9574e SOURCES/sssd-2.5.2.tar.gz

View File

@ -1,64 +0,0 @@
From ff24d1538af88f83d0a3cc2817952cf70e7ca580 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Sun, 22 Nov 2020 17:44:07 +0100
Subject: [PATCH] SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in
msgs[]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL
ptrs in results of sysdb_search_with_ts_attr()
Resolves: https://github.com/SSSD/sssd/issues/5412
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_search.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index e616fd5bc..4ff65c1ae 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -221,6 +221,7 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
const char *attrs[])
{
errno_t ret;
+ size_t ts_cache_res_count = 0;
struct ldb_result *ts_cache_res = NULL;
if (ts_res == NULL || ctx->ldb_ts == NULL) {
@@ -231,7 +232,6 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
if (ts_cache_res == NULL) {
return ENOMEM;
}
- ts_cache_res->count = ts_res->count;
ts_cache_res->msgs = talloc_zero_array(ts_cache_res,
struct ldb_message *,
ts_res->count);
@@ -244,15 +244,18 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
ret = merge_msg_sysdb_attrs(ts_cache_res->msgs,
ctx,
ts_res->msgs[c],
- &ts_cache_res->msgs[c], attrs);
- if (ret != EOK) {
+ &ts_cache_res->msgs[ts_cache_res_count],
+ attrs);
+ if ((ret != EOK) || (ts_cache_res->msgs[ts_cache_res_count] == NULL)) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Cannot merge sysdb cache values for %s\n",
ldb_dn_get_linearized(ts_res->msgs[c]->dn));
- /* non-fatal, we just get only the non-timestamp attrs */
+ /* non-fatal, just skip */
continue;
}
+ ts_cache_res_count += 1;
}
+ ts_cache_res->count = ts_cache_res_count;
*_ts_cache_res = ts_cache_res;
return EOK;
--
2.21.3

View File

@ -0,0 +1,277 @@
From 3861960837b996d959af504a937a03963dc21d62 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 18 Jun 2021 13:17:19 +0200
Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
user supplied command
A flaw was found in SSSD, where the sssctl command was vulnerable
to shell command injection via the logs-fetch and cache-expire
subcommands. This flaw allows an attacker to trick the root user
into running a specially crafted sssctl command, such as via sudo,
to gain root access. The highest threat from this vulnerability is
to confidentiality, integrity, as well as system availability.
:fixes: CVE-2021-3621
---
src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
src/tools/sssctl/sssctl.h | 2 +-
src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
4 files changed, 73 insertions(+), 57 deletions(-)
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index 2997dbf96..8adaf3091 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
return SSSCTL_PROMPT_ERROR;
}
-errno_t sssctl_run_command(const char *command)
+errno_t sssctl_run_command(const char *const argv[])
{
int ret;
+ int wstatus;
- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
- ret = system(command);
+ ret = fork();
if (ret == -1) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
ERROR("Error while executing external command\n");
return EFAULT;
- } else if (WEXITSTATUS(ret) != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
- command, WEXITSTATUS(ret));
+ }
+
+ if (ret == 0) {
+ /* cast is safe - see
+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
+ "The statement about argv[] and envp[] being constants ... "
+ */
+ execvp(argv[0], discard_const_p(char * const, argv));
ERROR("Error while executing external command\n");
- return EIO;
+ _exit(1);
+ } else {
+ if (waitpid(ret, &wstatus, 0) == -1) {
+ ERROR("Error while executing external command '%s'\n", argv[0]);
+ return EFAULT;
+ } else if (WEXITSTATUS(wstatus) != 0) {
+ ERROR("Command '%s' failed with [%d]\n",
+ argv[0], WEXITSTATUS(wstatus));
+ return EIO;
+ }
}
return EOK;
@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
#elif defined(HAVE_SERVICE)
switch (action) {
case SSSCTL_SVC_START:
- return sssctl_run_command(SERVICE_PATH" sssd start");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
case SSSCTL_SVC_STOP:
- return sssctl_run_command(SERVICE_PATH" sssd stop");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
case SSSCTL_SVC_RESTART:
- return sssctl_run_command(SERVICE_PATH" sssd restart");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
}
#endif
diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
index 0115b2457..599ef6519 100644
--- a/src/tools/sssctl/sssctl.h
+++ b/src/tools/sssctl/sssctl.h
@@ -47,7 +47,7 @@ enum sssctl_prompt_result
sssctl_prompt(const char *message,
enum sssctl_prompt_result defval);
-errno_t sssctl_run_command(const char *command);
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
bool sssctl_start_sssd(bool force);
bool sssctl_stop_sssd(bool force);
bool sssctl_restart_sssd(bool force);
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
index 8d79b977f..bf2291341 100644
--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
}
}
- ret = sssctl_run_command("sss_override user-export "
- SSS_BACKUP_USER_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
+ SSS_BACKUP_USER_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to export user overrides\n");
return ret;
}
- ret = sssctl_run_command("sss_override group-export "
- SSS_BACKUP_GROUP_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to export group overrides\n");
return ret;
@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
- ret = sssctl_run_command("sss_override user-import "
- SSS_BACKUP_USER_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
+ SSS_BACKUP_USER_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to import user overrides\n");
return ret;
@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
- ret = sssctl_run_command("sss_override group-import "
- SSS_BACKUP_GROUP_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to import group overrides\n");
return ret;
@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
void *pvt)
{
errno_t ret;
- char *cmd_args = NULL;
- const char *cachecmd = SSS_CACHE;
- char *cmd = NULL;
- int i;
-
- if (cmdline->argc == 0) {
- ret = sssctl_run_command(cachecmd);
- goto done;
- }
- cmd_args = talloc_strdup(tool_ctx, "");
- if (cmd_args == NULL) {
- ret = ENOMEM;
- goto done;
+ const char **args = talloc_array_size(tool_ctx,
+ sizeof(char *),
+ cmdline->argc + 2);
+ if (!args) {
+ return ENOMEM;
}
+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
+ args[0] = SSS_CACHE;
+ args[cmdline->argc + 1] = NULL;
- for (i = 0; i < cmdline->argc; i++) {
- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
- if (i != cmdline->argc - 1) {
- cmd_args = talloc_strdup_append(cmd_args, " ");
- }
- }
-
- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
- if (cmd == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sssctl_run_command(cmd);
-
-done:
- talloc_free(cmd_args);
- talloc_free(cmd);
+ ret = sssctl_run_command(args);
+ talloc_free(args);
return ret;
}
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
index 9ff2be05b..ebb2c4571 100644
--- a/src/tools/sssctl/sssctl_logs.c
+++ b/src/tools/sssctl/sssctl_logs.c
@@ -31,6 +31,7 @@
#include <ldb.h>
#include <popt.h>
#include <stdio.h>
+#include <glob.h>
#include "util/util.h"
#include "tools/common/sss_process.h"
@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
{
struct sssctl_logs_opts opts = {0};
errno_t ret;
+ glob_t globbuf;
/* Parse command line. */
struct poptOption options[] = {
@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
sss_signal(SIGHUP);
} else {
+ globbuf.gl_offs = 4;
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+ return ret;
+ }
+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
+
PRINT("Truncating log files...\n");
- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+ globfree(&globbuf);
if (ret != EOK) {
ERROR("Unable to truncate log files\n");
return ret;
@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
void *pvt)
{
const char *file;
- const char *cmd;
errno_t ret;
+ glob_t globbuf;
/* Parse command line. */
ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
return ret;
}
- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
- if (cmd == NULL) {
- ERROR("Out of memory!");
+ globbuf.gl_offs = 3;
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+ return ret;
}
+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
+ globbuf.gl_pathv[2] = discard_const_p(char, file);
PRINT("Archiving log files into %s...\n", file);
- ret = sssctl_run_command(cmd);
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+ globfree(&globbuf);
if (ret != EOK) {
ERROR("Unable to archive log files\n");
return ret;
--
2.26.3

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,29 +0,0 @@
From 833034f5332d2492d413a9c97fded1480b58bf14 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 21 Oct 2020 18:47:32 +0200
Subject: [PATCH 3/4] DEBUG: journal_send() was made static
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/util/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/debug.c b/src/util/debug.c
index 1d5f75e4d..c162987b9 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -201,7 +201,7 @@ static void debug_printf(const char *format, ...)
}
#ifdef WITH_JOURNALD
-errno_t journal_send(const char *file,
+static errno_t journal_send(const char *file,
long line,
const char *function,
int level,
--
2.21.3

View File

@ -1,71 +0,0 @@
From 18233532b72e62452eac6886652fa633ba055d8c Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 21 Oct 2020 19:20:03 +0200
Subject: [PATCH 4/4] DEBUG: fixes program identifier as seen in syslog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name`
to accomodate needs of own SSSD logs, but this affected journal/syslog
as well.
This patch amends situation:
- journal messages gets "umbrella" identifier "sssd[]"
- syslog uses default which is program name
Resolves: https://github.com/SSSD/sssd/issues/5384
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/util/debug.c | 2 +-
src/util/sss_log.c | 12 +++---------
2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/src/util/debug.c b/src/util/debug.c
index c162987b9..f05b26500 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -250,7 +250,7 @@ static errno_t journal_send(const char *file,
"MESSAGE=%s", message,
"PRIORITY=%i", LOG_DEBUG,
"SSSD_DOMAIN=%s", domain,
- "SSSD_PRG_NAME=%s", debug_prg_name,
+ "SSSD_PRG_NAME=sssd[%s]", debug_prg_name,
"SSSD_DEBUG_LEVEL=%x", level,
NULL);
ret = -res;
diff --git a/src/util/sss_log.c b/src/util/sss_log.c
index 48e73dbea..c6b7435c6 100644
--- a/src/util/sss_log.c
+++ b/src/util/sss_log.c
@@ -107,7 +107,7 @@ static void sss_log_internal(int priority, int facility, const char *format,
"SSSD_DOMAIN=%s", domain,
"PRIORITY=%i", syslog_priority,
"SYSLOG_FACILITY=%i", LOG_FAC(facility),
- "SYSLOG_IDENTIFIER=%s", debug_prg_name,
+ "SYSLOG_IDENTIFIER=sssd[%s]", debug_prg_name,
NULL);
free(message);
@@ -118,15 +118,9 @@ static void sss_log_internal(int priority, int facility, const char *format,
static void sss_log_internal(int priority, int facility, const char *format,
va_list ap)
{
- int syslog_priority;
-
- syslog_priority = sss_to_syslog(priority);
-
- openlog(debug_prg_name, 0, facility);
-
- vsyslog(syslog_priority, format, ap);
+ int syslog_priority = sss_to_syslog(priority);
- closelog();
+ vsyslog(facility|syslog_priority, format, ap);
}
#endif /* WITH_JOURNALD */
--
2.21.3

View File

@ -1,36 +0,0 @@
From 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 8 Oct 2020 12:18:41 +0200
Subject: [PATCH 5/8] negcache: make sure domain config does not leak into
global
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/negcache.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index ce1c0ab8c..139218420 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -1050,6 +1050,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
}
+ talloc_zfree(filter_list);
/* Populate non domain-specific negative cache user entries */
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_FILTER_USERS, &filter_list);
@@ -1185,6 +1186,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
}
+ talloc_zfree(filter_list);
/* Populate non domain-specific negative cache group entries */
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_FILTER_GROUPS, &filter_list);
--
2.21.3

View File

@ -1,106 +0,0 @@
From 385af99ff4d5a75d0c1edc9ad830da3eb7478295 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 8 Oct 2020 17:57:29 +0200
Subject: [PATCH 6/8] utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
To allow to only iterate over a singel domain an its sub-domains a new
flag is added to get_next_domain().
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tests/cmocka/test_utils.c | 31 +++++++++++++++++++++++++++++++
src/util/domain_info_utils.c | 10 +++++++---
src/util/util.h | 4 ++++
3 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 945f5cb44..d77a972c1 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -877,6 +877,37 @@ static void test_get_next_domain_flags(void **state)
dom = get_next_domain(dom, gnd_flags);
assert_null(dom);
+
+ /* Descend only to subdomains */
+ gnd_flags = SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub1a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ dom = find_domain_by_name_ex(test_ctx->dom_list, "dom2", true,
+ SSS_GND_ALL_DOMAINS);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2b");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ /* Expect NULL if the domain has no sub-domains */
+ test_ctx->dom_list->subdomains = NULL;
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_null(dom);
}
struct name_init_test_ctx {
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index aa3582f03..4d4726daa 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -39,16 +39,20 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
uint32_t gnd_flags)
{
struct sss_domain_info *dom;
- bool descend = gnd_flags & SSS_GND_DESCEND;
+ bool descend = gnd_flags & (SSS_GND_DESCEND | SSS_GND_SUBDOMAINS);
bool include_disabled = gnd_flags & SSS_GND_INCLUDE_DISABLED;
+ bool only_subdomains = gnd_flags & SSS_GND_SUBDOMAINS;
dom = domain;
while (dom) {
if (descend && dom->subdomains) {
dom = dom->subdomains;
- } else if (dom->next) {
+ } else if (dom->next && only_subdomains && IS_SUBDOMAIN(dom)) {
dom = dom->next;
- } else if (descend && IS_SUBDOMAIN(dom) && dom->parent->next) {
+ } else if (dom->next && !only_subdomains) {
+ dom = dom->next;
+ } else if (descend && !only_subdomains && IS_SUBDOMAIN(dom)
+ && dom->parent->next) {
dom = dom->parent->next;
} else {
dom = NULL;
diff --git a/src/util/util.h b/src/util/util.h
index fbcac5cd0..581c0edfb 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -565,7 +565,11 @@ struct sss_domain_info *get_domains_head(struct sss_domain_info *domain);
#define SSS_GND_DESCEND 0x01
#define SSS_GND_INCLUDE_DISABLED 0x02
+/* Descend to sub-domains of current domain but do not go to next parent */
+#define SSS_GND_SUBDOMAINS 0x04
#define SSS_GND_ALL_DOMAINS (SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED)
+#define SSS_GND_ALL_SUBDOMAINS (SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED)
+
struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
uint32_t gnd_flags);
struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
--
2.21.3

