rpms
/
sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS sssd-2.9.1-2.el9_3

This commit is contained in:
eabdullin 2023-11-08 08:15:06 +00:00
parent d24f6f093a
commit c31b9d577e
8 changed files with 200 additions and 285 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.8.2.tar.gz
SOURCES/sssd-2.9.1.tar.gz

2
.sssd.metadata
View File

@ -1 +1 @@
4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz

158
SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
View File

@ -1,158 +0,0 @@
From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 8 Dec 2022 15:14:05 +0100
Subject: [PATCH] ldap: update shadow last change in sysdb as well
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise pam can use the changed information whe id chaching is
enabled, so next authentication that fits into the id timeout
(5 seconds by default) will still sees the password as expired.
Resolves: https://github.com/SSSD/sssd/issues/6477
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
---
src/db/sysdb.h | 4 ++++
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
3 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7c666f5c4..06b44f5ba 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
struct sysdb_attrs *attrs,
int mod_op);
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
+ const char *name,
+ const char *attrname);
+
/* Replace group attrs */
int sysdb_set_group_attr(struct sss_domain_info *domain,
const char *name,
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0d6f2d5cd..ed0df9872 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1485,6 +1485,38 @@ done:
return ret;
}
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
+ const char *name,
+ const char *attrname)
+{
+ struct sysdb_attrs *attrs;
+ char *value;
+ errno_t ret;
+
+ attrs = sysdb_new_attrs(NULL);
+ if (attrs == NULL) {
+ return ENOMEM;
+ }
+
+ /* The attribute contains number of days since the epoch */
+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
+ if (value == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, attrname, value);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
+
+done:
+ talloc_free(attrs);
+ return ret;
+}
+
/* =Replace-Attributes-On-Group=========================================== */
int sysdb_set_group_attr(struct sss_domain_info *domain,
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 6404a9d3a..96b9d6df4 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
struct pam_data *pd;
struct sdap_handle *sh;
char *dn;
+ enum pwexpire pw_expire_type;
};
static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
{
struct sdap_pam_chpass_handler_state *state;
struct tevent_req *req;
- enum pwexpire pw_expire_type;
void *pw_expire_data;
size_t msg_len;
uint8_t *msg;
@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
ret = auth_recv(subreq, state, &state->sh, &state->dn,
- &pw_expire_type, &pw_expire_data);
+ &state->pw_expire_type, &pw_expire_data);
talloc_free(subreq);
if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
}
if (ret == EOK) {
- switch (pw_expire_type) {
+ switch (state->pw_expire_type) {
case PWEXPIRE_SHADOW:
ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
break;
@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
- "Unknown password expiration type %d.\n", pw_expire_type);
+ "Unknown password expiration type %d.\n",
+ state->pw_expire_type);
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
case ERR_PASSWORD_EXPIRED:
DEBUG(SSSDBG_TRACE_LIBS,
"user [%s] successfully authenticated.\n", state->dn);
- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
+ ret = sdap_pam_chpass_handler_change_step(state, req,
+ state->pw_expire_type);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sdap_pam_chpass_handler_change_step() failed.\n");
@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
switch (ret) {
case EOK:
+ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
+ if (ret != EOK) {
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ }
+
state->pd->pam_status = PAM_SUCCESS;
break;
case ERR_CHPASS_DENIED:
--
2.37.3

