import sssd-2.4.0-9.el8_4.1

This commit is contained in:
CentOS Sources 2021-06-29 09:46:29 -04:00 committed by Andrew Lukoshko
parent 9e8c2ec9f3
commit f6c0b6929b
8 changed files with 940 additions and 1 deletions


@ -0,0 +1,233 @@
From b6efe6b119b0c11314a324e8a2cf96fb74a9c983 Mon Sep 17 00:00:00 2001
From: Sam Morris <sam@robots.org.uk>
Date: Tue, 6 Apr 2021 18:42:19 +0100
Subject: [PATCH 1/6] responder/common/responder_packet: handle large service
tickets
Resolves: https://github.com/SSSD/sssd/issues/5568
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/responder_packet.c | 11 +++++++++++
src/responder/common/responder_packet.h | 1 +
2 files changed, 12 insertions(+)
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index f56d92276..d091332b0 100644
--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -229,6 +229,17 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
if (ret != EOK) {
return ret;
}
+ /* Kerberos tickets can get pretty big; since Windows Server 2012, the
+ * limit is 48 KiB!
+ */
+ } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX)
+ && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE
+ && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) {
+ sss_packet_set_len(packet, 0);
+ ret = sss_packet_grow(packet, new_len);
+ if (ret != EOK) {
+ return ret;
+ }
} else {
return EINVAL;
}
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
index 509a22a9a..70bf1e8d3 100644
--- a/src/responder/common/responder_packet.h
+++ b/src/responder/common/responder_packet.h
@@ -26,6 +26,7 @@
#define SSS_PACKET_MAX_RECV_SIZE 1024
#define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 )
struct sss_packet;
--
2.26.3
From c6a76283580c25ff78b36b8b23efdabbdb3a2cc1 Mon Sep 17 00:00:00 2001
From: Sam Morris <sam@robots.org.uk>
Date: Wed, 7 Apr 2021 14:21:34 +0100
Subject: [PATCH 2/6] responder/common/responder_packet: reduce duplication of
code that handles larger-than-normal packets
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/responder_packet.c | 40 +++++++++++++------------
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index d091332b0..523c9ddd4 100644
--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -216,25 +216,27 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
new_len = sss_packet_get_len(packet);
if (new_len > packet->memsize) {
- /* Allow certificate based requests to use larger buffer but not
- * larger than SSS_CERT_PACKET_MAX_RECV_SIZE. Due to the way
- * sss_packet_grow() works the packet len must be set to '0' first and
- * then grow to the expected size. */
- if ((sss_packet_get_cmd(packet) == SSS_NSS_GETNAMEBYCERT
- || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT)
- && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE
- && new_len < SSS_CERT_PACKET_MAX_RECV_SIZE) {
- sss_packet_set_len(packet, 0);
- ret = sss_packet_grow(packet, new_len);
- if (ret != EOK) {
- return ret;
- }
- /* Kerberos tickets can get pretty big; since Windows Server 2012, the
- * limit is 48 KiB!
- */
- } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX)
- && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE
- && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) {
+ enum sss_cli_command cmd = sss_packet_get_cmd(packet);
+ size_t max_recv_size;
+
+ /* Allow certain packet types to use a larger buffer. */
+ switch (cmd) {
+ case SSS_NSS_GETNAMEBYCERT:
+ case SSS_NSS_GETLISTBYCERT:
+ max_recv_size = SSS_CERT_PACKET_MAX_RECV_SIZE;
+ break;
+
+ case SSS_GSSAPI_SEC_CTX:
+ max_recv_size = SSS_GSSAPI_PACKET_MAX_RECV_SIZE;
+ break;
+
+ default:
+ max_recv_size = 0;
+ }
+
+ /* Due to the way sss_packet_grow() works, the packet len must be set
+ * to 0 first, and then grown to the expected size. */
+ if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) {
sss_packet_set_len(packet, 0);
ret = sss_packet_grow(packet, new_len);
if (ret != EOK) {
--
2.26.3
From 63f318f73c933dc2cb08cad2f911a52d2281c45b Mon Sep 17 00:00:00 2001
From: Sam Morris <sam@robots.org.uk>
Date: Wed, 7 Apr 2021 14:22:25 +0100
Subject: [PATCH 3/6] responder/common/responder_packet: add debug logging to
assist with errors caused by overlarge packets
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/responder_packet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index 523c9ddd4..01a4e640e 100644
--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -243,6 +243,9 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
return ret;
}
} else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)",
+ fd, new_len, cmd);
return EINVAL;
}
}
--
2.26.3
From 37d331774385b2b871ba76fcdef6ceafd776efce Mon Sep 17 00:00:00 2001
From: Sam Morris <sam@robots.org.uk>
Date: Wed, 7 Apr 2021 14:23:03 +0100
Subject: [PATCH 4/6] responder/common/responder_packet: further increase
packet size for SSS_GSSAPI_SEC_CTX
Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB
provides extra overhead should that increase in the future.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/responder_packet.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
index 70bf1e8d3..fd991969b 100644
--- a/src/responder/common/responder_packet.h
+++ b/src/responder/common/responder_packet.h
@@ -26,7 +26,7 @@
#define SSS_PACKET_MAX_RECV_SIZE 1024
#define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
-#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 )
+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( 128 * 1024 )
struct sss_packet;
--
2.26.3
From 5c9fa75bd0ffa02e31cbbf19ee68134ed384229a Mon Sep 17 00:00:00 2001
From: Sam Morris <sam@robots.org.uk>
Date: Wed, 7 Apr 2021 19:59:45 +0100
Subject: [PATCH 5/6] responder/common/responder_packet: remove some
unnecessary checks before growing packet
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/responder_packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index 01a4e640e..c4b38f71b 100644
--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
/* Due to the way sss_packet_grow() works, the packet len must be set
* to 0 first, and then grown to the expected size. */
- if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) {
+ if (new_len < max_recv_size) {
sss_packet_set_len(packet, 0);
ret = sss_packet_grow(packet, new_len);
if (ret != EOK) {
--
2.26.3
From b87619f9a917d6ed9ecdb5360c4bf242dce8e372 Mon Sep 17 00:00:00 2001
From: Sam Morris <sam@robots.org.uk>
Date: Thu, 8 Apr 2021 19:09:33 +0100
Subject: [PATCH 6/6] responder/common/responder_packet: allow packets of max
size
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/responder_packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index c4b38f71b..f2223c665 100644
--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
/* Due to the way sss_packet_grow() works, the packet len must be set
* to 0 first, and then grown to the expected size. */
- if (new_len < max_recv_size) {
+ if (new_len <= max_recv_size) {
sss_packet_set_len(packet, 0);
ret = sss_packet_grow(packet, new_len);
if (ret != EOK) {
--
2.26.3
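Review bot: The refusal log added in patch 3, `DEBUG(SSSDBG_OP_FAILURE, "Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)", ...)`, has no trailing `\n`, unlike every other DEBUG string in this series (ad_subdomains.c, sysdb_subdomains.c, ad_gpo.c), so the entry will run into the next log line; it should read `"Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)\n"`. That message is the only record an operator gets when a client sends a packet above the limit, so it is worth getting right. After patches 5 and 6 the final condition is `if (new_len <= max_recv_size)`, which for commands that hit the `default:` branch compares against 0 and therefore still refuses any growth; a short comment on `max_recv_size = 0;` such as `/* 0: no growth allowed for this command */` would make that intent explicit. Patch 2 drops the "Kerberos tickets can get pretty big" comment and patch 4 raises the limit to 128 KiB with the rationale only in its commit message, so a comment next to `#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( 128 * 1024 )` recording the 48 KiB token size and the headroom would keep that knowledge in the code. The body of sss_packet_recv starts and ends outside these hunks.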


@ -0,0 +1,46 @@
From e865b008aa8947efca0116deb95e29cc2309256f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 30 Mar 2021 15:31:17 +0200
Subject: [PATCH] AD GPO: respect ad_gpo_implicit_deny if no GPO is present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at
all for the given client. With this patch this case is handled as
expected as well.
Resolves: https://github.com/SSSD/sssd/issues/5561
:fixes: `ad_gpo_implicit_deny` is now respected even if there are no
applicable GPOs present
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_gpo.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index b15e0f345..4ef6a7219 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2472,7 +2472,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
}
}
- ret = EOK;
+ if (state->gpo_implicit_deny == true) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
+ " is set to 'true'. The user will be denied access.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ ret = EOK;
+ }
+
goto done;
}
--
2.26.3
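Review bot: `if (state->gpo_implicit_deny == true)` compares a boolean against `true`; conventional C is `if (state->gpo_implicit_deny) {`, and setting `ret = EOK;` before the `if` would let the `else` branch go away. The denial is logged only at SSSDBG_TRACE_FUNC, which is not part of SSSDBG_DEFAULT (`FATAL|CRIT|OP_FAILURE`, as defined in debug.h elsewhere in this commit), so at the default level a user refused by this new branch leaves no trace of the cause in the log; if that outcome is meant to be visible without raising debug_level, a higher level is needed here. The fail-closed result (`ERR_ACCESS_DENIED` when no GPO applies and implicit deny is set) matches the commit description. ad_gpo_process_gpo_done begins before the hunk and its `done:` label is outside it.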


@ -0,0 +1,64 @@
From 5d65411f1aa16af929ae2271ee4d3d9101728a67 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 14 Apr 2021 17:22:06 +0200
Subject: [PATCH 54/55] sss_domain_info: add not_found_counter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This new counter should be used to track how often a domain could not be
found while discovering the environment so that it can be deleted after
a number of failed attempts.
Resolves: https://github.com/SSSD/sssd/issues/5528
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb.c | 1 +
src/confdb/confdb.h | 4 ++++
src/db/sysdb_subdomains.c | 2 ++
3 files changed, 7 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index cca76159b..c554edda0 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1620,6 +1620,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
domain->view_name = NULL;
domain->state = DOM_ACTIVE;
+ domain->not_found_counter = 0;
*_domain = domain;
ret = EOK;
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 81b68a0f1..c6c2514f8 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -441,6 +441,10 @@ struct sss_domain_info {
char *gssapi_check_upn; /* true | false | NULL */
/* List of indicators associated with the specific PAM service */
char **gssapi_indicators_map;
+
+ /* Counts how often the domain was not found during a refresh of the
+ * domain list */
+ size_t not_found_counter;
};
/**
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index e2381c8af..348f242d0 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -193,6 +193,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->gssapi_services = parent->gssapi_services;
dom->gssapi_indicators_map = parent->gssapi_indicators_map;
+ dom->not_found_counter = 0;
+
if (parent->sysdb == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
goto fail;
--
2.26.3


@ -0,0 +1,241 @@
From 95adf488f94f5968f6cfba9e3bef74c07c02ccff Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 16 Feb 2021 14:30:55 +0100
Subject: [PATCH 55/55] AD: read trusted domains from local domain as well
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently SSSD only uses information stored in a domain controller of
the forest root domain to get the names of other trusted domains in the
forest. Depending on how the forest was created the forest root might
not have LDAP objects for all domains in the forest. It looks like a
typical case are child domains of other domains in the forest.
As a start SSSD can now include trusted domains stored in the LDAP tree
of a local domain controller as well. In a long run it would make sense
to allow SSSD to explicitly search for domain by looking up DNS entries
and checking a potential domain controller with a CLDAP ping.
Resolves: https://github.com/SSSD/sssd/issues/5528
:feature: Besides trusted domains known by the forest root, trusted
domains known by the local domain are used as well.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 105 +++++++++++++++++++++++++------
1 file changed, 86 insertions(+), 19 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index f5b0be6c2..3eb49c93f 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -45,6 +45,7 @@
#define AD_AT_TRUST_TYPE "trustType"
#define AD_AT_TRUST_PARTNER "trustPartner"
#define AD_AT_TRUST_ATTRS "trustAttributes"
+#define AD_AT_DOMAIN_NAME "cn"
/* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
@@ -56,7 +57,6 @@
*/
#define SLAVE_DOMAIN_FILTER_BASE "(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))"
#define SLAVE_DOMAIN_FILTER "(&"SLAVE_DOMAIN_FILTER_BASE")"
-#define FOREST_ROOT_FILTER_FMT "(&"SLAVE_DOMAIN_FILTER_BASE"(cn=%s))"
/* Attributes of schema objects. See e.g.
* https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes
@@ -646,6 +646,10 @@ done:
return ret;
}
+/* How many times we keep a domain not found during searches before it will be
+ * removed. */
+#define MAX_NOT_FOUND 6
+
static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
struct sdap_idmap_ctx *idmap_ctx,
struct sdap_options *opts,
@@ -706,6 +710,25 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
}
if (c >= num_subdomains) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Domain [%s] not in current list.\n",
+ dom->name);
+ /* Since the forest root might not have trustedDomain objects for
+ * each domain in the forest, especially e.g. for child-domains of
+ * child-domains, we cannot reliable say if a domain is still
+ * present or not.
+ * Maybe it would work to check the crossRef objects in
+ * CN=Partitions,CN=Configuration as well to understand if a
+ * domain is still known in the forest or not.
+ * For the time being we use a counter, if a domain was not found
+ * after multiple attempts it will be deleted. */
+
+ if (dom->not_found_counter++ < MAX_NOT_FOUND) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Domain [%s] was not found [%zu] times.\n", dom->name,
+ dom->not_found_counter);
+ continue;
+ }
+
/* ok this subdomain does not exist anymore, let's clean up */
sss_domain_set_state(dom, DOM_DISABLED);
@@ -740,6 +763,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
/* terminate all requests for this subdomain so we can free it */
dp_terminate_domain_requests(be_ctx->provider, dom->name);
talloc_zfree(sdom);
+
} else {
/* ok let's try to update it */
ret = ad_subdom_enumerates(domain, subdomains[c], &enumerate);
@@ -747,6 +771,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
goto done;
}
+ dom->not_found_counter = 0;
ret = ad_subdom_store(be_ctx->cdb, idmap_ctx, domain,
subdomains[c], enumerate);
if (ret) {
@@ -1307,10 +1332,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req;
struct sdap_options *opts;
errno_t ret;
- const char *filter;
const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
AD_AT_SID, AD_AT_TRUST_TYPE,
- AD_AT_TRUST_ATTRS, NULL };
+ AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
if (req == NULL) {
@@ -1335,15 +1359,10 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
state->domain = domain;
state->forest = forest;
- filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
- if (filter == NULL) {
- ret = ENOMEM;
- goto immediately;
- }
-
subreq = sdap_search_bases_return_first_send(state, ev, opts, sh,
opts->sdom->search_bases,
- NULL, false, 0, filter, attrs,
+ NULL, false, 0,
+ SLAVE_DOMAIN_FILTER, attrs,
NULL);
if (subreq == NULL) {
ret = ENOMEM;
@@ -1365,11 +1384,33 @@ immediately:
return req;
}
+static struct sysdb_attrs *find_domain(size_t count, struct sysdb_attrs **reply,
+ const char *dom_name)
+{
+ size_t c;
+ const char *name;
+ int ret;
+
+ for (c = 0; c < count; c++) {
+ ret = sysdb_attrs_get_string(reply[c], AD_AT_DOMAIN_NAME, &name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to find domain name, skipping");
+ continue;
+ }
+ if (strcasecmp(name, dom_name) == 0) {
+ return reply[c];
+ }
+ }
+
+ return NULL;
+}
+
static void ad_get_root_domain_done(struct tevent_req *subreq)
{
struct tevent_req *req;
struct ad_get_root_domain_state *state;
errno_t ret;
+ bool has_changes = false;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_get_root_domain_state);
@@ -1384,7 +1425,37 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
goto done;
}
- if (state->reply_count == 0) {
+ find_domain(state->reply_count, state->reply, state->forest);
+
+ if (state->reply_count == 0
+ || find_domain(state->reply_count, state->reply,
+ state->forest) == NULL) {
+
+ if (state->reply_count > 0) {
+ /* refresh the other domains we have found before checking forest
+ * root */
+ ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx,
+ state->opts,
+ state->reply, state->reply_count, false,
+ &state->sd_ctx->last_refreshed,
+ &has_changes);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ad_subdomains_refresh failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (has_changes) {
+ ret = ad_subdom_reinit(state->sd_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not reinitialize subdomains\n");
+ goto done;
+ }
+ }
+ }
+
DEBUG(SSSDBG_OP_FAILURE,
"No information provided for root domain, trying directly.\n");
subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
@@ -1397,11 +1468,6 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
}
tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
return;
- } else if (state->reply_count > 1) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
- "domain list might be incomplete!\n");
- ret = ERR_MALFORMED_ENTRY;
- goto done;
}
ret = ad_get_root_domain_refresh(state);
@@ -1519,7 +1585,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
errno_t ret;
ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
- state->reply, state->reply_count, true,
+ state->reply, state->reply_count, false,
&state->sd_ctx->last_refreshed,
&has_changes);
if (ret != EOK) {
@@ -1536,8 +1602,9 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
}
}
- state->root_domain_attrs = state->reply[0];
- root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
+ state->root_domain_attrs = find_domain(state->reply_count, state->reply,
+ state->forest);
+ root_domain = ads_get_root_domain(state->be_ctx, state->root_domain_attrs);
if (root_domain == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
ret = EFAULT;
--
2.26.3
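Review bot: The bare `find_domain(state->reply_count, state->reply, state->forest);` statement at the top of the ad_get_root_domain_done hunk discards its result and is repeated verbatim inside the `if` condition on the next line; the first call should be deleted. `find_domain` itself logs `"Failed to find domain name, skipping"` without the trailing `\n` that the other DEBUG strings in this patch carry. In ad_get_root_domain_refresh, `state->root_domain_attrs = find_domain(...)` can be NULL when `reply` has no entry for the forest, and that value is passed straight to `ads_get_root_domain()`; the following `root_domain == NULL` check only helps if that function tolerates a NULL attrs argument, which is not visible from the hunk, so a guard `if (state->root_domain_attrs == NULL) { ret = ENOENT; ... }` taking the same exit as the existing NULL-root branch would be safer. Both ad_get_root_domain_done and ad_get_root_domain_refresh start before their hunks.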


@ -0,0 +1,109 @@
From 231d1118727b989a4af9911a45a465912fe659d6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 12 Mar 2021 14:38:54 +0100
Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When checking if a group returned by an initgroups request is filtered
in the negative cache the domain of the user was used. This does not
work reliable if the user can be a member of groups from multiple
domains.
With this patch th domain the group belongs to is determined and used
while checking the negative cache.
Resolves: https://github.com/SSSD/sssd/issues/5534
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb.c | 22 ++++++++++++++++++++++
src/db/sysdb.h | 7 +++++++
src/responder/nss/nss_protocol_grent.c | 8 +++++---
3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 693f687be..6001c49cb 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -2139,3 +2139,25 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
fmt, ap);
}
}
+
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
+ struct ldb_message *msg)
+{
+ const char *name;
+ struct sss_domain_info *obj_dom = NULL;
+
+ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Object does not have a name attribute.\n");
+ return dom;
+ }
+
+ obj_dom = find_domain_by_object_name(get_domains_head(dom), name);
+ if (obj_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name);
+ return dom;
+ }
+
+ return obj_dom;
+}
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index a00efa55f..37a2c4124 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1532,4 +1532,11 @@ errno_t sysdb_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx,
void ldb_debug_messages(void *context, enum ldb_debug_level level,
const char *fmt, va_list ap);
+/* Try to detect the object domain from the object's SYSDB_NAME attribute and
+ * return the matching sss_domain_info. This should work reliable with user
+ * and group objects since fully-qualified names are used here. If the proper
+ * domain cannot be detected the given domain is returned. */
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
+ struct ldb_message *msg);
+
#endif /* __SYS_DB_H__ */
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 135b392f7..f6e00eb10 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -361,6 +361,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
struct cache_req_result *result)
{
struct sss_domain_info *domain;
+ struct sss_domain_info *grp_dom;
struct ldb_message *user;
struct ldb_message *msg;
struct ldb_message *primary_group_msg;
@@ -418,10 +419,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
num_results = 0;
for (i = 1; i < result->count; i++) {
msg = result->msgs[i];
- gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
+ grp_dom = find_domain_by_msg(domain, msg);
+ gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM,
0);
posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
- grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
+ grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME,
NULL);
if (gid == 0) {
@@ -435,7 +437,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
}
}
- if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
+ if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) {
continue;
}
--
2.26.3
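Review bot: Both failure paths in find_domain_by_msg return the caller's `dom`, so a group whose SYSDB_NAME is missing or cannot be mapped is still checked against the user's domain, which is exactly the behaviour the commit message calls unreliable. That is a reasonable fallback, but the call site gives no hint of it; a comment such as `/* falls back to the user's domain when the group's domain cannot be determined */` next to `grp_dom = find_domain_by_msg(domain, msg);` in nss_protocol_fill_initgr would make the negative-cache consequence clear to the next reader. Both DEBUG messages fire at SSSDBG_OP_FAILURE once per affected group inside the initgroups loop, which may be noisy if unresolvable names are an expected condition in multi-domain setups; worth confirming that level is intended. nss_protocol_fill_initgr starts before and continues after the hunks shown.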


@ -0,0 +1,198 @@
From 0cddb67128edc86be4163489e29eaa3c4e123b7b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 12 Mar 2021 19:27:12 +0100
Subject: [PATCH] DEBUG: introduce SSSDBG_TOOLS_DEFAULT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/5488
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +-
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +-
src/tools/common/sss_tools.c | 2 +-
src/tools/sss_cache.c | 2 +-
src/tools/sss_groupadd.c | 2 +-
src/tools/sss_groupdel.c | 2 +-
src/tools/sss_groupmod.c | 2 +-
src/tools/sss_groupshow.c | 2 +-
src/tools/sss_seed.c | 2 +-
src/tools/sss_useradd.c | 2 +-
src/tools/sss_userdel.c | 2 +-
src/tools/sss_usermod.c | 2 +-
src/util/debug.h | 1 +
13 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
index e356f28c3..324e5e3a3 100644
--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
@@ -32,7 +32,7 @@
int main(int argc, const char **argv)
{
TALLOC_CTX *mem_ctx = NULL;
- int pc_debug = SSSDBG_FATAL_FAILURE;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
const char *pc_domain = NULL;
const char *pc_user = NULL;
struct poptOption long_options[] = {
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index 3cd12b480..170ba30a3 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -174,7 +174,7 @@ connect_proxy_command(char **args)
int main(int argc, const char **argv)
{
TALLOC_CTX *mem_ctx = NULL;
- int pc_debug = SSSDBG_FATAL_FAILURE;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
int pc_port = 22;
const char *pc_domain = NULL;
const char *pc_host = NULL;
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index 368d09ae2..637e251f6 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -56,7 +56,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
int *argc, const char **argv)
{
poptContext pc;
- int debug = SSSDBG_DEFAULT;
+ int debug = SSSDBG_TOOLS_DEFAULT;
int orig_argc = *argc;
int help = 0;
diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c
index cea900bf1..b5391b16d 100644
--- a/src/tools/sss_cache.c
+++ b/src/tools/sss_cache.c
@@ -709,7 +709,7 @@ static errno_t init_context(int argc, const char *argv[],
struct cache_tool_ctx *ctx = NULL;
int idb = INVALIDATE_NONE;
struct input_values values = { 0 };
- int debug = SSSDBG_DEFAULT;
+ int debug = SSSDBG_TOOLS_DEFAULT;
errno_t ret = EOK;
poptContext pc = NULL;
diff --git a/src/tools/sss_groupadd.c b/src/tools/sss_groupadd.c
index f71d6dde7..91559116d 100644
--- a/src/tools/sss_groupadd.c
+++ b/src/tools/sss_groupadd.c
@@ -34,7 +34,7 @@
int main(int argc, const char **argv)
{
gid_t pc_gid = 0;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
struct poptOption long_options[] = {
POPT_AUTOHELP
{ "debug",'\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
diff --git a/src/tools/sss_groupdel.c b/src/tools/sss_groupdel.c
index 5dcc2056d..e64441758 100644
--- a/src/tools/sss_groupdel.c
+++ b/src/tools/sss_groupdel.c
@@ -33,7 +33,7 @@
int main(int argc, const char **argv)
{
int ret = EXIT_SUCCESS;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
const char *pc_groupname = NULL;
struct tools_ctx *tctx = NULL;
diff --git a/src/tools/sss_groupmod.c b/src/tools/sss_groupmod.c
index eddc7034a..8770b6684 100644
--- a/src/tools/sss_groupmod.c
+++ b/src/tools/sss_groupmod.c
@@ -35,7 +35,7 @@
int main(int argc, const char **argv)
{
gid_t pc_gid = 0;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
struct poptOption long_options[] = {
POPT_AUTOHELP
{ "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 7b0fbe117..aa618eecb 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -654,7 +654,7 @@ static void print_recursive(struct group_info **group_members, unsigned level)
int main(int argc, const char **argv)
{
int ret = EXIT_SUCCESS;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
bool pc_recursive = false;
const char *pc_groupname = NULL;
struct tools_ctx *tctx = NULL;
diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
index 1189604a3..17ba81956 100644
--- a/src/tools/sss_seed.c
+++ b/src/tools/sss_seed.c
@@ -460,7 +460,7 @@ static int seed_init(TALLOC_CTX *mem_ctx,
struct seed_ctx **_sctx)
{
TALLOC_CTX *tmp_ctx = NULL;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
const char *pc_domain = NULL;
const char *pc_name = NULL;
uid_t pc_uid = 0;
diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c
index ca2cbd6c1..fa1091ec8 100644
--- a/src/tools/sss_useradd.c
+++ b/src/tools/sss_useradd.c
@@ -38,7 +38,7 @@ int main(int argc, const char **argv)
const char *pc_gecos = NULL;
const char *pc_home = NULL;
char *pc_shell = NULL;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
int pc_create_home = 0;
const char *pc_username = NULL;
const char *pc_skeldir = NULL;
diff --git a/src/tools/sss_userdel.c b/src/tools/sss_userdel.c
index bd703fd2e..60bb0f835 100644
--- a/src/tools/sss_userdel.c
+++ b/src/tools/sss_userdel.c
@@ -125,7 +125,7 @@ int main(int argc, const char **argv)
struct tools_ctx *tctx = NULL;
const char *pc_username = NULL;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
int pc_remove = 0;
int pc_force = 0;
int pc_kick = 0;
diff --git a/src/tools/sss_usermod.c b/src/tools/sss_usermod.c
index 6a818f13a..0f3230d27 100644
--- a/src/tools/sss_usermod.c
+++ b/src/tools/sss_usermod.c
@@ -40,7 +40,7 @@ int main(int argc, const char **argv)
char *pc_gecos = NULL;
char *pc_home = NULL;
char *pc_shell = NULL;
- int pc_debug = SSSDBG_DEFAULT;
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
const char *pc_selinux_user = NULL;
struct poptOption long_options[] = {
POPT_AUTOHELP
diff --git a/src/util/debug.h b/src/util/debug.h
index a3adfe576..54a7e3934 100644
--- a/src/util/debug.h
+++ b/src/util/debug.h
@@ -108,6 +108,7 @@ int rotate_debug_files(void);
#define SSSDBG_INVALID -1
#define SSSDBG_UNRESOLVED 0
#define SSSDBG_DEFAULT (SSSDBG_FATAL_FAILURE|SSSDBG_CRIT_FAILURE|SSSDBG_OP_FAILURE)
+#define SSSDBG_TOOLS_DEFAULT (SSSDBG_FATAL_FAILURE)
/** \def DEBUG(level, format, ...)
--
2.26.3
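Review bot: `#define SSSDBG_TOOLS_DEFAULT (SSSDBG_FATAL_FAILURE)` carries no comment, and for sss_cache, sss_useradd, sss_tools and the other tools it lowers the default from SSSDBG_DEFAULT (`FATAL|CRIT|OP_FAILURE`) to fatal failures only, while the two ssh helpers already used SSSDBG_FATAL_FAILURE and are unchanged in effect; the commit message does not state this reduction. A comment on the define such as `/* Command-line tools are quieter than the daemons by default; raise with --debug. */` would record the intent, and the tools' `"debug"` popt option is visible in the sss_groupadd and sss_groupmod hunks. From a troubleshooting standpoint, OP_FAILURE-level messages from tools that modify the cache are now hidden unless the operator passes --debug, which is worth spelling out in the commit message.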


@ -0,0 +1,34 @@
From fbf33babe3fb52323f098aa300b51bf8fc5ee363 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 19 May 2021 17:20:52 +0200
Subject: [PATCH] TOOLS: removed unneeded debug message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This message was logged before `sss_tool_init()` that sets debug level,
thus ignoring configured debug level.
Since the same message is printed via `ERROR` on a next line, this log
message doesn't add any information and can be simply removed.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/tools/common/sss_tools.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index 637e251f6..806667f46 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -512,7 +512,6 @@ int sss_tool_main(int argc, const char **argv,
uid = getuid();
if (uid != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
ERROR("%1$s must be run as root\n", argv[0]);
return EXIT_FAILURE;
}
--
2.26.3


@ -26,7 +26,7 @@
Name: sssd
Version: 2.4.0
Release: 9%{?dist}
Release: 9%{?dist}.1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -85,6 +85,13 @@ Patch0048: 0048-pot-update-pot-files.patch
Patch0049: 0049-Update-the-translations-for-the-2.4.1-release.patch
Patch0050: 0050-pot-update-pot-files.patch
Patch0051: 0051-po-update-translations.patch
Patch0052: 0052-handle-large-service-tickets.patch
Patch0053: 0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch
Patch0054: 0054-sss_domain_info-add-not_found_counter.patch
Patch0055: 0055-AD-read-trusted-domains-from-local-domain-as-well.patch
Patch0056: 0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch
Patch0057: 0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch
Patch0058: 0058-TOOLS-removed-unneeded-debug-message.patch
### Downstream Patches ###
@ -1266,6 +1273,13 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Mon May 24 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-9.1
- Resolves: rhbz#1949170 - pam_sss_gss.so doesn't work with large kerberos tickets [rhel-8.4.0.z]
- Resolves: rhbz#1945656 - No gpo found and ad_gpo_implicit_deny set to True still permits user login [rhel-8.4.0.z]
- Resolves: rhbz#1945655 - SSSD not detecting subdomain from AD forest (RHEL 8.3) [rhel-8.4.0.z]
- Resolves: rhbz#1945654 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-8.4.0.z]
- Resolves: rhbz#1942438 - Wrong default debug level of sssd tools [rhel-8.4.0.z]
* Fri Mar 19 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-9
- Resolves: rhbz#1899712 - [sssd] RHEL 8.4 Tier 0 Localization