View File

@ -1,443 +0,0 @@
From 0dc81a52e2836010974e9f71b1f3e47c20fd498d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Oct 2020 11:56:21 +0200
Subject: [PATCH 7/8] negcache: make sure short names are added to sub-domains
If short names are used with filter_users or filter_groups in a
[domain/...] section they should be added to the sub-domains of this
domain as well.
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/negcache.c | 105 +++++++------
src/tests/cmocka/test_negcache.c | 254 +++++++++++++++++++++++++++++++
2 files changed, 312 insertions(+), 47 deletions(-)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 139218420..9ee39ce3e 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -971,6 +971,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
char *name = NULL;
struct sss_domain_info *dom = NULL;
struct sss_domain_info *domain_list = rctx->domains;
+ struct sss_domain_info *ddom;
char *domainname = NULL;
char *conf_path = NULL;
TALLOC_CTX *tmpctx = talloc_new(NULL);
@@ -1013,39 +1014,44 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- if (domainname && strcmp(domainname, dom->name)) {
- DEBUG(SSSDBG_TRACE_FUNC,
- "Mismatch between domain name (%s) and name "
- "set in FQN (%s), assuming %s is UPN\n",
- dom->name, domainname, filter_list[i]);
- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
+ /* Check domain and its sub-domains */
+ for (ddom = dom; ddom != NULL;
+ ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) {
+
+ if (domainname && strcmp(domainname, ddom->name)) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Mismatch between domain name (%s) and name "
+ "set in FQN (%s), assuming %s is UPN\n",
+ ddom->name, domainname, filter_list[i]);
+ ret = sss_ncache_set_upn(ncache, true, ddom, filter_list[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_ncache_set_upn failed (%d [%s]), ignored\n",
+ ret, sss_strerror(ret));
+ }
+ continue;
+ }
+
+ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_upn(ncache, true, ddom, fqname);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sss_ncache_set_upn failed (%d [%s]), ignored\n",
ret, sss_strerror(ret));
}
- continue;
- }
-
- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
- if (fqname == NULL) {
- continue;
- }
-
- ret = sss_ncache_set_upn(ncache, true, dom, fqname);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sss_ncache_set_upn failed (%d [%s]), ignored\n",
- ret, sss_strerror(ret));
- }
- ret = sss_ncache_set_user(ncache, true, dom, fqname);
- talloc_zfree(fqname);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to store permanent user filter for [%s]"
- " (%d [%s])\n", filter_list[i],
- ret, sss_strerror(ret));
- continue;
+ ret = sss_ncache_set_user(ncache, true, ddom, fqname);
+ talloc_zfree(fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to store permanent user filter for [%s]"
+ " (%d [%s])\n", filter_list[i],
+ ret, sss_strerror(ret));
+ continue;
+ }
}
}
}
@@ -1161,27 +1167,32 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- if (domainname && strcmp(domainname, dom->name)) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Mismatch between domain name (%s) and name "
- "set in FQN (%s), skipping group %s\n",
- dom->name, domainname, name);
- continue;
- }
+ /* Check domain and its sub-domains */
+ for (ddom = dom;
+ ddom != NULL && (ddom == dom || ddom->parent != NULL);
+ ddom = get_next_domain(ddom, SSS_GND_ALL_DOMAINS)) {
+ if (domainname && strcmp(domainname, ddom->name)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Mismatch between domain name (%s) and name "
+ "set in FQN (%s), skipping group %s\n",
+ ddom->name, domainname, name);
+ continue;
+ }
- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
- if (fqname == NULL) {
- continue;
- }
+ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
+ if (fqname == NULL) {
+ continue;
+ }
- ret = sss_ncache_set_group(ncache, true, dom, fqname);
- talloc_zfree(fqname);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to store permanent group filter for [%s]"
- " (%d [%s])\n", filter_list[i],
- ret, strerror(ret));
- continue;
+ ret = sss_ncache_set_group(ncache, true, ddom, fqname);
+ talloc_zfree(fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to store permanent group filter for [%s]"
+ " (%d [%s])\n", filter_list[i],
+ ret, strerror(ret));
+ continue;
+ }
}
}
}
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index b3a379227..fb306b110 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -119,6 +119,8 @@ static int setup(void **state)
int ret;
struct test_state *ts;
+ test_dom_suite_setup(TESTS_PATH);
+
ts = talloc(NULL, struct test_state);
assert_non_null(ts);
@@ -133,6 +135,7 @@ static int setup(void **state)
static int teardown(void **state)
{
struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
talloc_free(ts);
return 0;
}
@@ -921,6 +924,255 @@ static void test_sss_ncache_reset_prepopulate(void **state)
assert_int_equal(ret, EEXIST);
}
+/* The main purpose of test_sss_ncache_short_name_in_domain is to test that
+ * short names in the filter_users or filter_groups options in a [domain/...]
+ * section are properly added to the related sub-domains as well (if there are
+ * any) and not added to domains from other [domain/...] sections. For
+ * completeness entries with fully-qualified names of the parent and the
+ * sub-domain and the generic UPN are added as well.
+ *
+ * The result should of course be independent of the present domains. To
+ * verify this the domains are added one after the other and the negative
+ * cache is repopulated each time.
+ *
+ * With the given domains, users and group we have to following expectations:
+ * - the short name entry will be added to the domain and all sub-domains as
+ * name and as upn by expanding it to a fully-qualified name with the
+ * domain name or sub-domain name respectively
+ * - the fully-qualified name from the parent domain is added as name and upn
+ * to the parent domain and as upn to all sub-domains
+ * - the fully-qualified name from the sub-domain is added as name to the
+ * sub-domain and as upn to the parent and all sub-domains
+ * - the generic upn is nowhere added as name and as upn to the parent and all
+ * sub-domains
+ * - none of the names is added to a different parent domain
+ *
+ * The following table should illustrated the expectations:
+ *
+ * user (name):
+ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
+ *-----------------+-----------+-----------------------+--------------------------+------------
+ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING | MISSING
+ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT | MISSING
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING
+ *
+ * user (upn):
+ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
+ *-----------------+-----------+-----------------------+--------------------------+------------
+ * TEST_DOM_NAME | PRESENT | PRESENT | PRESENT | PRESENT
+ * subTEST_DOM_NAME| PRESENT | PRESENT | PRESENT | PRESENT
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING
+ *
+ *
+ *
+ * groups:
+ * | shortgroup | parentg@TEST_DOM_NAME | subdomg@subTEST_DOM_NAME
+ *-----------------+------------+-----------------------+-------------------------
+ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING
+ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT
+ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING
+ *
+ *
+ * The following expect_*() implement checks for the expextations:
+ */
+
+static void expect_in_parent(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *dom)
+{
+ int ret;
+
+ ret = check_user_in_ncache(ncache, dom, "shortuser");
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_upn(ncache, dom, "shortuser@"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "parentu");
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_upn(ncache, dom, "parentu@"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "subdomu");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom, "subdomu@sub"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "upn");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom, "upn@upn.dom");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "shortgroup");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "parentg");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "subdomg");
+ assert_int_equal(ret, ENOENT);
+}
+
+static void expect_in_subdomain(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *sub_dom)
+{
+ int ret;
+
+ ret = check_user_in_ncache(ncache, sub_dom, "shortuser");
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_upn(ncache, sub_dom, "shortuser@sub"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, sub_dom, "subdomu");
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_upn(ncache, sub_dom, "subdomu@sub"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, sub_dom, "upn");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, sub_dom, "upn@upn.dom");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, sub_dom, "parentu");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, sub_dom, "parentu@"TEST_DOM_NAME);
+ assert_int_equal(ret, EEXIST);
+
+
+ ret = check_group_in_ncache(ncache, sub_dom, "shortgroup");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, sub_dom, "parentg");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, sub_dom, "subdomg");
+ assert_int_equal(ret, EEXIST);
+}
+static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *dom2)
+{
+ int ret;
+
+ ret = check_user_in_ncache(ncache, dom2, "shortuser");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom2, "shortuser"TEST_DOM_NAME);
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_user_in_ncache(ncache, dom2, "parentu");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom2, "parentu@"TEST_DOM_NAME);
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_user_in_ncache(ncache, dom2, "subdomu");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom2, "subdomu@sub"TEST_DOM_NAME);
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_user_in_ncache(ncache, dom2, "upn");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_upn(ncache, dom2, "upn@upn.dom");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom2, "shortgroup");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom2, "parentg");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom2, "subdomg");
+ assert_int_equal(ret, ENOENT);
+}
+
+static void test_sss_ncache_short_name_in_domain(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+ struct sss_domain_info *dom;
+ struct sss_domain_info *dom2;
+ struct sss_domain_info *sub_dom;
+
+ struct sss_test_conf_param params[] = {
+ { "filter_users", "shortuser, parentu@"TEST_DOM_NAME", "
+ "subdomu@sub"TEST_DOM_NAME", upn@upn.dom" },
+ { "filter_groups", "shortgroup, parentg@"TEST_DOM_NAME", "
+ "subdomg@sub"TEST_DOM_NAME },
+ { NULL, NULL },
+ };
+
+ const char *nss_filter_users[] = { params[0].value, NULL};
+ const char *nss_filter_groups[] = { params[1].value, NULL};
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+ dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+ sss_domain_set_state(dom, DOM_ACTIVE);
+
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
+ assert_non_null(tc);
+
+ ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME,
+ "filter_users", nss_filter_users);
+ assert_int_equal(ret, EOK);
+
+ ret = confdb_add_param(tc->confdb, true, "config/domain"TEST_DOM_NAME,
+ "filter_groups", nss_filter_groups);
+ assert_int_equal(ret, EOK);
+
+ ncache = ts->ctx;
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
+ assert_non_null(ts->rctx);
+ ts->rctx->cdb = tc->confdb;
+
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ /* Add another domain */
+ dom2 = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom2);
+ dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
+ sss_domain_set_state(dom2, DOM_ACTIVE);
+ dom->next = dom2;
+ dom2->names = dom->names;
+
+ expect_in_parent(ncache, dom);
+ expect_no_entries_in_dom(ncache, dom2);
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ expect_in_parent(ncache, dom);
+ expect_no_entries_in_dom(ncache, dom2);
+
+ /* Add a sub domain */
+ sub_dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(sub_dom);
+ sub_dom->name = discard_const_p(char, "sub"TEST_DOM_NAME);
+ sss_domain_set_state(sub_dom, DOM_ACTIVE);
+ sub_dom->parent = dom;
+ dom->subdomains = sub_dom;
+ sub_dom->names = dom->names;
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ expect_in_parent(ncache, dom);
+ expect_in_subdomain(ncache, sub_dom);
+ expect_no_entries_in_dom(ncache, dom2);
+}
+
static void test_sss_ncache_reset(void **state)
{
errno_t ret;
@@ -1083,6 +1335,8 @@ int main(void)
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
+ setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
--
2.21.3

View File

@ -1,154 +0,0 @@
From fa4b46e7de7297da3c0e37913eab8cba7f103629 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Oct 2020 15:26:39 +0200
Subject: [PATCH 8/8] negcache: do not use default_domain_suffix
When splitting the names from the filter_users and filter_groups options
do not use the default_domain_suffix because it will hide that the
original name is a short name and should be added everywhere.
Additionally this patch fixes a typo where sss_parse_name() was used
instead of sss_parse_name_for_domains().
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/negcache.c | 29 +++++++++++++++--------------
src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++--
2 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 9ee39ce3e..59e8ad7e7 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -1000,13 +1000,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain,
+ NULL,
filter_list[i],
&domainname, &name);
if (ret == EAGAIN) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
+ "Can add [%s] only as UPN to negcache because the "
+ "required domain is not known yet\n", filter_list[i]);
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid name in filterUsers list: [%s] (%d)\n",
@@ -1066,12 +1066,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain, filter_list[i],
+ NULL, filter_list[i],
&domainname, &name);
if (ret == EAGAIN) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
+ "Can add [%s] only as UPN to negcache because the "
+ "required domain is not known yet\n", filter_list[i]);
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid name in filterUsers list: [%s] (%d)\n",
@@ -1158,9 +1158,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
if (ret != EOK) goto done;
for (i = 0; (filter_list && filter_list[i]); i++) {
- ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
- &domainname, &name);
+ ret = sss_parse_name_for_domains(tmpctx, domain_list,
+ NULL, filter_list[i],
+ &domainname, &name);
if (ret != EOK) {
+ /* Groups do not have UPNs, so domain names, if present,
+ * must be known */
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid name in filterGroups list: [%s] (%d)\n",
filter_list[i], ret);
@@ -1207,13 +1210,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain, filter_list[i],
+ NULL, filter_list[i],
&domainname, &name);
- if (ret == EAGAIN) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
- } else if (ret != EOK) {
+ if (ret != EOK) {
+ /* Groups do not have UPNs, so domain names, if present,
+ * must be known */
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid name in filterGroups list: [%s] (%d)\n",
filter_list[i], ret);
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index fb306b110..30218d52a 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -933,7 +933,9 @@ static void test_sss_ncache_reset_prepopulate(void **state)
*
* The result should of course be independent of the present domains. To
* verify this the domains are added one after the other and the negative
- * cache is repopulated each time.
+ * cache is repopulated each time. The result should be also independent of
+ * the setting of default_domain_suffix option which is tested by
+ * test_sss_ncache_short_name_in_domain_with_prefix.
*
* With the given domains, users and group we have to following expectations:
* - the short name entry will be added to the domain and all sub-domains as
@@ -1081,7 +1083,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
assert_int_equal(ret, ENOENT);
}
-static void test_sss_ncache_short_name_in_domain(void **state)
+static void run_sss_ncache_short_name_in_domain(void **state,
+ bool use_default_domain_prefix)
{
int ret;
struct test_state *ts;
@@ -1131,6 +1134,9 @@ static void test_sss_ncache_short_name_in_domain(void **state)
ncache = ts->ctx;
ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
assert_non_null(ts->rctx);
+ if (use_default_domain_prefix) {
+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
+ }
ts->rctx->cdb = tc->confdb;
ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
@@ -1173,6 +1179,16 @@ static void test_sss_ncache_short_name_in_domain(void **state)
expect_no_entries_in_dom(ncache, dom2);
}
+static void test_sss_ncache_short_name_in_domain(void **state)
+{
+ run_sss_ncache_short_name_in_domain(state, false);
+}
+
+static void test_sss_ncache_short_name_in_domain_with_prefix(void **state)
+{
+ run_sss_ncache_short_name_in_domain(state, true);
+}
+
static void test_sss_ncache_reset(void **state)
{
errno_t ret;
@@ -1337,6 +1353,8 @@ int main(void)
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix,
+ setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
--
2.21.3

View File

@ -1,43 +0,0 @@
From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 9 Dec 2020 14:07:22 +0100
Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path
Previous unefficient code encoded the secret multiple times:
secret -> base64 -> masterkey -> base64
To allow smooth upgrade for already existant ccache we need to also decode
the secret if it is still in the old format (type == simple). Otherwise
users are not able to log in.
Resolves: https://github.com/SSSD/sssd/issues/5349
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index 726711ac4..ea5c8f9ee 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
goto done;
}
+ if (strcmp(datatype, "simple") == 0) {
+ /* The secret is stored in b64 encoding, we need to decode it first. */
+ data = sss_base64_decode(tmp_ctx, (const char*)data, &len);
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n");
+ ret = EIO;
+ goto done;
+ }
+ }
+
buf = sss_iobuf_init_steal(tmp_ctx, data, len);
if (buf == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n");
--
2.21.3

View File

@ -1,112 +0,0 @@
From c87b2208b9a58c12eeceb5b8ccf9c34dcd835b8d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 17 Nov 2020 12:59:23 +0100
Subject: [PATCH] nss: check if groups are filtered during initgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If groups are filtered, i.e. SSSD should not handle them, they should
not appear in the group list returned by an initgroups request.
Resolves: https://github.com/SSSD/sssd/issues/5403
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++
src/tests/intg/test_ldap.py | 12 +++++++++
2 files changed, 47 insertions(+)
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 8f1d3fe81..135b392f7 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -326,6 +326,34 @@ done:
return EOK;
}
+static bool is_group_filtered(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ const char *grp_name, gid_t gid)
+{
+ int ret;
+
+ if (grp_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Group with gid [%"SPRIgid"] has no name, this should never "
+ "happen, trying to continue without.\n", gid);
+ } else {
+ ret = sss_ncache_check_group(ncache, domain, grp_name);
+ if (ret == EEXIST) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! "
+ "(negative cache)", grp_name);
+ return true;
+ }
+ }
+ ret = sss_ncache_check_gid(ncache, domain, gid);
+ if (ret == EEXIST) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! "
+ "(negative cache)", gid);
+ return true;
+ }
+
+ return false;
+}
+
errno_t
nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
struct nss_cmd_ctx *cmd_ctx,
@@ -344,6 +372,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
size_t body_len;
size_t rp;
gid_t gid;
+ const char *grp_name;
gid_t orig_gid;
errno_t ret;
int i;
@@ -392,6 +421,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
0);
posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
+ grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
+ NULL);
if (gid == 0) {
if (posix != NULL && strcmp(posix, "FALSE") == 0) {
@@ -404,6 +435,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
}
}
+ if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
+ continue;
+ }
+
SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp);
num_results++;
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 194d7d9cc..6a78c960f 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter):
with pytest.raises(KeyError):
grp.getgrgid(14)
+ # test initgroups - user1 is member of group_two_one_user_groups (2019)
+ # which is filtered out
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001)
+ assert res == sssd_id.NssReturnCode.SUCCESS
+
+ user_with_group_ids = [2001, 2012, 2015, 2017, 2018]
+ assert sorted(gids) == sorted(user_with_group_ids), \
+ "result: %s\n expected %s" % (
+ ", ".join(["%s" % s for s in sorted(gids)]),
+ ", ".join(["%s" % s for s in sorted(user_with_group_ids)])
+ )
+
@pytest.fixture
def sanity_nss_filter_cached(request, ldap_conn):
--
2.21.3

View File

@ -1,36 +0,0 @@
From 81e757b7b1d69893b5725f9c148c55d89c779e7b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Nov 2020 10:12:15 +0100
Subject: [PATCH] ifp: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The variable fqdn is pointing to some data from state->res->msgs[0]. But
before fqdn is used in the next search state->res and the memory
hierarchy below is freed. As a result the location where fqdn is pointing
to might hold the expected data or other data and the search will fail
intermittently.
Resolves: https://github.com/SSSD/sssd/issues/5382
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/ifp/ifpsrv_cmd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index 9f20bf2db..d95618127 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -128,6 +128,7 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
tevent_req_error(req, ERR_INTERNAL);
return;
}
+ fqdn = talloc_steal(state, fqdn);
if (state->search_type == SSS_DP_USER) {
/* throw away the result and perform attr search */
--
2.21.3

View File

@ -1,38 +0,0 @@
From 3b158934cbb8f87cbfaf1650389b8dcd654b92ca Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 19 Nov 2020 18:05:00 +0100
Subject: [PATCH] ifp: fix original fix use-after-free
The original fix stole the fqdn too earlier. Only for SSS_DP_USER
requests the steal is important. For other request where the first
result is returned to the caller the original version
might even cause issues since the name does not belong to the memory
hierarchy of the result anymore.
Resolves: https://github.com/SSSD/sssd/issues/5382
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/ifp/ifpsrv_cmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index d95618127..8cf1ec84c 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -128,10 +128,10 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
tevent_req_error(req, ERR_INTERNAL);
return;
}
- fqdn = talloc_steal(state, fqdn);
if (state->search_type == SSS_DP_USER) {
- /* throw away the result and perform attr search */
+ /* throw away the result but keep the fqdn and perform attr search */
+ fqdn = talloc_steal(state, fqdn);
talloc_zfree(state->res);
ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn,
--
2.21.3

