Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9

Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true
2023-06-23 18:36:22 +02:00 · 2023-06-23 18:36:22 +02:00 · b85a9ede6e
commit b85a9ede6e
parent 2745af01b7
6 changed files with 17 additions and 353 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,3 +5,4 @@
 /sssd-2.8.1.tar.gz
 /sssd-2.8.2.tar.gz
 /sssd-2.9.0.tar.gz
 /sssd-2.9.1.tar.gz
--- a/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
+++ b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
@ -1,248 +0,0 @@
 From eb43c2400a34a4ab77be4f75ba7536baecda3bef Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
 Date: Wed, 10 May 2023 17:29:07 +0200
 Subject: [PATCH] FILE WATCH: Callback not executed on link or relative path
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 When the watched file was a symbolic link or was a relative path,
 the calback was not executed because the filename comparison
 was wrongly considering the files to be different.
 The solution is to normalize the filenames before comparing them.
 This cannot be easily done at setup because the file could not
 exist at that moment.
 The test was adapted to check this situation.
 Resolves: https://github.com/SSSD/sssd/issues/6718
 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
 (cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3)
 ---
 src/tests/file_watch-tests.c | 83 ++++++++++++++++++++++++++----------
 src/util/file_watch.c        | 26 +++++++++--
 2 files changed, 83 insertions(+), 26 deletions(-)
 diff --git a/src/tests/file_watch-tests.c b/src/tests/file_watch-tests.c
 index 3ca5b44f9..3e1aea6ce 100644
 --- a/src/tests/file_watch-tests.c
 +++ b/src/tests/file_watch-tests.c
@@ -36,11 +36,19 @@
 #include "util/file_watch.h"
 #include "tests/common.h"
 -#define FW_DIR                            TEST_DIR "/file-watch"
 -#define WATCHED_FILE_INOTIFY              FW_DIR "/watched_file_inotify"
 -#define WATCHED_FILE_POLL                 FW_DIR "/watched_file_poll"
 -#define WATCHED_EXISTING_FILE_INOTIFY     FW_DIR "/watched_file_inotify.exists"
 -#define WATCHED_EXISTING_FILE_POLL        FW_DIR "/watched_file_poll.exists"
 +#define FW_NAME                           "/file-watch-test-dir"
 +#define FILE_INOTIFY_NAME                 "watched_file_inotify"
 +#define FILE_POLL_NAME                    "watched_file_poll"
 +#define FW_DIR                            TEST_DIR FW_NAME
 +#define EXISTING_FILE_INOTIFY_NAME        FILE_INOTIFY_NAME ".exists"
 +#define EXISTING_FILE_POLL_NAME           FILE_POLL_NAME ".exists"
 +#define WATCHED_FILE_INOTIFY              FW_DIR "/.." FW_NAME "/" FILE_INOTIFY_NAME
 +#define WATCHED_FILE_POLL                 FW_DIR "/.." FW_NAME "/" FILE_POLL_NAME
 +#define WATCHED_EXISTING_FILE_INOTIFY     FW_DIR "/.." FW_NAME "/" EXISTING_FILE_INOTIFY_NAME
 +#define WATCHED_EXISTING_FILE_POLL        FW_DIR "/.." FW_NAME "/" EXISTING_FILE_POLL_NAME
 +#define WATCHED_EXISTING_LINK_INOTIFY     FW_DIR "/" EXISTING_FILE_INOTIFY_NAME ".link"
 +#define WATCHED_EXISTING_LINK_POLL        FW_DIR "/" EXISTING_FILE_POLL_NAME ".link"
 +#define UNWATCHED_FILE                    FW_DIR "/unwatched_file"
 static TALLOC_CTX *test_mem_ctx;
@@ -50,34 +58,51 @@ struct fn_arg {
     int counter;
 };
 -static void setup_file_watch(void)
 +static void remove_files(void)
 {
 -    test_mem_ctx = talloc_new(NULL);
 -    mkdir(FW_DIR, 0700);
     unlink(WATCHED_FILE_INOTIFY);
     unlink(WATCHED_FILE_POLL);
 +    unlink(WATCHED_EXISTING_LINK_INOTIFY);
 +    unlink(WATCHED_EXISTING_LINK_POLL);
     unlink(WATCHED_EXISTING_FILE_INOTIFY);
     unlink(WATCHED_EXISTING_FILE_POLL);
 +    unlink(UNWATCHED_FILE);
 }
 +static void setup_file_watch(void)
 +{
 +    DEBUG(SSSDBG_TRACE_ALL, "==========================================\n");
 +    test_mem_ctx = talloc_new(NULL);
 +    mkdir(FW_DIR, 0700);
 +    remove_files();
 +}
