diff --git a/.gitignore b/.gitignore index 8927f97..f74e090 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/sssd-2.6.2.tar.gz +SOURCES/sssd-2.7.3.tar.gz diff --git a/.sssd.metadata b/.sssd.metadata index b533b3d..6132eb6 100644 --- a/.sssd.metadata +++ b/.sssd.metadata @@ -1 +1 @@ -c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz +0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz diff --git a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch new file mode 100644 index 0000000..271a5d8 --- /dev/null +++ b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch @@ -0,0 +1,51 @@ +From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Thu, 21 Jul 2022 20:16:32 +0200 +Subject: [PATCH] Makefile: remove unneeded dependency +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f) +--- + Makefile.am | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 669a0fc56..92d046888 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \ + $(KRB5_CFLAGS) \ + $(UUID_CFLAGS) \ + $(CURL_CFLAGS) \ +- $(JANSSON_CFLAGS) \ + $(NULL) + sssd_kcm_LDADD = \ + $(LIBADD_DL) \ + $(KRB5_LIBS) \ +- $(JANSSON_LIBS) \ + $(SSSD_LIBS) \ + $(UUID_LIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ +@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \ + $(UUID_CFLAGS) \ + $(NULL) + test_kcm_marshalling_LDADD = \ +- $(JANSSON_LIBS) \ + $(UUID_LIBS) \ + $(KRB5_LIBS) \ + $(CMOCKA_LIBS) \ +@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \ + test_kcm_renewals_LDADD = \ + $(LIBADD_DL) \ + $(UUID_LIBS) \ +- $(JANSSON_LIBS) \ + $(KRB5_LIBS) \ + $(CARES_LIBS) \ + $(CMOCKA_LIBS) \ +-- +2.37.1 + diff --git a/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch b/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch deleted file mode 100644 index 068853a..0000000 --- a/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 4 Jan 2022 10:11:49 +0100 -Subject: [PATCH] ipa: fix reply socket of selinux_child - -Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched -the reply socket of selinux_child from stdout to stderr while switching -from exec_child to exec_child_ex. This patch returns the original -behavior. - -Resolves: https://github.com/SSSD/sssd/issues/5939 - -Reviewed-by: Alexey Tikhonov ---- - src/providers/ipa/ipa_selinux.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c -index 6f885c0fd..2e0593dd7 100644 ---- a/src/providers/ipa/ipa_selinux.c -+++ b/src/providers/ipa/ipa_selinux.c -@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state) - if (pid == 0) { /* child */ - exec_child_ex(state, pipefd_to_child, pipefd_from_child, - SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args, -- false, STDIN_FILENO, STDERR_FILENO); -+ false, STDIN_FILENO, STDOUT_FILENO); - DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n", - ret, sss_strerror(ret)); - return ret; --- -2.26.3 - diff --git a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch new file mode 100644 index 0000000..6caa8fc --- /dev/null +++ b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch @@ -0,0 +1,155 @@ +From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 29 Jul 2022 14:57:20 +0200 +Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it + should survive context destruction / re-initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Iker Pedrosa +Reviewed-by: Pavel Březina +(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911) +--- + src/sss_client/nss_mc.h | 4 ++-- + src/sss_client/nss_mc_common.c | 10 ++++++++-- + src/sss_client/nss_mc_group.c | 5 +++++ + src/sss_client/nss_mc_initgr.c | 5 +++++ + src/sss_client/nss_mc_passwd.c | 5 +++++ + src/sss_client/nss_mc_sid.c | 5 +++++ + 6 files changed, 30 insertions(+), 4 deletions(-) + +diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h +index b66e8f09f..de1496ccc 100644 +--- a/src/sss_client/nss_mc.h ++++ b/src/sss_client/nss_mc.h +@@ -48,7 +48,7 @@ enum sss_mc_state { + struct sss_cli_mc_ctx { + enum sss_mc_state initialized; + #if HAVE_PTHREAD +- pthread_mutex_t mutex; ++ pthread_mutex_t *mutex; + #endif + int fd; + +@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx { + }; + + #if HAVE_PTHREAD +-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} ++#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} + #else + #define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} + #endif +diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c +index c73a93a9a..f38a4a85a 100644 +--- a/src/sss_client/nss_mc_common.c ++++ b/src/sss_client/nss_mc_common.c +@@ -58,14 +58,14 @@ do { \ + static void sss_mt_lock(struct sss_cli_mc_ctx *ctx) + { + #if HAVE_PTHREAD +- pthread_mutex_lock(&ctx->mutex); ++ pthread_mutex_lock(ctx->mutex); + #endif + } + + static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx) + { + #if HAVE_PTHREAD +- pthread_mutex_unlock(&ctx->mutex); ++ pthread_mutex_unlock(ctx->mutex); + #endif + } + +@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) + static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) + { + uint32_t active_threads = ctx->active_threads; ++#if HAVE_PTHREAD ++ pthread_mutex_t *mutex = ctx->mutex; ++#endif + + if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { + munmap(ctx->mmap_base, ctx->mmap_size); +@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) + + /* restore count of active threads */ + ctx->active_threads = active_threads; ++#if HAVE_PTHREAD ++ ctx->mutex = mutex; ++#endif + } + + static errno_t sss_nss_mc_init_ctx(const char *name, +diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c +index 2ea40c435..d4f2a82ab 100644 +--- a/src/sss_client/nss_mc_group.c ++++ b/src/sss_client/nss_mc_group.c +@@ -29,7 +29,12 @@ + #include "nss_mc.h" + #include "shared/safealign.h" + ++#if HAVE_PTHREAD ++static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; ++static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex); ++#else + static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; ++#endif + + static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, + struct group *result, +diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c +index b05946263..bd7282935 100644 +--- a/src/sss_client/nss_mc_initgr.c ++++ b/src/sss_client/nss_mc_initgr.c +@@ -32,7 +32,12 @@ + #include "nss_mc.h" + #include "shared/safealign.h" + ++#if HAVE_PTHREAD ++static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; ++static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex); ++#else + static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; ++#endif + + static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, + long int *start, long int *size, +diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c +index 01c6801da..256d48444 100644 +--- a/src/sss_client/nss_mc_passwd.c ++++ b/src/sss_client/nss_mc_passwd.c +@@ -28,7 +28,12 @@ + #include + #include "nss_mc.h" + ++#if HAVE_PTHREAD ++static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; ++static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex); ++#else + static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; ++#endif + + static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, + struct passwd *result, +diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c +index af7d7bbd5..52e684da5 100644 +--- a/src/sss_client/nss_mc_sid.c ++++ b/src/sss_client/nss_mc_sid.c +@@ -30,7 +30,12 @@ + #include "util/mmap_cache.h" + #include "idmap/sss_nss_idmap.h" + ++#if HAVE_PTHREAD ++static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; ++static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex); ++#else + static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; ++#endif + + static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type, + char **sid, uint32_t *type, +-- +2.37.1 + diff --git a/SOURCES/0002-po-update-translations.patch b/SOURCES/0002-po-update-translations.patch deleted file mode 100644 index 