View File

@ -1,68 +0,0 @@
From 1b9b7f5a635ede8eee90d13bfe0e1f87e51191a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 13 Nov 2020 12:59:39 +0100
Subject: [PATCH 13/16] pam_sss: use unique id for gdm choice list
Currently the key-id read from the Smartcard is used as key value for
the gdm choice list dialog. Since it might be possible that multiple
certificates use the same key and hence the same key-id this is not a
suitable value.
With this patch the string representation of a numerical counter is used.
Resolves: https://github.com/SSSD/sssd/issues/5400
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/pam_sss.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b844d257e..04dfdb55d 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -128,6 +128,7 @@ struct cert_auth_info {
char *key_id;
char *prompt_str;
char *pam_cert_user;
+ char *choice_list_id;
struct cert_auth_info *prev;
struct cert_auth_info *next;
};
@@ -141,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
free(cai->module_name);
free(cai->key_id);
free(cai->prompt_str);
+ free(cai->choice_list_id);
free(cai);
}
}
@@ -1698,7 +1700,15 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
ret = ENOMEM;
goto done;
}
- request->list.items[c].key = cai->key_id;
+ free(cai->choice_list_id);
+ ret = asprintf(&cai->choice_list_id, "%zu", c);
+ if (ret == -1) {
+ cai->choice_list_id = NULL;
+ ret = ENOMEM;
+ goto done;
+ }
+
+ request->list.items[c].key = cai->choice_list_id;
request->list.items[c++].text = prompt;
}
@@ -1719,7 +1729,7 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
}
DLIST_FOR_EACH(cai, pi->cert_list) {
- if (strcmp(response->key, cai->key_id) == 0) {
+ if (strcmp(response->key, cai->choice_list_id) == 0) {
pam_info(pamh, "Certificate %s selected", cai->key_id);
pi->selected_cert = cai;
ret = 0;
--
2.21.3

File diff suppressed because it is too large Load Diff

View File

@ -1,208 +0,0 @@
From b8800d3e1b43f2eb28b2df7adb2bcb323bf2d1f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Sat, 14 Nov 2020 17:52:35 +0100
Subject: [PATCH 15/16] pam_sss: add certificate label to reply to pam_sss
Add the certificate label to the data send back and forth to the pam
module to avoid the ambiguity if two certificates use the same key.
Resolves: https://github.com/SSSD/sssd/issues/5400
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/pam/pamsrv_p11.c | 13 ++++++++++---
src/sss_client/pam_sss.c | 15 +++++++++++++++
src/tests/cmocka/test_pam_srv.c | 20 ++++++++++++++++----
3 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 23f94927a..e1fd72e64 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -1086,11 +1086,13 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
const char *token_name;
const char *module_name;
const char *key_id;
+ const char *label;
char *prompt;
size_t user_len;
size_t token_len;
size_t module_len;
size_t key_id_len;
+ size_t label_len;
size_t prompt_len;
size_t nss_name_len;
const char *username = "";
@@ -1113,16 +1115,18 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
token_name = sss_cai_get_token_name(cert_info);
module_name = sss_cai_get_module_name(cert_info);
key_id = sss_cai_get_key_id(cert_info);
+ label = sss_cai_get_label(cert_info);
user_len = strlen(username) + 1;
token_len = strlen(token_name) + 1;
module_len = strlen(module_name) + 1;
key_id_len = strlen(key_id) + 1;
+ label_len = strlen(label) + 1;
prompt_len = strlen(prompt) + 1;
nss_name_len = strlen(nss_username) +1;
- msg_len = user_len + token_len + module_len + key_id_len + prompt_len
- + nss_name_len;
+ msg_len = user_len + token_len + module_len + key_id_len + label_len
+ + prompt_len + nss_name_len;
msg = talloc_zero_size(mem_ctx, msg_len);
if (msg == NULL) {
@@ -1136,8 +1140,11 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
memcpy(msg + user_len + token_len, module_name, module_len);
memcpy(msg + user_len + token_len + module_len, key_id, key_id_len);
memcpy(msg + user_len + token_len + module_len + key_id_len,
+ label, label_len);
+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len,
prompt, prompt_len);
- memcpy(msg + user_len + token_len + module_len + key_id_len + prompt_len,
+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len
+ + prompt_len,
nss_username, nss_name_len);
talloc_free(prompt);
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index cffbfa770..c539d6de6 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -142,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
free(cai->token_name);
free(cai->module_name);
free(cai->key_id);
+ free(cai->label);
free(cai->prompt_str);
free(cai->choice_list_id);
free(cai);
@@ -936,6 +937,20 @@ static int parse_cert_info(struct pam_items *pi, uint8_t *buf, size_t len,
goto done;
}
+ cai->label = strdup((char *) &buf[*p + offset]);
+ if (cai->label == NULL) {
+ D(("strdup failed"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ offset += strlen(cai->label) + 1;
+ if (offset >= len) {
+ D(("Cert message size mismatch"));
+ ret = EINVAL;
+ goto done;
+ }
+
cai->prompt_str = strdup((char *) &buf[*p + offset]);
if (cai->prompt_str == NULL) {
D(("strdup failed"));
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index cb05042de..5506fbf34 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -62,13 +62,16 @@
#define TEST_TOKEN_NAME "SSSD Test Token"
#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
+#define TEST_LABEL "SSSD test cert 0001"
#define TEST_MODULE_NAME SOFTHSM2_PATH
#define TEST_PROMPT "SSSD test cert 0001\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
#define TEST2_PROMPT "SSSD test cert 0002\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
#define TEST5_PROMPT "SSSD test cert 0005\nCN=SSSD test cert 0005,OU=SSSD test,O=SSSD"
#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
+#define TEST2_LABEL "SSSD test cert 0002"
#define TEST5_KEY_ID "1195833C424AB00297F582FC43FFFFAB47A64CC9"
+#define TEST5_LABEL "SSSD test cert 0005"
static char CACHED_AUTH_TIMEOUT_STR[] = "4";
static const int CACHED_AUTH_TIMEOUT = 4;
@@ -673,6 +676,7 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
+ sizeof(TEST_TOKEN_NAME)
+ sizeof(TEST_MODULE_NAME)
+ sizeof(TEST_KEY_ID)
+ + sizeof(TEST_LABEL)
+ sizeof(TEST_PROMPT)
+ sizeof("pamuser")));
@@ -692,6 +696,10 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
assert_string_equal(body + rp, TEST_KEY_ID);
rp += sizeof(TEST_KEY_ID);
+ assert_int_equal(*(body + rp + sizeof(TEST_LABEL) - 1), 0);
+ assert_string_equal(body + rp, TEST_LABEL);
+ rp += sizeof(TEST_LABEL);
+
assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0);
assert_string_equal(body + rp, TEST_PROMPT);
rp += sizeof(TEST_PROMPT);
@@ -740,6 +748,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
TEST_TOKEN_NAME,
TEST_MODULE_NAME,
TEST_KEY_ID,
+ TEST_LABEL,
TEST_PROMPT,
NULL,
NULL };
@@ -749,6 +758,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
TEST_TOKEN_NAME,
TEST_MODULE_NAME,
TEST2_KEY_ID,
+ TEST2_LABEL,
TEST2_PROMPT,
NULL,
NULL };
@@ -756,10 +766,10 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
assert_int_equal(status, 0);
check_strings[0] = name;
- check_strings[5] = nss_name;
+ check_strings[6] = nss_name;
check_len = check_string_array_len(check_strings);
check2_strings[0] = name;
- check2_strings[5] = nss_name;
+ check2_strings[6] = nss_name;
check2_len = check_string_array_len(check2_strings);
@@ -843,6 +853,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
TEST_TOKEN2_NAME,
TEST_MODULE_NAME,
TEST2_KEY_ID,
+ TEST2_LABEL,
TEST2_PROMPT,
NULL,
NULL };
@@ -850,7 +861,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
assert_int_equal(status, 0);
check2_strings[0] = name;
- check2_strings[5] = nss_name;
+ check2_strings[6] = nss_name;
check2_len = check_string_array_len(check2_strings);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
@@ -895,7 +906,7 @@ static int test_pam_cert_X_token_X_check_ex(uint32_t status, uint8_t *body,
assert_int_equal(status, 0);
check_strings[0] = name;
- check_strings[5] = nss_name;
+ check_strings[6] = nss_name;
check_len = check_string_array_len(check_strings);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
@@ -946,6 +957,7 @@ static int test_pam_cert5_check(uint32_t status, uint8_t *body, size_t blen)
TEST_TOKEN_NAME,
TEST_MODULE_NAME,
TEST5_KEY_ID,
+ TEST5_LABEL,
TEST5_PROMPT,
NULL,
NULL };
--
2.21.3

View File

@ -1,265 +0,0 @@
From f633f37e712cb0f7524a2ee257e15f34468149b4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Nov 2020 09:58:52 +0100
Subject: [PATCH 16/16] add tests multiple certs same id
Add unit test for the case that two certificates use the same key.
Resolves: https://github.com/SSSD/sssd/issues/5400
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tests/cmocka/test_pam_srv.c | 116 +++++++++++++++++++
src/tests/test_CA/Makefile.am | 26 ++++-
src/tests/test_CA/SSSD_test_cert_0006.config | 20 ++++
3 files changed, 161 insertions(+), 1 deletion(-)
create mode 100644 src/tests/test_CA/SSSD_test_cert_0006.config
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 5506fbf34..8ca5abd43 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -40,12 +40,14 @@
#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
#include "tests/test_CA/SSSD_test_cert_x509_0002.h"
#include "tests/test_CA/SSSD_test_cert_x509_0005.h"
+#include "tests/test_CA/SSSD_test_cert_x509_0006.h"
#include "tests/test_ECC_CA/SSSD_test_ECC_cert_x509_0001.h"
#else
#define SSSD_TEST_CERT_0001 ""
#define SSSD_TEST_CERT_0002 ""
#define SSSD_TEST_CERT_0005 ""
+#define SSSD_TEST_CERT_0006 ""
#define SSSD_TEST_ECC_CERT_0001 ""
#endif
@@ -1093,6 +1095,13 @@ static int test_pam_creds_insufficient_check(uint32_t status,
return EOK;
}
+static int test_pam_auth_err_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ /* PAM_AUTH_ERR is returned for different types of error, we use different
+ * names for the check functions to make the purpose more clear. */
+ return test_pam_wrong_pw_offline_auth_check(status, body, blen);
+}
+
static int test_pam_user_unknown_check(uint32_t status,
uint8_t *body, size_t blen)
{
@@ -2500,6 +2509,107 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
assert_int_equal(ret, EOK);
}
+/* The following three tests cover a use case where multiple certificates are
+ * using the same key-pair. According to PKCS#11 specs "The CKA_ID field is
+ * intended to distinguish among multiple keys. In the case of public and
+ * private keys, this field assists in handling multiple keys held by the same
+ * subject; the key identifier for a public key and its corresponding private
+ * key should be the same. The key identifier should also be the same as for
+ * the corresponding certificate, if one exists. Cryptoki does not enforce
+ * these associations, however." As a result certificates sharing the same
+ * key-pair will have the same id on the Smartcard. This means a second
+ * parameter is needed to distinguish them. We use the label here.
+ *
+ * The first test makes sure authentication fails is the label is missing, the
+ * second and third test make sure that each certificate can be selected with
+ * the proper label. */
+void test_pam_cert_auth_2certs_same_id_no_label(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ NULL, NULL,
+ NULL, SSSD_TEST_CERT_0001);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_auth_err_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_2certs_same_id_with_label_1(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ "SSSD test cert 0001", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_2certs_same_id_with_label_6(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "11111111",
+ "SSSD test cert 0006", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0006);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
void test_pam_cert_preauth_uri_token1(void **state)
{
int ret;
@@ -3179,6 +3289,12 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_no_label,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_1,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_6,
+ pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index 0e0122737..8765d0fd6 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -6,6 +6,7 @@ dist_noinst_DATA = \
SSSD_test_cert_0003.config \
SSSD_test_cert_0004.config \
SSSD_test_cert_0005.config \
+ SSSD_test_cert_0006.config \
SSSD_test_cert_key_0001.pem \
SSSD_test_cert_key_0002.pem \
SSSD_test_cert_key_0003.pem \
@@ -25,7 +26,7 @@ pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids)))
pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
-extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id
if HAVE_FAKETIME
extra += SSSD_test_CA_expired_crl.pem
endif
@@ -41,6 +42,14 @@ $(pwdfile):
SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
+# SSSD_test_cert_0006 should use the same key as SSSD_test_cert_0001
+.INTERMEDIATE: SSSD_test_cert_req_0006.pem
+SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSSD_test_cert_0006.config
+ if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0006.config) -eq 0 ]; then \
+ $(OPENSSL) req -new -nodes -key $< -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
+ else \
+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \
+ fi
SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config
if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_$*.config) -eq 0 ]; then \
@@ -52,6 +61,9 @@ SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test
SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem
$(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@
+SSSD_test_cert_pkcs12_0006.pem: SSSD_test_cert_x509_0006.pem $(srcdir)/SSSD_test_cert_key_0001.pem $(pwdfile)
+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_0006.pem -inkey $(srcdir)/SSSD_test_cert_key_0001.pem -nodes -passout file:$(pwdfile) -out $@
+
SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile)
$(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
@@ -130,6 +142,18 @@ softhsm2_ocsp.conf:
@echo "objectstore.backend = file" >> $@
@echo "slots.removable = true" >> $@
+softhsm2_2certs_same_id: softhsm2_2certs_same_id.conf SSSD_test_cert_x509_0001.pem SSSD_test_cert_x509_0006.pem
+ mkdir $@
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0006.pem --login --label 'SSSD test cert 0006' --id '11111111'
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id '11111111'
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id '11111111'
+
+softhsm2_2certs_same_id.conf:
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2certs_same_id" > $@
+ @echo "objectstore.backend = file" >> $@
+ @echo "slots.removable = true" >> $@
+
CLEANFILES = \
index.txt index.txt.attr \
index.txt.attr.old index.txt.old \
diff --git a/src/tests/test_CA/SSSD_test_cert_0006.config b/src/tests/test_CA/SSSD_test_cert_0006.config
new file mode 100644
index 000000000..762de55cd
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_0006.config
@@ -0,0 +1,20 @@
+# This certificate is used in
+# - src/tests/cmocka/test_pam_srv.c
+# and should use the same key-pair as SSSD_test_cert_0001
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test cert 0006
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd//
--
2.21.3

View File

@ -1,53 +0,0 @@
From 1e9abd508ea5627465d528788645d4dbe53d7d31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
Date: Wed, 2 Dec 2020 03:00:26 +0100
Subject: [PATCH 17/18] data_provider_be: Add random offset default
Replace hardcoded default value of 30 with more meaningful
OFFLINE_TIMEOUT_RANDOM_OFFSET define.
This value is used to calculate task timeout during offline
status checking by formula (from SSSD MAN page):
new_interval = (old_interval * 2) + random_offset
As it is explicite mentioned in documentation it should
be expressed in the code similar way.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/providers/data_provider_be.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 4c10d6b48..10421c6b4 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -51,6 +51,7 @@
#define ONLINE_CB_RETRY 3
#define ONLINE_CB_RETRY_MAX_DELAY 4
+#define OFFLINE_TIMEOUT_RANDOM_OFFSET 30
#define OFFLINE_TIMEOUT_DEFAULT 60
#define OFFLINE_TIMEOUT_MAX_DEFAULT 3600
@@ -152,9 +153,13 @@ void be_mark_offline(struct be_ctx *ctx)
offline_timeout = get_offline_timeout(ctx);
offline_timeout_max = get_offline_timeout_max(ctx);
- ret = be_ptask_create_sync(ctx, ctx,
- offline_timeout, offline_timeout,
- offline_timeout, 30, offline_timeout,
+ ret = be_ptask_create_sync(ctx,
+ ctx,
+ offline_timeout,
+ offline_timeout,
+ offline_timeout,
+ OFFLINE_TIMEOUT_RANDOM_OFFSET,
+ offline_timeout,
offline_timeout_max,
try_to_go_online,
ctx, "Check if online (periodic)",
--
2.21.3

View File

@ -1,59 +0,0 @@
From 171b664ec4a7c94583b35597bd7e1e72bf89d217 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
Date: Wed, 2 Dec 2020 03:10:50 +0100
Subject: [PATCH 18/18] data_provider_be: MAN page update
Updated description of parameters:
* offline_timeout
* offline_timeout_max
MAN page now explains that in some circumstances
corelation of offline_timeout and offline_timeout_max values
may lead to offline checking interval not incrementing.
This is a false positive error as in fact the value
just saturates almost instantly.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/man/sssd.conf.5.xml | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index d637e2eaa..8b330de58 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -739,12 +739,12 @@
offline_timeout + random_offset
</para>
<para>
- The random offset can increment up to 30 seconds.
+ The random offset value is from 0 to 30.
After each unsuccessful attempt to go online,
the new interval is recalculated by the following:
</para>
<para>
- new_interval = old_interval*2 + random_offset
+ new_interval = (old_interval * 2) + random_offset
</para>
<para>
Note that the maximum length of each interval
@@ -769,6 +769,16 @@
<para>
A value of 0 disables the incrementing behaviour.
</para>
+ <para>
+ The value of this parameter should be set in correlation
+ to offline_timeout parameter value.
+ </para>
+ <para>
+ With offline_timeout set to 60 (default value) there is no point
+ in setting offlinet_timeout_max to less than 120 as it will
+ saturate instantly. General rule here should be to set
+ offline_timeout_max to at least 4 times offline_timeout.
+ </para>
<para>
Although a value between 0 and offline_timeout may be
specified, it has the effect of overriding the
--
2.21.3

