import sssd-2.4.0-9.el8_4.1
parent
9e8c2ec9f3
commit
f6c0b6929b
SOURCES/0052-handle-large-service-tickets.patch
@ -0,0 +1,233 @@
|
|||||||
|
From b6efe6b119b0c11314a324e8a2cf96fb74a9c983 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Morris <sam@robots.org.uk>
|
||||||
|
Date: Tue, 6 Apr 2021 18:42:19 +0100
|
||||||
|
Subject: [PATCH 1/6] responder/common/responder_packet: handle large service
|
||||||
|
tickets
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5568
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/common/responder_packet.c | 11 +++++++++++
|
||||||
|
src/responder/common/responder_packet.h | 1 +
|
||||||
|
2 files changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
||||||
|
index f56d92276..d091332b0 100644
|
||||||
|
--- a/src/responder/common/responder_packet.c
|
||||||
|
+++ b/src/responder/common/responder_packet.c
|
||||||
|
@@ -229,6 +229,17 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
||||||
|
if (ret != EOK) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
+ /* Kerberos tickets can get pretty big; since Windows Server 2012, the
|
||||||
|
+ * limit is 48 KiB!
|
||||||
|
+ */
|
||||||
|
+ } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX)
|
||||||
|
+ && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE
|
||||||
|
+ && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) {
|
||||||
|
+ sss_packet_set_len(packet, 0);
|
||||||
|
+ ret = sss_packet_grow(packet, new_len);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
return EINVAL;
|
||||||
|
}
|
||||||
|
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
|
||||||
|
index 509a22a9a..70bf1e8d3 100644
|
||||||
|
--- a/src/responder/common/responder_packet.h
|
||||||
|
+++ b/src/responder/common/responder_packet.h
|
||||||
|
@@ -26,6 +26,7 @@
|
||||||
|
|
||||||
|
#define SSS_PACKET_MAX_RECV_SIZE 1024
|
||||||
|
#define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
|
||||||
|
+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 )
|
||||||
|
|
||||||
|
struct sss_packet;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
||||||
|
|
||||||
|
From c6a76283580c25ff78b36b8b23efdabbdb3a2cc1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Morris <sam@robots.org.uk>
|
||||||
|
Date: Wed, 7 Apr 2021 14:21:34 +0100
|
||||||
|
Subject: [PATCH 2/6] responder/common/responder_packet: reduce duplication of
|
||||||
|
code that handles larger-than-normal packets
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/common/responder_packet.c | 40 +++++++++++++------------
|
||||||
|
1 file changed, 21 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
||||||
|
index d091332b0..523c9ddd4 100644
|
||||||
|
--- a/src/responder/common/responder_packet.c
|
||||||
|
+++ b/src/responder/common/responder_packet.c
|
||||||
|
@@ -216,25 +216,27 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
||||||
|
|
||||||
|
new_len = sss_packet_get_len(packet);
|
||||||
|
if (new_len > packet->memsize) {
|
||||||
|
- /* Allow certificate based requests to use larger buffer but not
|
||||||
|
- * larger than SSS_CERT_PACKET_MAX_RECV_SIZE. Due to the way
|
||||||
|
- * sss_packet_grow() works the packet len must be set to '0' first and
|
||||||
|
- * then grow to the expected size. */
|
||||||
|
- if ((sss_packet_get_cmd(packet) == SSS_NSS_GETNAMEBYCERT
|
||||||
|
- || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT)
|
||||||
|
- && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE
|
||||||
|
- && new_len < SSS_CERT_PACKET_MAX_RECV_SIZE) {
|
||||||
|
- sss_packet_set_len(packet, 0);
|
||||||
|
- ret = sss_packet_grow(packet, new_len);
|
||||||
|
- if (ret != EOK) {
|
||||||
|
- return ret;
|
||||||
|
- }
|
||||||
|
- /* Kerberos tickets can get pretty big; since Windows Server 2012, the
|
||||||
|
- * limit is 48 KiB!
|
||||||
|
- */
|
||||||
|
- } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX)
|
||||||
|
- && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE
|
||||||
|
- && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) {
|
||||||
|
+ enum sss_cli_command cmd = sss_packet_get_cmd(packet);
|
||||||
|
+ size_t max_recv_size;
|
||||||
|
+
|
||||||
|
+ /* Allow certain packet types to use a larger buffer. */
|
||||||
|
+ switch (cmd) {
|
||||||
|
+ case SSS_NSS_GETNAMEBYCERT:
|
||||||
|
+ case SSS_NSS_GETLISTBYCERT:
|
||||||
|
+ max_recv_size = SSS_CERT_PACKET_MAX_RECV_SIZE;
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ case SSS_GSSAPI_SEC_CTX:
|
||||||
|
+ max_recv_size = SSS_GSSAPI_PACKET_MAX_RECV_SIZE;
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ default:
|
||||||
|
+ max_recv_size = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Due to the way sss_packet_grow() works, the packet len must be set
|
||||||
|
+ * to 0 first, and then grown to the expected size. */
|
||||||
|
+ if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) {
|
||||||
|
sss_packet_set_len(packet, 0);
|
||||||
|
ret = sss_packet_grow(packet, new_len);
|
||||||
|
if (ret != EOK) {
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
||||||
|
|
||||||
|
From 63f318f73c933dc2cb08cad2f911a52d2281c45b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Morris <sam@robots.org.uk>
|
||||||
|
Date: Wed, 7 Apr 2021 14:22:25 +0100
|
||||||
|
Subject: [PATCH 3/6] responder/common/responder_packet: add debug logging to
|
||||||
|
assist with errors caused by overlarge packets
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/common/responder_packet.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
||||||
|
index 523c9ddd4..01a4e640e 100644
|
||||||
|
--- a/src/responder/common/responder_packet.c
|
||||||
|
+++ b/src/responder/common/responder_packet.c
|
||||||
|
@@ -243,6 +243,9 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)",
|
||||||
|
+ fd, new_len, cmd);
|
||||||
|
return EINVAL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
||||||
|
|
||||||
|
From 37d331774385b2b871ba76fcdef6ceafd776efce Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Morris <sam@robots.org.uk>
|
||||||
|
Date: Wed, 7 Apr 2021 14:23:03 +0100
|
||||||
|
Subject: [PATCH 4/6] responder/common/responder_packet: further increase
|
||||||
|
packet size for SSS_GSSAPI_SEC_CTX
|
||||||
|
|
||||||
|
Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB
|
||||||
|
provides extra overhead should that increase in the future.
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/common/responder_packet.h | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
|
||||||
|
index 70bf1e8d3..fd991969b 100644
|
||||||
|
--- a/src/responder/common/responder_packet.h
|
||||||
|
+++ b/src/responder/common/responder_packet.h
|
||||||
|
@@ -26,7 +26,7 @@
|
||||||
|
|
||||||
|
#define SSS_PACKET_MAX_RECV_SIZE 1024
|
||||||
|
#define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
|
||||||
|
-#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 )
|
||||||
|
+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( 128 * 1024 )
|
||||||
|
|
||||||
|
struct sss_packet;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
||||||
|
|
||||||
|
From 5c9fa75bd0ffa02e31cbbf19ee68134ed384229a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Morris <sam@robots.org.uk>
|
||||||
|
Date: Wed, 7 Apr 2021 19:59:45 +0100
|
||||||
|
Subject: [PATCH 5/6] responder/common/responder_packet: remove some
|
||||||
|
unnecessary checks before growing packet
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/common/responder_packet.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
||||||
|
index 01a4e640e..c4b38f71b 100644
|
||||||
|
--- a/src/responder/common/responder_packet.c
|
||||||
|
+++ b/src/responder/common/responder_packet.c
|
||||||
|
@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
||||||
|
|
||||||
|
/* Due to the way sss_packet_grow() works, the packet len must be set
|
||||||
|
* to 0 first, and then grown to the expected size. */
|
||||||
|
- if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) {
|
||||||
|
+ if (new_len < max_recv_size) {
|
||||||
|
sss_packet_set_len(packet, 0);
|
||||||
|
ret = sss_packet_grow(packet, new_len);
|
||||||
|
if (ret != EOK) {
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
||||||
|
|
||||||
|
From b87619f9a917d6ed9ecdb5360c4bf242dce8e372 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Morris <sam@robots.org.uk>
|
||||||
|
Date: Thu, 8 Apr 2021 19:09:33 +0100
|
||||||
|
Subject: [PATCH 6/6] responder/common/responder_packet: allow packets of max
|
||||||
|
size
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/common/responder_packet.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
|
||||||
|
index c4b38f71b..f2223c665 100644
|
||||||
|
--- a/src/responder/common/responder_packet.c
|
||||||
|
+++ b/src/responder/common/responder_packet.c
|
||||||
|
@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
|
||||||
|
|
||||||
|
/* Due to the way sss_packet_grow() works, the packet len must be set
|
||||||
|
* to 0 first, and then grown to the expected size. */
|
||||||
|
- if (new_len < max_recv_size) {
|
||||||
|
+ if (new_len <= max_recv_size) {
|
||||||
|
sss_packet_set_len(packet, 0);
|
||||||
|
ret = sss_packet_grow(packet, new_len);
|
||||||
|
if (ret != EOK) {
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
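Review bot: The DEBUG message added in patch 3/6, `"Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)"`, has no trailing `\n`, unlike the other DEBUG strings in this series (e.g. `"Missing sysdb context in parent domain.\n"`), so the entry will run into the next log line; it should read `"Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)\n"`. `cmd` is declared `enum sss_cli_command` and passed to `%#04x`, which expects an unsigned int; this works on the usual ABIs but a `(unsigned int)cmd` cast would keep -Wformat quiet. After patch 6/6 the final `if (new_len <= max_recv_size)` rejects every non-special command only because `max_recv_size` defaults to 0 and the branch is reached only when `new_len > packet->memsize`; since the explicit `max_recv_size &&` guard was dropped in patch 5/6, that reasoning belongs in the comment above the `if`. The buffer is grown from the length in the header before the payload is read, so a local client can make the responder allocate up to 128 KiB per SSS_GSSAPI_SEC_CTX request by sending only a header; that is bounded per packet, and whether it is also bounded per connection depends on code outside these hunks. sss_packet_recv starts and ends outside every hunk shown.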
@ -0,0 +1,46 @@
|
|||||||
|
From e865b008aa8947efca0116deb95e29cc2309256f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Tue, 30 Mar 2021 15:31:17 +0200
|
||||||
|
Subject: [PATCH] AD GPO: respect ad_gpo_implicit_deny if no GPO is present
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at
|
||||||
|
all for the given client. With this patch this case is handled as
|
||||||
|
expected as well.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5561
|
||||||
|
|
||||||
|
:fixes: `ad_gpo_implicit_deny` is now respected even if there are no
|
||||||
|
applicable GPOs present
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/ad/ad_gpo.c | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||||
|
index b15e0f345..4ef6a7219 100644
|
||||||
|
--- a/src/providers/ad/ad_gpo.c
|
||||||
|
+++ b/src/providers/ad/ad_gpo.c
|
||||||
|
@@ -2472,7 +2472,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = EOK;
|
||||||
|
+ if (state->gpo_implicit_deny == true) {
|
||||||
|
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||||
|
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
|
||||||
|
+ " is set to 'true'. The user will be denied access.\n");
|
||||||
|
+ ret = ERR_ACCESS_DENIED;
|
||||||
|
+ } else {
|
||||||
|
+ ret = EOK;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
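Review bot: `if (state->gpo_implicit_deny == true)` compares a boolean against `true`, which is redundant; `if (state->gpo_implicit_deny) {` says the same thing and is the form used for the `ret` and pointer checks nearby. The denial is logged at SSSDBG_TRACE_FUNC, which is normally not enabled, so an administrator whose users are locked out by `ad_gpo_implicit_deny=True` with no applicable GPOs will see nothing in the default log; SSSDBG_CONF_SETTINGS, used for comparable configuration-driven decisions in the 0055 patch of this import, would make the reason visible without trace logging. ad_gpo_process_gpo_done starts and ends outside the hunk.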
SOURCES/0054-sss_domain_info-add-not_found_counter.patch
@ -0,0 +1,64 @@
|
|||||||
|
From 5d65411f1aa16af929ae2271ee4d3d9101728a67 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Wed, 14 Apr 2021 17:22:06 +0200
|
||||||
|
Subject: [PATCH 54/55] sss_domain_info: add not_found_counter
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
This new counter should be used to track how often a domain could not be
|
||||||
|
found while discovering the environment so that it can be deleted after
|
||||||
|
a number of failed attempts.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5528
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/confdb/confdb.c | 1 +
|
||||||
|
src/confdb/confdb.h | 4 ++++
|
||||||
|
src/db/sysdb_subdomains.c | 2 ++
|
||||||
|
3 files changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||||
|
index cca76159b..c554edda0 100644
|
||||||
|
--- a/src/confdb/confdb.c
|
||||||
|
+++ b/src/confdb/confdb.c
|
||||||
|
@@ -1620,6 +1620,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||||
|
domain->view_name = NULL;
|
||||||
|
|
||||||
|
domain->state = DOM_ACTIVE;
|
||||||
|
+ domain->not_found_counter = 0;
|
||||||
|
|
||||||
|
*_domain = domain;
|
||||||
|
ret = EOK;
|
||||||
|
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||||
|
index 81b68a0f1..c6c2514f8 100644
|
||||||
|
--- a/src/confdb/confdb.h
|
||||||
|
+++ b/src/confdb/confdb.h
|
||||||
|
@@ -441,6 +441,10 @@ struct sss_domain_info {
|
||||||
|
char *gssapi_check_upn; /* true | false | NULL */
|
||||||
|
/* List of indicators associated with the specific PAM service */
|
||||||
|
char **gssapi_indicators_map;
|
||||||
|
+
|
||||||
|
+ /* Counts how often the domain was not found during a refresh of the
|
||||||
|
+ * domain list */
|
||||||
|
+ size_t not_found_counter;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
||||||
|
index e2381c8af..348f242d0 100644
|
||||||
|
--- a/src/db/sysdb_subdomains.c
|
||||||
|
+++ b/src/db/sysdb_subdomains.c
|
||||||
|
@@ -193,6 +193,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
||||||
|
dom->gssapi_services = parent->gssapi_services;
|
||||||
|
dom->gssapi_indicators_map = parent->gssapi_indicators_map;
|
||||||
|
|
||||||
|
+ dom->not_found_counter = 0;
|
||||||
|
+
|
||||||
|
if (parent->sysdb == NULL) {
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
|
||||||
|
goto fail;
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
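Review bot: The comment on the new `not_found_counter` field in confdb.h says only what it counts; callers in other files depend on who resets it and what the limit means, so the comment should state that contract, e.g. `/* Counts consecutive domain-list refreshes in which the domain was not found; reset to 0 when the domain is seen again, the domain is removed once the count exceeds the caller's limit. */`. Both initialisations write 0 explicitly; if `struct sss_domain_info` is allocated with a zeroing allocator that is redundant but harmless, and if any further allocation path exists it also needs the initialiser — neither is visible in these hunks. confdb_get_domain_internal and new_subdomain both start and end outside their hunks.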
@ -0,0 +1,241 @@
|
|||||||
|
From 95adf488f94f5968f6cfba9e3bef74c07c02ccff Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Tue, 16 Feb 2021 14:30:55 +0100
|
||||||
|
Subject: [PATCH 55/55] AD: read trusted domains from local domain as well
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Currently SSSD only uses information stored in a domain controller of
|
||||||
|
the forest root domain to get the names of other trusted domains in the
|
||||||
|
forest. Depending on how the forest was created the forest root might
|
||||||
|
not have LDAP objects for all domains in the forest. It looks like a
|
||||||
|
typical case are child domains of other domains in the forest.
|
||||||
|
|
||||||
|
As a start SSSD can now include trusted domains stored in the LDAP tree
|
||||||
|
of a local domain controller as well. In a long run it would make sense
|
||||||
|
to allow SSSD to explicitly search for domain by looking up DNS entries
|
||||||
|
and checking a potential domain controller with a CLDAP ping.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5528
|
||||||
|
|
||||||
|
:feature: Besides trusted domains known by the forest root, trusted
|
||||||
|
domains known by the local domain are used as well.
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/ad/ad_subdomains.c | 105 +++++++++++++++++++++++++------
|
||||||
|
1 file changed, 86 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||||
|
index f5b0be6c2..3eb49c93f 100644
|
||||||
|
--- a/src/providers/ad/ad_subdomains.c
|
||||||
|
+++ b/src/providers/ad/ad_subdomains.c
|
||||||
|
@@ -45,6 +45,7 @@
|
||||||
|
#define AD_AT_TRUST_TYPE "trustType"
|
||||||
|
#define AD_AT_TRUST_PARTNER "trustPartner"
|
||||||
|
#define AD_AT_TRUST_ATTRS "trustAttributes"
|
||||||
|
+#define AD_AT_DOMAIN_NAME "cn"
|
||||||
|
|
||||||
|
/* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
|
||||||
|
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
|
||||||
|
@@ -56,7 +57,6 @@
|
||||||
|
*/
|
||||||
|
#define SLAVE_DOMAIN_FILTER_BASE "(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))"
|
||||||
|
#define SLAVE_DOMAIN_FILTER "(&"SLAVE_DOMAIN_FILTER_BASE")"
|
||||||
|
-#define FOREST_ROOT_FILTER_FMT "(&"SLAVE_DOMAIN_FILTER_BASE"(cn=%s))"
|
||||||
|
|
||||||
|
/* Attributes of schema objects. See e.g.
|
||||||
|
* https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes
|
||||||
|
@@ -646,6 +646,10 @@ done:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* How many times we keep a domain not found during searches before it will be
|
||||||
|
+ * removed. */
|
||||||
|
+#define MAX_NOT_FOUND 6
|
||||||
|
+
|
||||||
|
static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
|
||||||
|
struct sdap_idmap_ctx *idmap_ctx,
|
||||||
|
struct sdap_options *opts,
|
||||||
|
@@ -706,6 +710,25 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (c >= num_subdomains) {
|
||||||
|
+ DEBUG(SSSDBG_CONF_SETTINGS, "Domain [%s] not in current list.\n",
|
||||||
|
+ dom->name);
|
||||||
|
+ /* Since the forest root might not have trustedDomain objects for
|
||||||
|
+ * each domain in the forest, especially e.g. for child-domains of
|
||||||
|
+ * child-domains, we cannot reliable say if a domain is still
|
||||||
|
+ * present or not.
|
||||||
|
+ * Maybe it would work to check the crossRef objects in
|
||||||
|
+ * CN=Partitions,CN=Configuration as well to understand if a
|
||||||
|
+ * domain is still known in the forest or not.
|
||||||
|
+ * For the time being we use a counter, if a domain was not found
|
||||||
|
+ * after multiple attempts it will be deleted. */
|
||||||
|
+
|
||||||
|
+ if (dom->not_found_counter++ < MAX_NOT_FOUND) {
|
||||||
|
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||||
|
+ "Domain [%s] was not found [%zu] times.\n", dom->name,
|
||||||
|
+ dom->not_found_counter);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* ok this subdomain does not exist anymore, let's clean up */
|
||||||
|
sss_domain_set_state(dom, DOM_DISABLED);
|
||||||
|
|
||||||
|
@@ -740,6 +763,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
|
||||||
|
/* terminate all requests for this subdomain so we can free it */
|
||||||
|
dp_terminate_domain_requests(be_ctx->provider, dom->name);
|
||||||
|
talloc_zfree(sdom);
|
||||||
|
+
|
||||||
|
} else {
|
||||||
|
/* ok let's try to update it */
|
||||||
|
ret = ad_subdom_enumerates(domain, subdomains[c], &enumerate);
|
||||||
|
@@ -747,6 +771,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ dom->not_found_counter = 0;
|
||||||
|
ret = ad_subdom_store(be_ctx->cdb, idmap_ctx, domain,
|
||||||
|
subdomains[c], enumerate);
|
||||||
|
if (ret) {
|
||||||
|
@@ -1307,10 +1332,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||||
|
struct tevent_req *req;
|
||||||
|
struct sdap_options *opts;
|
||||||
|
errno_t ret;
|
||||||
|
- const char *filter;
|
||||||
|
const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
|
||||||
|
AD_AT_SID, AD_AT_TRUST_TYPE,
|
||||||
|
- AD_AT_TRUST_ATTRS, NULL };
|
||||||
|
+ AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
|
||||||
|
|
||||||
|
req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
|
||||||
|
if (req == NULL) {
|
||||||
|
@@ -1335,15 +1359,10 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||||
|
state->domain = domain;
|
||||||
|
state->forest = forest;
|
||||||
|
|
||||||
|
- filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
|
||||||
|
- if (filter == NULL) {
|
||||||
|
- ret = ENOMEM;
|
||||||
|
- goto immediately;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
subreq = sdap_search_bases_return_first_send(state, ev, opts, sh,
|
||||||
|
opts->sdom->search_bases,
|
||||||
|
- NULL, false, 0, filter, attrs,
|
||||||
|
+ NULL, false, 0,
|
||||||
|
+ SLAVE_DOMAIN_FILTER, attrs,
|
||||||
|
NULL);
|
||||||
|
if (subreq == NULL) {
|
||||||
|
ret = ENOMEM;
|
||||||
|
@@ -1365,11 +1384,33 @@ immediately:
|
||||||
|
return req;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static struct sysdb_attrs *find_domain(size_t count, struct sysdb_attrs **reply,
|
||||||
|
+ const char *dom_name)
|
||||||
|
+{
|
||||||
|
+ size_t c;
|
||||||
|
+ const char *name;
|
||||||
|
+ int ret;
|
||||||
|
+
|
||||||
|
+ for (c = 0; c < count; c++) {
|
||||||
|
+ ret = sysdb_attrs_get_string(reply[c], AD_AT_DOMAIN_NAME, &name);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to find domain name, skipping");
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ if (strcasecmp(name, dom_name) == 0) {
|
||||||
|
+ return reply[c];
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||||
|
{
|
||||||
|
struct tevent_req *req;
|
||||||
|
struct ad_get_root_domain_state *state;
|
||||||
|
errno_t ret;
|
||||||
|
+ bool has_changes = false;
|
||||||
|
|
||||||
|
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||||
|
state = tevent_req_data(req, struct ad_get_root_domain_state);
|
||||||
|
@@ -1384,7 +1425,37 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (state->reply_count == 0) {
|
||||||
|
+ find_domain(state->reply_count, state->reply, state->forest);
|
||||||
|
+
|
||||||
|
+ if (state->reply_count == 0
|
||||||
|
+ || find_domain(state->reply_count, state->reply,
|
||||||
|
+ state->forest) == NULL) {
|
||||||
|
+
|
||||||
|
+ if (state->reply_count > 0) {
|
||||||
|
+ /* refresh the other domains we have found before checking forest
|
||||||
|
+ * root */
|
||||||
|
+ ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx,
|
||||||
|
+ state->opts,
|
||||||
|
+ state->reply, state->reply_count, false,
|
||||||
|
+ &state->sd_ctx->last_refreshed,
|
||||||
|
+ &has_changes);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "ad_subdomains_refresh failed [%d]: %s\n",
|
||||||
|
+ ret, sss_strerror(ret));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (has_changes) {
|
||||||
|
+ ret = ad_subdom_reinit(state->sd_ctx);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "Could not reinitialize subdomains\n");
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
"No information provided for root domain, trying directly.\n");
|
||||||
|
subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
|
||||||
|
@@ -1397,11 +1468,6 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||||
|
}
|
||||||
|
tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
|
||||||
|
return;
|
||||||
|
- } else if (state->reply_count > 1) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
|
||||||
|
- "domain list might be incomplete!\n");
|
||||||
|
- ret = ERR_MALFORMED_ENTRY;
|
||||||
|
- goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = ad_get_root_domain_refresh(state);
|
||||||
|
@@ -1519,7 +1585,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
|
||||||
|
errno_t ret;
|
||||||
|
|
||||||
|
ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
|
||||||
|
- state->reply, state->reply_count, true,
|
||||||
|
+ state->reply, state->reply_count, false,
|
||||||
|
&state->sd_ctx->last_refreshed,
|
||||||
|
&has_changes);
|
||||||
|
if (ret != EOK) {
|
||||||
|
@@ -1536,8 +1602,9 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- state->root_domain_attrs = state->reply[0];
|
||||||
|
- root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
|
||||||
|
+ state->root_domain_attrs = find_domain(state->reply_count, state->reply,
|
||||||
|
+ state->forest);
|
||||||
|
+ root_domain = ads_get_root_domain(state->be_ctx, state->root_domain_attrs);
|
||||||
|
if (root_domain == NULL) {
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
|
||||||
|
ret = EFAULT;
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
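Review bot: In ad_get_root_domain_done the first `find_domain(state->reply_count, state->reply, state->forest);` is a bare call whose return value is discarded, immediately followed by the same call inside the `if`; delete the stray line so the reply array is scanned once and the intent is clear. The DEBUG string in find_domain, `"Failed to find domain name, skipping"`, lacks the trailing `\n` that the other messages in this patch carry. find_domain passes `dom_name` straight to strcasecmp(), so a NULL `state->forest` would be undefined behaviour; if forest can be NULL on this path (not visible here), an early `if (dom_name == NULL) return NULL;` is needed. With the filter widened from FOREST_ROOT_FILTER_FMT to SLAVE_DOMAIN_FILTER, the root domain is now chosen by a case-insensitive `cn` match over every trustedDomain object the local DC returns, so a short comment at the `find_domain` call stating that `cn` is expected to equal the forest name would help the next reader. The enclosing functions start and end outside their hunks.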
@ -0,0 +1,109 @@
|
|||||||
|
From 231d1118727b989a4af9911a45a465912fe659d6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 12 Mar 2021 14:38:54 +0100
|
||||||
|
Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr()
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
When checking if a group returned by an initgroups request is filtered
|
||||||
|
in the negative cache the domain of the user was used. This does not
|
||||||
|
work reliable if the user can be a member of groups from multiple
|
||||||
|
domains.
|
||||||
|
|
||||||
|
With this patch th domain the group belongs to is determined and used
|
||||||
|
while checking the negative cache.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5534
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/db/sysdb.c | 22 ++++++++++++++++++++++
|
||||||
|
src/db/sysdb.h | 7 +++++++
|
||||||
|
src/responder/nss/nss_protocol_grent.c | 8 +++++---
|
||||||
|
3 files changed, 34 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
|
||||||
|
index 693f687be..6001c49cb 100644
|
||||||
|
--- a/src/db/sysdb.c
|
||||||
|
+++ b/src/db/sysdb.c
|
||||||
|
@@ -2139,3 +2139,25 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
|
||||||
|
fmt, ap);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
|
||||||
|
+ struct ldb_message *msg)
|
||||||
|
+{
|
||||||
|
+ const char *name;
|
||||||
|
+ struct sss_domain_info *obj_dom = NULL;
|
||||||
|
+
|
||||||
|
+ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
|
||||||
|
+ if (name == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "Object does not have a name attribute.\n");
|
||||||
|
+ return dom;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ obj_dom = find_domain_by_object_name(get_domains_head(dom), name);
|
||||||
|
+ if (obj_dom == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name);
|
||||||
|
+ return dom;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return obj_dom;
|
||||||
|
+}
|
||||||
|
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||||
|
index a00efa55f..37a2c4124 100644
|
||||||
|
--- a/src/db/sysdb.h
|
||||||
|
+++ b/src/db/sysdb.h
|
||||||
|
@@ -1532,4 +1532,11 @@ errno_t sysdb_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx,
|
||||||
|
void ldb_debug_messages(void *context, enum ldb_debug_level level,
|
||||||
|
const char *fmt, va_list ap);
|
||||||
|
|
||||||
|
+/* Try to detect the object domain from the object's SYSDB_NAME attribute and
|
||||||
|
+ * return the matching sss_domain_info. This should work reliable with user
|
||||||
|
+ * and group objects since fully-qualified names are used here. If the proper
|
||||||
|
+ * domain cannot be detected the given domain is returned. */
|
||||||
|
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
|
||||||
|
+ struct ldb_message *msg);
|
||||||
|
+
|
||||||
|
#endif /* __SYS_DB_H__ */
|
||||||
|
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
|
||||||
|
index 135b392f7..f6e00eb10 100644
|
||||||
|
--- a/src/responder/nss/nss_protocol_grent.c
|
||||||
|
+++ b/src/responder/nss/nss_protocol_grent.c
|
||||||
|
@@ -361,6 +361,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
||||||
|
struct cache_req_result *result)
|
||||||
|
{
|
||||||
|
struct sss_domain_info *domain;
|
||||||
|
+ struct sss_domain_info *grp_dom;
|
||||||
|
struct ldb_message *user;
|
||||||
|
struct ldb_message *msg;
|
||||||
|
struct ldb_message *primary_group_msg;
|
||||||
|
@@ -418,10 +419,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
||||||
|
num_results = 0;
|
||||||
|
for (i = 1; i < result->count; i++) {
|
||||||
|
msg = result->msgs[i];
|
||||||
|
- gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
|
||||||
|
+ grp_dom = find_domain_by_msg(domain, msg);
|
||||||
|
+ gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM,
|
||||||
|
0);
|
||||||
|
posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
|
||||||
|
- grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
|
||||||
|
+ grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME,
|
||||||
|
NULL);
|
||||||
|
|
||||||
|
if (gid == 0) {
|
||||||
|
@@ -435,7 +437,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
|
||||||
|
+ if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
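Review bot: find_domain_by_msg() silently falls back to the caller's `dom` when the name attribute is missing or no domain matches, and in nss_protocol_fill_initgr that fallback decides which negative cache is_group_filtered() consults; because this filtering controls which group memberships are reported, the fallback deserves a comment at the call site, e.g. `/* falls back to the user's domain if the group's domain cannot be determined */`. The loop starts at `i = 1`, so the primary group handled through `primary_group_msg` earlier in the function is outside this hunk and, as far as is visible, still uses `domain`; if it is also checked against the negative cache it should use the same per-group domain lookup. nss_protocol_fill_initgr starts and ends outside the hunks.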
SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch
@ -0,0 +1,198 @@
|
|||||||
|
From 0cddb67128edc86be4163489e29eaa3c4e123b7b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Fri, 12 Mar 2021 19:27:12 +0100
|
||||||
|
Subject: [PATCH] DEBUG: introduce SSSDBG_TOOLS_DEFAULT
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5488
|
||||||
|
|
||||||
|
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||||
|
---
|
||||||
|
src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +-
|
||||||
|
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +-
|
||||||
|
src/tools/common/sss_tools.c | 2 +-
|
||||||
|
src/tools/sss_cache.c | 2 +-
|
||||||
|
src/tools/sss_groupadd.c | 2 +-
|
||||||
|
src/tools/sss_groupdel.c | 2 +-
|
||||||
|
src/tools/sss_groupmod.c | 2 +-
|
||||||
|
src/tools/sss_groupshow.c | 2 +-
|
||||||
|
src/tools/sss_seed.c | 2 +-
|
||||||
|
src/tools/sss_useradd.c | 2 +-
|
||||||
|
src/tools/sss_userdel.c | 2 +-
|
||||||
|
src/tools/sss_usermod.c | 2 +-
|
||||||
|
src/util/debug.h | 1 +
|
||||||
|
13 files changed, 13 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
|
||||||
|
index e356f28c3..324e5e3a3 100644
|
||||||
|
--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
|
||||||
|
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
|
||||||
|
@@ -32,7 +32,7 @@
|
||||||
|
int main(int argc, const char **argv)
|
||||||
|
{
|
||||||
|
TALLOC_CTX *mem_ctx = NULL;
|
||||||
|
- int pc_debug = SSSDBG_FATAL_FAILURE;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
const char *pc_domain = NULL;
|
||||||
|
const char *pc_user = NULL;
|
||||||
|
struct poptOption long_options[] = {
|
||||||
|
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||||
|
index 3cd12b480..170ba30a3 100644
|
||||||
|
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||||
|
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||||
|
@@ -174,7 +174,7 @@ connect_proxy_command(char **args)
|
||||||
|
int main(int argc, const char **argv)
|
||||||
|
{
|
||||||
|
TALLOC_CTX *mem_ctx = NULL;
|
||||||
|
- int pc_debug = SSSDBG_FATAL_FAILURE;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
int pc_port = 22;
|
||||||
|
const char *pc_domain = NULL;
|
||||||
|
const char *pc_host = NULL;
|
||||||
|
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||||
|
index 368d09ae2..637e251f6 100644
|
||||||
|
--- a/src/tools/common/sss_tools.c
|
||||||
|
+++ b/src/tools/common/sss_tools.c
|
||||||
|
@@ -56,7 +56,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
|
||||||
|
int *argc, const char **argv)
|
||||||
|
{
|
||||||
|
poptContext pc;
|
||||||
|
- int debug = SSSDBG_DEFAULT;
|
||||||
|
+ int debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
int orig_argc = *argc;
|
||||||
|
int help = 0;
|
||||||
|
|
||||||
|
diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c
|
||||||
|
index cea900bf1..b5391b16d 100644
|
||||||
|
--- a/src/tools/sss_cache.c
|
||||||
|
+++ b/src/tools/sss_cache.c
|
||||||
|
@@ -709,7 +709,7 @@ static errno_t init_context(int argc, const char *argv[],
|
||||||
|
struct cache_tool_ctx *ctx = NULL;
|
||||||
|
int idb = INVALIDATE_NONE;
|
||||||
|
struct input_values values = { 0 };
|
||||||
|
- int debug = SSSDBG_DEFAULT;
|
||||||
|
+ int debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
errno_t ret = EOK;
|
||||||
|
|
||||||
|
poptContext pc = NULL;
|
||||||
|
diff --git a/src/tools/sss_groupadd.c b/src/tools/sss_groupadd.c
|
||||||
|
index f71d6dde7..91559116d 100644
|
||||||
|
--- a/src/tools/sss_groupadd.c
|
||||||
|
+++ b/src/tools/sss_groupadd.c
|
||||||
|
@@ -34,7 +34,7 @@
|
||||||
|
int main(int argc, const char **argv)
|
||||||
|
{
|
||||||
|
gid_t pc_gid = 0;
|
||||||
|
- int pc_debug = SSSDBG_DEFAULT;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
struct poptOption long_options[] = {
|
||||||
|
POPT_AUTOHELP
|
||||||
|
{ "debug",'\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
|
||||||
|
diff --git a/src/tools/sss_groupdel.c b/src/tools/sss_groupdel.c
|
||||||
|
index 5dcc2056d..e64441758 100644
|
||||||
|
--- a/src/tools/sss_groupdel.c
|
||||||
|
+++ b/src/tools/sss_groupdel.c
|
||||||
|
@@ -33,7 +33,7 @@
|
||||||
|
int main(int argc, const char **argv)
|
||||||
|
{
|
||||||
|
int ret = EXIT_SUCCESS;
|
||||||
|
- int pc_debug = SSSDBG_DEFAULT;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
const char *pc_groupname = NULL;
|
||||||
|
struct tools_ctx *tctx = NULL;
|
||||||
|
|
||||||
|
diff --git a/src/tools/sss_groupmod.c b/src/tools/sss_groupmod.c
|
||||||
|
index eddc7034a..8770b6684 100644
|
||||||
|
--- a/src/tools/sss_groupmod.c
|
||||||
|
+++ b/src/tools/sss_groupmod.c
|
||||||
|
@@ -35,7 +35,7 @@
|
||||||
|
int main(int argc, const char **argv)
|
||||||
|
{
|
||||||
|
gid_t pc_gid = 0;
|
||||||
|
- int pc_debug = SSSDBG_DEFAULT;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
struct poptOption long_options[] = {
|
||||||
|
POPT_AUTOHELP
|
||||||
|
{ "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
|
||||||
|
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
|
||||||
|
index 7b0fbe117..aa618eecb 100644
|
||||||
|
--- a/src/tools/sss_groupshow.c
|
||||||
|
+++ b/src/tools/sss_groupshow.c
|
||||||
|
@@ -654,7 +654,7 @@ static void print_recursive(struct group_info **group_members, unsigned level)
|
||||||
|
int main(int argc, const char **argv)
|
||||||
|
{
|
||||||
|
int ret = EXIT_SUCCESS;
|
||||||
|
- int pc_debug = SSSDBG_DEFAULT;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
bool pc_recursive = false;
|
||||||
|
const char *pc_groupname = NULL;
|
||||||
|
struct tools_ctx *tctx = NULL;
|
||||||
|
diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
|
||||||
|
index 1189604a3..17ba81956 100644
|
||||||
|
--- a/src/tools/sss_seed.c
|
||||||
|
+++ b/src/tools/sss_seed.c
|
||||||
|
@@ -460,7 +460,7 @@ static int seed_init(TALLOC_CTX *mem_ctx,
|
||||||
|
struct seed_ctx **_sctx)
|
||||||
|
{
|
||||||
|
TALLOC_CTX *tmp_ctx = NULL;
|
||||||
|
- int pc_debug = SSSDBG_DEFAULT;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
const char *pc_domain = NULL;
|
||||||
|
const char *pc_name = NULL;
|
||||||
|
uid_t pc_uid = 0;
|
||||||
|
diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c
|
||||||
|
index ca2cbd6c1..fa1091ec8 100644
|
||||||
|
--- a/src/tools/sss_useradd.c
|
||||||
|
+++ b/src/tools/sss_useradd.c
|
||||||
|
@@ -38,7 +38,7 @@ int main(int argc, const char **argv)
|
||||||
|
const char *pc_gecos = NULL;
|
||||||
|
const char *pc_home = NULL;
|
||||||
|
char *pc_shell = NULL;
|
||||||
|
- int pc_debug = SSSDBG_DEFAULT;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
int pc_create_home = 0;
|
||||||
|
const char *pc_username = NULL;
|
||||||
|
const char *pc_skeldir = NULL;
|
||||||
|
diff --git a/src/tools/sss_userdel.c b/src/tools/sss_userdel.c
|
||||||
|
index bd703fd2e..60bb0f835 100644
|
||||||
|
--- a/src/tools/sss_userdel.c
|
||||||
|
+++ b/src/tools/sss_userdel.c
|
||||||
|
@@ -125,7 +125,7 @@ int main(int argc, const char **argv)
|
||||||
|
struct tools_ctx *tctx = NULL;
|
||||||
|
const char *pc_username = NULL;
|
||||||
|
|
||||||
|
- int pc_debug = SSSDBG_DEFAULT;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
int pc_remove = 0;
|
||||||
|
int pc_force = 0;
|
||||||
|
int pc_kick = 0;
|
||||||
|
diff --git a/src/tools/sss_usermod.c b/src/tools/sss_usermod.c
|
||||||
|
index 6a818f13a..0f3230d27 100644
|
||||||
|
--- a/src/tools/sss_usermod.c
|
||||||
|
+++ b/src/tools/sss_usermod.c
|
||||||
|
@@ -40,7 +40,7 @@ int main(int argc, const char **argv)
|
||||||
|
char *pc_gecos = NULL;
|
||||||
|
char *pc_home = NULL;
|
||||||
|
char *pc_shell = NULL;
|
||||||
|
- int pc_debug = SSSDBG_DEFAULT;
|
||||||
|
+ int pc_debug = SSSDBG_TOOLS_DEFAULT;
|
||||||
|
const char *pc_selinux_user = NULL;
|
||||||
|
struct poptOption long_options[] = {
|
||||||
|
POPT_AUTOHELP
|
||||||
|
diff --git a/src/util/debug.h b/src/util/debug.h
|
||||||
|
index a3adfe576..54a7e3934 100644
|
||||||
|
--- a/src/util/debug.h
|
||||||
|
+++ b/src/util/debug.h
|
||||||
|
@@ -108,6 +108,7 @@ int rotate_debug_files(void);
|
||||||
|
#define SSSDBG_INVALID -1
|
||||||
|
#define SSSDBG_UNRESOLVED 0
|
||||||
|
#define SSSDBG_DEFAULT (SSSDBG_FATAL_FAILURE|SSSDBG_CRIT_FAILURE|SSSDBG_OP_FAILURE)
|
||||||
|
+#define SSSDBG_TOOLS_DEFAULT (SSSDBG_FATAL_FAILURE)
|
||||||
|
|
||||||
|
|
||||||
|
/** \def DEBUG(level, format, ...)
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
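Review bot: The new `SSSDBG_TOOLS_DEFAULT` macro in src/util/debug.h is introduced without a comment, while its value (`SSSDBG_FATAL_FAILURE` alone) is deliberately narrower than the `SSSDBG_DEFAULT` defined on the line above, so a reader of the header cannot tell whether the drop of CRIT_FAILURE and OP_FAILURE is intended. I would add above the define `/* Default debug level for the command-line tools: failures are reported to the user directly, so only fatal failures go to the debug log unless --debug is given. */`, hedging the "reported directly" part on the tools' use of ERROR() that the follow-up 0058 patch describes. Note that sss_ssh_authorizedkeys.c and sss_ssh_knownhostsproxy.c previously used `SSSDBG_FATAL_FAILURE` directly and so keep their behaviour, whereas every src/tools/* program in this series goes from `SSSDBG_DEFAULT` to fatal-only; the commit message does not state that distinction, and a future edit of the macro will now change both groups at once. Each hunk touches only the declaration line of its enclosing main() or init function, whose body continues outside the hunk.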
34
SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
From fbf33babe3fb52323f098aa300b51bf8fc5ee363 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Wed, 19 May 2021 17:20:52 +0200
|
||||||
|
Subject: [PATCH] TOOLS: removed unneeded debug message
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
This message was logged before `sss_tool_init()` that sets debug level,
|
||||||
|
thus ignoring configured debug level.
|
||||||
|
|
||||||
|
Since the same message is printed via `ERROR` on a next line, this log
|
||||||
|
message doesn't add any information and can be simply removed.
|
||||||
|
|
||||||
|
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||||
|
---
|
||||||
|
src/tools/common/sss_tools.c | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||||
|
index 637e251f6..806667f46 100644
|
||||||
|
--- a/src/tools/common/sss_tools.c
|
||||||
|
+++ b/src/tools/common/sss_tools.c
|
||||||
|
@@ -512,7 +512,6 @@ int sss_tool_main(int argc, const char **argv,
|
||||||
|
|
||||||
|
uid = getuid();
|
||||||
|
if (uid != 0) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
|
||||||
|
ERROR("%1$s must be run as root\n", argv[0]);
|
||||||
|
return EXIT_FAILURE;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -26,7 +26,7 @@
|
|||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.4.0
|
Version: 2.4.0
|
||||||
Release: 9%{?dist}
|
Release: 9%{?dist}.1
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -85,6 +85,13 @@ Patch0048: 0048-pot-update-pot-files.patch
|
|||||||
Patch0049: 0049-Update-the-translations-for-the-2.4.1-release.patch
|
Patch0049: 0049-Update-the-translations-for-the-2.4.1-release.patch
|
||||||
Patch0050: 0050-pot-update-pot-files.patch
|
Patch0050: 0050-pot-update-pot-files.patch
|
||||||
Patch0051: 0051-po-update-translations.patch
|
Patch0051: 0051-po-update-translations.patch
|
||||||
|
Patch0052: 0052-handle-large-service-tickets.patch
|
||||||
|
Patch0053: 0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch
|
||||||
|
Patch0054: 0054-sss_domain_info-add-not_found_counter.patch
|
||||||
|
Patch0055: 0055-AD-read-trusted-domains-from-local-domain-as-well.patch
|
||||||
|
Patch0056: 0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch
|
||||||
|
Patch0057: 0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch
|
||||||
|
Patch0058: 0058-TOOLS-removed-unneeded-debug-message.patch
|
||||||
|
|
||||||
### Downstream Patches ###
|
### Downstream Patches ###
|
||||||
|
|
||||||
@ -1266,6 +1273,13 @@ fi
|
|||||||
%{_libdir}/%{name}/modules/libwbclient.so
|
%{_libdir}/%{name}/modules/libwbclient.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 24 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-9.1
|
||||||
|
- Resolves: rhbz#1949170 - pam_sss_gss.so doesn't work with large kerberos tickets [rhel-8.4.0.z]
|
||||||
|
- Resolves: rhbz#1945656 - No gpo found and ad_gpo_implicit_deny set to True still permits user login [rhel-8.4.0.z]
|
||||||
|
- Resolves: rhbz#1945655 - SSSD not detecting subdomain from AD forest (RHEL 8.3) [rhel-8.4.0.z]
|
||||||
|
- Resolves: rhbz#1945654 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-8.4.0.z]
|
||||||
|
- Resolves: rhbz#1942438 - Wrong default debug level of sssd tools [rhel-8.4.0.z]
|
||||||
|
|
||||||
* Fri Mar 19 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-9
|
* Fri Mar 19 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-9
|
||||||
- Resolves: rhbz#1899712 - [sssd] RHEL 8.4 Tier 0 Localization
|
- Resolves: rhbz#1899712 - [sssd] RHEL 8.4 Tier 0 Localization
|
||||||
|
|
||||||
|