0433c32..0000000 --- a/SOURCES/0002-po-update-translations.patch +++ /dev/null @@ -1,1249 +0,0 @@ -From e7069c53235d11e2a8f2b58f2781d303bdbe13b3 Mon Sep 17 00:00:00 2001 -From: Weblate -Date: Wed, 5 Jan 2022 13:23:20 +0100 -Subject: [PATCH] po: update translations -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Japanese) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(Finnish) currently translated at 3.5% (93 of 2627 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/ - -po: update translations - -(Swedish) currently translated at 100.0% (2627 of 2627 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/ - -po: update translations - -(Swedish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/ - -po: update translations - -(Korean) currently translated at 14.4% (379 of 2615 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ - -po: update translations - -(Korean) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ - -po: update translations - -(Ukrainian) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ - -po: update translations - -(Polish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ - -Update translation files - -Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. - -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ - -po: update translations - -(Korean) currently translated at 14.4% (379 of 2615 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ - -po: update translations - -(Korean) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ - -po: update translations - -(Korean) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ - -po: update translations - -(Korean) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ - -po: update translations - -(Finnish) currently translated at 6.1% (38 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/ - -po: update translations - -(Finnish) currently translated at 6.1% (38 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/ - -po: update translations - -(Chinese (Traditional) (zh_TW)) currently translated at 7.9% (49 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_TW/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Ukrainian) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ - -po: update translations - -(Ukrainian) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ - -po: update translations - -(Turkish) currently translated at 15.1% (94 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/ - -po: update translations - -(Turkish) currently translated at 15.1% (94 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/ - -po: update translations - -(Tajik) currently translated at 0.9% (6 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tg/ - -po: update translations - -(Swedish) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/ - -po: update translations - -(Swedish) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/ - -po: update translations - -(Russian) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/ - -po: update translations - -(Russian) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/ - -po: update translations - -(Russian) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/ - -po: update translations - -(Portuguese (Brazil)) currently translated at 0.8% (5 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt_BR/ - -po: update translations - -(Portuguese) currently translated at 15.6% (97 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/ - -po: update translations - -(Polish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ - -po: update translations - -(Polish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ - -po: update translations - -(Dutch) currently translated at 47.6% (295 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/nl/ - -po: update translations - -(Norwegian Bokmål) currently translated at 2.2% (14 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/nb_NO/ - -po: update translations - -(Japanese) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -po: update translations - -(Japanese) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -po: update translations - -(Japanese) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -po: update translations - -(Italian) currently translated at 19.0% (118 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/it/ - -po: update translations - -(Italian) currently translated at 19.0% (118 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/it/ - -po: update translations - -(Indonesian) currently translated at 8.7% (54 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/id/ - -po: update translations - -(Hungarian) currently translated at 7.1% (44 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/hu/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(Basque) currently translated at 6.7% (42 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/eu/ - -po: update translations - -(Spanish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/ - -po: update translations - -(Spanish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/ - -po: update translations - -(German) currently translated at 51.5% (319 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/de/ - -po: update translations - -(German) currently translated at 51.5% (319 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/de/ - -po: update translations - -(Czech) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/ - -po: update translations - -(Czech) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/ - -po: update translations - -(Czech) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/ - -po: update translations - -(Catalan) currently translated at 55.7% (345 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ca/ - -po: update translations - -(Bulgarian) currently translated at 15.1% (94 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/bg/ - -po: update translations - -(Ukrainian) currently translated at 100.0% (2627 of 2627 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ ---- - po/cs.po | 6 +++ - po/es.po | 6 +++ - po/fr.po | 19 +++++--- - po/ja.po | 18 +++++--- - po/ko.po | 15 +++--- - po/pl.po | 17 ++++--- - po/sv.po | 21 ++++----- - po/uk.po | 16 +++++-- - po/zh_CN.po | 25 +++++----- - src/man/po/fi.po | 10 ++-- - src/man/po/sv.po | 117 +++++++++++++++++------------------------------ - src/man/po/uk.po | 21 +++++---- - 13 files changed, 161 insertions(+), 152 deletions(-) - -diff --git a/po/cs.po b/po/cs.po -index 3a707d70c..abc1f36cc 100644 ---- a/po/cs.po -+++ b/po/cs.po -@@ -2935,6 +2935,12 @@ msgstr "Informuje, že odpovídač byl aktivován přes dbus" - #~ "Je doporučeno použít volbu --logdir vůči identifikátoru tevent řetězce " - #~ "podporovaným záznamům událostí v SSSD.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "POZN.: chybí podpora pro identifikátor tevent řetězce, analýza požadavku " -+#~ "bude jen základní.\n" -+ - #~ msgid "Timeout for messages sent over the SBUS" - #~ msgstr "Časový limit pro zprávy posílané přes SBUS" - -diff --git a/po/es.po b/po/es.po -index dfa4f12f2..2a05620bd 100644 ---- a/po/es.po -+++ b/po/es.po -@@ -2997,6 +2997,12 @@ msgstr "Informa que el contestador ha sido dbus-activated" - #~ "Se recomienda usar la opción --logdir contra la ID de la cadena de " - #~ "eventos soportada por los registros SSSD.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "AVISO: Falta el soporte de identificación de la cadena de eventos, el " -+#~ "análisis de solicitudes será limitado.