File diff suppressed because it is too large Load Diff

View File

@ -1,31 +0,0 @@
From 45f2eb57dc9068cba13099cab90f1be3f3455442 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 2 Oct 2020 14:04:24 +0200
Subject: [PATCH 20/27] sss_format.h: include config.h
config.h is required for the definitions to work correctly. Compilation
will fail if sss_format.h is included in a file that does not include
directly or indirectly config.h
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/sss_format.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/util/sss_format.h b/src/util/sss_format.h
index 5cf080842..9a3041704 100644
--- a/src/util/sss_format.h
+++ b/src/util/sss_format.h
@@ -27,6 +27,8 @@
#ifndef __SSS_FORMAT_H__
#define __SSS_FORMAT_H__
+#include "config.h"
+
#include <inttypes.h>
/* key_serial_t is defined in keyutils.h as typedef int32_t */
--
2.21.3

View File

@ -1,59 +0,0 @@
From 3b0e48c33c6b43688ff46fed576266cfe6362595 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 8 Oct 2020 13:25:17 +0200
Subject: [PATCH 21/27] packet: add sss_packet_set_body
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/common/responder_packet.c | 19 +++++++++++++++++++
src/responder/common/responder_packet.h | 5 +++++
2 files changed, 24 insertions(+)
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index ab15b1dac..f56d92276 100644
--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -302,6 +302,25 @@ void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen
*blen = sss_packet_get_len(packet) - SSS_NSS_HEADER_SIZE;
}
+errno_t sss_packet_set_body(struct sss_packet *packet,
+ uint8_t *body,
+ size_t blen)
+{
+ uint8_t *pbody;
+ size_t plen;
+ errno_t ret;
+
+ ret = sss_packet_grow(packet, blen);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ sss_packet_get_body(packet, &pbody, &plen);
+ memcpy(pbody, body, blen);
+
+ return EOK;
+}
+
void sss_packet_set_error(struct sss_packet *packet, int error)
{
SAFEALIGN_SETMEM_UINT32(packet->buffer + SSS_PACKET_ERR_OFFSET, error,
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
index afceb4aae..509a22a9a 100644
--- a/src/responder/common/responder_packet.h
+++ b/src/responder/common/responder_packet.h
@@ -42,4 +42,9 @@ uint32_t sss_packet_get_status(struct sss_packet *packet);
void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen);
void sss_packet_set_error(struct sss_packet *packet, int error);
+/* Grow packet and set its body. */
+errno_t sss_packet_set_body(struct sss_packet *packet,
+ uint8_t *body,
+ size_t blen);
+
#endif /* __SSSSRV_PACKET_H__ */
--
2.21.3

View File

@ -1,119 +0,0 @@
From 6715b31f2e12c7f76cfb477551cee46e697c7d51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 8 Oct 2020 13:25:58 +0200
Subject: [PATCH 22/27] domain: store hostname and keytab path
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 45 +++++++++++++++++++++++++++++++++++++++
src/confdb/confdb.h | 6 ++++++
src/db/sysdb_subdomains.c | 12 +++++++++++
3 files changed, 63 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index d2fc018fd..f981ddf1e 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -871,6 +871,35 @@ done:
return ret;
}
+static char *confdb_get_domain_hostname(TALLOC_CTX *mem_ctx,
+ struct ldb_result *res,
+ const char *provider)
+{
+ char sys[HOST_NAME_MAX + 1] = {'\0'};
+ const char *opt = NULL;
+ int ret;
+
+ if (strcasecmp(provider, "ad") == 0) {
+ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ad_hostname", NULL);
+ } else if (strcasecmp(provider, "ipa") == 0) {
+ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ipa_hostname", NULL);
+ }
+
+ if (opt != NULL) {
+ return talloc_strdup(mem_ctx, opt);
+ }
+
+ ret = gethostname(sys, sizeof(sys));
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get hostname [%d]: %s\n", ret,
+ sss_strerror(ret));
+ return NULL;
+ }
+
+ return talloc_strdup(mem_ctx, sys);
+}
+
static int confdb_get_domain_internal(struct confdb_ctx *cdb,
TALLOC_CTX *mem_ctx,
const char *name,
@@ -1536,6 +1565,22 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ domain->hostname = confdb_get_domain_hostname(domain, res, domain->provider);
+ if (domain->hostname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain hostname\n");
+ goto done;
+ }
+
+ domain->krb5_keytab = NULL;
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], "krb5_keytab", NULL);
+ if (tmp != NULL) {
+ domain->krb5_keytab = talloc_strdup(domain, tmp);
+ if (domain->krb5_keytab == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain keytab!\n");
+ goto done;
+ }
+ }
+
domain->has_views = false;
domain->view_name = NULL;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index fd6d76cde..54e3f7380 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -425,6 +425,12 @@ struct sss_domain_info {
/* Do not use the _output_fqnames property directly in new code, but rather
* use sss_domain_info_{get,set}_output_fqnames(). */
bool output_fqnames;
+
+ /* Hostname associated with this domain. */
+ const char *hostname;
+
+ /* Keytab used by this domain. */
+ const char *krb5_keytab;
};
/**
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index d256817a6..5b42f9bdc 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -125,6 +125,18 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
}
}
+ dom->hostname = talloc_strdup(dom, parent->hostname);
+ if (dom->hostname == NULL && parent->hostname != NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy hostname.\n");
+ goto fail;
+ }
+
+ dom->krb5_keytab = talloc_strdup(dom, parent->krb5_keytab);
+ if (dom->krb5_keytab == NULL && parent->krb5_keytab != NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy krb5_keytab.\n");
+ goto fail;
+ }
+
dom->enumerate = enumerate;
dom->fqnames = true;
dom->mpg_mode = mpg_mode;
--
2.21.3

View File

@ -1,70 +0,0 @@
From a3e2677f919c6b1b1649ad80cc3435b4bb2efc0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 10 Dec 2020 19:28:58 +0100
Subject: [PATCH 23/27] cache_req: add helper to call user by upn search
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/common/cache_req/cache_req.h | 13 +++++++++++
.../cache_req/plugins/cache_req_user_by_upn.c | 23 +++++++++++++++++++
2 files changed, 36 insertions(+)
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index d36cb2d3b..d301a076e 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -277,6 +277,19 @@ cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
#define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \
cache_req_single_domain_recv(mem_ctx, req, _result)
+struct tevent_req *
+cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ const char *upn);
+
+#define cache_req_user_by_upn_recv(mem_ctx, req, _result) \
+ cache_req_single_domain_recv(mem_ctx, req, _result);
+
struct tevent_req *
cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
index e08ab70ae..037994c8c 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
@@ -133,3 +133,26 @@ const struct cache_req_plugin cache_req_user_by_upn = {
.dp_get_domain_send_fn = NULL,
.dp_get_domain_recv_fn = NULL,
};
+
+struct tevent_req *
+cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ const char *upn)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_name(mem_ctx, CACHE_REQ_USER_BY_UPN, upn);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ req_dom_type, domain,
+ data);
+}
--
2.21.3

View File

@ -1,27 +0,0 @@
From dcc42015f7ada1c4e4daed17e2c8087e29cb7616 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 1 Oct 2020 14:02:44 +0200
Subject: [PATCH 24/27] pam: fix typo in debug message
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/pam/pamsrv_cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1d0251497..acbfc0c39 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1941,7 +1941,7 @@ static void pam_check_user_search_next(struct tevent_req *req)
talloc_zfree(req);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE, "Cache lookup failed, trying to get fresh "
- "data from the backened.\n");
+ "data from the backend.\n");
}
DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
--
2.21.3

View File

@ -1,280 +0,0 @@
From d63172f1277c5ed166a22f04d144bf85ded4757c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 9 Oct 2020 13:03:54 +0200
Subject: [PATCH 25/27] pam: add pam_gssapi_services option
:config: Added `pam_gssapi_services` to list PAM services
that can authenticate using GSSAPI
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 12 +++++++++++
src/confdb/confdb.h | 4 ++++
src/config/SSSDConfig/sssdoptions.py | 1 +
src/config/SSSDConfigTest.py | 6 ++++--
src/config/cfg_rules.ini | 3 +++
src/config/etc/sssd.api.conf | 2 ++
src/db/sysdb_subdomains.c | 13 ++++++++++++
src/man/sssd.conf.5.xml | 30 ++++++++++++++++++++++++++++
src/responder/pam/pamsrv.c | 21 +++++++++++++++++++
src/responder/pam/pamsrv.h | 3 +++
10 files changed, 93 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index f981ddf1e..7f1956d6d 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1581,6 +1581,18 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
}
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
+ "-");
+ if (tmp != NULL) {
+ ret = split_on_separator(domain, tmp, ',', true, true,
+ &domain->gssapi_services, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES);
+ goto done;
+ }
+ }
+
domain->has_views = false;
domain->view_name = NULL;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 54e3f7380..7a3bc8bb5 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -144,6 +144,7 @@
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
#define CONFDB_PAM_P11_URI "p11_uri"
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
+#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
@@ -431,6 +432,9 @@ struct sss_domain_info {
/* Keytab used by this domain. */
const char *krb5_keytab;
+
+ /* List of PAM services that are allowed to authenticate with GSSAPI. */
+ char **gssapi_services;
};
/**
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index de96db6f4..f59fe8d9f 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -104,6 +104,7 @@ class SSSDOptions(object):
'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
+ 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
# [sudo]
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 323be5ed3..21fffe1b6 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -653,7 +653,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'full_name_format',
're_expression',
'cached_auth_timeout',
- 'auto_private_groups']
+ 'auto_private_groups',
+ 'pam_gssapi_services']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -1030,7 +1031,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'full_name_format',
're_expression',
'cached_auth_timeout',
- 'auto_private_groups']
+ 'auto_private_groups',
+ 'pam_gssapi_services']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 773afd8bb..c6dfd5648 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -139,6 +139,7 @@ option = pam_p11_allowed_services
option = p11_wait_for_card_timeout
option = p11_uri
option = pam_initgroups_scheme
+option = pam_gssapi_services
[rule/allowed_sudo_options]
validator = ini_allowed_options
@@ -437,6 +438,7 @@ option = wildcard_limit
option = full_name_format
option = re_expression
option = auto_private_groups
+option = pam_gssapi_services
#Entry cache timeouts
option = entry_cache_user_timeout
@@ -831,6 +833,7 @@ option = ad_backup_server
option = ad_site
option = use_fully_qualified_names
option = auto_private_groups
+option = pam_gssapi_services
[rule/sssd_checks]
validator = sssd_checks
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 623160ffd..f46f3c46d 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -80,6 +80,7 @@ pam_p11_allowed_services = str, None, false
p11_wait_for_card_timeout = int, None, false
p11_uri = str, None, false
pam_initgroups_scheme = str, None, false
+pam_gssapi_services = str, None, false
[sudo]
# sudo service
@@ -199,6 +200,7 @@ cached_auth_timeout = int, None, false
full_name_format = str, None, false
re_expression = str, None, false
auto_private_groups = str, None, false
+pam_gssapi_services = str, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 5b42f9bdc..bfc6df0f5 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -184,6 +184,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->homedir_substr = parent->homedir_substr;
dom->override_gid = parent->override_gid;
+ dom->gssapi_services = parent->gssapi_services;
+
if (parent->sysdb == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
goto fail;
@@ -241,6 +243,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
sd_conf_path, CONFDB_DOMAIN_FQ,
subdomain->fqnames ? "TRUE" : "FALSE");
+ /* allow to set pam_gssapi_services */
+ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
+ CONFDB_PAM_GSSAPI_SERVICES,
+ &subdomain->gssapi_services);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get %s option for the subdomain: %s\n",
+ CONFDB_PAM_GSSAPI_SERVICES, subdomain->name);
+ goto done;
+ }
+
ret = EOK;
done:
talloc_free(tmp_ctx);
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index d247400bf..db9dd4677 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1706,6 +1706,35 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_gssapi_services</term>
+ <listitem>
+ <para>
+ Comma separated list of PAM services that are
+ allowed to try GSSAPI authentication using
+ pam_sss_gss.so module.
+ </para>
+ <para>
+ To disable GSSAPI authentication, set this option
+ to <quote>-</quote> (dash).
+ </para>
+ <para>
+ Note: This option can also be set per-domain which
+ overwrites the value in [pam] section. It can also
+ be set for trusted domain which overwrites the value
+ in the domain section.
+ </para>
+ <para>
+ Example:
+ <programlisting>
+pam_gssapi_services = sudo, sudo-i
+ </programlisting>
+ </para>
+ <para>
+ Default: - (GSSAPI authentication is disabled)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
@@ -3780,6 +3809,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
<para>ad_backup_server,</para>
<para>ad_site,</para>
<para>use_fully_qualified_names</para>
+ <para>pam_gssapi_services</para>
<para>
For more details about these options see their individual description
in the manual page.
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 1f1ee608b..0492569c7 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -327,6 +327,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
}
}
+ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_GSSAPI_SERVICES, "-", &tmpstr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to determine gssapi services.\n");
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
+ CONFDB_PAM_GSSAPI_SERVICES);
+
+ if (tmpstr != NULL) {
+ ret = split_on_separator(pctx, tmpstr, ',', true, true,
+ &pctx->gssapi_services, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "split_on_separator() failed [%d]: [%s].\n", ret,
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
/* The responder is initialized. Now tell it to the monitor. */
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
SSS_PAM_SBUS_SERVICE_NAME,
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 24d307a14..730dee288 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -62,6 +62,9 @@ struct pam_ctx {
int num_prompting_config_sections;
enum pam_initgroups_scheme initgroups_scheme;
+
+ /* List of PAM services that are allowed to authenticate with GSSAPI. */
+ char **gssapi_services;
};
struct pam_auth_req {
--
2.21.3

View File

@ -1,250 +0,0 @@
From fffe3169bb490c4b010b168c639aa6f9b2ec0c52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 10 Dec 2020 22:05:30 +0100
Subject: [PATCH 26/27] pam: add pam_gssapi_check_upn option
:config: Added `pam_gssapi_check_upn` to enforce authentication
only with principal that can be associated with target user.
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 10 ++++++++++
src/confdb/confdb.h | 2 ++
src/config/SSSDConfig/sssdoptions.py | 1 +
src/config/SSSDConfigTest.py | 6 ++++--
src/config/cfg_rules.ini | 3 +++
src/config/etc/sssd.api.conf | 2 ++
src/db/sysdb_subdomains.c | 12 ++++++++++++
src/man/sssd.conf.5.xml | 26 ++++++++++++++++++++++++++
src/responder/pam/pamsrv.c | 9 +++++++++
src/responder/pam/pamsrv.h | 1 +
10 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 7f1956d6d..2881ce5da 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1593,6 +1593,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
}
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_CHECK_UPN,
+ NULL);
+ if (tmp != NULL) {
+ domain->gssapi_check_upn = talloc_strdup(domain, tmp);
+ if (domain->gssapi_check_upn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
domain->has_views = false;
domain->view_name = NULL;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 7a3bc8bb5..036f9ecad 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -145,6 +145,7 @@
#define CONFDB_PAM_P11_URI "p11_uri"
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
+#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
@@ -435,6 +436,7 @@ struct sss_domain_info {
/* List of PAM services that are allowed to authenticate with GSSAPI. */
char **gssapi_services;
+ char *gssapi_check_upn; /* true | false | NULL */
};
/**
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index f59fe8d9f..5da52a937 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -105,6 +105,7 @@ class SSSDOptions(object):
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
+ 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
# [sudo]
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 21fffe1b6..ea4e4f6c9 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -654,7 +654,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
're_expression',
'cached_auth_timeout',
'auto_private_groups',
- 'pam_gssapi_services']
+ 'pam_gssapi_services',
+ 'pam_gssapi_check_upn']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -1032,7 +1033,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
're_expression',
'cached_auth_timeout',
'auto_private_groups',
- 'pam_gssapi_services']
+ 'pam_gssapi_services',
+ 'pam_gssapi_check_upn']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index c6dfd5648..6642c6321 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -140,6 +140,7 @@ option = p11_wait_for_card_timeout
option = p11_uri
option = pam_initgroups_scheme
option = pam_gssapi_services
+option = pam_gssapi_check_upn
[rule/allowed_sudo_options]
validator = ini_allowed_options
@@ -439,6 +440,7 @@ option = full_name_format
option = re_expression
option = auto_private_groups
option = pam_gssapi_services
+option = pam_gssapi_check_upn
#Entry cache timeouts
option = entry_cache_user_timeout
@@ -834,6 +836,7 @@ option = ad_site
option = use_fully_qualified_names
option = auto_private_groups
option = pam_gssapi_services
+option = pam_gssapi_check_upn
[rule/sssd_checks]
validator = sssd_checks
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index f46f3c46d..d3cad7380 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -81,6 +81,7 @@ p11_wait_for_card_timeout = int, None, false
p11_uri = str, None, false
pam_initgroups_scheme = str, None, false
pam_gssapi_services = str, None, false
+pam_gssapi_check_upn = bool, None, false
[sudo]
# sudo service
@@ -201,6 +202,7 @@ full_name_format = str, None, false
re_expression = str, None, false
auto_private_groups = str, None, false
pam_gssapi_services = str, None, false
+pam_gssapi_check_upn = bool, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index bfc6df0f5..03ba12164 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -254,6 +254,18 @@ check_subdom_config_file(struct confdb_ctx *confdb,
goto done;
}
+ /* allow to set pam_gssapi_check_upn */
+ ret = confdb_get_string(confdb, subdomain, sd_conf_path,
+ CONFDB_PAM_GSSAPI_CHECK_UPN,
+ subdomain->parent->gssapi_check_upn,
+ &subdomain->gssapi_check_upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get %s option for the subdomain: %s\n",
+ CONFDB_PAM_GSSAPI_CHECK_UPN, subdomain->name);
+ goto done;
+ }
+
ret = EOK;
done:
talloc_free(tmp_ctx);
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index db9dd4677..d637e2eaa 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1735,6 +1735,31 @@ pam_gssapi_services = sudo, sudo-i
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_gssapi_check_upn</term>
+ <listitem>
+ <para>
+ If True, SSSD will require that the Kerberos user
+ principal that successfully authenticated through
+ GSSAPI can be associated with the user who is being
+ authenticated. Authentication will fail if the check
+ fails.
+ </para>
+ <para>
+ If False, every user that is able to obtained
+ required service ticket will be authenticated.
+ </para>
+ <para>
+ Note: This option can also be set per-domain which
+ overwrites the value in [pam] section. It can also
+ be set for trusted domain which overwrites the value
+ in the domain section.
+ </para>
+ <para>
+ Default: True
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
@@ -3810,6 +3835,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
<para>ad_site,</para>
<para>use_fully_qualified_names</para>
<para>pam_gssapi_services</para>
+ <para>pam_gssapi_check_upn</para>
<para>
For more details about these options see their individual description
in the manual page.
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 0492569c7..0db2824ff 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -348,6 +348,15 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
}
}
+ ret = confdb_get_bool(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_GSSAPI_CHECK_UPN, true,
+ &pctx->gssapi_check_upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read %s [%d]: %s\n",
+ CONFDB_PAM_GSSAPI_CHECK_UPN, ret, sss_strerror(ret));
+ goto done;
+ }
+
/* The responder is initialized. Now tell it to the monitor. */
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
SSS_PAM_SBUS_SERVICE_NAME,
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 730dee288..bf4dd75b0 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -65,6 +65,7 @@ struct pam_ctx {
/* List of PAM services that are allowed to authenticate with GSSAPI. */
char **gssapi_services;
+ bool gssapi_check_upn;
};
struct pam_auth_req {
--
2.21.3

