diff --git a/0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch b/0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch new file mode 100644 index 0000000..d569dfa --- /dev/null +++ b/0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch @@ -0,0 +1,34 @@ +From c6cd2fe3f75638e8920b049ea05282f4072e9f05 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 14 Jun 2021 21:25:23 +0200 +Subject: [PATCH 02/16] krb5_child: reduce log severity in sss_send_pac() in + case PAC responder isn't running. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +--- + src/providers/krb5/krb5_child.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index 713e90f833c40b8da864b42c2f6be02894abf35b..4e55d9a3746c297499ad577075b59f027815ee12 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -223,7 +223,10 @@ static errno_t sss_send_pac(krb5_authdata **pac_authdata) + + ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data, + NULL, NULL, &errnop); +- if (ret != NSS_STATUS_SUCCESS || errnop != 0) { ++ if (ret == NSS_STATUS_UNAVAIL) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "failed to contact PAC responder\n"); ++ return EIO; ++ } else if (ret != NSS_STATUS_SUCCESS || errnop != 0) { + DEBUG(SSSDBG_OP_FAILURE, "sss_pac_make_request failed [%d][%d].\n", + ret, errnop); + return EIO; +-- +2.20.1 + diff --git a/0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch b/0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch new file mode 100644 index 0000000..15432ae --- /dev/null +++ b/0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch 
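Review bot: The new NSS_STATUS_UNAVAIL branch in sss_send_pac() drops both `ret` and `errnop` from the log line, so when the PAC responder cannot be reached the operator loses the errno that the surviving OP_FAILURE message still prints for every other outcome. Keep the detail at the lower level: `DEBUG(SSSDBG_MINOR_FAILURE, "failed to contact PAC responder [%d][%d]\n", ret, errnop);`. Both branches return EIO, so the caller cannot tell "responder not running" from a real request failure; if the caller relies on PAC-derived group data for authorization decisions, a distinct return code would let it log or act differently — the caller and the rest of sss_send_pac() are outside this hunk.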
@@ -0,0 +1,31 @@ +From 0eccee18822e60393c8a4a9b99a3c80d2b1275d9 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 14 Jun 2021 21:47:52 +0200 +Subject: [PATCH 03/16] secrets: reduce log severity in local_db_create() in + case entry already exists since this is expected during normal oprations. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +--- + src/util/secrets/secrets.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index 6e99e291dd355cc69b0d872f53624ca3446e18ad..f12b615f8ac8f929969d328db41876070ccc75c5 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -476,7 +476,7 @@ static int local_db_create(struct sss_sec_req *req) + ret = ldb_add(req->sctx->ldb, msg); + if (ret != LDB_SUCCESS) { + if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) { +- DEBUG(SSSDBG_OP_FAILURE, ++ DEBUG(SSSDBG_FUNC_DATA, + "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn)); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, +-- +2.20.1 + diff --git a/0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch b/0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch new file mode 100644 index 0000000..44e1d46 --- /dev/null +++ b/0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch 
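Review bot: The lowered level is justified only in the commit message; the code gives no hint why an LDB_ERR_ENTRY_ALREADY_EXISTS result is not an error, so the next reader is likely to bump it back to OP_FAILURE. Put the reason inline, above the DEBUG call: `/* Not an error: callers may legitimately create an entry that already exists */`. The body of local_db_create() continues outside the hunk, so what `ret` becomes after this branch (and whether the caller treats it as success) is not visible here.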
@@ -0,0 +1,70 @@ +From 624e3fe75116e15c48e9b9455ef0abd2f1256140 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 14 Jun 2021 21:56:16 +0200 +Subject: [PATCH 04/16] KCM: use SSSDBG_MINOR_FAILURE for + ERR_KCM_OP_NOT_IMPLEMENTED +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +--- + src/responder/kcm/kcmsrv_cmd.c | 13 +++++++++---- + src/responder/kcm/kcmsrv_ops.c | 2 +- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c +index 3ad17ef431bb3d42b39f56d04c97acfc25f06d2f..49518920bf8213d6c7a55f6c07aca11cbd86c406 100644 +--- a/src/responder/kcm/kcmsrv_cmd.c ++++ b/src/responder/kcm/kcmsrv_cmd.c +@@ -195,7 +195,7 @@ static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf, + + op_io->op = kcm_get_opt(be16toh(opcode_be)); + if (op_io->op == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_MINOR_FAILURE, + "Did not find a KCM operation handler for the requested opcode\n"); + return ERR_KCM_OP_NOT_IMPLEMENTED; + } +@@ -312,7 +312,8 @@ static void kcm_reply_error(struct cli_ctx *cctx, + errno_t ret; + krb5_error_code kerr; + +- DEBUG(SSSDBG_OP_FAILURE, ++ DEBUG(retcode == ERR_KCM_OP_NOT_IMPLEMENTED ? 
++ SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE, + "KCM operation returns failure [%d]: %s\n", + retcode, sss_strerror(retcode)); + kerr = sss2krb5_error(retcode); +@@ -405,8 +406,12 @@ static void kcm_cmd_request_done(struct tevent_req *req) + &req_ctx->op_io.reply); + talloc_free(req); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret)); ++ if (ret == ERR_KCM_OP_NOT_IMPLEMENTED) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "%s\n", sss_strerror(ret)); ++ } else { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret)); ++ } + kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf); + return; + } +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index a8f49cedb0ce373e45a7f187ae87a82979c1a8c1..f7f80d85023d6ab3fdbf68078cd97594beb95e48 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -122,7 +122,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + } + + if (op->fn_send == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_MINOR_FAILURE, + "KCM op %s has no handler\n", kcm_opt_name(op)); + ret = ERR_KCM_OP_NOT_IMPLEMENTED; + goto immediate; +-- +2.20.1 + diff --git a/0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch b/0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch new file mode 100644 index 0000000..3c8be80 --- /dev/null +++ b/0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch 
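Review bot: For ERR_KCM_OP_NOT_IMPLEMENTED the failure is now logged twice at MINOR_FAILURE: once in kcm_cmd_request_done() with the bare `"%s\n"` message and again immediately in kcm_reply_error(), which it calls on the very next line. Either drop the new DEBUG in kcm_cmd_request_done() and let kcm_reply_error() report it, or keep the same shape as the sibling branch so the numeric code is not lost: `DEBUG(SSSDBG_MINOR_FAILURE, "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret));`. Lowering the level in kcm_input_parse() and kcm_cmd_send() is the right call, since the opcode comes from the client and an unknown value should not produce CRIT_FAILURE entries that any local user can trigger at will.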
@@ -0,0 +1,31 @@ +From 0646917cd826e14663691a2252be9853563331d2 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 14 Jun 2021 22:04:21 +0200 +Subject: [PATCH 05/16] KCM: reduce log severity in sec_get() in case entry not + found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index 6c8c35b865543fd47a13149a49a3be34aab31649..4631bfea09316b47a8c8b5aa6580f60536edea5b 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -58,7 +58,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + + ret = sss_sec_get(tmp_ctx, req, &data, &len, &datatype); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, ++ DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } +-- +2.20.1 + diff --git a/0005-Fix-minor-typos-in-docs.patch b/0005-Fix-minor-typos-in-docs.patch new file mode 100644 index 0000000..4dfbb5d --- /dev/null +++ b/0005-Fix-minor-typos-in-docs.patch 
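Review bot: The commit says the level is lowered for the not-found case, but the change applies to every `ret != EOK` from sss_sec_get(), so genuine failures (I/O or allocation errors, whatever sss_sec_get() returns for them) are demoted to MINOR_FAILURE as well. Restrict the demotion to the expected case, mirroring the ternary this series uses for ERR_KCM_OP_NOT_IMPLEMENTED: `DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,`. Which errno sss_sec_get() returns for a missing entry is not visible in the hunk, so ENOENT is an assumption to confirm. sec_get() starts before and continues after the hunk.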
@@ -0,0 +1,49 @@ +From b04742485dfb18d23b08f040710944d9d6e29c56 Mon Sep 17 00:00:00 2001 +From: Yuri Chornoivan +Date: Thu, 10 Jun 2021 14:46:00 +0300 +Subject: [PATCH 06/16] Fix minor typos in docs + +Reviewed-by: Pawel Polawski +--- + src/man/pam_sss_gss.8.xml | 4 ++-- + src/man/sssd-sudo.5.xml | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml +index a83369de288b1638fd63d3de8448e705bad881b5..5cde974902afddfedb8bc8934164152e8dcc0944 100644 +--- a/src/man/pam_sss_gss.8.xml ++++ b/src/man/pam_sss_gss.8.xml +@@ -71,7 +71,7 @@ + for more details on these options. + + +- Some Kerberos deployments allow to assocate authentication ++ Some Kerberos deployments allow to associate authentication + indicators with a particular pre-authentication method used to + obtain the ticket granting ticket by the user. + pam_sss_gss.so allows to enforce presence of +@@ -199,7 +199,7 @@ auth sufficient pam_sss_gss.so + + 3. Authentication does not work and syslog contains "No Kerberos + credentials available": You don't have any credentials that can be +- used to obtain the required service ticket. Use kinit or autheticate ++ used to obtain the required service ticket. Use kinit or authenticate + over SSSD to acquire those credentials. + + +diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml +index 3ad89dde3c167cce6d58f0b306b7cf6c6fc17e0c..87645204062255924ef3441a76f3798cc161c953 100644 +--- a/src/man/sssd-sudo.5.xml ++++ b/src/man/sssd-sudo.5.xml +@@ -215,7 +215,7 @@ ldap_sudo_search_base = ou=sudoers,dc=example,dc=com + SSSD uses different kinds of mechanisms with more or less complex + LDAP filters to keep the cached sudo rules up to date. 
The default + configuration is set to values that should satisfy most of our +- users, but the following paragraps contains few tips on how to fine ++ users, but the following paragraphs contain few tips on how to fine- + tune the configuration to your requirements. + + +-- +2.20.1 + diff --git a/0006-KCM-Unset-_SSS_LOOPS.patch b/0006-KCM-Unset-_SSS_LOOPS.patch new file mode 100644 index 0000000..9d30979 --- /dev/null +++ b/0006-KCM-Unset-_SSS_LOOPS.patch @@ -0,0 +1,37 @@ +From 2a3fb3bdbac5dd7294a2ec6f27346ae18355241a Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Thu, 10 Jun 2021 09:37:52 -0400 +Subject: [PATCH 07/16] KCM: Unset _SSS_LOOPS + +Since sssd_kcm is working independently of other SSSD components, +especially the nss responder, and the kcm client side in libkrb5 of +course does not check for _SSS_LOOPS to protect sssd_kcm from calling +into itself the variable is not needed. + +This allows repeated getpwuid() calls in KCM renewals code to succeed. + +Reviewed-by: Alexey Tikhonov +--- + src/responder/kcm/kcm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c +index 9be56b0b84b92f0cc6213509df1afc780dd1da28..09578c0cbac09a25f3ca56b19b89e7015d1b4298 100644 +--- a/src/responder/kcm/kcm.c ++++ b/src/responder/kcm/kcm.c +@@ -268,6 +268,12 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx, + kctx->rctx = rctx; + kctx->rctx->pvt_ctx = kctx; + ++ /* KCM operates independently, getpw* recursion is not a concern */ ++ ret = unsetenv("_SSS_LOOPS"); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS"); ++ } ++ + ret = kcm_get_config(kctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting KCM config\n"); +-- +2.20.1 + diff --git a/0007-kcm-terminate-client-on-bad-message.patch b/0007-kcm-terminate-client-on-bad-message.patch new file mode 100644 index 0000000..3496241 --- /dev/null +++ b/0007-kcm-terminate-client-on-bad-message.patch 
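Review bot: The new failure message `"Failed to unset _SSS_LOOPS"` lacks the trailing newline every other DEBUG call in this file carries, and it discards errno, which unsetenv() sets on failure. unsetenv() also returns 0/-1 rather than an errno value, so `ret != EOK` works only because EOK is 0 and a reader may assume `ret` holds an errno. Suggest `if (unsetenv("_SSS_LOOPS") != 0) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS [%d]: %s\n", errno, strerror(errno)); }` — assuming errno.h and string.h are already included in kcm.c, which is outside the hunk. Initialisation continues when unsetenv() fails, so the getpwuid() lookups the commit message mentions would presumably still fail in that case; a short comment stating that this is deliberately best-effort would make the intent clear.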
@@ -0,0 +1,59 @@ +From a6e5d53a358f3871d8ae646b252250d215d09883 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 16 Jun 2021 15:28:28 +0200 +Subject: [PATCH 13/16] kcm: terminate client on bad message + +The debug message clearly says that the original intention was to +abort the client, not send an error message. + +We may end up in a state where we get into an infinit loop, fo example +when the client send an message that indicates 0 lenght, but there is +actually more data written. In this case, we never read the rest of the +message but the file descriptor is still readable so the fd handler gets +fired again and again. + +More information can be seen in relevant FreeIPA ticket: +https://pagure.io/freeipa/issue/8877 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pawel Polawski +--- + src/responder/kcm/kcmsrv_cmd.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c +index 49518920bf8213d6c7a55f6c07aca11cbd86c406..9b27bbdcc4805238641ef7f9c6158a6ed784fbcc 100644 +--- a/src/responder/kcm/kcmsrv_cmd.c ++++ b/src/responder/kcm/kcmsrv_cmd.c +@@ -548,7 +548,8 @@ static void kcm_recv(struct cli_ctx *cctx) + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to parse data (%d, %s), aborting client\n", + ret, sss_strerror(ret)); +- goto fail; ++ talloc_free(cctx); ++ return; + } + + /* do not read anymore, client is done sending */ +@@ -559,15 +560,13 @@ static void kcm_recv(struct cli_ctx *cctx) + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to dispatch KCM operation [%d]: %s\n", + ret, sss_strerror(ret)); +- goto fail; ++ /* Fail with reply */ ++ kcm_reply_error(cctx, ret, &req->repbuf); ++ return; + } + + /* Dispatched request resumes in kcm_cmd_request_done */ + return; +- +-fail: +- /* Fail with reply */ +- kcm_reply_error(cctx, ret, &req->repbuf); + } + + static int kcm_send_data(struct cli_ctx *cctx) +-- +2.20.1 + 
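Review bot: The parse-failure path still logs at SSSDBG_FATAL_FAILURE although the malformed message comes from an unprivileged local client; now that the client is terminated (the right fix for the readable-fd loop described in the message), a misbehaving or malicious client can fill the log with FATAL entries, which is at odds with the decision earlier in this series to log unknown client opcodes at MINOR_FAILURE. Consider `DEBUG(SSSDBG_MINOR_FAILURE, "Failed to parse data (%d, %s), aborting client\n", ret, sss_strerror(ret));` (or OP_FAILURE) for that branch. Whether `req` is allocated on `cctx` — and therefore released by `talloc_free(cctx)` rather than leaked — is not visible in the hunk; worth confirming where it is created earlier in kcm_recv(), whose start is outside this view.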
diff --git a/0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch b/0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch new file mode 100644 index 0000000..f5e3c06 --- /dev/null +++ b/0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch 
@@ -0,0 +1,198 @@ +From 8dba7476922856e3a0f6cb935570df47b51917f1 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 18 Jun 2021 21:56:53 +0200 +Subject: [PATCH 14/16] DEBUG: don't reset debug_timestamps/microseconds to + DEFAULT in `_sss_debug_init()`. + +Otherwise `server_setup()` skips reading config settings. + +Reviewed-by: Pawel Polawski +--- + src/tests/cmocka/test_child_common.c | 2 +- + src/tests/debug-tests.c | 26 +++++++++++++------------- + src/util/debug.c | 14 +++----------- + src/util/debug.h | 8 ++++++-- + src/util/server.c | 8 ++++---- + 5 files changed, 27 insertions(+), 31 deletions(-) + +diff --git a/src/tests/cmocka/test_child_common.c b/src/tests/cmocka/test_child_common.c +index 87cae3405575a0c6d2f746359518766c20acb346..9fb26412f3e6c2553e477f72f40f0fd6a156cdab 100644 +--- a/src/tests/cmocka/test_child_common.c ++++ b/src/tests/cmocka/test_child_common.c +@@ -163,7 +163,7 @@ static void extra_args_test(struct child_test_ctx *child_tctx, + child_pid = fork(); + assert_int_not_equal(child_pid, -1); + if (child_pid == 0) { +- debug_timestamps = 1; ++ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED; + + exec_child_ex(child_tctx, + child_tctx->pipefd_to_child, +diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c +index e27fee45785a8a042922e14d562b4b6846bb8cd9..68a1fb7795ff9c247a3c5706ca479905ce55134c 100644 +--- a/src/tests/debug-tests.c ++++ b/src/tests/debug-tests.c +@@ -194,7 +194,7 @@ int test_helper_debug_check_message(int level) + } + msg[fsize] = '\0'; + +- if (debug_timestamps == 1) { ++ if (debug_timestamps == SSSDBG_TIMESTAMP_ENABLED) { + int time_hour = 0; + int time_min = 0; + int time_sec = 0; +@@ -344,8 +344,8 @@ START_TEST(test_debug_is_set_single_no_timestamp) + SSSDBG_TRACE_LDB + }; + +- debug_timestamps = 0; +- debug_microseconds = 0; ++ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; ++ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; + debug_prg_name = "sssd"; + sss_set_logger(sss_logger_str[FILES_LOGGER]); + +@@ 
-384,8 +384,8 @@ START_TEST(test_debug_is_set_single_timestamp) + SSSDBG_TRACE_LDB + }; + +- debug_timestamps = 1; +- debug_microseconds = 0; ++ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED; ++ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; + debug_prg_name = "sssd"; + sss_set_logger(sss_logger_str[FILES_LOGGER]); + +@@ -428,8 +428,8 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds) + SSSDBG_TRACE_LDB + }; + +- debug_timestamps = 1; +- debug_microseconds = 1; ++ debug_timestamps = SSSDBG_TIMESTAMP_ENABLED; ++ debug_microseconds = SSSDBG_MICROSECONDS_ENABLED; + debug_prg_name = "sssd"; + sss_set_logger(sss_logger_str[FILES_LOGGER]); + +@@ -473,8 +473,8 @@ START_TEST(test_debug_is_notset_no_timestamp) + SSSDBG_TRACE_LDB + }; + +- debug_timestamps = 0; +- debug_microseconds = 0; ++ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; ++ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; + debug_prg_name = "sssd"; + sss_set_logger(sss_logger_str[FILES_LOGGER]); + +@@ -515,8 +515,8 @@ START_TEST(test_debug_is_notset_timestamp) + SSSDBG_TRACE_LDB + }; + +- debug_timestamps = 0; +- debug_microseconds = 0; ++ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; ++ debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; + debug_prg_name = "sssd"; + sss_set_logger(sss_logger_str[FILES_LOGGER]); + +@@ -557,8 +557,8 @@ START_TEST(test_debug_is_notset_timestamp_microseconds) + SSSDBG_TRACE_LDB + }; + +- debug_timestamps = 0; +- debug_microseconds = 1; ++ debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; ++ debug_microseconds = SSSDBG_MICROSECONDS_ENABLED; + debug_prg_name = "sssd"; + sss_set_logger(sss_logger_str[FILES_LOGGER]); + +diff --git a/src/util/debug.c b/src/util/debug.c +index f87e85812aa243deab4683ad7d7712d527daa4a2..6f12344374ef104bde1ddd9b738270ce961d5893 100644 +--- a/src/util/debug.c ++++ b/src/util/debug.c +@@ -103,14 +103,6 @@ void _sss_debug_init(int dbg_lvl, const char *logger) + debug_level = SSSDBG_UNRESOLVED; + } + +- if (debug_timestamps == 
SSSDBG_TIMESTAMP_UNRESOLVED) { +- debug_timestamps = SSSDBG_TIMESTAMP_DEFAULT; +- } +- +- if (debug_microseconds == SSSDBG_MICROSECONDS_UNRESOLVED) { +- debug_microseconds = SSSDBG_MICROSECONDS_DEFAULT; +- } +- + sss_set_logger(logger); + + /* if 'FILES_LOGGER' is requested then open log file, if it wasn't +@@ -305,8 +297,8 @@ void sss_vdebug_fn(const char *file, + } + #endif + +- if (debug_timestamps) { +- if (debug_microseconds) { ++ if (debug_timestamps == SSSDBG_TIMESTAMP_ENABLED) { ++ if (debug_microseconds == SSSDBG_MICROSECONDS_ENABLED) { + gettimeofday(&tv, NULL); + t = tv.tv_sec; + } else { +@@ -320,7 +312,7 @@ void sss_vdebug_fn(const char *file, + tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, + tm.tm_hour, tm.tm_min, tm.tm_sec); + } +- if (debug_microseconds) { ++ if (debug_microseconds == SSSDBG_MICROSECONDS_ENABLED) { + sss_debug_backtrace_printf(level, "%s:%.6ld): ", + last_time_str, tv.tv_usec); + } else { +diff --git a/src/util/debug.h b/src/util/debug.h +index 97564d43e2f2e0d88ccb1e88365f6d7aaf401e81..9d3499dbdfee95931b6004b9a5ec1b9832ce1b1c 100644 +--- a/src/util/debug.h ++++ b/src/util/debug.h +@@ -29,10 +29,14 @@ + #include "util/util_errors.h" + + #define SSSDBG_TIMESTAMP_UNRESOLVED -1 +-#define SSSDBG_TIMESTAMP_DEFAULT 1 ++#define SSSDBG_TIMESTAMP_DISABLED 0 ++#define SSSDBG_TIMESTAMP_ENABLED 1 ++#define SSSDBG_TIMESTAMP_DEFAULT SSSDBG_TIMESTAMP_ENABLED + + #define SSSDBG_MICROSECONDS_UNRESOLVED -1 +-#define SSSDBG_MICROSECONDS_DEFAULT 0 ++#define SSSDBG_MICROSECONDS_DISABLED 0 ++#define SSSDBG_MICROSECONDS_ENABLED 1 ++#define SSSDBG_MICROSECONDS_DEFAULT SSSDBG_MICROSECONDS_DISABLED + + + enum sss_logger_t { +diff --git a/src/util/server.c b/src/util/server.c +index b6f450a798b84e22e493f3a32d5289e20f3fc280..4fe29f96b8176c236fc35052265dbf6974678608 100644 +--- a/src/util/server.c ++++ b/src/util/server.c +@@ -624,8 +624,8 @@ int server_setup(const char *name, int flags, + "[%s]\n", ret, strerror(ret)); + return ret; + } +- if (dt) 
debug_timestamps = 1; +- else debug_timestamps = 0; ++ if (dt) debug_timestamps = SSSDBG_TIMESTAMP_ENABLED; ++ else debug_timestamps = SSSDBG_TIMESTAMP_DISABLED; + } + + /* same for debug microseconds */ +@@ -639,8 +639,8 @@ int server_setup(const char *name, int flags, + "[%s]\n", ret, strerror(ret)); + return ret; + } +- if (dm) debug_microseconds = 1; +- else debug_microseconds = 0; ++ if (dm) debug_microseconds = SSSDBG_MICROSECONDS_ENABLED; ++ else debug_microseconds = SSSDBG_MICROSECONDS_DISABLED; + } + + ret = confdb_get_bool(ctx->confdb_ctx, conf_entry, +-- +2.20.1 + diff --git a/0009-SSSD-Log-invalid_argument-msg-mod.patch b/0009-SSSD-Log-invalid_argument-msg-mod.patch new file mode 100644 index 0000000..c826b68 --- /dev/null +++ b/0009-SSSD-Log-invalid_argument-msg-mod.patch 
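Review bot: With the UNRESOLVED-to-DEFAULT fallback removed from _sss_debug_init(), nothing visible in this patch resolves SSSDBG_TIMESTAMP_UNRESOLVED for a process that never reaches the confdb lookup in server_setup() (tools, tests, and presumably the helper processes that receive the value on their command line, as the test_child_common change suggests); the new `== SSSDBG_TIMESTAMP_ENABLED` comparisons in sss_vdebug_fn() then treat -1 as disabled, silently flipping the documented default (SSSDBG_TIMESTAMP_DEFAULT is ENABLED) for those callers. If that fallback has not moved somewhere outside the hunk, add it after the confdb reads in server_setup() and wherever helpers parse their options: `if (debug_timestamps == SSSDBG_TIMESTAMP_UNRESOLVED) debug_timestamps = SSSDBG_TIMESTAMP_DEFAULT;` (and the same for debug_microseconds). A comment in debug.h should also say that UNRESOLVED can now be observed at log time, not only during option parsing.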
@@ -0,0 +1,74 @@ +From 89a40e77a1477a3957f4ddc47890eaecbc4d5c7c Mon Sep 17 00:00:00 2001 +From: Deepak Das +Date: Sat, 19 Jun 2021 17:51:21 +0530 +Subject: [PATCH 15/16] SSSD Log: invalid_argument msg mod + +Improve invalid argument msg with additional information + +Resolves: https://github.com/SSSD/sssd/issues/5578 + +Reviewed-by: Pawel Polawski +--- + src/providers/ad/ad_gpo.c | 15 ++++++++++++--- + src/providers/ldap/sdap_idmap.c | 19 +++++++++++++++---- + 2 files changed, 27 insertions(+), 7 deletions(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 4ef6a7219c71d8beb60ef2bd1093955d6015ce04..b2df3e998bbbb882d585177e0fa896aa532bb0b5 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -4742,9 +4742,18 @@ static void gpo_cse_done(struct tevent_req *subreq) + ret = ad_gpo_parse_gpo_child_response(state->buf, state->len, + &sysvol_gpt_version, &child_result); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n", +- ret, sss_strerror(ret)); ++ if (ret == EINVAL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "ad_gpo_parse_gpo_child_response failed: [%d][%s]. " ++ "Broken GPO data received from AD. 
Check AD child logs for " ++ "more information.\n", ++ ret, sss_strerror(ret)); ++ } else { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n", ++ ret, sss_strerror(ret)); ++ } ++ + tevent_req_error(req, ret); + return; + } else if (child_result != 0){ +diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c +index 22ed9d301aa6722374dab36ad3580625fb8f67d8..3795ed69a58ed7f779e0694cf6f76d812f44a3d1 100644 +--- a/src/providers/ldap/sdap_idmap.c ++++ b/src/providers/ldap/sdap_idmap.c +@@ -270,10 +270,21 @@ sdap_idmap_init(TALLOC_CTX *mem_ctx, + ret = sdap_idmap_add_domain(idmap_ctx, dom_name, + sid_str, slice_num); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Could not add domain [%s][%s][%"SPRIid"] " +- "to ID map: [%s]\n", +- dom_name, sid_str, slice_num, strerror(ret)); ++ if (ret == EINVAL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Could not add domain [%s][%s][%"SPRIid"] " ++ "to ID map: [%s] " ++ "Unexpected ID map configuration. Check ID map related " ++ "parameters in sssd.conf and remove the sssd cache if " ++ "some of these parameters were changed recently.\n", ++ dom_name, sid_str, slice_num, strerror(ret)); ++ } else { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Could not add domain [%s][%s][%"SPRIid"] " ++ "to ID map: [%s]\n", ++ dom_name, sid_str, slice_num, strerror(ret)); ++ } ++ + goto done; + } + } +-- +2.20.1 + diff --git a/0010-KCM-removed-unneeded-assignment.patch b/0010-KCM-removed-unneeded-assignment.patch new file mode 100644 index 0000000..fcce55a --- /dev/null +++ b/0010-KCM-removed-unneeded-assignment.patch 
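Review bot: In gpo_cse_done() the EINVAL branch duplicates the whole DEBUG call only to append a sentence, and the new text blames data "received from AD" although ad_gpo_parse_gpo_child_response(), judging by its name and the `state->buf`/`state->len` arguments, is parsing the buffer returned by the gpo child process — a child-side encoding bug would thus be reported as bad AD data. A single call with a conditional suffix avoids the duplication and keeps the attribution neutral: `DEBUG(SSSDBG_CRIT_FAILURE, "ad_gpo_parse_gpo_child_response failed: [%d][%s].%s\n", ret, sss_strerror(ret), ret == EINVAL ? " Could not parse the GPO child response; check the gpo_child log for details." : "");`. The same pattern would collapse the two branches added in sdap_idmap_init(). Both enclosing functions continue outside the hunk.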
@@ -0,0 +1,39 @@ +From 71301ccf8aa54f7272e7ef8009402db622fe8cd9 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 22 Jun 2021 10:29:44 +0200 +Subject: [PATCH 16/16] KCM: removed unneeded assignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes following warning: +``` +Error: CLANG_WARNING: +sssd-2.5.1/src/responder/kcm/kcm_renew.c:481:9: warning[deadcode.DeadStores]: Value stored to 'ret' is never read + # 479| ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx); + # 480| if (ctx == NULL) { + # 481|-> ret = ENOMEM; + # 482| DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n"); + # 483| return; +``` + +Reviewed-by: Pavel Březina +--- + src/responder/kcm/kcm_renew.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/responder/kcm/kcm_renew.c b/src/responder/kcm/kcm_renew.c +index c619ed0a8de3b000db61866d21cb8b71764c0ac0..684d08be6affdf5e4acbd4b04b5a61f154c152cc 100644 +--- a/src/responder/kcm/kcm_renew.c ++++ b/src/responder/kcm/kcm_renew.c +@@ -478,7 +478,6 @@ static void kcm_renew_tgt(struct tevent_context *ev, + + ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx); + if (ctx == NULL) { +- ret = ENOMEM; + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n"); + return; + } +-- +2.20.1 + diff --git a/sssd.spec b/sssd.spec index 5041204..be05839 100644 --- a/sssd.spec +++ b/sssd.spec @@ -27,7 +27,7 @@ Name: sssd Version: 2.5.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ 
@@ -35,6 +35,17 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.5.1/sssd-2.5.1.tar.gz ### Patches ### +Patch0001: 0001-krb5_child-reduce-log-severity-in-sss_send_pac-in-ca.patch +Patch0002: 0002-secrets-reduce-log-severity-in-local_db_create-in-ca.patch +Patch0003: 0003-KCM-use-SSSDBG_MINOR_FAILURE-for-ERR_KCM_OP_NOT_IMPL.patch +Patch0004: 0004-KCM-reduce-log-severity-in-sec_get-in-case-entry-not.patch +Patch0005: 0005-Fix-minor-typos-in-docs.patch +Patch0006: 0006-KCM-Unset-_SSS_LOOPS.patch +Patch0007: 0007-kcm-terminate-client-on-bad-message.patch +Patch0008: 0008-DEBUG-don-t-reset-debug_timestamps-microseconds-to-D.patch +Patch0009: 0009-SSSD-Log-invalid_argument-msg-mod.patch +Patch0010: 0010-KCM-removed-unneeded-assignment.patch + ### Dependencies ### Requires: sssd-ad = %{version}-%{release} @@ -998,6 +1009,10 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Thu Jun 24 2021 Pavel Březina - 2.5.1-2 +- Multiple small fixes to reduce size of log files with debug_backtrace on +- Fix a corner case bug in KCM renewals that makes user lookup in the daemon fail + * Tue Jun 08 2021 Pavel Březina - 2.5.1-1 - Rebase to SSSD 2.5.1
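Review bot: Ten Patch000N lines are declared, but the %prep section that has to apply them is outside this hunk; to my knowledge rpmbuild does not fail for declared-but-unapplied patches, so unless %prep uses `%autosetup -p1` or `%autopatch` the build would still succeed and ship an unpatched 2.5.1 with only the changelog claiming the fixes. Please confirm %prep applies the series. The changelog entry covers two of the ten changes; the KCM client-termination fix (0007), which closes a readable-fd loop a local client can trigger, deserves its own bullet since it is the behaviour change operators are most likely to notice.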