\n" -+ - #~ msgid "Timeout for messages sent over the SBUS" - #~ msgstr "Tiempo máximo para los mensajes enviados a través de SBUS" - -diff --git a/po/fr.po b/po/fr.po -index 2687f3c1a..b5c2e531c 100644 ---- a/po/fr.po -+++ b/po/fr.po -@@ -8,7 +8,7 @@ - # Fabien Archambault , 2012 - # Mariko Vincent , 2012 - # Jérôme Fenal , 2016. #zanata --# Ludek Janda , 2020. #zanata, 2021. -+# Ludek Janda , 2020. #zanata, 2021, 2022. - # Pavel Brezina , 2020. #zanata - # Jean-Baptiste Holcroft , 2020. - # Sundeep Anand , 2021. -@@ -17,7 +17,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-12-22 07:16+0000\n" -+"PO-Revision-Date: 2022-01-05 12:23+0000\n" - "Last-Translator: Ludek Janda \n" - "Language-Team: French \n" -@@ -26,7 +26,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n > 1;\n" --"X-Generator: Weblate 4.10\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -2085,7 +2085,7 @@ msgstr "Utiliser la version personnalisée de krb5_get_init_creds_password" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "ID de chaîne Tevent utilisé à des fins de journalisation" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2762,11 +2762,10 @@ msgid "Specify debug level you want to set" - msgstr "Spécifiez le niveau de débogage que vous souhaitez définir" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" - msgstr "" --"REMARQUE : Prise en charge de l’ID de chaîne Tevent manquante, l’analyse des " --"demandes sera limitée.\n" -+"ERREUR : Prise en charge de l’ID de chaîne Tevent manquante, l’analyseur de " -+"journal n’est pas pris en charge.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -3011,6 +3010,12 @@ msgstr "Informe que le répondeur a été activé par un dbus" - #~ "Il est recommandé d’utiliser l’option --logdir pour les journaux SSSD " - #~ "pris en charge par l’ID de chaîne Tevent.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "REMARQUE : Prise en charge de l’ID de chaîne Tevent manquante, l’analyse " -+#~ "des demandes sera limitée.\n" -+ - #~ msgid "Running under %" - #~ msgstr "En cours d’exécution sous %" - -diff --git a/po/ja.po b/po/ja.po -index 3156fe5a7..699980621 100644 ---- a/po/ja.po -+++ b/po/ja.po -@@ -6,7 +6,7 @@ - # Tomoyuki KATO , 2012-2013 - # Noriko Mizumoto , 2016. #zanata - # Keiko Moriguchi , 2019. #zanata --# Ludek Janda , 2020. #zanata, 2021. -+# Ludek Janda , 2020. #zanata, 2021, 2022. - # Pavel Brezina , 2020. #zanata - # Sundeep Anand , 2021. - msgid "" -@@ -14,7 +14,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-12-22 07:16+0000\n" -+"PO-Revision-Date: 2022-01-05 12:23+0000\n" - "Last-Translator: Ludek Janda \n" - "Language-Team: Japanese \n" -@@ -23,7 +23,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Weblate 4.10\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -1960,7 +1960,7 @@ msgstr "krb5_get_init_creds_password のカスタムバージョンを使用し - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "デバッグのロギングの冗長性を設定する" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2629,10 +2629,8 @@ msgid "Specify debug level you want to set" - msgstr "設定したいデバッグレベルを指定します" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" --msgstr "" --"注記: Tevent チェーン ID サポートがないため、リクエスト分析は制限されます。\n" -+msgstr "エラー: Tevent chain ID サポートがなく、ログアナライザーはサポートされません。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -2877,6 +2875,12 @@ msgstr "レスポンダーが dbus でアクティベートされたと知らせ - #~ "tevent チェーン ID でサポートされる SSSD ログに対して --logdir オプション" - #~ "を使用することが推奨されます。\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "注記: Tevent チェーン ID サポートがないため、リクエスト分析は制限されま" -+#~ "す。\n" -+ - #~ msgid "Running under %" - #~ msgstr "% 化で実行" - -diff --git a/po/ko.po b/po/ko.po -index 5a27bab30..2dd7cbd52 100644 ---- a/po/ko.po -+++ b/po/ko.po -@@ -9,8 +9,8 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-12-22 07:16+0000\n" --"Last-Translator: Ludek Janda \n" -+"PO-Revision-Date: 2021-12-25 00:16+0000\n" -+"Last-Translator: simmon \n" - "Language-Team: Korean \n" - "Language: ko\n" -@@ -18,7 +18,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Weblate 4.10\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -1929,7 +1929,7 @@ msgstr "krb5_get_init_creds_password의 사용자 지정 버전 사용" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "로깅 목적을 위해 사용되는 T이벤트 체인 ID" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2588,9 +2588,8 @@ msgid "Specify debug level you want to set" - msgstr "설정할 디버그 수준 지정" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" --msgstr "참고: Tevent 체인 ID 지원이 누락되어 요청 분석이 제한됩니다.\n" -+msgstr "오류: T이벤트 체인 ID 지원이 누락되었으며, 로그 분석이 지원되지 않습니다.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -2835,6 +2834,10 @@ msgstr "응답자가 dbus-활성화 되었음을 알립니다" - #~ "tevent 체인 ID에서 지원되는 SSSD 로그에 대해 --logdir 옵션을 사용하는 것" - #~ "이 좋습니다.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "참고: Tevent 체인 ID 지원이 누락되어 요청 분석이 제한됩니다.\n" -+ - #~ msgid "Timeout for messages sent over the SBUS" - #~ msgstr "SBUS를 통해 전송된 메시지에 시간초과" - -diff --git a/po/pl.po b/po/pl.po -index 60c4090b5..89969bf6e 100644 ---- a/po/pl.po -+++ b/po/pl.po -@@ -16,7 +16,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-11-11 11:34+0000\n" -+"PO-Revision-Date: 2021-12-24 10:33+0000\n" - "Last-Translator: Piotr Drąg \n" - "Language-Team: Polish \n" -@@ -26,7 +26,7 @@ msgstr "" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 " - "|| n%100>=20) ? 1 : 2;\n" --"X-Generator: Weblate 4.8.1\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -2025,7 +2025,7 @@ msgstr "Użycie niestandardowej wersji krb5_get_init_creds_password" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "Identyfikator łańcucha tevent używany do celów zapisywania w dzienniku" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2692,11 +2692,10 @@ msgid "Specify debug level you want to set" - msgstr "Podaje poziom debugowania do ustawienia" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" - msgstr "" --"UWAGA: brak obsługi identyfikatora łańcucha tevent, analiza żądań będzie " --"ograniczona.\n" -+"BŁĄD: brak obsługi identyfikatora łańcucha tevent, analizator dziennika jest " -+"nieobsługiwany.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -2941,6 +2940,12 @@ msgstr "Informuje, że program odpowiadający został aktywowany magistralą D-B - #~ "Zalecane jest używanie opcji --logdir przy dziennikach SSSD obsługujących " - #~ "identyfikator łańcucha tevent.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "UWAGA: brak obsługi identyfikatora łańcucha tevent, analiza żądań będzie " -+#~ "ograniczona.\n" -+ - #~ msgid "Running under %" - #~ msgstr "Uruchamianie jako %" - -diff --git a/po/sv.po b/po/sv.po -index 910a89552..d679d83b9 100644 ---- a/po/sv.po -+++ b/po/sv.po -@@ -13,7 +13,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-08-08 16:04+0000\n" -+"PO-Revision-Date: 2021-12-31 15:16+0000\n" - "Last-Translator: Göran Uddeborg \n" - "Language-Team: Swedish \n" -@@ -22,7 +22,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n != 1;\n" --"X-Generator: Weblate 4.7.2\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -823,9 +823,8 @@ msgstr "" - "servern när den senaste förfrågan inte hittade någon regel" - - #: src/config/SSSDConfig/sssdoptions.py:244 --#, fuzzy - msgid "Search base for SUBID ranges" --msgstr "Sökbas för vybehållare" -+msgstr "Sökbas för SUBAID-intervall" - - #: src/config/SSSDConfig/sssdoptions.py:245 - msgid "The LDAP attribute that contains FQDN of the host." -@@ -1951,7 +1950,7 @@ msgstr "Flaggan -g är inkompatibel med -D eller -i\n" - #: src/monitor/monitor.c:2401 - #, c-format - msgid "Running under %, must be root\n" --msgstr "" -+msgstr "Kör under %, måste vara root\n" - - #: src/monitor/monitor.c:2483 - msgid "SSSD is already running\n" -@@ -1999,7 +1998,7 @@ msgstr "Använd en anpassad version av krb5_get_init_creds_password" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "Tevent-kedje-ID använt för loggningssyfte" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2335,14 +2334,14 @@ msgid "Error while executing external command\n" - msgstr "Fel när externt kommando kördes\n" - - #: src/tools/sssctl/sssctl.c:123 --#, fuzzy, c-format -+#, c-format - msgid "Error while executing external command '%s'\n" --msgstr "Fel när externt kommando kördes\n" -+msgstr "Fel när externt kommando kördes ”%s”\n" - - #: src/tools/sssctl/sssctl.c:126 --#, fuzzy, c-format -+#, c-format - msgid "Command '%s' failed with [%d]\n" --msgstr "dlsym misslyckades med [%s].