 static void teardown_file_watch(void)
 {
 -    unlink(WATCHED_FILE_INOTIFY);
 -    unlink(WATCHED_FILE_POLL);
 -    unlink(WATCHED_EXISTING_FILE_INOTIFY);
 -    unlink(WATCHED_EXISTING_FILE_POLL);
     talloc_free(test_mem_ctx);
 +    remove_files();
 +    rmdir(FW_DIR);
 }
 static void callback(const char *filename, void *arg)
 {
 -    DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
 +    static char received[PATH_MAX + 1];
 +    static char expected[PATH_MAX + 1];
 +    char *res;
     struct fn_arg *data = (struct fn_arg *) arg;
 +    DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
 +
     ck_assert_msg(data != NULL, "Callback received NULL argument");
 -    ck_assert_msg(strcmp(filename, data->filename) == 0,
 +
 +    res = realpath(data->filename, expected);
 +    ck_assert_msg(res != NULL, "Failed to normalize the expected filename");
 +
 +    res = realpath(filename, received);
 +    ck_assert_msg(res != NULL, "Failed to normalize the received filename");
 +
 +    ck_assert_msg(strcmp(expected, received) == 0,
                   "Wrong filename in the callback.");
     data->counter++;
 }
@@ -88,7 +113,7 @@ static void modify_file(const char *filename)
     int fd;
     int res;
 -    DEBUG(SSSDBG_TRACE_FUNC, "File modified\n");
 +    DEBUG(SSSDBG_TRACE_FUNC, "Modifying file %s\n", filename);
     fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
     ck_assert_msg(fd != -1, "Failed to open the file.");
@@ -119,11 +144,14 @@ static void test_file_watch_no_file(bool use_inotify)
     arg.filename = filename;
     arg.counter = 0;
 +    DEBUG(SSSDBG_TRACE_ALL, "Watching file %s\n", filename);
     ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
     ck_assert_msg(ctx != NULL, "Failed to watch a file.");
     ck_assert_msg(arg.counter == 0, "Unexpected callback invocation.");
 -    // At this point the file doesn't exist, we will create it.
 +    // At this point the file doesn't exist. We create the watched and an
 +    // unwatched file
 +    modify_file(UNWATCHED_FILE);
     modify_file(filename);
     if (use_inotify) {
         res = tevent_loop_once(ev);
@@ -152,26 +180,35 @@ static void test_file_watch_with_file(bool use_inotify)
 {
     struct file_watch_ctx *ctx;
     struct tevent_context *ev;
 +    const char *filepath;
     const char *filename;
 +    const char *linkpath;
     struct fn_arg arg;
     int res;
     if (use_inotify) {
 -        filename = WATCHED_EXISTING_FILE_INOTIFY;
 +        filename = EXISTING_FILE_INOTIFY_NAME;
 +        filepath = WATCHED_EXISTING_FILE_INOTIFY;
 +        linkpath = WATCHED_EXISTING_LINK_INOTIFY;
     } else {
 -        filename = WATCHED_EXISTING_FILE_POLL;
 +        filename = EXISTING_FILE_POLL_NAME;
 +        filepath = WATCHED_EXISTING_FILE_POLL;
 +        linkpath = WATCHED_EXISTING_LINK_POLL;
     }
 -    modify_file(filename);
 +    modify_file(filepath);
 +    res = symlink(filename, linkpath);
 +    ck_assert_msg(res == 0, "Failed create the symbolic link");
     ev = tevent_context_init(test_mem_ctx);
     ck_assert_msg(ev != NULL, "Failed to create the tevent context.");
 -    arg.filename = filename;
 +    arg.filename = linkpath;
     arg.counter = 0;
     // File already exists
 -    ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
 -    ck_assert_msg(ctx != NULL, "Failed to watch a file.");
 +    DEBUG(SSSDBG_TRACE_ALL, "Watching link %s\n", linkpath);
 +    ctx = fw_watch_file(test_mem_ctx, ev, linkpath, use_inotify, callback, &arg);
 +    ck_assert_msg(ctx != NULL, "Failed to watch a link.");
     ck_assert_msg(arg.counter >= 1, "Callback not invoked at start up.");
     ck_assert_msg(arg.counter <= 1, "Callback invoked too many times at start up.");
@@ -179,7 +216,7 @@ static void test_file_watch_with_file(bool use_inotify)
     if (!use_inotify) {
         sleep(2); // Detection by polling is based on the file's modification time.