View File

@ -1,100 +0,0 @@
From 3f0ba4c2dcf9126b0f94bca4a056b516759d25c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 6 Mar 2020 12:49:04 +0100
Subject: [PATCH 13/18] cache_req: allow cache_req to return ERR_OFFLINE if all
dp request failed
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 13 +++++++++++++
src/responder/common/cache_req/cache_req.h | 4 ++++
src/responder/common/cache_req/cache_req_data.c | 12 ++++++++++++
src/responder/common/cache_req/cache_req_private.h | 3 +++
4 files changed, 32 insertions(+)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index afb0e7cda..0c8538414 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -974,6 +974,13 @@ static void cache_req_search_domains_done(struct tevent_req *subreq)
case ERR_ID_OUTSIDE_RANGE:
case ENOENT:
if (state->check_next == false) {
+ if (state->cr->data->propogate_offline_status && !state->dp_success) {
+ /* Not found and data provider request failed so we were
+ * unable to fetch the data. */
+ ret = ERR_OFFLINE;
+ goto done;
+ }
+
/* Not found. */
ret = ENOENT;
goto done;
@@ -1002,6 +1009,12 @@ done:
case EAGAIN:
break;
default:
+ if (ret == ENOENT && state->cr->data->propogate_offline_status
+ && !state->dp_success) {
+ /* Not found and data provider request failed so we were
+ * unable to fetch the data. */
+ ret = ERR_OFFLINE;
+ }
tevent_req_error(req, ret);
break;
}
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index 72d4abe5e..d36cb2d3b 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -171,6 +171,10 @@ void
cache_req_data_set_requested_domains(struct cache_req_data *data,
char **requested_domains);
+void
+cache_req_data_set_propogate_offline_status(struct cache_req_data *data,
+ bool propogate_offline_status);
+
enum cache_req_type
cache_req_data_get_type(struct cache_req_data *data);
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
index 14c4ad14f..fe9f3db29 100644
--- a/src/responder/common/cache_req/cache_req_data.c
+++ b/src/responder/common/cache_req/cache_req_data.c
@@ -455,6 +455,18 @@ cache_req_data_set_requested_domains(struct cache_req_data *data,
data->requested_domains = requested_domains;
}
+void
+cache_req_data_set_propogate_offline_status(struct cache_req_data *data,
+ bool propogate_offline_status)
+{
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n");
+ return;
+ }
+
+ data->propogate_offline_status = propogate_offline_status;
+}
+
enum cache_req_type
cache_req_data_get_type(struct cache_req_data *data)
{
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
index bfca688b9..2d52e7600 100644
--- a/src/responder/common/cache_req/cache_req_private.h
+++ b/src/responder/common/cache_req/cache_req_private.h
@@ -103,6 +103,9 @@ struct cache_req_data {
/* if set, only search in the listed domains */
char **requested_domains;
+
+ /* if set, ERR_OFFLINE is returned if data provider is offline */
+ bool propogate_offline_status;
};
struct tevent_req *
--
2.21.3

View File

@ -1,58 +0,0 @@
From e50258da70b67ff1b0f928e2e7875bc2fa32dfde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 6 Mar 2020 13:12:46 +0100
Subject: [PATCH 14/18] autofs: return ERR_OFFLINE if we fail to get
information from backend and cache is empty
Resolves:
https://github.com/SSSD/sssd/issues/3413
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 ++
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 ++
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index cb674add6..55c9fc8b0 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -142,6 +142,8 @@ cache_req_autofs_entry_by_name_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ cache_req_data_set_propogate_offline_status(data, true);
+
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
cache_refresh_percent,
CACHE_REQ_POSIX_DOM, domain,
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 3c08eaf4f..823eb3595 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -136,6 +136,8 @@ cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ cache_req_data_set_propogate_offline_status(data, true);
+
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
cache_refresh_percent,
CACHE_REQ_POSIX_DOM, domain,
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index 1b5645fa0..3e47b1321 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -168,6 +168,8 @@ cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ cache_req_data_set_propogate_offline_status(data, true);
+
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
cache_refresh_percent,
CACHE_REQ_POSIX_DOM, domain,
--
2.21.3

View File

@ -1,51 +0,0 @@
From 9098108a7142513fa04afdf92a2c1b3ac002c56e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 6 Mar 2020 13:44:56 +0100
Subject: [PATCH 15/18] autofs: translate ERR_OFFLINE to EHOSTDOWN
So we do not publish internal error code.
Resolves:
https://github.com/SSSD/sssd/issues/3413
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/common.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 902438c86..d29332939 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -44,6 +44,7 @@
#define _(STRING) dgettext (PACKAGE, STRING)
#include "sss_cli.h"
#include "common_private.h"
+#include "util/util_errors.h"
#if HAVE_PTHREAD
#include <pthread.h>
@@ -1054,9 +1055,17 @@ int sss_autofs_make_request(enum sss_cli_command cmd,
uint8_t **repbuf, size_t *replen,
int *errnop)
{
- return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
- repbuf, replen, errnop,
- SSS_AUTOFS_SOCKET_NAME);
+ enum sss_status status;
+
+ status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
+ repbuf, replen, errnop,
+ SSS_AUTOFS_SOCKET_NAME);
+
+ if (*errnop == ERR_OFFLINE) {
+ *errnop = EHOSTDOWN;
+ }
+
+ return status;
}
int sss_ssh_make_request(enum sss_cli_command cmd,
--
2.21.3

View File

@ -1,61 +0,0 @@
From 34c519a4851194164befc150df8e768431e66405 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 22 Sep 2020 11:04:25 +0200
Subject: [PATCH 16/18] autofs: disable fast reply
If the backend is offline when autofs starts and reads auto.master map
we don't want to wait 60 seconds before the offline flag is reset. We
need to allow autofs to retry the call much sooner.
Resolves:
https://github.com/SSSD/sssd/issues/3413
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +-
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +-
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index 55c9fc8b0..cd2085187 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -84,7 +84,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_GetEntry_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
- DP_FAST_REPLY, data->name.name,
+ 0, data->name.name,
data->autofs_entry_name);
}
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 823eb3595..9d9bc3a97 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -81,7 +81,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
- DP_FAST_REPLY, data->name.name);
+ 0, data->name.name);
}
bool
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index 3e47b1321..ee0156b6a 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -113,7 +113,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
- DP_FAST_REPLY, data->name.name);
+ 0, data->name.name);
}
bool
--
2.21.3

View File

@ -1,168 +0,0 @@
From 8a22d4ad45f5fc8e888be693539495093c2b3c35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 4 Nov 2020 14:20:10 +0100
Subject: [PATCH 17/18] autofs: correlate errors for different protocol
versions
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/autofs/autofs_test_client.c | 12 ++++++++
src/sss_client/autofs/sss_autofs.c | 35 +++++++++++++++++++---
src/sss_client/autofs/sss_autofs.exports | 9 +++---
src/sss_client/autofs/sss_autofs_private.h | 5 ++++
4 files changed, 53 insertions(+), 8 deletions(-)
diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c
index c5358233f..4b285151e 100644
--- a/src/sss_client/autofs/autofs_test_client.c
+++ b/src/sss_client/autofs/autofs_test_client.c
@@ -45,10 +45,14 @@ int main(int argc, const char *argv[])
char *value = NULL;
char *pc_key = NULL;
int pc_setent = 0;
+ int pc_protocol = 1;
+ unsigned int protocol;
+ unsigned int requested_protocol = 1;
struct poptOption long_options[] = {
POPT_AUTOHELP
{ "by-name", 'n', POPT_ARG_STRING, &pc_key, 0, "Request map by name", NULL },
{ "only-setent", 's', POPT_ARG_VAL, &pc_setent, 1, "Run only setent, do not enumerate", NULL },
+ { "protocol", 'p', POPT_ARG_INT, &pc_protocol, 0, "Protocol version", NULL },
POPT_TABLEEND
};
poptContext pc = NULL;
@@ -69,6 +73,14 @@ int main(int argc, const char *argv[])
poptFreeContext(pc);
+ requested_protocol = pc_protocol;
+ protocol = _sss_auto_protocol_version(requested_protocol);
+ if (protocol != requested_protocol) {
+ fprintf(stderr, "Unsupported protocol version: %d -> %d\n",
+ requested_protocol, protocol);
+ exit(EXIT_FAILURE);
+ }
+
ret = _sss_setautomntent(mapname, &ctx);
if (ret) {
fprintf(stderr, "setautomntent failed [%d]: %s\n",
diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
index 482ff2c40..ef27cf895 100644
--- a/src/sss_client/autofs/sss_autofs.c
+++ b/src/sss_client/autofs/sss_autofs.c
@@ -20,6 +20,7 @@
#include <errno.h>
#include <stdlib.h>
+#include <stdatomic.h>
#include "sss_client/autofs/sss_autofs_private.h"
#include "sss_client/sss_cli.h"
@@ -33,6 +34,32 @@
/* How many entries shall _sss_getautomntent_r retrieve at once */
#define GETAUTOMNTENT_MAX_ENTRIES 512
+static atomic_uint _protocol = 0;
+
+unsigned int _sss_auto_protocol_version(unsigned int requested)
+{
+ switch (requested) {
+ case 0:
+ /* EHOSTDOWN will be translated to ENOENT */
+ _protocol = 0;
+ return 0;
+ default:
+ /* There is no other protocol version at this point. */
+ _protocol = 1;
+ return 1;
+ }
+}
+
+/* Returns correct errno based on autofs version expectations. */
+static errno_t errnop_to_errno(int errnop)
+{
+ if (errnop == EHOSTDOWN && _protocol == 0) {
+ return ENOENT;
+ }
+
+ return errnop;
+}
+
struct automtent {
char *mapname;
size_t cursor;
@@ -93,7 +120,7 @@ _sss_setautomntent(const char *mapname, void **context)
&repbuf, &replen, &errnop);
if (ret != SSS_STATUS_SUCCESS) {
free(name);
- ret = errnop;
+ ret = errnop_to_errno(errnop);
goto out;
}
@@ -310,7 +337,7 @@ _sss_getautomntent_r(char **key, char **value, void *context)
&repbuf, &replen, &errnop);
free(data);
if (ret != SSS_STATUS_SUCCESS) {
- ret = errnop;
+ ret = errnop_to_errno(errnop);
goto out;
}
@@ -408,7 +435,7 @@ _sss_getautomntbyname_r(const char *key, char **value, void *context)
&repbuf, &replen, &errnop);
free(data);
if (ret != SSS_STATUS_SUCCESS) {
- ret = errnop;
+ ret = errnop_to_errno(errnop);
goto out;
}
@@ -467,7 +494,7 @@ _sss_endautomntent(void **context)
ret = sss_autofs_make_request(SSS_AUTOFS_ENDAUTOMNTENT,
NULL, NULL, NULL, &errnop);
if (ret != SSS_STATUS_SUCCESS) {
- ret = errnop;
+ ret = errnop_to_errno(errnop);
goto out;
}
diff --git a/src/sss_client/autofs/sss_autofs.exports b/src/sss_client/autofs/sss_autofs.exports
index f9ce8f5b2..ec61f715e 100644
--- a/src/sss_client/autofs/sss_autofs.exports
+++ b/src/sss_client/autofs/sss_autofs.exports
@@ -2,10 +2,11 @@ EXPORTED {
# public functions
global:
- _sss_setautomntent;
- _sss_getautomntent_r;
- _sss_getautomntbyname_r;
- _sss_endautomntent;
+ _sss_auto_protocol_version;
+ _sss_setautomntent;
+ _sss_getautomntent_r;
+ _sss_getautomntbyname_r;
+ _sss_endautomntent;
# everything else is local
local:
diff --git a/src/sss_client/autofs/sss_autofs_private.h b/src/sss_client/autofs/sss_autofs_private.h
index 6459c1cc7..7fd49db1d 100644
--- a/src/sss_client/autofs/sss_autofs_private.h
+++ b/src/sss_client/autofs/sss_autofs_private.h
@@ -21,6 +21,11 @@
#include <errno.h>
#include "util/util.h"
+/**
+ * Choose an autofs protocol version to be used between autofs and sss_autofs.
+ */
+unsigned int _sss_auto_protocol_version(unsigned int requested);
+
/**
* Selects a map for processing.
*/
--
2.21.3

View File

@ -1,28 +0,0 @@
From 075519bceca7a8f4fa28a0b7c538f2f50d552d13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 26 Nov 2020 14:56:08 +0100
Subject: [PATCH 18/18] configure: check for stdatomic.h
Recent autofs patches adds dependency on automic_uint/_Atomic type from C11
standard. This is supported in both gcc and clang for a long time now.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
configure.ac | 1 +
1 file changed, 1 insertion(+)
diff --git a/configure.ac b/configure.ac
index 1af1d1785..0d24c4b35 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,6 +42,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
AC_CHECK_HEADERS(stdint.h dlfcn.h)
+AC_CHECK_HEADERS([stdatomic.h],,AC_MSG_ERROR([C11 atomic types are not supported]))
AC_CONFIG_HEADER(config.h)
AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
--
2.21.3