106
SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch Normal file
View File

@ -0,0 +1,106 @@
From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 12:31:39 +0200
Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Those two new calls can be used if there are requests stuck by e.g.
waiting on replies where there is no other way to handle the timeout and
get the system back into a stable state. They should be only used as a
last resort.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 75f2b35ad3b9256de905d05c5108400d35688554)
---
src/util/util.h | 12 ++++++++++++
src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/util/util.h b/src/util/util.h
index a8356e0cd..9dbcf3301 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -756,6 +756,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
void teardown_watchdog(void);
int get_watchdog_ticks(void);
+/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
+ * the watchdog reset, respectively. This means that after arm_watchdog() is
+ * called the watchdog will not be resetted anymore and it will kill the
+ * process if disarm_watchdog() wasn't called before.
+ * Those calls should only be used when there is no other way to handle
+ * waiting request and recover into a stable state.
+ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
+ * not be called a second time in a different request because then
+ * disarm_watchdog() will disable the watchdog coverage for both. */
+void arm_watchdog(void);
+void disarm_watchdog(void);
+
/* from files.c */
int sss_remove_tree(const char *root);
int sss_remove_subtree(const char *root);
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index b1534e499..abafd94b9 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -40,6 +40,7 @@ struct watchdog_ctx {
time_t timestamp;
struct tevent_fd *tfd;
int pipefd[2];
+ bool armed; /* if 'true' ticks counter will not be reset */
} watchdog_ctx;
static void watchdog_detect_timeshift(void)
@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
struct timeval current_time,
void *private_data)
{
- /* first thing reset the watchdog ticks */
- watchdog_reset();
+ if (!watchdog_ctx.armed) {
+ /* first thing reset the watchdog ticks */
+ watchdog_reset();
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Watchdog armed, process might be terminated soon.\n");
+ }
/* then set a new watchodg event */
watchdog_ctx.te = tevent_add_timer(ev, ev,
@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
watchdog_ctx.ev = ev;
watchdog_ctx.input_interval = interval;
watchdog_ctx.timestamp = time(NULL);
+ watchdog_ctx.armed = false;
ret = pipe(watchdog_ctx.pipefd);
if (ret == -1) {
@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
{
return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
}
+
+void arm_watchdog(void)
+{
+ if (watchdog_ctx.armed) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "arm_watchdog() is called although the watchdog is already armed. "
+ "This indicates a programming error and should be avoided because "
+ "it will most probably not work as expected.\n");
+ }
+
+ watchdog_ctx.armed = true;
+}
+
+void disarm_watchdog(void)
+{
+ watchdog_ctx.armed = false;
+}
--
2.38.1

29
SOURCES/0002-MAN-mention-attributes-in-see-also.patch
View File

@ -1,29 +0,0 @@
From 897ccf40b2e7ab30c3b8a3fb42584d1d5b8c4bb3 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 13 Jan 2023 18:58:05 +0100
Subject: [PATCH] MAN: mention `attributes` in 'see also'
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit b631c3174a3f8f5c169e9507969015dd79fdfd80)
---
src/man/include/seealso.xml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
index 9999496fa..7f0bbe9df 100644
--- a/src/man/include/seealso.xml
+++ b/src/man/include/seealso.xml
@@ -10,6 +10,9 @@
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-ldap-attributes</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
<citerefentry>
<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
--
2.37.3

53
SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch Normal file
View File

@ -0,0 +1,53 @@
From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 13:01:47 +0200
Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There seem to be conditions where the reply in the
sbus_call_DBus_Hello_send() request gets lost and the backend cannot
properly initialize its sbus/DBus server. Since the backend cannot be
connected by the frontends in this state the best way to recover would
be a restart. Since the event-loop is active in this state, e.g. waiting
for the reply, the watchdog will not consider the process as hung and
will not restart the process.
To make the watchdog handle this case arm_watchdog() and
disarm_watchdog() are called before and after the request, respectively.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
---
src/sbus/connection/sbus_connection_connect.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
index 45a0fa491..edc090e15 100644
--- a/src/sbus/connection/sbus_connection_connect.c
+++ b/src/sbus/connection/sbus_connection_connect.c
@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
+ arm_watchdog();
+
return req;
}
@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
uint32_t res;
errno_t ret;
+ disarm_watchdog();
+
req = tevent_req_callback_data(subreq, struct tevent_req);
ret = sbus_call_DBus_RequestName_recv(subreq, &res);
--
2.38.1

