Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9

Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
This commit is contained in:
Alexey Tikhonov 2023-06-23 18:36:22 +02:00
parent 2745af01b7
commit b85a9ede6e
6 changed files with 17 additions and 353 deletions

.gitignore vendored

@ -5,3 +5,4 @@
/sssd-2.8.1.tar.gz
/sssd-2.8.2.tar.gz
/sssd-2.9.0.tar.gz
/sssd-2.9.1.tar.gz

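--- a/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From eb43c2400a34a4ab77be4f75ba7536baecda3bef Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
-Date: Wed, 10 May 2023 17:29:07 +0200
-Subject: [PATCH] FILE WATCH: Callback not executed on link or relative path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-When the watched file was a symbolic link or was a relative path,
-the calback was not executed because the filename comparison
-was wrongly considering the files to be different.
-The solution is to normalize the filenames before comparing them.
-This cannot be easily done at setup because the file could not
-exist at that moment.
-The test was adapted to check this situation.
-Resolves: https://github.com/SSSD/sssd/issues/6718
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3)
----
-src/tests/file_watch-tests.c | 83 ++++++++++++++++++++++++++----------
-src/util/file_watch.c | 26 +++++++++--
-2 files changed, 83 insertions(+), 26 deletions(-)
-diff --git a/src/tests/file_watch-tests.c b/src/tests/file_watch-tests.c
-index 3ca5b44f9..3e1aea6ce 100644
---- a/src/tests/file_watch-tests.c
-+++ b/src/tests/file_watch-tests.c
-@@ -36,11 +36,19 @@
-#include "util/file_watch.h"
-#include "tests/common.h"
--#define FW_DIR TEST_DIR "/file-watch"
--#define WATCHED_FILE_INOTIFY FW_DIR "/watched_file_inotify"
--#define WATCHED_FILE_POLL FW_DIR "/watched_file_poll"
--#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/watched_file_inotify.exists"
--#define WATCHED_EXISTING_FILE_POLL FW_DIR "/watched_file_poll.exists"
-+#define FW_NAME "/file-watch-test-dir"
-+#define FILE_INOTIFY_NAME "watched_file_inotify"
-+#define FILE_POLL_NAME "watched_file_poll"
-+#define FW_DIR TEST_DIR FW_NAME
-+#define EXISTING_FILE_INOTIFY_NAME FILE_INOTIFY_NAME ".exists"
-+#define EXISTING_FILE_POLL_NAME FILE_POLL_NAME ".exists"
-+#define WATCHED_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" FILE_INOTIFY_NAME
-+#define WATCHED_FILE_POLL FW_DIR "/.." FW_NAME "/" FILE_POLL_NAME
-+#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" EXISTING_FILE_INOTIFY_NAME
-+#define WATCHED_EXISTING_FILE_POLL FW_DIR "/.." FW_NAME "/" EXISTING_FILE_POLL_NAME
-+#define WATCHED_EXISTING_LINK_INOTIFY FW_DIR "/" EXISTING_FILE_INOTIFY_NAME ".link"
-+#define WATCHED_EXISTING_LINK_POLL FW_DIR "/" EXISTING_FILE_POLL_NAME ".link"
-+#define UNWATCHED_FILE FW_DIR "/unwatched_file"
-static TALLOC_CTX *test_mem_ctx;
-@@ -50,34 +58,51 @@ struct fn_arg {
-int counter;
-};
--static void setup_file_watch(void)
-+static void remove_files(void)
-{
-- test_mem_ctx = talloc_new(NULL);
-- mkdir(FW_DIR, 0700);
-unlink(WATCHED_FILE_INOTIFY);
-unlink(WATCHED_FILE_POLL);
-+ unlink(WATCHED_EXISTING_LINK_INOTIFY);
-+ unlink(WATCHED_EXISTING_LINK_POLL);
-unlink(WATCHED_EXISTING_FILE_INOTIFY);
-unlink(WATCHED_EXISTING_FILE_POLL);
-+ unlink(UNWATCHED_FILE);
-}
-+static void setup_file_watch(void)
-+{
-+ DEBUG(SSSDBG_TRACE_ALL, "==========================================\n");
-+ test_mem_ctx = talloc_new(NULL);
-+ mkdir(FW_DIR, 0700);
-+ remove_files();
-+}
-static void teardown_file_watch(void)
-{
-- unlink(WATCHED_FILE_INOTIFY);
-- unlink(WATCHED_FILE_POLL);
-- unlink(WATCHED_EXISTING_FILE_INOTIFY);
-- unlink(WATCHED_EXISTING_FILE_POLL);
-talloc_free(test_mem_ctx);
-+ remove_files();
-+ rmdir(FW_DIR);
-}
-static void callback(const char *filename, void *arg)
-{
-- DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
-+ static char received[PATH_MAX + 1];
-+ static char expected[PATH_MAX + 1];
-+ char *res;
-struct fn_arg *data = (struct fn_arg *) arg;
-+ DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
-+
-ck_assert_msg(data != NULL, "Callback received NULL argument");
-- ck_assert_msg(strcmp(filename, data->filename) == 0,
-+
-+ res = realpath(data->filename, expected);
-+ ck_assert_msg(res != NULL, "Failed to normalize the expected filename");
-+
-+ res = realpath(filename, received);
-+ ck_assert_msg(res != NULL, "Failed to normalize the received filename");
-+
-+ ck_assert_msg(strcmp(expected, received) == 0,
-"Wrong filename in the callback.");
-data->counter++;
-}
-@@ -88,7 +113,7 @@ static void modify_file(const char *filename)
-int fd;
-int res;
-- DEBUG(SSSDBG_TRACE_FUNC, "File modified\n");
-+ DEBUG(SSSDBG_TRACE_FUNC, "Modifying file %s\n", filename);
-fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
-ck_assert_msg(fd != -1, "Failed to open the file.");
-@@ -119,11 +144,14 @@ static void test_file_watch_no_file(bool use_inotify)
-arg.filename = filename;
-arg.counter = 0;
-+ DEBUG(SSSDBG_TRACE_ALL, "Watching file %s\n", filename);
-ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
-ck_assert_msg(ctx != NULL, "Failed to watch a file.");
-ck_assert_msg(arg.counter == 0, "Unexpected callback invocation.");
-- // At this point the file doesn't exist, we will create it.
-+ // At this point the file doesn't exist. We create the watched and an
-+ // unwatched file
-+ modify_file(UNWATCHED_FILE);
-modify_file(filename);
-if (use_inotify) {
-res = tevent_loop_once(ev);
-@@ -152,26 +180,35 @@ static void test_file_watch_with_file(bool use_inotify)
-{
-struct file_watch_ctx *ctx;
-struct tevent_context *ev;
-+ const char *filepath;
-const char *filename;
-+ const char *linkpath;
-struct fn_arg arg;
-int res;
-if (use_inotify) {
-- filename = WATCHED_EXISTING_FILE_INOTIFY;
-+ filename = EXISTING_FILE_INOTIFY_NAME;
-+ filepath = WATCHED_EXISTING_FILE_INOTIFY;
-+ linkpath = WATCHED_EXISTING_LINK_INOTIFY;
-} else {
-- filename = WATCHED_EXISTING_FILE_POLL;
-+ filename = EXISTING_FILE_POLL_NAME;
-+ filepath = WATCHED_EXISTING_FILE_POLL;
-+ linkpath = WATCHED_EXISTING_LINK_POLL;
-}
-- modify_file(filename);
-+ modify_file(filepath);
-+ res = symlink(filename, linkpath);
-+ ck_assert_msg(res == 0, "Failed create the symbolic link");
-ev = tevent_context_init(test_mem_ctx);
-ck_assert_msg(ev != NULL, "Failed to create the tevent context.");
-- arg.filename = filename;
-+ arg.filename = linkpath;
-arg.counter = 0;
-// File already exists
-- ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
-- ck_assert_msg(ctx != NULL, "Failed to watch a file.");
-+ DEBUG(SSSDBG_TRACE_ALL, "Watching link %s\n", linkpath);
-+ ctx = fw_watch_file(test_mem_ctx, ev, linkpath, use_inotify, callback, &arg);
-+ ck_assert_msg(ctx != NULL, "Failed to watch a link.");
-ck_assert_msg(arg.counter >= 1, "Callback not invoked at start up.");
-ck_assert_msg(arg.counter <= 1, "Callback invoked too many times at start up.");
-@@ -179,7 +216,7 @@ static void test_file_watch_with_file(bool use_inotify)
-if (!use_inotify) {
-sleep(2); // Detection by polling is based on the file's modification time.
-}
-- modify_file(filename);
-+ modify_file(filepath);
-if (use_inotify) {
-res = tevent_loop_once(ev);
-ck_assert_msg(res == 0, "tevent_loop_once() failed.");
-diff --git a/src/util/file_watch.c b/src/util/file_watch.c
-index b994e4116..d19fdccd6 100644
---- a/src/util/file_watch.c
-+++ b/src/util/file_watch.c
-@@ -121,7 +121,10 @@ static int watched_file_inotify_cb(const char *filename,
-uint32_t flags,
-void *pvt)
-{
-+ static char received[PATH_MAX + 1];
-+ static char expected[PATH_MAX + 1];
-struct file_watch_ctx *fw_ctx;
-+ char *res;
-DEBUG(SSSDBG_TRACE_LIBS,
-"Received inotify notification for %s\n", filename);
-@@ -131,15 +134,32 @@ static int watched_file_inotify_cb(const char *filename,
-return EINVAL;
-}
-- if (strcmp(fw_ctx->filename, filename) == 0) {
-- if (access(fw_ctx->filename, F_OK) == 0) {
-- fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg);
-+ res = realpath(fw_ctx->filename, expected);
-+ if (res == NULL) {
-+ DEBUG(SSSDBG_TRACE_LIBS,
-+ "Normalization failed for expected %s. Skipping the callback.\n",
-+ fw_ctx->filename);
-+ goto done;
-+ }
-+
-+ res = realpath(filename, received);
-+ if (res == NULL) {
-+ DEBUG(SSSDBG_TRACE_LIBS,
-+ "Normalization failed for received %s. Skipping the callback.\n",
-+ filename);
-+ goto done;
-+ }
-+
-+ if (strcmp(expected, received) == 0) {
-+ if (access(received, F_OK) == 0) {
-+ fw_ctx->cb(received, fw_ctx->cb_arg);
-} else {
-DEBUG(SSSDBG_TRACE_LIBS,
-"File %s is missing. Skipping the callback.\n", filename);
-}
-}
-+done:
-return EOK;
-}
---
-2.38.1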

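--- a/0002-MAN-fix-issue-with-multithread-build.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 713c646ec054b72cfaadd21f3faaa9c5acb96222 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Tue, 16 May 2023 15:22:04 +0200
-Subject: [PATCH] MAN: fix issue with multithread build
-When 'make' runs using multiple threads it can build several man pages
-in parallel, executing the same '.5.xml.5:' rule. This can result in
-a race condition where multiple threads access the same 'sssd_user_name.include'
-file.
-To avoid this make 'sssd_user_name.include' file a rule dependency.
-But "Suffix rules cannot have any prerequisites of their own", and suffix
-rules are obsolete anyway, so change it to pattern rules.
----
-src/man/Makefile.am | 18 ++++++++++--------
-1 file changed, 10 insertions(+), 8 deletions(-)
-diff --git a/src/man/Makefile.am b/src/man/Makefile.am
-index ee44dff97..1e51aebfd 100644
---- a/src/man/Makefile.am
-+++ b/src/man/Makefile.am
-@@ -117,23 +117,23 @@ man_MANS += sssd-files.5
-endif # BUILD_FILES_PROVIDER
-endif
--SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
--.1.xml.1:
-+$(builddir)/src/man/sssd_user_name.include:
-+ @mkdir -p $(builddir)/src/man
-+ @echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
-+
-+%.1: %.1.xml
-$(XMLLINT) $(XMLLINT_FLAGS) $<
-$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
--.3.xml.3:
-+%.3: %.3.xml
-$(XMLLINT) $(XMLLINT_FLAGS) $<
-$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
--.5.xml.5:
-- @mkdir -p $(builddir)/src/man
-- @echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
-+%.5: %.5.xml $(builddir)/src/man/sssd_user_name.include
-$(XMLLINT) --path "$(srcdir)/src/man:$(builddir)/src/man" $(XMLLINT_FLAGS) $<
-$(XSLTPROC) --path "$(srcdir)/src/man:$(builddir)/src/man" -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
-- @rm -f $(builddir)/src/man/sssd_user_name.include
--.8.xml.8:
-+%.8: %.8.xml
-$(XMLLINT) $(XMLLINT_FLAGS) $<
-$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
-@@ -215,6 +215,7 @@ clean-local:
-done
-rm -f $(man_MANS)
-rm -f man.stamp
-+ rm -f $(builddir)/src/man/sssd_user_name.include
-else
-@@ -224,6 +225,7 @@ man.stamp: $(XML_DOC)
-clean-local:
-rm -f $(man_MANS)
-rm -f man.stamp
-+ rm -f $(builddir)/src/man/sssd_user_name.include
-endif
---
-2.38.1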

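--- a/0003-AD-add-missing-AD_AT_DOMAIN_NAME-for-sub-domain-sear.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e5dfa2a8c3cdb4db8749ae1b37cec8185070bc69 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 23 May 2023 12:36:28 +0200
-Subject: [PATCH] AD: add missing AD_AT_DOMAIN_NAME for sub-domain search
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-(cherry picked from commit 39b6337f32b76842be65802b0b0aa86050c8aa95)
----
-src/providers/ad/ad_subdomains.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
-index db7f1c3c7..a8d1892cc 100644
---- a/src/providers/ad/ad_subdomains.c
-+++ b/src/providers/ad/ad_subdomains.c
-@@ -1216,7 +1216,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)
-int dp_error;
-errno_t ret;
-const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
-- AD_AT_SID, AD_AT_TRUST_TYPE,
-+ AD_AT_SID, AD_AT_TRUST_TYPE, AD_AT_DOMAIN_NAME,
-AD_AT_TRUST_ATTRS, AD_AT_TRUST_DIRECTION, NULL };
-req = tevent_req_callback_data(subreq, struct tevent_req);
---
-2.38.1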


@ -1 +1 @@
SHA512 (sssd-2.9.0.tar.gz) = cf65572cfa6468c4b3edc3a33a48ab6d58979917901662eb8b2d8fc5931494be81da13295246500a3a315b71d0395594c9a565014e5875f3cdde50da096f253d
SHA512 (sssd-2.9.1.tar.gz) = eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b


@ -18,8 +18,8 @@
%global enable_systemtap_opt --enable-systemtap
Name: sssd
Version: 2.9.0
Release: 4%{?dist}
Version: 2.9.1
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -27,9 +27,7 @@ URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
Patch0002: 0002-MAN-fix-issue-with-multithread-build.patch
Patch0003: 0003-AD-add-missing-AD_AT_DOMAIN_NAME-for-sub-domain-sear.patch
#Patch0001:
### Downstream Patches ###
@ -1213,6 +1211,18 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
Rebuild against rebased Samba libs
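Review bot: The spec drops Patch0002 (0002-MAN-fix-issue-with-multithread-build.patch) together with the two cherry-picked fixes, but unlike 0001 and 0003 that deleted patch file carries no `(cherry picked from commit …)` trailer, so nothing on this page shows that the man-page parallel-build fix is actually in the 2.9.1 tarball. If it was merged upstream before 2.9.1 this is fine; if it was downstream-only it should remain in the spec, since dropping it would reintroduce the race on sssd_user_name.include that the patch describes. A one-line comment beside the emptied `#Patch0001:` placeholder naming the release that absorbed the three patches would make this auditable in future rebases, e.g. `# Patches 0001-0003 from 2.9.0-4 are part of upstream 2.9.1`.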