View File

@ -1,131 +0,0 @@
From 2499bd145f566bfd73b8c7e284b910dd2b36c6d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 15 Jan 2021 12:04:38 +0100
Subject: [PATCH] cache_req: ignore autofs not configured error
Otherwise we return ERR_OFFLINE for domains where autofs provider is not
set (such as implicit files domain) which is undesirable.
Steps to reproduce:
1. Enable implicit files domains and LDAP domain with autofs configured
2. Setup NFS server to export `/exports` with `/exports/home/test`
3. Add autofs mount points:
```
dn: ou=mount,dc=ldap,dc=vm
ou: mount
objectClass: organizationalUnit
objectClass: top
dn: nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
objectClass: nisMap
objectClass: top
nisMapName: auto.master
dn: cn=/export/home,nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
objectClass: nisObject
objectClass: top
cn: /export/home
nisMapEntry: auto.home
nisMapName: auto.master
dn: nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
objectClass: nisMap
objectClass: top
nisMapName: auto.home
dn: cn=/,nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
objectClass: nisObject
objectClass: top
cn: /
nisMapEntry: -fstype=nfs,rw master.ldap.vm:/export/home/&
nisMapName: auto.home
```
4. Run SSSD and autofs
5. cd to /exports/home/test
The directory will not be mounted with the new autofs protocol. It
will succeed with the old protocol. In both versions, you'll see
that SSSD returned ERR_OFFLINE:
```
(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured
...
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Object [auto.home:test] was not found in cache
(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache
(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline
```
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
.../cache_req/plugins/cache_req_autofs_entry_by_name.c | 10 +++++++++-
.../cache_req/plugins/cache_req_autofs_map_by_name.c | 10 +++++++++-
.../cache_req/plugins/cache_req_autofs_map_entries.c | 10 +++++++++-
3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index cd2085187..f411fd351 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -92,7 +92,15 @@ bool
cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq,
struct cache_req *cr)
{
- return sbus_call_dp_autofs_GetEntry_recv(subreq) == EOK;
+ errno_t ret;
+
+ ret = sbus_call_dp_autofs_GetEntry_recv(subreq);
+
+ if (ret == ERR_MISSING_DP_TARGET) {
+ ret = EOK;
+ }
+
+ return ret == EOK;
}
const struct cache_req_plugin cache_req_autofs_entry_by_name = {
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 9d9bc3a97..c22cf0c8e 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -88,7 +88,15 @@ bool
cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq,
struct cache_req *cr)
{
- return sbus_call_dp_autofs_GetMap_recv(subreq) == EOK;
+ errno_t ret;
+
+ ret = sbus_call_dp_autofs_GetMap_recv(subreq);
+
+ if (ret == ERR_MISSING_DP_TARGET) {
+ ret = EOK;
+ }
+
+ return ret == EOK;
}
const struct cache_req_plugin cache_req_autofs_map_by_name = {
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index ee0156b6a..4d9db6595 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -120,7 +120,15 @@ bool
cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq,
struct cache_req *cr)
{
- return sbus_call_dp_autofs_Enumerate_recv(subreq) == EOK;
+ errno_t ret;
+
+ ret = sbus_call_dp_autofs_Enumerate_recv(subreq);
+
+ if (ret == ERR_MISSING_DP_TARGET) {
+ ret = EOK;
+ }
+
+ return ret == EOK;
}
const struct cache_req_plugin cache_req_autofs_map_entries = {
--
2.21.3

View File

@ -1,100 +0,0 @@
From 19c2c641e669ee1c08d6706c132625dc30e64609 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 12 Jan 2021 16:40:56 +0100
Subject: [PATCH] simple: fix memory leak while reloading lists
The simple access provider will reload the access and deny lists at
runtime to make sure that users and groups from domains which are
discovered at runtime are properly processed.
While reloading the lists the original lists are not freed and an
intermediate list wasn't removed as well.
Resolves: https://github.com/SSSD/sssd/issues/5456
:fixes: Memory leak in the simple access provider
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/simple/simple_access.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index 1868569b1..49226adf2 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -117,17 +117,13 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
const char *name;
const char *option;
char **orig_list;
- char ***ctx_list;
+ char **ctx_list;
} lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
{"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
{"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
{"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
{NULL, NULL, NULL, NULL}};
- lists[0].ctx_list = &ctx->allow_users;
- lists[1].ctx_list = &ctx->deny_users;
- lists[2].ctx_list = &ctx->allow_groups;
- lists[3].ctx_list = &ctx->deny_groups;
ret = sysdb_master_domain_update(bectx->domain);
if (ret != EOK) {
@@ -141,7 +137,6 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
lists[i].option, &lists[i].orig_list);
if (ret == ENOENT) {
DEBUG(SSSDBG_FUNC_DATA, "%s list is empty.\n", lists[i].name);
- *lists[i].ctx_list = NULL;
continue;
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string_as_list failed.\n");
@@ -149,7 +144,8 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
}
ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
- lists[i].ctx_list);
+ &lists[i].ctx_list);
+ talloc_free(lists[i].orig_list);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse %s list [%d]: %s\n",
lists[i].name, ret, sss_strerror(ret));
@@ -157,6 +153,18 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
}
}
+ talloc_free(ctx->allow_users);
+ ctx->allow_users = talloc_steal(ctx, lists[0].ctx_list);
+
+ talloc_free(ctx->deny_users);
+ ctx->deny_users = talloc_steal(ctx, lists[1].ctx_list);
+
+ talloc_free(ctx->allow_groups);
+ ctx->allow_groups = talloc_steal(ctx, lists[2].ctx_list);
+
+ talloc_free(ctx->deny_groups);
+ ctx->deny_groups = talloc_steal(ctx, lists[3].ctx_list);
+
if (!ctx->allow_users &&
!ctx->allow_groups &&
!ctx->deny_users &&
@@ -165,9 +173,15 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
"No rules supplied for simple access provider. "
"Access will be granted for all users.\n");
}
+
+
return EOK;
failed:
+ for (i = 0; lists[i].name != NULL; i++) {
+ talloc_free(lists[i].ctx_list);
+ }
+
return ret;
}
--
2.21.3

View File

@ -1,38 +0,0 @@
From bdf461c7577c458d7b2a785b2007c0ccae73e3f7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 11 Jan 2021 18:28:02 +0100
Subject: [PATCH] SBUS: do not try to del non existing sender
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/5425
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sbus/request/sbus_request_sender.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/sbus/request/sbus_request_sender.c b/src/sbus/request/sbus_request_sender.c
index cecb188b0..39cdec064 100644
--- a/src/sbus/request/sbus_request_sender.c
+++ b/src/sbus/request/sbus_request_sender.c
@@ -101,10 +101,11 @@ void
sbus_senders_delete(hash_table_t *table,
const char *name)
{
- DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
- name);
-
- sss_ptr_hash_delete(table, name, true);
+ if (sss_ptr_hash_has_key(table, name)) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
+ name);
+ sss_ptr_hash_delete(table, name, true);
+ }
}
errno_t
--
2.21.3

View File

@ -1,34 +0,0 @@
From c0ae6d34ff7c170ca0e6d0faa8a2daf9a77becb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 8 Jan 2021 14:00:47 +0100
Subject: [PATCH] pamsrv_gssapi: fix implicit conversion warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
src/responder/pam/pamsrv_gssapi.c: In function pam_cmd_gssapi_sec_ctx:
src/responder/pam/pamsrv_gssapi.c:716:64: error: implicit conversion from enum sss_domain_type to enum cache_req_dom_type [-Werror=enum-conversion]
716 | cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/pam/pamsrv_gssapi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
index 099675e1c..2d05c7888 100644
--- a/src/responder/pam/pamsrv_gssapi.c
+++ b/src/responder/pam/pamsrv_gssapi.c
@@ -713,7 +713,8 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
DEBUG(SSSDBG_TRACE_FUNC, "Checking that target user matches UPN\n");
req = cache_req_user_by_upn_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx,
- cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
+ cli_ctx->rctx->ncache, 0,
+ CACHE_REQ_POSIX_DOM,
domain->name, state->authenticated_upn);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
--
2.21.3

View File

@ -1,34 +0,0 @@
From cc173629f30fbc885ee90e52a205554b118e0ee6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 11 Jan 2021 13:11:39 +0100
Subject: [PATCH 38/39] gssapi: default pam_gssapi_services to NULL in domain
section
We need to distinguish when the option is not set in domain section and when
it is is explicitly disabled. Now if it is not set, domain->gssapi_services
is NULL and we'll use value from the pam section.
Without this change, the value in the pam section is ignored.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/confdb/confdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 2881ce5da..befcfff2d 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1582,7 +1582,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
- "-");
+ NULL);
if (tmp != NULL) {
ret = split_on_separator(domain, tmp, ',', true, true,
&domain->gssapi_services, NULL);
--
2.21.3

View File

@ -1,133 +0,0 @@
From 111b8b4d62a4fe192c075e6f6bfacb408e6074b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 12 Jan 2021 13:50:11 +0100
Subject: [PATCH 39/39] pam_sss_gssapi: fix coverity issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
```
1. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
Expand
2. Defect type: RESOURCE_LEAK
3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to.
Expand
3. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
Expand
4. Defect type: RESOURCE_LEAK
6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to.
Expand
5. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to.
Expand
6. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to.
1. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username'
Expand
2. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn'
Expand
3. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target'
Expand
4. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain'
```
Also fix compilation warning
```
../src/sss_client/pam_sss_gss.c:339:5: warning: reply may be used uninitialized in this function [-Wmaybe-uninitialized]
339 | free(reply);
| ^~~~~~~~~~~
../src/sss_client/pam_sss_gss.c:328:14: note: reply was declared here
328 | uint8_t *reply;
| ^~~~~
../src/sss_client/pam_sss_gss.c:270:11: warning: reply_len may be used uninitialized in this function [-Wmaybe-uninitialized]
270 | upn = malloc(reply_len * sizeof(char));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/sss_client/pam_sss_gss.c:327:12: note: reply_len was declared here
327 | size_t reply_len;
| ^~~~~~~~~
```
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/sss_client/pam_sss_gss.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
index cd38db7da..51be36ece 100644
--- a/src/sss_client/pam_sss_gss.c
+++ b/src/sss_client/pam_sss_gss.c
@@ -195,6 +195,8 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
struct sss_cli_req_data req_data;
size_t service_len;
size_t user_len;
+ size_t reply_len;
+ uint8_t *reply = NULL;
uint8_t *data;
errno_t ret;
int ret_errno;
@@ -217,7 +219,7 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
req_data.data = data;
- ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len,
+ ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, &reply, &reply_len,
&ret_errno);
free(data);
if (ret != PAM_SUCCESS) {
@@ -233,6 +235,16 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
return (ret_errno != EOK) ? ret_errno : EIO;
}
+ if (ret_errno == EOK) {
+ *_reply = reply;
+ *_reply_len = reply_len;
+ } else {
+ /* We got PAM_SUCCESS therefore the communication with SSSD was
+ * successful and we have received a reply buffer. We just don't care
+ * about it, we are only interested in the error code. */
+ free(reply);
+ }
+
return ret_errno;
}
@@ -257,7 +269,8 @@ static errno_t sssd_gssapi_init_recv(uint8_t *reply,
target = malloc(reply_len * sizeof(char));
upn = malloc(reply_len * sizeof(char));
if (username == NULL || domain == NULL || target == NULL || upn == NULL) {
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
}
buf = (const char*)reply;
@@ -311,8 +324,8 @@ static errno_t sssd_gssapi_init(pam_handle_t *pamh,
char **_target,
char **_upn)
{
- size_t reply_len;
- uint8_t *reply;
+ size_t reply_len = 0;
+ uint8_t *reply = NULL;
errno_t ret;
ret = sssd_gssapi_init_send(pamh, pam_service, pam_user, &reply,
@@ -549,6 +562,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,
done:
sss_pam_close_fd();
+ free(username);
free(domain);
free(target);
free(upn);
--
2.21.3

View File

@ -1,40 +0,0 @@
From cd48ef5071741443e3b84e100a4d4d28e3578e4f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 25 Jan 2021 15:14:05 +0200
Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When IPA allows to add AD users and groups directly to sudo rules
(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
Thus, we don't need to add additional '%'.
Resolves: https://github.com/SSSD/sssd/issues/5475
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ipa/ipa_sudo_conversion.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index cfb41d8b0..1bfee096d 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
const char *value,
bool *skip_entry)
{
+ if (value == NULL)
+ return NULL;
+
+ if (value[0] == '%')
+ return talloc_strdup(mem_ctx, value);
+
return talloc_asprintf(mem_ctx, "%%%s", value);
}
--
2.21.3

View File

@ -1,199 +0,0 @@
From e07eeea7df55ede36ac0978ac904c1bb11188265 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 20 Jan 2021 17:48:44 +0100
Subject: [PATCH 41/42] responders: add callback to schedule_get_domains_task()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To allow responders to run dedicated code at the end of the initial
getDomains request a callback is added.
Resolves: https://github.com/SSSD/sssd/issues/5469
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/responder/autofs/autofssrv.c | 2 +-
src/responder/common/responder.h | 5 ++++-
src/responder/common/responder_get_domains.c | 12 +++++++++++-
src/responder/ifp/ifpsrv.c | 2 +-
src/responder/nss/nsssrv.c | 3 ++-
src/responder/pac/pacsrv.c | 2 +-
src/responder/pam/pamsrv.c | 3 ++-
src/responder/ssh/sshsrv.c | 2 +-
src/responder/sudo/sudosrv.c | 2 +-
src/tests/cmocka/test_responder_common.c | 2 +-
10 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
index 27de1b44a..130eaf775 100644
--- a/src/responder/autofs/autofssrv.c
+++ b/src/responder/autofs/autofssrv.c
@@ -142,7 +142,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index f83ba1bc0..ff0559c08 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -366,10 +366,13 @@ errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
char **_domain);
+typedef void (get_domains_callback_fn_t)(void *);
errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct resp_ctx *rctx,
- struct sss_nc_ctx *optional_ncache);
+ struct sss_nc_ctx *optional_ncache,
+ get_domains_callback_fn_t *callback,
+ void *callback_pvt);
errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string,
bool allow_sss_loop,
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
index e551b0fff..12b6e9028 100644
--- a/src/responder/common/responder_get_domains.c
+++ b/src/responder/common/responder_get_domains.c
@@ -430,6 +430,8 @@ static errno_t check_last_request(struct resp_ctx *rctx, const char *hint)
struct get_domains_state {
struct resp_ctx *rctx;
struct sss_nc_ctx *optional_ncache;
+ get_domains_callback_fn_t *callback;
+ void *callback_pvt;
};
static void get_domains_at_startup_done(struct tevent_req *req)
@@ -462,6 +464,10 @@ static void get_domains_at_startup_done(struct tevent_req *req)
}
}
+ if (state->callback != NULL) {
+ state->callback(state->callback_pvt);
+ }
+
talloc_free(state);
return;
}
@@ -489,7 +495,9 @@ static void get_domains_at_startup(struct tevent_context *ev,
errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct resp_ctx *rctx,
- struct sss_nc_ctx *optional_ncache)
+ struct sss_nc_ctx *optional_ncache,
+ get_domains_callback_fn_t *callback,
+ void *callback_pvt)
{
struct tevent_immediate *imm;
struct get_domains_state *state;
@@ -500,6 +508,8 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
}
state->rctx = rctx;
state->optional_ncache = optional_ncache;
+ state->callback = callback;
+ state->callback_pvt = callback_pvt;
imm = tevent_create_immediate(mem_ctx);
if (imm == NULL) {
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
index 7407ee07b..ee1452728 100644
--- a/src/responder/ifp/ifpsrv.c
+++ b/src/responder/ifp/ifpsrv.c
@@ -266,7 +266,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
return EIO;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"schedule_get_domains_tasks failed.\n");
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index e80104e3d..2b7958e80 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -557,7 +557,8 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
}
responder_set_fd_limit(fd_limit);
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache,
+ NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
index 217f83c26..96935150b 100644
--- a/src/responder/pac/pacsrv.c
+++ b/src/responder/pac/pacsrv.c
@@ -129,7 +129,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index de1620e82..8b1ce2e92 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -246,7 +246,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
}
responder_set_fd_limit(fd_limit);
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
+ NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto done;
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 6072a702c..e79a0438c 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -126,7 +126,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index 5951b17b1..dc4a44b2f 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -102,7 +102,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto fail;
diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
index 5fc0d712d..29356253b 100644
--- a/src/tests/cmocka/test_responder_common.c
+++ b/src/tests/cmocka/test_responder_common.c
@@ -265,7 +265,7 @@ void test_schedule_get_domains_task(void **state)
ret = schedule_get_domains_task(dummy_ncache_ptr,
parse_inp_ctx->rctx->ev,
parse_inp_ctx->rctx,
- dummy_ncache_ptr);
+ dummy_ncache_ptr, NULL, NULL);
assert_int_equal(ret, EOK);
ret = test_ev_loop(parse_inp_ctx->tctx);
--
2.21.3

View File

@ -1,64 +0,0 @@
From cb936e92041d63f79a74c30bae8140c74a18dbc0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 20 Jan 2021 18:25:04 +0100
Subject: [PATCH 42/42] pam: refresh certificate maps at the end of initial
domains lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During startup SSSD's responders send a getDomains request to all
backends to refresh some domain related needed by the responders.
The PAM responder specifically needs the certificate mapping and
matching rules when Smartcard authentication is enable. Currently the
rules are not refreshed at the end of the initial request but the code
assumed that the related structures are initialized after the request
finished.
To avoid a race condition this patch adds a callback to the end of the
request to make sure the rules are properly refreshed even if they are
already initialized before.
Resolves: https://github.com/SSSD/sssd/issues/5469
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/responder/pam/pamsrv.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 8b1ce2e92..65370662d 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -154,6 +154,18 @@ static errno_t get_app_services(struct pam_ctx *pctx)
return EOK;
}
+static void pam_get_domains_callback(void *pvt)
+{
+ struct pam_ctx *pctx;
+ int ret;
+
+ pctx = talloc_get_type(pvt, struct pam_ctx);
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
+ }
+}
+
static int pam_process_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct confdb_ctx *cdb,
@@ -247,7 +259,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
responder_set_fd_limit(fd_limit);
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
- NULL, NULL);
+ pam_get_domains_callback, pctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
goto done;
--
2.21.3