90
SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
View File

@ -1,90 +0,0 @@
From 45a5630e0cfe95ab90bf4a7dd1b32f418c4c759e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 23 Dec 2022 16:36:58 +0100
Subject: [PATCH] SSS_CLIENT: delete key in lib destructor
pthread_key_delete() disables thread at-exit destructors.
Otherwise an attempt to execute already unloaded `sss_at_thread_exit()`
would trigger segfault.
This doesn't solve an issue with leaking on `dlclose()` FDs initialized in
multiple threads, but better than crash.
Resolves: https://github.com/SSSD/sssd/issues/6505
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 08ccd23fb2c831d6ea918a59b777a0073d414858)
---
src/sss_client/common.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index d762dff49..2c888faa9 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -27,6 +27,7 @@
#include <nss.h>
#include <security/pam_modules.h>
#include <errno.h>
+#include <stdatomic.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
@@ -63,7 +64,8 @@
#ifdef HAVE_PTHREAD_EXT
static pthread_key_t sss_sd_key;
-static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
+static pthread_once_t sss_sd_key_init = PTHREAD_ONCE_INIT;
+static atomic_bool sss_sd_key_initialized = false;
static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
#else
@@ -71,9 +73,6 @@ static int sss_cli_sd = -1; /* the sss client socket descriptor */
static struct stat sss_cli_sb; /* the sss client stat buffer */
#endif
-#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
-__attribute__((destructor))
-#endif
void sss_cli_close_socket(void)
{
if (sss_cli_sd != -1) {
@@ -91,9 +90,24 @@ static void sss_at_thread_exit(void *v)
static void init_sd_key(void)
{
pthread_key_create(&sss_sd_key, sss_at_thread_exit);
+ sss_sd_key_initialized = true;
+}
+#endif
+
+#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
+__attribute__((destructor)) void sss_at_lib_unload(void)
+{
+#ifdef HAVE_PTHREAD_EXT
+ if (sss_sd_key_initialized) {
+ sss_sd_key_initialized = false;
+ pthread_key_delete(sss_sd_key);
+ }
+#endif
+ sss_cli_close_socket();
}
#endif
+
/* Requests:
*
* byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
@@ -572,7 +586,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
}
#ifdef HAVE_PTHREAD_EXT
- pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
+ pthread_once(&sss_sd_key_init, init_sd_key); /* once for all threads */
/* It actually doesn't matter what value to set for a key.
* The only important thing: key must be non-NULL to ensure
--
2.37.3

45
SPECS/sssd.spec
View File

@ -26,7 +26,7 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
Name: sssd
Version: 2.8.2
Version: 2.9.1
Release: 2%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
@ -34,9 +34,8 @@ URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
Patch0002: 0002-MAN-mention-attributes-in-see-also.patch
Patch0003: 0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch
### Dependencies ###
@ -523,8 +522,9 @@ autoreconf -ivf
--with-syslog=journald \
--with-test-dir=/dev/shm \
--with-subid \
--with-files-provider \
--with-libsifp \
%if 0%{?fedora}
--enable-files-domain \
--disable-polkit-rules-path \
%endif
%{nil}
@ -830,7 +830,7 @@ done
%{_mandir}/man5/sssd-ifp.5*
%{_unitdir}/sssd-ifp.service
# InfoPipe DBus plumbing
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
%files -n libsss_simpleifp
@ -1062,6 +1062,39 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
- Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3
- Resolves: rhbz#2196816 - [RHEL9] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
- Resolves: rhbz#2162552 - sssd client caches old data after removing netgroup member on IDM
- Resolves: rhbz#2189542 - [sssd] RHEL 9.3 Tier 0 Localization
- Resolves: rhbz#2133854 - [RHEL9] In some cases when `sdap_add_incomplete_groups()` is called with `ignore_group_members = true`, groups should be treated as complete
- Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
* Tue Jun 6 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-5
- Related: rhbz#2190415 - Rebase Samba to the latest 4.18.x release
Rebuild against rebased Samba libs.
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
- Related: rhbz#2190415 - Rebase Samba to the latest 4.18.x release
Rebuild against rebased Samba libs.
* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3
- Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
- Resolves: rhbz#1913839 - filter_groups doesn't filter GID from 'id' output: AD + 'ldap_id_mapping = True' corner case
- Resolves: rhbz#2100789 - [Improvement] sssctl config-check command does not show an error when we don't have id_provider in the domain section
- Resolves: rhbz#2152177 - [RFE] Add support for ldapi:// URLs
- Resolves: rhbz#2164852 - man page entry should make clear that a nested group needs a name
- Resolves: rhbz#2166627 - Improvement: sss_client: add 'getsidbyusername()' and 'getsidbygroupname()' and corresponding python bindings
- Resolves: rhbz#2166943 - kinit switches KCM away from the newly issued ticket
- Resolves: rhbz#2167728 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
* Mon Jan 16 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
- Resolves: rhbz#2160001 - Reference to 'sssd-ldap-attributes' man page is missing in 'sssd-ldap', etc man pages
- Resolves: rhbz#2143159 - automount killed by SIGSEGV