     }
 -    modify_file(filename);
 +    modify_file(filepath);
     if (use_inotify) {
         res = tevent_loop_once(ev);
         ck_assert_msg(res == 0, "tevent_loop_once() failed.");
 diff --git a/src/util/file_watch.c b/src/util/file_watch.c
 index b994e4116..d19fdccd6 100644
 --- a/src/util/file_watch.c
 +++ b/src/util/file_watch.c
@@ -121,7 +121,10 @@ static int watched_file_inotify_cb(const char *filename,
                                   uint32_t flags,
                                   void *pvt)
 {
 +    static char received[PATH_MAX + 1];
 +    static char expected[PATH_MAX + 1];
     struct file_watch_ctx *fw_ctx;
 +    char *res;
     DEBUG(SSSDBG_TRACE_LIBS,
           "Received inotify notification for %s\n", filename);
@@ -131,15 +134,32 @@ static int watched_file_inotify_cb(const char *filename,
         return EINVAL;
     }
 -    if (strcmp(fw_ctx->filename, filename) == 0) {
 -        if (access(fw_ctx->filename, F_OK) == 0) {
 -            fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg);
 +    res = realpath(fw_ctx->filename, expected);
 +    if (res == NULL) {
 +         DEBUG(SSSDBG_TRACE_LIBS,
 +               "Normalization failed for expected %s. Skipping the callback.\n",
 +               fw_ctx->filename);
 +        goto done;
 +    }
 +
 +    res = realpath(filename, received);
 +    if (res == NULL) {
 +         DEBUG(SSSDBG_TRACE_LIBS,
 +               "Normalization failed for received %s. Skipping the callback.\n",
 +               filename);
 +        goto done;
 +    }
 +
 +    if (strcmp(expected, received) == 0) {
 +        if (access(received, F_OK) == 0) {
 +            fw_ctx->cb(received, fw_ctx->cb_arg);
         } else {
             DEBUG(SSSDBG_TRACE_LIBS,
                   "File %s is missing. Skipping the callback.\n", filename);
         }
     }
 +done:
     return EOK;
 }
 -- 
 2.38.1
--- a/0002-MAN-fix-issue-with-multithread-build.patch
+++ b/0002-MAN-fix-issue-with-multithread-build.patch
@ -1,71 +0,0 @@
 From 713c646ec054b72cfaadd21f3faaa9c5acb96222 Mon Sep 17 00:00:00 2001
 From: Alexey Tikhonov <atikhono@redhat.com>
 Date: Tue, 16 May 2023 15:22:04 +0200
 Subject: [PATCH] MAN: fix issue with multithread build
 When 'make' runs using multiple threads it can build several man pages
 in parallel, executing the same '.5.xml.5:' rule. This can result in
 a race condition where multiple threads access the same 'sssd_user_name.include'
 file.
 To avoid this make 'sssd_user_name.include' file a rule dependency.
 But "Suffix rules cannot have any prerequisites of their own", and suffix
 rules are obsolete anyway, so change it to pattern rules.