View File

@ -1,134 +0,0 @@
From 0c6924b8d474daf35ee30d74e5496957e503b206 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 20 Jan 2021 15:40:34 +0100
Subject: [PATCH] SBUS: set sbus_name before dp_init_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some async task might access sbus_name before dp_initialized() was executed
Resolves: https://github.com/SSSD/sssd/issues/5466
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/data_provider/dp.c | 21 ++++-----------------
src/providers/data_provider/dp.h | 6 +++---
src/providers/data_provider_be.c | 12 ++++++++++--
3 files changed, 17 insertions(+), 22 deletions(-)
diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
index 90324d74d..64fe847b2 100644
--- a/src/providers/data_provider/dp.c
+++ b/src/providers/data_provider/dp.c
@@ -134,7 +134,6 @@ static int dp_destructor(struct data_provider *provider)
struct dp_init_state {
struct be_ctx *be_ctx;
struct data_provider *provider;
- char *sbus_name;
};
static void dp_init_done(struct tevent_req *subreq);
@@ -144,7 +143,8 @@ dp_init_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
uid_t uid,
- gid_t gid)
+ gid_t gid,
+ const char *sbus_name)
{
struct dp_init_state *state;
struct tevent_req *subreq;
@@ -177,13 +177,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
state->provider->gid = gid;
state->provider->be_ctx = be_ctx;
- state->sbus_name = sss_iface_domain_bus(state, be_ctx->domain);
- if (state->sbus_name == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
- ret = ENOMEM;
- goto done;
- }
-
/* Initialize data provider bus. Data provider can receive client
* registration and other D-Bus methods. However no data provider
* request will be executed as long as the modules and targets
@@ -192,7 +185,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
talloc_set_destructor(state->provider, dp_destructor);
subreq = sbus_server_create_and_connect_send(state->provider, ev,
- state->sbus_name, NULL, sbus_address, true, 1000, uid, gid,
+ sbus_name, NULL, sbus_address, true, 1000, uid, gid,
(sbus_server_on_connection_cb)dp_client_init,
(sbus_server_on_connection_data)state->provider);
if (subreq == NULL) {
@@ -270,16 +263,10 @@ done:
}
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req,
- const char **_sbus_name)
+ struct tevent_req *req)
{
- struct dp_init_state *state;
- state = tevent_req_data(req, struct dp_init_state);
-
TEVENT_REQ_RETURN_ON_ERROR(req);
- *_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
-
return EOK;
}
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
index a8b6e9f3a..95c6588ad 100644
--- a/src/providers/data_provider/dp.h
+++ b/src/providers/data_provider/dp.h
@@ -122,11 +122,11 @@ dp_init_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct be_ctx *be_ctx,
uid_t uid,
- gid_t gid);
+ gid_t gid,
+ const char *sbus_name);
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req,
- const char **_sbus_name);
+ struct tevent_req *req);
bool _dp_target_enabled(struct data_provider *provider,
const char *module_name,
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index f059a3f96..8458146ea 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -565,7 +565,15 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
goto done;
}
- req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
+ be_ctx->sbus_name = sss_iface_domain_bus(be_ctx, be_ctx->domain);
+ if (be_ctx->sbus_name == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid,
+ be_ctx->sbus_name);
if (req == NULL) {
ret = ENOMEM;
goto done;
@@ -612,7 +620,7 @@ static void dp_initialized(struct tevent_req *req)
be_ctx = tevent_req_callback_data(req, struct be_ctx);
- ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
+ ret = dp_init_recv(be_ctx, req);
talloc_zfree(req);
if (ret != EOK) {
goto done;
--
2.21.3

View File

@ -1,655 +0,0 @@
From c2e8879189ecbbdfdd4b42395319a4cd91cb569f Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 12 Feb 2021 20:02:52 +0100
Subject: [PATCH] pam_sss_gss: support authentication indicators (upstream
patch 5ce7ced269c7b3dd8f75122a50f539083b5697ae by Alexander Bokovoy)
MIT Kerberos allows to associate authentication indicators with the
issued ticket based on the way how the TGT was obtained. The indicators
present in the TGT then copied to service tickets. There are two ways to
check the authentication indicators:
- when KDC issues a service ticket, a policy at KDC side can reject the
ticket issuance based on a lack of certain indicator
- when a server application presented with a service ticket from a
client, it can verify that this ticket contains intended
authentication indicators before authorizing access from the client.
Add support to validate presence of a specific (set of) authentication
indicator(s) in pam_sss_gss when validating a user's TGT.
This concept can be used to only allow access to a PAM service when user
is in possession of a ticket obtained using some of pre-authentication
mechanisms that require multiple factors: smart-cards (PKINIT), 2FA
tokens (otp/radius), etc.
Patch by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed by: Sumit Bose <sbose@redhat.com>
Adapted to 8.4 branch by: Alexey Tikhonov <atikhono@redhat.com>
---
src/confdb/confdb.c | 13 ++
src/confdb/confdb.h | 3 +
src/config/SSSDConfig/sssdoptions.py | 2 +
src/config/SSSDConfigTest.py | 6 +-
src/config/cfg_rules.ini | 3 +
src/config/etc/sssd.api.conf | 2 +
src/db/sysdb_subdomains.c | 12 ++
src/man/pam_sss_gss.8.xml | 13 ++
src/man/sssd.conf.5.xml | 64 +++++++
src/responder/pam/pamsrv.c | 21 +++
src/responder/pam/pamsrv.h | 2 +
src/responder/pam/pamsrv_gssapi.c | 250 +++++++++++++++++++++++++++
12 files changed, 389 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index befcfff..cca7615 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
}
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP,
+ NULL);
+ if (tmp != NULL && tmp[0] != '\0') {
+ ret = split_on_separator(domain, tmp, ',', true, true,
+ &domain->gssapi_indicators_map, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP);
+ goto done;
+ }
+ }
+
domain->has_views = false;
domain->view_name = NULL;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 036f9ec..a2be227 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -146,6 +146,7 @@
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
+#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
@@ -437,6 +438,8 @@ struct sss_domain_info {
/* List of PAM services that are allowed to authenticate with GSSAPI. */
char **gssapi_services;
char *gssapi_check_upn; /* true | false | NULL */
+ /* List of indicators associated with the specific PAM service */
+ char **gssapi_indicators_map;
};
/**
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index 5da52a9..0d849bc 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -106,6 +106,8 @@ class SSSDOptions(object):
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
+ 'pam_gssapi_indicators_map' : _('List of pairs <PAM service>:<authentication indicator> that '
+ 'must be enforced for PAM access with GSSAPI authentication'),
# [sudo]
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ea4e4f6..d0422df 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -655,7 +655,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'cached_auth_timeout',
'auto_private_groups',
'pam_gssapi_services',
- 'pam_gssapi_check_upn']
+ 'pam_gssapi_check_upn',
+ 'pam_gssapi_indicators_map']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -1034,7 +1035,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'cached_auth_timeout',
'auto_private_groups',
'pam_gssapi_services',
- 'pam_gssapi_check_upn']
+ 'pam_gssapi_check_upn',
+ 'pam_gssapi_indicators_map']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 6642c63..872ceba 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -141,6 +141,7 @@ option = p11_uri
option = pam_initgroups_scheme
option = pam_gssapi_services
option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
[rule/allowed_sudo_options]
validator = ini_allowed_options
@@ -441,6 +442,7 @@ option = re_expression
option = auto_private_groups
option = pam_gssapi_services
option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
#Entry cache timeouts
option = entry_cache_user_timeout
@@ -837,6 +839,7 @@ option = use_fully_qualified_names
option = auto_private_groups
option = pam_gssapi_services
option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
[rule/sssd_checks]
validator = sssd_checks
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index d3cad73..49ced63 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -82,6 +82,7 @@ p11_uri = str, None, false
pam_initgroups_scheme = str, None, false
pam_gssapi_services = str, None, false
pam_gssapi_check_upn = bool, None, false
+pam_gssapi_indicators_map = str, None, false
[sudo]
# sudo service
@@ -203,6 +204,7 @@ re_expression = str, None, false
auto_private_groups = str, None, false
pam_gssapi_services = str, None, false
pam_gssapi_check_upn = bool, None, false
+pam_gssapi_indicators_map = str, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 03ba121..2243872 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -185,6 +185,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->override_gid = parent->override_gid;
dom->gssapi_services = parent->gssapi_services;
+ dom->gssapi_indicators_map = parent->gssapi_indicators_map;
if (parent->sysdb == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
@@ -266,6 +267,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
goto done;
}
+ /* allow to set pam_gssapi_indicators_map */
+ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP,
+ &subdomain->gssapi_indicators_map);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get %s option for the subdomain: %s\n",
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, subdomain->name);
+ goto done;
+ }
+
ret = EOK;
done:
talloc_free(tmp_ctx);
diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml
index ce5b11b..a83369d 100644
--- a/src/man/pam_sss_gss.8.xml
+++ b/src/man/pam_sss_gss.8.xml
@@ -70,6 +70,19 @@
<manvolnum>5</manvolnum>
</citerefentry> for more details on these options.
</para>
+ <para>
+ Some Kerberos deployments allow to assocate authentication
+ indicators with a particular pre-authentication method used to
+ obtain the ticket granting ticket by the user.
+ <command>pam_sss_gss.so</command> allows to enforce presence of
+ authentication indicators in the service tickets before a particular
+ PAM service can be accessed.
+ </para>
+ <para>
+ If <option>pam_gssapi_indicators_map</option> is set in the [pam] or
+ domain section of sssd.conf, then SSSD will perform a check of the
+ presence of any configured indicators in the service ticket.
+ </para>
</refsect1>
<refsect1 id='options'>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 8b330de..3a9955b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1770,6 +1770,70 @@ pam_gssapi_services = sudo, sudo-i
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_gssapi_indicators_map</term>
+ <listitem>
+ <para>
+ Comma separated list of authentication indicators required
+ to be present in a Kerberos ticket to access a PAM service
+ that is allowed to try GSSAPI authentication using
+ pam_sss_gss.so module.
+ </para>
+ <para>
+ Each element of the list can be either an authentication indicator
+ name or a pair <quote>service:indicator</quote>. Indicators not
+ prefixed with the PAM service name will be required to access any
+ PAM service configured to be used with
+ <option>pam_gssapi_services</option>. A resulting list of indicators
+ per PAM service is then checked against indicators in the Kerberos
+ ticket during authentication by pam_sss_gss.so. Any indicator from the
+ ticket that matches the resulting list of indicators for the PAM service
+ would grant access. If none of the indicators in the list match, access
+ will be denied. If the resulting list of indicators for the PAM service
+ is empty, the check will not prevent the access.
+ </para>
+ <para>
+ To disable GSSAPI authentication indicator check, set this option
+ to <quote>-</quote> (dash). To disable the check for a specific PAM
+ service, add <quote>service:-</quote>.
+ </para>
+ <para>
+ Note: This option can also be set per-domain which
+ overwrites the value in [pam] section. It can also
+ be set for trusted domain which overwrites the value
+ in the domain section.
+ </para>
+ <para>
+ Following authentication indicators are supported by IPA Kerberos deployments:
+ <itemizedlist>
+ <listitem>
+ <para>pkinit -- pre-authentication using X.509 certificates -- whether stored in files or on smart cards.</para>
+ </listitem>
+ <listitem>
+ <para>hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a FAST channel.</para>
+ </listitem>
+ <listitem>
+ <para>radius -- pre-authentication with the help of a RADIUS server.</para>
+ </listitem>
+ <listitem>
+ <para>otp -- pre-authentication using integrated two-factor authentication (2FA or one-time password, OTP) in IPA.</para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Example: to require access to SUDO services only
+ for users which obtained their Kerberos tickets
+ with a X.509 certificate pre-authentication
+ (PKINIT), set
+ <programlisting>
+pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
+ </programlisting>
+ </para>
+ <para>
+ Default: not set (use of authentication indicators is not required)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 3904c09..9b4d6c1 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -370,6 +370,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
goto done;
}
+ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, "-", &tmpstr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to determine gssapi services.\n");
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP);
+
+ if (tmpstr != NULL) {
+ ret = split_on_separator(pctx, tmpstr, ',', true, true,
+ &pctx->gssapi_indicators_map, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "split_on_separator() failed [%d]: [%s].\n", ret,
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
/* The responder is initialized. Now tell it to the monitor. */
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
SSS_PAM_SBUS_SERVICE_NAME,
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3553296..383c7be 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -65,6 +65,8 @@ struct pam_ctx {
/* List of PAM services that are allowed to authenticate with GSSAPI. */
char **gssapi_services;
+ /* List of authentication indicators associated with a PAM service */
+ char **gssapi_indicators_map;
bool gssapi_check_upn;
};
diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
index 2d05c78..e4da4c4 100644
--- a/src/responder/pam/pamsrv_gssapi.c
+++ b/src/responder/pam/pamsrv_gssapi.c
@@ -24,6 +24,7 @@
#include <gssapi/gssapi_krb5.h>
#include <stdint.h>
#include <stdlib.h>
+#include <string.h>
#include <talloc.h>
#include <ldb.h>
@@ -83,6 +84,117 @@ static bool pam_gssapi_should_check_upn(struct pam_ctx *pam_ctx,
return pam_ctx->gssapi_check_upn;
}
+static int pam_gssapi_check_indicators(TALLOC_CTX *mem_ctx,
+ const char *pam_service,
+ char **gssapi_indicators_map,
+ char **indicators)
+{
+ char *authind = NULL;
+ size_t pam_len = strlen(pam_service);
+ char **map = gssapi_indicators_map;
+ char **result = NULL;
+ int res;
+
+ authind = talloc_strdup(mem_ctx, "");
+ if (authind == NULL) {
+ return ENOMEM;
+ }
+
+ for (int i = 0; map[i]; i++) {
+ if (map[i][0] == '-') {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Indicators aren't used for [%s]\n",
+ pam_service);
+ talloc_free(authind);
+ return EOK;
+ }
+ if (!strchr(map[i], ':')) {
+ authind = talloc_asprintf_append(authind, "%s ", map[i]);
+ if (authind == NULL) {
+ /* Since we allocate on pam_ctx, caller will free it */
+ return ENOMEM;
+ }
+ continue;
+ }
+
+ res = strncmp(map[i], pam_service, pam_len);
+ if (res == 0) {
+ if (strlen(map[i]) > pam_len) {
+ if (map[i][pam_len] != ':') {
+ /* different PAM service, skip it */
+ continue;
+ }
+
+ if (map[i][pam_len + 1] == '-') {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Indicators aren't used for [%s]\n",
+ pam_service);
+ talloc_free(authind);
+ return EOK;
+ }
+
+ authind = talloc_asprintf_append(authind, "%s ",
+ map[i] + (pam_len + 1));
+ if (authind == NULL) {
+ /* Since we allocate on pam_ctx, caller will free it */
+ return ENOMEM;
+ }
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Invalid value for %s: [%s]\n",
+ CONFDB_PAM_GSSAPI_INDICATORS_MAP, map[i]);
+ talloc_free(authind);
+ return EINVAL;
+ }
+ }
+ }
+
+ res = ENOENT;
+ map = NULL;
+
+ if (authind[0] == '\0') {
+ /* empty list of per-service indicators -> skip */
+ goto done;
+ }
+
+ /* trim a space after the final indicator
+ * to prevent split_on_separator() to fail */
+ authind[strlen(authind) - 1] = '\0';
+
+ res = split_on_separator(mem_ctx, authind, ' ', true, true,
+ &map, NULL);
+ if (res != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse list of indicators: [%s]\n", authind);
+ res = EINVAL;
+ goto done;
+ }
+
+ res = diff_string_lists(mem_ctx, indicators, map, NULL, NULL, &result);
+ if (res != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Cannot diff lists of indicators\n");
+ res = EINVAL;
+ goto done;
+ }
+
+ if (result && result[0] != NULL) {
+ for (int i = 0; result[i]; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "indicator [%s] is allowed for PAM service [%s]\n",
+ result[i], pam_service);
+ }
+ res = EOK;
+ goto done;
+ }
+
+ res = EPERM;
+
+done:
+ talloc_free(result);
+ talloc_free(authind);
+ talloc_free(map);
+ return res;
+}
+
static bool pam_gssapi_allowed(struct pam_ctx *pam_ctx,
struct sss_domain_info *domain,
const char *service)
@@ -385,12 +497,126 @@ static char *gssapi_get_name(TALLOC_CTX *mem_ctx, gss_name_t gss_name)
return exported;
}
+#define AUTH_INDICATORS_TAG "auth-indicators"
+
+static char **gssapi_get_indicators(TALLOC_CTX *mem_ctx, gss_name_t gss_name)
+{
+ gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
+ int is_mechname;
+ OM_uint32 major;
+ OM_uint32 minor;
+ gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc display_value = GSS_C_EMPTY_BUFFER;
+ char *exported = NULL;
+ char **map = NULL;
+ int res;
+
+ major = gss_inquire_name(&minor, gss_name, &is_mechname, NULL, &attrs);
+ if (major != GSS_S_COMPLETE) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to inquire name\n");
+ return NULL;
+ }
+
+ if (attrs == GSS_C_NO_BUFFER_SET) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No krb5 attributes in the ticket\n");
+ return NULL;
+ }
+
+ exported = talloc_strdup(mem_ctx, "");
+ if (exported == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to pre-allocate indicators\n");
+ goto done;
+ }
+
+ for (int i = 0; i < attrs->count; i++) {
+ int authenticated = 0;
+ int complete = 0;
+ int more = -1;
+
+ /* skip anything but auth-indicators */
+ if (strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value,
+ sizeof(AUTH_INDICATORS_TAG) - 1) != 0)
+ continue;
+
+ /* retrieve all indicators */
+ while (more != 0) {
+ value.value = NULL;
+ display_value.value = NULL;
+
+ major = gss_get_name_attribute(&minor, gss_name,
+ &attrs->elements[i],
+ &authenticated,
+ &complete, &value,
+ &display_value,
+ &more);
+ if (major != GSS_S_COMPLETE) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to retrieve an attribute\n");
+ goto done;
+ }
+
+ if ((value.value != NULL) && authenticated) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "attribute's [%.*s] value [%.*s] authenticated\n",
+ (int) attrs->elements[i].length,
+ (char*) attrs->elements[i].value,
+ (int) value.length,
+ (char*) value.value);
+ exported = talloc_asprintf_append(exported, "%.*s ",
+ (int) value.length,
+ (char*) value.value);
+ }
+
+ if (exported == NULL) {
+ /* Since we allocate on mem_ctx, caller will free
+ * the previous version of 'exported' */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to collect an attribute value\n");
+ goto done;
+ }
+ (void) gss_release_buffer(&minor, &value);
+ (void) gss_release_buffer(&minor, &display_value);
+ }
+ }
+
+ if (exported[0] != '\0') {
+ /* trim a space after the final indicator
+ * to prevent split_on_separator() to fail */
+ exported[strlen(exported) - 1] = '\0';
+ } else {
+ /* empty list */
+ goto done;
+ }
+
+ res = split_on_separator(mem_ctx, exported, ' ', true, true,
+ &map, NULL);
+ if (res != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse list of indicators: [%s]\n", exported);
+ goto done;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "authentication indicators: [%s]\n",
+ exported);
+ }
+
+done:
+ (void) gss_release_buffer(&minor, &value);
+ (void) gss_release_buffer(&minor, &display_value);
+ (void) gss_release_buffer_set(&minor, &attrs);
+
+ talloc_free(exported);
+ return map;
+}
+
+
struct gssapi_state {
struct cli_ctx *cli_ctx;
struct sss_domain_info *domain;
const char *username;
char *authenticated_upn;
+ char **auth_indicators;
bool established;
gss_ctx_id_t ctx;
};
@@ -568,6 +794,8 @@ gssapi_handshake(struct gssapi_state *state,
DEBUG(SSSDBG_TRACE_FUNC, "Security context established with [%s]\n",
state->authenticated_upn);
+ state->auth_indicators = gssapi_get_indicators(state, client_name);
+
state->established = true;
ret = EOK;
@@ -632,6 +860,7 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
const char *domain_name;
const char *username;
char *target;
+ char **indicators_map = NULL;
size_t gss_data_len;
uint8_t *gss_data;
errno_t ret;
@@ -699,6 +928,27 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
goto done;
}
+ /* Use map for auth-indicators from the domain, if defined and
+ * fallback to the [pam] section otherwise */
+ indicators_map = domain->gssapi_indicators_map ?
+ domain->gssapi_indicators_map :
+ (pam_ctx->gssapi_indicators_map ?
+ pam_ctx->gssapi_indicators_map : NULL);
+ if (indicators_map != NULL) {
+ ret = pam_gssapi_check_indicators(state,
+ pam_service,
+ indicators_map,
+ state->auth_indicators);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Check if acquired service ticket has req. indicators: %d\n",
+ ret);
+ if ((ret == EPERM) || (ret == ENOMEM) || (ret == EINVAL)) {
+ /* skip further checks if denied or no memory,
+ * ENOENT means the check is not applicable */
+ goto done;
+ }
+ }
+
if (!pam_gssapi_should_check_upn(pam_ctx, domain)) {
/* We are done. */
goto done;
--
2.21.3

View File

@ -1,121 +0,0 @@
From b100efbfabd96dcfb2825777b75b9a9dfaacb937 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 29 Jan 2021 12:41:28 +0100
Subject: [PATCH] sudo: do not search by low usn value to improve performance
This is a follow up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Setup LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ldap/sdap.c | 4 ++--
src/providers/ldap/sdap_sudo_refresh.c | 6 ++++--
src/providers/ldap/sdap_sudo_shared.c | 21 ++++++---------------
3 files changed, 12 insertions(+), 19 deletions(-)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 32c0144b9..c853e4dc1 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (last_usn_name) {
+ if (false) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (!last_usn_name) {
+ if (true) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
index ddcb23781..83f944ccf 100644
--- a/src/providers/ldap/sdap_sudo_refresh.c
+++ b/src/providers/ldap/sdap_sudo_refresh.c
@@ -181,8 +181,10 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
state->sysdb = id_ctx->be->domain->sysdb;
/* Download all rules from LDAP that are newer than usn */
- if (srv_opts == NULL || srv_opts->max_sudo_value == 0) {
- DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n");
+ if (srv_opts == NULL || srv_opts->max_sudo_value == NULL
+ || strcmp(srv_opts->max_sudo_value, "0") == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero and "
+ "omitting it from the filter.\n");
usn = "0";
search_filter = talloc_asprintf(state, "(%s=%s)",
map[SDAP_AT_SUDO_OC].name,
diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
index 4f09957ea..75d1bc3d8 100644
--- a/src/providers/ldap/sdap_sudo_shared.c
+++ b/src/providers/ldap/sdap_sudo_shared.c
@@ -129,25 +129,17 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
static char *
sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
unsigned long usn,
- const char *leftover,
- bool supports_usn)
+ const char *leftover)
{
const char *str = leftover == NULL ? "" : leftover;
char *newusn;
- /* This is a fresh start and server uses modifyTimestamp. We need to
- * provide proper datetime value. */
- if (!supports_usn && usn == 0) {
- newusn = talloc_strdup(mem_ctx, "00000101000000Z");
- if (newusn == NULL) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
- return NULL;
- }
-
- return newusn;
+ /* Current largest USN is unknown so we keep "0" to indicate it. */
+ if (usn == 0) {
+ return talloc_strdup(mem_ctx, "0");
}
- /* We increment USN number so that we can later use simplify filter
+ /* We increment USN number so that we can later use simplified filter
* (just usn >= last+1 instead of usn >= last && usn != last).
*/
usn++;
@@ -219,8 +211,7 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
srv_opts->last_usn = usn_number;
}
- newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone,
- srv_opts->supports_usn);
+ newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone);
if (newusn == NULL) {
return;
}
--
2.21.3

View File

@ -1,34 +0,0 @@
From fff02bbf7967d291ccb019fae741e6591ed8fd41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 12 Feb 2021 15:30:59 +0100
Subject: [PATCH] ldap: fix modifytimestamp debugging leftovers
---
src/providers/ldap/sdap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index c853e4dc1..32c0144b9 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (false) {
+ if (last_usn_name) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (true) {
+ if (!last_usn_name) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
--
2.21.3

View File

@ -1,49 +0,0 @@
From 2d26c95d78cf43798b54ac8c478b8a9ee41cab39 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 3 Feb 2021 18:28:29 +0100
Subject: [PATCH] ssh: restore default debug level
The recent change of the default debug level for the main SSSD
components affected the ssh helpers sss_ssh_authorizedkeys and
sss_ssh_knownhostsproxy as well.
To avoid any confusion about unexpected debug messages this patch
restores to original value for the two helpers.
Resolves: https://github.com/SSSD/sssd/issues/5488
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +-
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
index 8e80f9663..877c00299 100644
--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
@@ -32,7 +32,7 @@
int main(int argc, const char **argv)
{
TALLOC_CTX *mem_ctx = NULL;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_FATAL_FAILURE;
const char *pc_domain = NULL;
const char *pc_user = NULL;
struct poptOption long_options[] = {
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index ad6af81d8..1102fd4ab 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -174,7 +174,7 @@ connect_proxy_command(char **args)
int main(int argc, const char **argv)
{
TALLOC_CTX *mem_ctx = NULL;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_FATAL_FAILURE;
int pc_port = 22;
const char *pc_domain = NULL;
const char *pc_host = NULL;
--
2.21.3

View File

@ -1,26 +0,0 @@
From 8d38a4b28ab7af15406b244910f369ba1aff02db Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 30 Oct 2014 15:59:17 +0100
Subject: [PATCH 93/93] NOUPSTREAM: Default to root if sssd user is not
specified
---
src/monitor/monitor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 0dea327213a1ad04b6f69c0ffb0fb87254420796..20b4aef4ee94fd42de1585d7d7c2e01ea01845ac 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -925,7 +925,7 @@ static int get_service_user(struct mt_ctx *ctx)
ret = confdb_get_string(ctx->cdb, ctx, CONFDB_MONITOR_CONF_ENTRY,
CONFDB_MONITOR_USER_RUNAS,
- SSSD_USER, &user_str);
+ "root", &user_str);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get the user to run as\n");
return ret;
--
1.9.3

View File

@ -1,5 +1,5 @@
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$|%{_libdir}/%{name}/modules/libwbclient.so.*$
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
# SSSD fails to build with -Wl,-z,defs
%undefine _strict_symbol_defs_build
@ -17,76 +17,21 @@
%global enable_systemtap 1
%global enable_systemtap_opt --enable-systemtap
%global libwbc_alternatives_version 0.14
%global libwbc_lib_version %{libwbc_alternatives_version}.0
%global libwbc_alternatives_suffix %nil
%if 0%{?__isa_bits} == 64
%global libwbc_alternatives_suffix -64
%endif
Name: sssd
Version: 2.4.0
Release: 8%{?dist}
Version: 2.5.2
Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
URL: https://pagure.io/SSSD/sssd/
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch
Patch0002: 0002-KCM-perf-improvements.patch
Patch0003: 0003-DEBUG-journal_send-was-made-static.patch
Patch0004: 0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch
Patch0005: 0005-negcache-make-sure-domain-config-does-not-leak-into-.patch
Patch0006: 0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
Patch0007: 0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch
Patch0008: 0008-negcache-do-not-use-default_domain_suffix.patch
Patch0009: 0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch
Patch0010: 0010-nss-check-if-groups-are-filtered-during-initgroups.patch
Patch0011: 0011-ifp-fix-use-after-free.patch
Patch0012: 0012-ifp-fix-original-fix-use-after-free.patch
Patch0013: 0013-pam_sss-use-unique-id-for-gdm-choice-list.patch
Patch0014: 0014-authtok-add-label-to-Smartcard-token.patch
Patch0015: 0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch
Patch0016: 0016-add-tests-multiple-certs-same-id.patch
Patch0017: 0017-data_provider_be-Add-random-offset-default.patch
Patch0018: 0018-data_provider_be-MAN-page-update.patch
Patch0019: 0019-logs-review.patch
Patch0020: 0020-sss_format.h-include-config.h.patch
Patch0021: 0021-packet-add-sss_packet_set_body.patch
Patch0022: 0022-domain-store-hostname-and-keytab-path.patch
Patch0023: 0023-cache_req-add-helper-to-call-user-by-upn-search.patch
Patch0024: 0024-pam-fix-typo-in-debug-message.patch
Patch0025: 0025-pam-add-pam_gssapi_services-option.patch
Patch0026: 0026-pam-add-pam_gssapi_check_upn-option.patch
Patch0027: 0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch
Patch0028: 0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch
Patch0029: 0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch
Patch0030: 0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch
Patch0031: 0031-autofs-disable-fast-reply.patch
Patch0032: 0032-autofs-correlate-errors-for-different-protocol-versi.patch
Patch0033: 0033-configure-check-for-stdatomic.h.patch
Patch0034: 0034-cache_req-ignore-autofs-not-configured-error.patch
Patch0035: 0035-simple-fix-memory-leak-while-reloading-lists.patch
Patch0036: 0036-SBUS-do-not-try-to-del-non-existing-sender.patch
Patch0037: 0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch
Patch0038: 0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch
Patch0039: 0039-pam_sss_gssapi-fix-coverity-issues.patch
Patch0040: 0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
Patch0041: 0041-responders-add-callback-to-schedule_get_domains_task.patch
Patch0042: 0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch
Patch0043: 0043-SBUS-set-sbus_name-before-dp_init_send.patch
Patch0044: 0044-pam_sss_gss-support-authentication-indicators.patch
Patch0045: 0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch
Patch0046: 0046-ldap-fix-modifytimestamp-debugging-leftovers.patch
Patch0047: 0047-ssh-restore-default-debug-level.patch
Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
Patch0002: 0002-po-update-translations.patch
### Downstream Patches ###
#This patch should not be removed in RHEL-8
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
@ -190,6 +135,8 @@ License: GPLv3+
# Conflicts
Conflicts: selinux-policy < 3.10.0-46
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
# sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5
Obsoletes: sssd-libwbclient < 2.5.0
# Requires
# Explicitly require RHEL-8.0 versions of the Samba libraries
# in order to prevent untested combinations of a new SSSD and
@ -391,7 +338,6 @@ Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Recommends: adcli
Suggests: sssd-libwbclient = %{version}-%{release}
Suggests: sssd-winbind-idmap = %{version}-%{release}
%description ad
@ -534,27 +480,6 @@ Requires: libsss_simpleifp = %{version}-%{release}
%description -n libsss_simpleifp-devel
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
%package libwbclient
Summary: The SSSD libwbclient implementation
Group: Applications/System
License: GPLv3+ and LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
Conflicts: libwbclient < 4.2.0-0.2.rc2
Conflicts: sssd-common < %{version}-%{release}
%description libwbclient
The SSSD libwbclient implementation.
%package libwbclient-devel
Summary: Development libraries for the SSSD libwbclient implementation
Group: Development/Libraries
License: GPLv3+ and LGPLv3+
Requires: sssd-libwbclient = %{version}-%{release}
Conflicts: libwbclient-devel < 4.2.0-0.2.rc2
%description libwbclient-devel
Development libraries for the SSSD libwbclient implementation.
%package winbind-idmap
Summary: SSSD's idmap_sss Backend for Winbind
Group: Applications/System
@ -649,7 +574,6 @@ autoreconf -ivf
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
--disable-static \
--with-crypto=libcrypto \
--with-libwbclient \
--disable-rpath \
--with-initscript=systemd \
--with-syslog=journald \
@ -677,12 +601,6 @@ sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate
make install DESTDIR=$RPM_BUILD_ROOT
if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ]
then
echo "Expected libwbclient version not found, please check if version has changed."
exit -1
fi
# Prepare language files
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
@ -881,7 +799,7 @@ done
%dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd
%{_sysconfdir}/pam.d/sssd-shadowutils
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
%dir %{_libdir}/%{name}/conf
%{_libdir}/%{name}/conf/sssd.conf
@ -1085,18 +1003,6 @@ done
%defattr(-,root,root,-)
%{python3_sitearch}/pyhbac.so
%files libwbclient
%defattr(-,root,root,-)
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/libwbclient.so.*
%files libwbclient-devel
%defattr(-,root,root,-)
%{_includedir}/wbclient_sssd.h
%{_libdir}/%{name}/modules/libwbclient.so
%{_libdir}/pkgconfig/wbclient_sssd.pc
%files winbind-idmap -f sssd_winbind_idmap.lang
%dir %{_libdir}/samba/idmap
%{_libdir}/samba/idmap/sss.so
@ -1237,30 +1143,69 @@ fi
%posttrans common
%systemd_postun_with_restart sssd.service
%posttrans libwbclient
%{_sbindir}/update-alternatives \
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} 5
/sbin/ldconfig
%preun libwbclient
%{_sbindir}/update-alternatives \
--remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version}
/sbin/ldconfig
%posttrans libwbclient-devel
%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
libwbclient.so%{libwbc_alternatives_suffix} \
%{_libdir}/%{name}/modules/libwbclient.so 5
%preun libwbclient-devel
%{_sbindir}/update-alternatives --remove \
libwbclient.so%{libwbc_alternatives_suffix} \
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization
* Mon Jul 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-1
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
- Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU
- Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber`
- Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling
- Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address
- Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group
- Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade
* Mon Jun 21 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.1-2
- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken
- Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)
* Tue Jun 08 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.1-1
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
- Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory
- Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file
- Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout
- Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests
- Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust
- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
- Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found
- Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group
- Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable
- Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory.
- Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf
* Mon May 10 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.0-1
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
- Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
- Resolves: rhbz#1945888 - Inconsistant debug level for connection logging
- Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets
- Resolves: rhbz#1949149 - [RFE] Poor man's backtrace
- Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR
- Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail.
- Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs
- Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm
- Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries
- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
- Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries
- Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries
- Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains.
- Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable
- Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used
- Resolves: rhbz#1703436 - sssd not thread-safe in innetgr()
- Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen
- Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page
- Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page
- Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp
- Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3)
- Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7
- Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login
- Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive
* Fri Feb 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-8
- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss
- Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0.