 ---
 src/man/Makefile.am | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
 diff --git a/src/man/Makefile.am b/src/man/Makefile.am
 index ee44dff97..1e51aebfd 100644
 --- a/src/man/Makefile.am
 +++ b/src/man/Makefile.am
@@ -117,23 +117,23 @@ man_MANS += sssd-files.5
 endif # BUILD_FILES_PROVIDER
 endif
 -SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
 -.1.xml.1:
 +$(builddir)/src/man/sssd_user_name.include:
 +	@mkdir -p $(builddir)/src/man
 +	@echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
 +
 +%.1: %.1.xml
 	$(XMLLINT) $(XMLLINT_FLAGS) $<
 	$(XSLTPROC) -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
 -.3.xml.3:
 +%.3: %.3.xml
 	$(XMLLINT) $(XMLLINT_FLAGS) $<
 	$(XSLTPROC) -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
 -.5.xml.5:
 -	@mkdir -p $(builddir)/src/man
 -	@echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
 +%.5: %.5.xml $(builddir)/src/man/sssd_user_name.include
 	$(XMLLINT) --path "$(srcdir)/src/man:$(builddir)/src/man" $(XMLLINT_FLAGS) $<
 	$(XSLTPROC) --path "$(srcdir)/src/man:$(builddir)/src/man" -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
 -	@rm -f $(builddir)/src/man/sssd_user_name.include
 -.8.xml.8:
 +%.8: %.8.xml
 	$(XMLLINT) $(XMLLINT_FLAGS) $<
 	$(XSLTPROC) -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
@@ -215,6 +215,7 @@ clean-local:
 	done
 	rm -f $(man_MANS)
 	rm -f man.stamp
 +	rm -f $(builddir)/src/man/sssd_user_name.include
 else
@@ -224,6 +225,7 @@ man.stamp: $(XML_DOC)
 clean-local:
 	rm -f $(man_MANS)
 	rm -f man.stamp
 +	rm -f $(builddir)/src/man/sssd_user_name.include
 endif
 -- 
 2.38.1
--- a/0003-AD-add-missing-AD_AT_DOMAIN_NAME-for-sub-domain-sear.patch
+++ b/0003-AD-add-missing-AD_AT_DOMAIN_NAME-for-sub-domain-sear.patch
@ -1,28 +0,0 @@
 From e5dfa2a8c3cdb4db8749ae1b37cec8185070bc69 Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Tue, 23 May 2023 12:36:28 +0200
 Subject: [PATCH] AD: add missing AD_AT_DOMAIN_NAME for sub-domain search
 Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
 Reviewed-by: Justin Stephenson <jstephen@redhat.com>
 (cherry picked from commit 39b6337f32b76842be65802b0b0aa86050c8aa95)
 ---
 src/providers/ad/ad_subdomains.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
 index db7f1c3c7..a8d1892cc 100644
 --- a/src/providers/ad/ad_subdomains.c
 +++ b/src/providers/ad/ad_subdomains.c
@@ -1216,7 +1216,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)
     int dp_error;
     errno_t ret;
     const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
 -                            AD_AT_SID, AD_AT_TRUST_TYPE,
 +                            AD_AT_SID, AD_AT_TRUST_TYPE, AD_AT_DOMAIN_NAME,
                             AD_AT_TRUST_ATTRS, AD_AT_TRUST_DIRECTION, NULL };
     req = tevent_req_callback_data(subreq, struct tevent_req);
 -- 
 2.38.1
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (sssd-2.9.0.tar.gz) = cf65572cfa6468c4b3edc3a33a48ab6d58979917901662eb8b2d8fc5931494be81da13295246500a3a315b71d0395594c9a565014e5875f3cdde50da096f253d
+SHA512 (sssd-2.9.1.tar.gz) = eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b
--- a/sssd.spec
+++ b/sssd.spec
@ -18,8 +18,8 @@
 %global enable_systemtap_opt --enable-systemtap
 Name: sssd
-Version: 2.9.0
+Version: 2.9.1
-Release: 4%{?dist}
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -27,9 +27,7 @@ URL: https://github.com/SSSD/sssd
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
+#Patch0001:
 Patch0002: 0002-MAN-fix-issue-with-multithread-build.patch
 Patch0003: 0003-AD-add-missing-AD_AT_DOMAIN_NAME-for-sub-domain-sear.patch
 ### Downstream Patches ###
@ -1213,6 +1211,18 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
 * Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
 - Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
 - Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
 - Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
 - Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
 - Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
 - Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
 - Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
 - Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
 - Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
 - Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
 * Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
 - Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
  Rebuild against rebased Samba libs
`@ -1 +1 @@`
	`SHA512 (sssd-2.9.0.tar.gz) = cf65572cfa6468c4b3edc3a33a48ab6d58979917901662eb8b2d8fc5931494be81da13295246500a3a315b71d0395594c9a565014e5875f3cdde50da096f253d`	`SHA512 (sssd-2.9.1.tar.gz) = eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b`