\n" -+msgstr "Kommandot ”%s” misslyckades med [%d].\n" - - #: src/tools/sssctl/sssctl.c:173 - msgid "SSSD needs to be running. Start SSSD now?" -@@ -2665,7 +2664,7 @@ msgstr "Ange felsökningsnivå du vill sätta" - - #: src/tools/sssctl/sssctl_logs.c:398 - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" --msgstr "" -+msgstr "FEL: stöd för tevent-kedje-ID saknas, logganalysatorn stödjs inte.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -diff --git a/po/uk.po b/po/uk.po -index 9ee86deb0..84e63bcc9 100644 ---- a/po/uk.po -+++ b/po/uk.po -@@ -16,7 +16,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-11-12 12:05+0000\n" -+"PO-Revision-Date: 2021-12-25 00:16+0000\n" - "Last-Translator: Yuri Chornoivan \n" - "Language-Team: Ukrainian \n" -@@ -26,7 +26,7 @@ msgstr "" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" - "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" --"X-Generator: Weblate 4.8.1\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -2088,6 +2088,7 @@ msgstr "Використовувати нетипову версію krb5_get_in - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" - msgstr "" -+"Ідентифікатор ланцюжка Tevent, який використовується для ведення журналу" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2757,11 +2758,10 @@ msgid "Specify debug level you want to set" - msgstr "Вкажіть рівень діагностики, яким ви хочете скористатися" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" - msgstr "" --"УВАГА: немає підтримки ідентифікатора черги Tevent, можливості аналізу " --"запитів буде обмежено.\n" -+"Помилка: немає підтримки ідентифікатора ланцюжка Tevent, можливість аналізу " -+"журналу недоступна.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -3006,6 +3006,12 @@ msgstr "Інформує про те, що на відповідачі заді - #~ "Рекомендуємо скористатися параметром --logdir для обробки журналу SSSD із " - #~ "підтримкою ідентифікаторів ланцюжка tevent.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "УВАГА: немає підтримки ідентифікатора черги Tevent, можливості аналізу " -+#~ "запитів буде обмежено.\n" -+ - #~ msgid "Running under %" - #~ msgstr "Запущено від імені %" - -diff --git a/po/zh_CN.po b/po/zh_CN.po -index 5f23f62eb..1ade71110 100644 ---- a/po/zh_CN.po -+++ b/po/zh_CN.po -@@ -4,7 +4,7 @@ - # - # Translators: - # Christopher Meng , 2012 --# Ludek Janda , 2020. #zanata, 2021. -+# Ludek Janda , 2020. #zanata, 2021, 2022. - # Pavel Brezina , 2020. #zanata - # Charles Lee , 2020, 2021. - # Sundeep Anand , 2021. -@@ -13,7 +13,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-12-22 07:16+0000\n" -+"PO-Revision-Date: 2022-01-05 12:23+0000\n" - "Last-Translator: Ludek Janda \n" - "Language-Team: Chinese (Simplified) \n" -@@ -22,7 +22,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Weblate 4.10\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -1007,7 +1007,7 @@ msgstr "Kerberos 备份服务器地址" - - #: src/config/SSSDConfig/sssdoptions.py:313 - msgid "Kerberos realm" --msgstr "Kerberos realm" -+msgstr "Kerberos 域" - - #: src/config/SSSDConfig/sssdoptions.py:314 - msgid "Authentication timeout" -@@ -1071,7 +1071,7 @@ msgstr "启用企业主体" - - #: src/config/SSSDConfig/sssdoptions.py:331 - msgid "Enables using of subdomains realms for authentication" --msgstr "启用使用子域域进行验证" -+msgstr "允许使用子域域进行身份验证" - - #: src/config/SSSDConfig/sssdoptions.py:332 - msgid "A mapping from user names to Kerberos principal names" -@@ -1128,7 +1128,7 @@ msgstr "离线时尝试重新连接的时间间隔" - - #: src/config/SSSDConfig/sssdoptions.py:350 - msgid "Use only the upper case for realm names" --msgstr "realm 名称仅使用大写字母" -+msgstr "对于域名称仅使用大写字母" - - #: src/config/SSSDConfig/sssdoptions.py:351 - msgid "File that contains CA certificates" -@@ -1164,7 +1164,7 @@ msgstr "指定要使用的 sasl 授权 ID" - - #: src/config/SSSDConfig/sssdoptions.py:359 - msgid "Specify the sasl authorization realm to use" --msgstr "指定要使用的 sasl 授权 realm" -+msgstr "指定要使用的 sasl 授权域" - - #: src/config/SSSDConfig/sssdoptions.py:360 - msgid "Specify the minimal SSF for LDAP sasl authorization" -@@ -1876,7 +1876,7 @@ msgstr "组创建 FAST 缓存为" - - #: src/providers/krb5/krb5_child.c:3336 - msgid "Kerberos realm to use" --msgstr "使用的 kerberos realm" -+msgstr "要使用的 kerberos 域" - - #: src/providers/krb5/krb5_child.c:3338 - msgid "Requested lifetime of the ticket" -@@ -1904,7 +1904,7 @@ msgstr "使用自定义版本的 krb5_get_init_creds_password" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "用于日志记录的 Tevent 链 ID" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2558,9 +2558,8 @@ msgid "Specify debug level you want to set" - msgstr "指定要设置的调试级别" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" --msgstr "注意:缺少 Tevent 链 ID 支持,请求分析会受到限制。\n" -+msgstr "ERROR:缺少 Tevent 链 ID 支持,不支持日志分析器。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -2803,6 +2802,10 @@ msgstr "通知响应者已被 dbus 激活" - #~ "supported SSSD logs.\n" - #~ msgstr "建议对 tevent 链 ID 支持的 SSSD 日志使用 --logdir 选项。\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "注意:缺少 Tevent 链 ID 支持,请求分析会受到限制。\n" -+ - #~ msgid "Running under %" - #~ msgstr "运行于 % 下" - -diff --git a/src/man/po/fi.po b/src/man/po/fi.po -index 6ebf97280..e5c596767 100644 ---- a/src/man/po/fi.po -+++ b/src/man/po/fi.po -@@ -4,7 +4,7 @@ msgstr "" - "Project-Id-Version: sssd-docs 2.3.0\n" - "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" - "POT-Creation-Date: 2021-12-20 16:05+0100\n" --"PO-Revision-Date: 2021-09-14 13:04+0000\n" -+"PO-Revision-Date: 2022-01-02 20:16+0000\n" - "Last-Translator: Jan Kuparinen \n" - "Language-Team: Finnish \n" -@@ -13,7 +13,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n != 1;\n" --"X-Generator: Weblate 4.8\n" -+"X-Generator: Weblate 4.10.1\n" - - #. type: Content of: - #: sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 -@@ -1393,7 +1393,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> - #: sssd.conf.5.xml:1115 - msgid "default_shell" --msgstr "" -+msgstr "Oletuskomentorivitulkki" - - #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:1118 -@@ -11978,7 +11978,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> - #: sssd-krb5.5.xml:174 - msgid "principal name" --msgstr "" -+msgstr "ensisijaisen nimi" - - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> - #: sssd-krb5.5.xml:178 -@@ -11988,7 +11988,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> - #: sssd-krb5.5.xml:179 - msgid "realm name" --msgstr "" -+msgstr "alueen nimi" - - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> - #: sssd-krb5.5.xml:182 -diff --git a/src/man/po/sv.po b/src/man/po/sv.po -index 9123017be..a96d14770 100644 ---- a/src/man/po/sv.po -+++ b/src/man/po/sv.po -@@ -7,7 +7,7 @@ msgstr "" - "Project-Id-Version: sssd-docs 2.3.0\n" - "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" - "POT-Creation-Date: 2021-12-20 16:05+0100\n" --"PO-Revision-Date: 2021-09-17 22:04+0000\n" -+"PO-Revision-Date: 2021-12-31 15:16+0000\n" - "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n" - "Language-Team: Swedish <https://translate.fedoraproject.org/projects/sssd/" - "sssd-manpage-master/sv/>\n" -@@ -16,7 +16,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n != 1;\n" --"X-Generator: Weblate 4.8\n" -+"X-Generator: Weblate 4.10.1\n" - - #. type: Content of: <reference><title> - #: sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 -@@ -678,6 +678,9 @@ msgid "" - "e. accessible via <quote>files</quote> service of <filename>nsswitch.conf</" - "filename>." - msgstr "" -+"Både ett användarnamn och ett aid kan användas men användaren skall vara " -+"lokal, d.v.s. åtkomlig via tjänsten <quote>files</quote> i <filename>nsswitch" -+".conf</filename>." - - #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:433 -@@ -3174,6 +3177,8 @@ msgid "" - "Local user names are required, i.e. accessible via <quote>files</quote> " - "service of <filename>nsswitch.conf</filename>." - msgstr "" -+"Lokalt användarnamn krävs, d.v.s. åtkomligt via tjänsten <quote>files</" -+"quote> i <filename>nsswitch.conf</filename>." - - #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:2177 -@@ -4800,6 +4805,8 @@ msgstr "" - msgid "" - "The AD provider will use this option for the CLDAP ping timeouts as well." - msgstr "" -+"AD-leverantören kommer även att använda detta alternativ för CLDAP-" -+"pingtidsgränsen." - - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:3437 sssd.conf.5.xml:3457 sssd.conf.5.xml:3476 -@@ -15938,7 +15945,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><refsect2><title> - #: sssd-ifp.5.xml:43 - msgid "FIND BY VALID CERTIFICATE" --msgstr "" -+msgstr "HITTA MED GILTIGT CERTIFIKAT" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para> - #: sssd-ifp.5.xml:45 -@@ -15946,6 +15953,8 @@ msgid "" - "The following options can be used to control how the certificates are " - "validated when using the FindByValidCertificate() API:" - msgstr "" -+"Följande alternativ kan användas för att styra hur certifikat valideras när " -+"API:et FindByValidCertificate() används:" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> - #: sssd-ifp.5.xml:48 sss_ssh_authorizedkeys.1.xml:92 -@@ -15964,16 +15973,12 @@ msgstr "certificate_verification" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para> - #: sssd-ifp.5.xml:52 --#, fuzzy --#| msgid "" --#| "For more details, see the <citerefentry> <refentrytitle>sssd.conf</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." - msgid "" - "For more details about the options see <citerefentry><refentrytitle>sssd." - "conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." - msgstr "" --"För fler detaljer, se manualsidan <citerefentry> <refentrytitle>sssd.conf</" --"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." -+"För fler detaljer om alternativet, se <citerefentry><refentrytitle>sssd." -+"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." - - #. type: Content of: <reference><refentry><refsect1><para> - #: sssd-ifp.5.xml:62 -@@ -20750,45 +20755,6 @@ msgstr "" - - #. type: Content of: <refsect1><para> - #: include/seealso.xml:4 --#, fuzzy --#| msgid "" --#| "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</" --#| "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" --#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" --#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" --#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sssd-files</" --#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase condition=" --#| "\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " --#| "<manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase condition=" --#| "\"with_secrets\"> <citerefentry> <refentrytitle>sssd-secrets</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " --#| "<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> " --#| "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" --#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sss_seed</" --#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" --#| "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> " --#| "<citerefentry> <refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " --#| "<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" --#| "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " --#| "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" --#| "manvolnum> </citerefentry>, </phrase> <citerefentry> " --#| "<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </" --#| "citerefentry>. <citerefentry> <refentrytitle>sss_rpcidmapd</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <phrase condition=" --#| "\"with_stap\"> <citerefentry> <refentrytitle>sssd-systemtap</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> </phrase>" - msgid "" - "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" - "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -@@ -20826,41 +20792,42 @@ msgid "" - "citerefentry> </phrase>" - msgstr "" - "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" --"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> <refentrytitle>sssd." -+"conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " - "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" --"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> <refentrytitle>sssd-" -+"krb5</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " - "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" --"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> <refentrytitle>sssd-" -+"ipa</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " - "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd-files</" --"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase condition=" --"\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " --"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase condition=" --"\"with_secrets\"> <citerefentry> <refentrytitle>sssd-secrets</refentrytitle> " --"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> " --"<refentrytitle>sssd-session-recording</refentrytitle> <manvolnum>5</" --"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_cache</" --"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> <refentrytitle>sssd-" -+"files</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " -+"condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" -+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " -+"<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> " -+"<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -+"<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" -+"citerefentry>, <citerefentry> " - "<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" --"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> " -+"<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" -+"citerefentry>, <citerefentry> " - "<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" --"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" --"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" --"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> " -+"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" -+"manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " -+"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</" -+"manvolnum> </citerefentry>, <citerefentry> " - "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" - "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " - "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" --"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" --"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " --"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" --"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " --"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" --"citerefentry> </phrase>" -+"manvolnum> </citerefentry>, </phrase> <citerefentry> " -+"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </" -+"citerefentry>. <citerefentry> <refentrytitle>sss_rpcidmapd</refentrytitle> " -+"<manvolnum>5</manvolnum> </citerefentry> <phrase condition=\"with_stap\"> " -+"<citerefentry> <refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</" -+"manvolnum> </citerefentry> </phrase>" - - #. type: Content of: <listitem><para> - #: include/ldap_search_bases.xml:3 -diff --git a/src/man/po/uk.po b/src/man/po/uk.po -index dd08f055e..e6477148e 100644 ---- a/src/man/po/uk.po -+++ b/src/man/po/uk.po -@@ -16,7 +16,7 @@ msgstr "" - "Project-Id-Version: sssd-docs 2.3.0\n" - "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" - "POT-Creation-Date: 2021-12-20 16:05+0100\n" --"PO-Revision-Date: 2021-10-20 03:21+0000\n" -+"PO-Revision-Date: 2021-12-22 10:38+0000\n" - "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n" - "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/sssd/" - "sssd-manpage-master/uk/>\n" -@@ -26,7 +26,7 @@ msgstr "" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" - "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" --"X-Generator: Weblate 4.8\n" -+"X-Generator: Weblate 4.10\n" - - #. type: Content of: <reference><title> - #: sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 -@@ -703,6 +703,9 @@ msgid "" - "e. accessible via <quote>files</quote> service of <filename>nsswitch.conf</" - "filename>." - msgstr "" -+"Можна скористатися іменем користувача і UID, але користувач має бути " -+"локальним, тобто доступним для служби <quote>files</quote> <filename>nsswitch" -+".conf</filename>." - - #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:433 -@@ -3255,6 +3258,8 @@ msgid "" - "Local user names are required, i.e. accessible via <quote>files</quote> " - "service of <filename>nsswitch.conf</filename>." - msgstr "" -+"Потрібні локальні імена користувачів, тобто імена, які доступні зі служби " -+"<quote>files</quote> <filename>nsswitch.conf</filename>." - - #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:2177 -@@ -4915,6 +4920,8 @@ msgstr "" - msgid "" - "The AD provider will use this option for the CLDAP ping timeouts as well." - msgstr "" -+"Надавач даних AD використовуватиме цей параметр також для визначення часу " -+"очікування на відгук на луна-імпульс CLDAP." - - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:3437 sssd.conf.5.xml:3457 sssd.conf.5.xml:3476 -@@ -16286,7 +16293,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><refsect2><title> - #: sssd-ifp.5.xml:43 - msgid "FIND BY VALID CERTIFICATE" --msgstr "" -+msgstr "ПОШУК ЗА ЧИННИМ СЕРТИФІКАТОМ" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para> - #: sssd-ifp.5.xml:45 -@@ -16294,6 +16301,8 @@ msgid "" - "The following options can be used to control how the certificates are " - "validated when using the FindByValidCertificate() API:" - msgstr "" -+"Для керування тим, як буде виконуватися перевірка, якщо використано " -+"програмний інтерфейс FindByValidCertificate(), використовують такі параметри:" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> - #: sssd-ifp.5.xml:48 sss_ssh_authorizedkeys.1.xml:92 -@@ -16312,15 +16321,11 @@ msgstr "certificate_verification" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para> - #: sssd-ifp.5.xml:52 --#, fuzzy --#| msgid "" --#| "For more details, see the <citerefentry> <refentrytitle>sssd.conf</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." - msgid "" - "For more details about the options see <citerefentry><refentrytitle>sssd." - "conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." - msgstr "" --"Щоб дізнатися більше, ознайомтеся зі сторінкою підручника щодо " -+"Щоб дізнатися більше про параметри, ознайомтеся зі сторінкою підручника щодо " - "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" - "manvolnum> </citerefentry>." - --- -2.26.3 - diff --git a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch new file mode 100644 index 0000000..965ceaa --- /dev/null +++ b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch @@ -0,0 +1,36 @@ +From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001 +From: Justin Stephenson <jstephen@redhat.com> +Date: Mon, 1 Aug 2022 09:54:51 -0400 +Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Skip calling cache_req_data_set_hybrid_lookup() when hybrid data +is NULL for certain NSS request types (e.g. Service by Name). + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +Reviewed-by: Pavel Březina <pbrezina@redhat.com> +(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7) +--- + src/responder/nss/nss_get_object.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c +index 9762d6bfe..5a2e7e9bd 100644 +--- a/src/responder/nss/nss_get_object.c ++++ b/src/responder/nss/nss_get_object.c +@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx, + input_name); + } + +- cache_req_data_set_hybrid_lookup(hybrid_data, true); ++ if (hybrid_data != NULL) { ++ cache_req_data_set_hybrid_lookup(hybrid_data, true); ++ } + + return hybrid_data; + } +-- +2.37.1 + diff --git a/SOURCES/0003-ad-add-required-cn-attribute-to-subdomain-object.patch b/SOURCES/0003-ad-add-required-cn-attribute-to-subdomain-object.patch deleted file mode 100644 index 2ff9888..0000000 --- a/SOURCES/0003-ad-add-required-cn-attribute-to-subdomain-object.patch +++ /dev/null @@ -1,42 +0,0 @@ -From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Thu, 16 Dec 2021 11:14:18 +0100 -Subject: [PATCH] ad: add required 'cn' attribute to subdomain object -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the forest root is not part of the return trusted domain objects -from the local domain controller we generate an object for further -processing. During this processing it is expected that the 'cn' -attribute is set and contains the name of the forest root. So far this -attribute was missing and it is now added by this patch. - -Resolves: https://github.com/SSSD/sssd/issues/5926 - -Reviewed-by: Pavel Březina <pbrezina@redhat.com> ---- - src/providers/ad/ad_subdomains.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index 0353de76f..0c3f8ac31 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq) - goto done; - } - -+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME, -+ state->forest); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n"); -+ goto done; -+ } -+ - err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id, - &id_val.data, &id_val.length); - if (err != IDMAP_SUCCESS) { --- -2.26.3 - diff --git a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch new file mode 100644 index 0000000..7f87ccc --- /dev/null +++ b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch @@ -0,0 +1,30 @@ +From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson <jstephen@redhat.com> +Date: Thu, 14 Jul 2022 11:21:04 -0400 +Subject: [PATCH] Analyzer: Fix escaping raw fstring + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> +(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19) +--- + src/tools/analyzer/modules/request.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py +index b8dd9b25c..935e13adc 100644 +--- a/src/tools/analyzer/modules/request.py ++++ b/src/tools/analyzer/modules/request.py +@@ -243,8 +243,8 @@ class RequestAnalyzer: + be_results = False + component = source.Component.NSS + resp = "nss" +- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]'] +- pattern.append(rf"\[CID#{cid}\\]") ++ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]'] ++ pattern.append(rf"\[CID#{cid}\]") + + if args.pam: + component = source.Component.PAM +-- +2.37.1 + diff --git a/SOURCES/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch b/SOURCES/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch deleted file mode 100644 index 07f55b0..0000000 --- a/SOURCES/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch +++ /dev/null @@ -1,140 +0,0 @@ -From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001 -From: Iker Pedrosa <ipedrosa@redhat.com> -Date: Thu, 13 Jan 2022 11:28:30 +0100 -Subject: [PATCH] krb5: AD and IPA don't change Kerberos port -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -AD and IPA providers use a common fo_server object for LDAP and -Kerberos, which is created with the LDAP data. This means that due to -the changes introduced in -https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f -the port in use for the Kerberos requests would be the one specified for -LDAP, usually the default one (389). - -In order to avoid that, AD and IPA providers shouldn't change the -Kerberos port with the one provided for LDAP. - -:fixes: A critical regression that prevented authentication of users via -AD and IPA providers was fixed. LDAP port was reused for Kerberos -communication and this provider would send incomprehensible information -to this port. - -Resolves: https://github.com/SSSD/sssd/issues/5947 - -Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> - -Reviewed-by: Pavel Březina <pbrezina@redhat.com> ---- - src/providers/ad/ad_common.c | 1 + - src/providers/ipa/ipa_common.c | 1 + - src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++------------- - src/providers/krb5/krb5_common.h | 1 + - 4 files changed, 23 insertions(+), 14 deletions(-) - -diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c -index e263444c5..1ca5f8e3a 100644 ---- a/src/providers/ad/ad_common.c -+++ b/src/providers/ad/ad_common.c -@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server) - if (service->krb5_service->write_kdcinfo) { - ret = write_krb5info_file_from_fo_server(service->krb5_service, - server, -+ true, - SSS_KRB5KDC_FO_SRV, - ad_krb5info_file_filter); - if (ret != EOK) { -diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c -index 1509cb1ce..e6c1f9aa4 100644 ---- a/src/providers/ipa/ipa_common.c -+++ b/src/providers/ipa/ipa_common.c -@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server) - if (service->krb5_service->write_kdcinfo) { - ret = write_krb5info_file_from_fo_server(service->krb5_service, - server, -+ true, - SSS_KRB5KDC_FO_SRV, - NULL); - if (ret != EOK) { -diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c -index 719ce6a12..5ffa20809 100644 ---- a/src/providers/krb5/krb5_common.c -+++ b/src/providers/krb5/krb5_common.c -@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv - - errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service, - struct fo_server *server, -+ bool force_default_port, - const char *service, - bool (*filter)(struct fo_server *)) - { -@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service, - if (filter == NULL || filter(server) == false) { - address = fo_server_address_or_name(tmp_ctx, server); - if (address) { -- port = fo_get_server_port(server); -- if (port != 0) { -- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port); -- if (address == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); -- talloc_free(tmp_ctx); -- return ENOMEM; -+ if (!force_default_port) { -+ port = fo_get_server_port(server); -+ if (port != 0) { -+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port); -+ if (address == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); -+ talloc_free(tmp_ctx); -+ return ENOMEM; -+ } - } - } - -@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service, - continue; - } - -- port = fo_get_server_port(item); -- if (port != 0) { -- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port); -- if (address == NULL) { -- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); -- talloc_free(tmp_ctx); -- return ENOMEM; -+ if (!force_default_port) { -+ port = fo_get_server_port(item); -+ if (port != 0) { -+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port); -+ if (address == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); -+ talloc_free(tmp_ctx); -+ return ENOMEM; -+ } - } - } - -@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server) - if (krb5_service->write_kdcinfo) { - ret = write_krb5info_file_from_fo_server(krb5_service, - server, -+ false, - krb5_service->name, - NULL); - if (ret != EOK) { -diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h -index 151f446d1..2fd39a751 100644 ---- a/src/providers/krb5/krb5_common.h -+++ b/src/providers/krb5/krb5_common.h -@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service, - - errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service, - struct fo_server *server, -+ bool force_default_port, - const char *service, - bool (*filter)(struct fo_server *)); - --- -2.26.3 - diff --git a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch new file mode 100644 index 0000000..a820d44 --- /dev/null +++ b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch @@ -0,0 +1,34 @@ +From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov <atikhono@redhat.com> +Date: Tue, 16 Aug 2022 21:48:43 +0200 +Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Sumit Bose <sbose@redhat.com> +Reviewed-by: Tomáš Halman <thalman@redhat.com> +(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f) +--- + src/sss_client/nss_mc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h +index de1496ccc..0f88521e9 100644 +--- a/src/sss_client/nss_mc.h ++++ b/src/sss_client/nss_mc.h +@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx { + }; + + #if HAVE_PTHREAD +-#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} ++#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0} + #else +-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} ++#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0} + #endif + + errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx); +-- +2.37.1 + diff --git a/SOURCES/0005-Revert-usertools-force-local-user-for-sssd-process-u.patch b/SOURCES/0005-Revert-usertools-force-local-user-for-sssd-process-u.patch deleted file mode 100644 index 54eea8e..0000000 --- a/SOURCES/0005-Revert-usertools-force-local-user-for-sssd-process-u.patch +++ /dev/null @@ -1,432 +0,0 @@ -From 37f90057792a0b4543f34684ed9a240fe8e869c1 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon, 11 Apr 2022 22:48:19 +0200 -Subject: [PATCH 5/6] Revert "usertools: force local user for sssd process - user" - -This reverts commit 9c447dc85853116c035bbc2f9e3b8553a65be621. - -Resolves: https://github.com/SSSD/sssd/issues/6107 - -Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> -Reviewed-by: Sumit Bose <sbose@redhat.com> ---- - Makefile.am | 3 - - src/tests/cwrap/Makefile.am | 8 +-- - src/tests/cwrap/common_mock_nss_dl_load.c | 77 ----------------------- - src/tests/cwrap/common_mock_nss_dl_load.h | 30 --------- - src/tests/cwrap/test_responder_common.c | 7 --- - src/tests/cwrap/test_usertools.c | 6 -- - src/util/nss_dl_load.c | 13 +--- - src/util/nss_dl_load.h | 3 - - src/util/nss_dl_load_extra.c | 40 ------------ - src/util/usertools.c | 32 +++------- - 10 files changed, 12 insertions(+), 207 deletions(-) - delete mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c - delete mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h - delete mode 100644 src/util/nss_dl_load_extra.c - -diff --git a/Makefile.am b/Makefile.am -index 1121a3fb2..e0dd5220c 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -888,7 +888,6 @@ dist_noinst_HEADERS = \ - src/tests/cmocka/test_expire_common.h \ - src/tests/cmocka/test_sdap_access.h \ - src/tests/cmocka/data_provider/mock_dp.h \ -- src/tests/cwrap/common_mock_nss_dl_load.h \ - src/sss_client/pam_message.h \ - src/sss_client/ssh/sss_ssh_client.h \ - src/sss_client/sudo/sss_sudo.h \ -@@ -1271,8 +1270,6 @@ libsss_util_la_SOURCES = \ - src/util/sss_regexp.c \ - src/util/sss_chain_id_tevent.c \ - src/util/sss_chain_id.c \ -- src/util/nss_dl_load.c \ -- src/util/nss_dl_load_extra.c \ - $(NULL) - libsss_util_la_CFLAGS = \ - $(AM_CFLAGS) \ -diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am -index 4ac24a492..f25d2e3c6 100644 ---- a/src/tests/cwrap/Makefile.am -+++ b/src/tests/cwrap/Makefile.am -@@ -142,17 +142,15 @@ endif - - usertools_tests_SOURCES = \ - test_usertools.c \ -- common_mock_nss_dl_load.c \ -- ../../../src/util/usertools.c \ - $(NULL) - usertools_tests_CFLAGS = \ - $(AM_CFLAGS) \ - $(NULL) - usertools_tests_LDADD = \ -- $(LIBADD_DL) \ - $(CMOCKA_LIBS) \ - $(POPT_LIBS) \ - $(TALLOC_LIBS) \ -+ $(abs_top_builddir)/libsss_util.la \ - $(abs_top_builddir)/libsss_debug.la \ - $(abs_top_builddir)/libsss_test_common.la \ - $(NULL) -@@ -162,10 +160,9 @@ endif - - responder_common_tests_SOURCES =\ - test_responder_common.c \ -- common_mock_nss_dl_load.c \ - $(SSSD_RESPONDER_IFACE_OBJ) \ - ../../../src/responder/common/negcache_files.c \ -- ../../../src/util/usertools.c \ -+ ../../../src/util/nss_dl_load.c \ - ../../../src/responder/common/negcache.c \ - ../../../src/responder/common/responder_common.c \ - ../../../src/responder/common/responder_packet.c \ -@@ -183,6 +180,7 @@ responder_common_tests_LDADD = \ - $(SSSD_LIBS) \ - $(SELINUX_LIBS) \ - $(SYSTEMD_DAEMON_LIBS) \ -+ $(abs_top_builddir)/libsss_util.la \ - $(abs_top_builddir)/libsss_debug.la \ - $(abs_top_builddir)/libsss_test_common.la \ - $(abs_top_builddir)/libsss_iface.la \ -diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c -deleted file mode 100644 -index 72f6c39ac..000000000 ---- a/src/tests/cwrap/common_mock_nss_dl_load.c -+++ /dev/null -@@ -1,77 +0,0 @@ --/* -- Authors: -- Iker Pedrosa <ipedrosa@redhat.com> -- -- Copyright (C) 2021 Red Hat -- -- SSSD tests: Fake nss dl load -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by -- the Free Software Foundation; either version 3 of the License, or -- (at your option) any later version. -- -- This program is distributed in the hope that it will be useful, -- but WITHOUT ANY WARRANTY; without even the implied warranty of -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- GNU General Public License for more details. -- -- You should have received a copy of the GNU General Public License -- along with this program. If not, see <http://www.gnu.org/licenses/>. --*/ -- --#include <sys/types.h> --#include <sys/stat.h> --#include <errno.h> --#include <stddef.h> -- --#include "common_mock_nss_dl_load.h" -- -- --static enum nss_status --mock_getpwnam_r(const char *name, struct passwd *result, -- char *buffer, size_t buflen, int *errnop) --{ -- void *pwd_pointer = NULL; -- int rc; -- -- rc = getpwnam_r(name, result, buffer, buflen, (struct passwd **)&pwd_pointer); -- if (rc == 0 && pwd_pointer == result) { -- *errnop = 0; -- return NSS_STATUS_SUCCESS; -- } else if (rc == 0 && (pwd_pointer == NULL)) { -- *errnop = ENOENT; -- return NSS_STATUS_NOTFOUND; -- } else { -- *errnop = rc; -- return NSS_STATUS_UNAVAIL; -- } --} -- --static enum nss_status --mock_getpwuid_r(uid_t uid, struct passwd *result, -- char *buffer, size_t buflen, int *errnop) --{ -- void *pwd_pointer = NULL; -- int rc; -- -- rc = getpwuid_r(uid, result, buffer, buflen, (struct passwd **)&pwd_pointer); -- if (rc == 0 && pwd_pointer == result) { -- *errnop = 0; -- return NSS_STATUS_SUCCESS; -- } else if (rc == 0 && (pwd_pointer == NULL)) { -- *errnop = ENOENT; -- return NSS_STATUS_NOTFOUND; -- } else { -- *errnop = rc; -- return NSS_STATUS_UNAVAIL; -- } --} -- --errno_t mock_sss_load_nss_pw_symbols(struct sss_nss_ops *ops) --{ -- ops->getpwnam_r = mock_getpwnam_r; -- ops->getpwuid_r = mock_getpwuid_r; -- -- return EOK; --} -diff --git a/src/tests/cwrap/common_mock_nss_dl_load.h b/src/tests/cwrap/common_mock_nss_dl_load.h -deleted file mode 100644 -index 6db411450..000000000 ---- a/src/tests/cwrap/common_mock_nss_dl_load.h -+++ /dev/null -@@ -1,30 +0,0 @@ --/* -- Authors: -- Iker Pedrosa <ipedrosa@redhat.com> -- -- Copyright (C) 2021 Red Hat -- -- SSSD tests: Fake nss dl load -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by -- the Free Software Foundation; either version 3 of the License, or -- (at your option) any later version. -- -- This program is distributed in the hope that it will be useful, -- but WITHOUT ANY WARRANTY; without even the implied warranty of -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- GNU General Public License for more details. -- -- You should have received a copy of the GNU General Public License -- along with this program. If not, see <http://www.gnu.org/licenses/>. --*/ -- --#ifndef __COMMON_MOCK_NSS_DL_LOAD_H_ --#define __COMMON_MOCK_NSS_DL_LOAD_H_ -- --#include "util/nss_dl_load.h" -- --errno_t mock_sss_load_nss_pw_symbols(struct sss_nss_ops *ops); -- --#endif /* __COMMON_MOCK_NSS_DL_LOAD_H_ */ -diff --git a/src/tests/cwrap/test_responder_common.c b/src/tests/cwrap/test_responder_common.c -index 571e95d36..11cc3abd8 100644 ---- a/src/tests/cwrap/test_responder_common.c -+++ b/src/tests/cwrap/test_responder_common.c -@@ -29,13 +29,6 @@ - #include "util/util.h" - #include "responder/common/responder.h" - #include "tests/cmocka/common_mock.h" --#include "tests/cwrap/common_mock_nss_dl_load.h" -- -- --errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops) --{ -- return mock_sss_load_nss_pw_symbols(ops); --} - - /* Just to satisfy dependencies */ - struct cli_protocol_version *register_cli_protocol_version(void) -diff --git a/src/tests/cwrap/test_usertools.c b/src/tests/cwrap/test_usertools.c -index eb30a540c..f61ae83e2 100644 ---- a/src/tests/cwrap/test_usertools.c -+++ b/src/tests/cwrap/test_usertools.c -@@ -27,12 +27,6 @@ - #include <popt.h> - #include "util/util.h" - #include "tests/cmocka/common_mock.h" --#include "tests/cwrap/common_mock_nss_dl_load.h" -- --errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops) --{ -- return mock_sss_load_nss_pw_symbols(ops); --} - - void test_get_user_num(void **state) - { -diff --git a/src/util/nss_dl_load.c b/src/util/nss_dl_load.c -index 379ccfa65..442108307 100644 ---- a/src/util/nss_dl_load.c -+++ b/src/util/nss_dl_load.c -@@ -48,16 +48,6 @@ static void *proxy_dlsym(void *handle, - return funcptr; - } - --static void sss_close_handle(struct sss_nss_ops *ops, const char *libname) --{ -- if (dlclose(ops->dl_handle) != 0) { -- DEBUG(SSSDBG_OP_FAILURE, -- "Error closing the handle for the '%s' library, error: %s.\n", -- libname, dlerror()); -- } -- -- ops->dl_handle = NULL; --} - - errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname, - struct sss_nss_symbols *syms, size_t nsyms) -@@ -82,7 +72,7 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname, - - for (i = 0; i < nsyms; i++) { - *(syms[i].fptr) = proxy_dlsym(ops->dl_handle, syms[i].fname, -- libname); -+ libname); - - if (*(syms[i].fptr) == NULL) { - if (syms[i].mandatory) { -@@ -90,7 +80,6 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname, - "mandatory symbol '%s', error: %s.\n", libpath, - syms[i].fname, dlerror()); - ret = ELIBBAD; -- sss_close_handle(ops, libname); - goto out; - } else { - DEBUG(SSSDBG_OP_FAILURE, "Library '%s' did not provide " -diff --git a/src/util/nss_dl_load.h b/src/util/nss_dl_load.h -index 07c04e091..f1e882b96 100644 ---- a/src/util/nss_dl_load.h -+++ b/src/util/nss_dl_load.h -@@ -23,8 +23,6 @@ - #include <pwd.h> - #include <grp.h> - #include <netdb.h> --#include <stdbool.h> -- - #include "util/util_errors.h" - #include "sss_client/nss_compat.h" - -@@ -120,6 +118,5 @@ struct sss_nss_symbols { - errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname, - struct sss_nss_symbols *syms, size_t nsyms); - --errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops); - - #endif /* __SSSD_NSS_DL_LOAD_H__ */ -diff --git a/src/util/nss_dl_load_extra.c b/src/util/nss_dl_load_extra.c -deleted file mode 100644 -index 162957025..000000000 ---- a/src/util/nss_dl_load_extra.c -+++ /dev/null -@@ -1,40 +0,0 @@ --/* -- SSSD -- -- nss_dl_load_extra.c -- -- Authors: -- Sumit Bose <sbose@redhat.com> -- Iker Pedrosa <ipedrosa@redhat.com> -- -- Copyright (C) 2021 Red Hat -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by -- the Free Software Foundation; either version 3 of the License, or -- (at your option) any later version. -- -- This program is distributed in the hope that it will be useful, -- but WITHOUT ANY WARRANTY; without even the implied warranty of -- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- GNU General Public License for more details. -- -- You should have received a copy of the GNU General Public License -- along with this program. If not, see <http://www.gnu.org/licenses/>. --*/ -- --#include "util/nss_dl_load.h" -- --errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops) --{ -- errno_t ret; -- struct sss_nss_symbols syms[] = { -- {(void*)&ops->getpwnam_r, true, "getpwnam_r" }, -- {(void*)&ops->getpwuid_r, true, "getpwuid_r" } -- }; -- size_t nsyms = sizeof(syms) / sizeof(struct sss_nss_symbols); -- -- ret = sss_load_nss_symbols(ops, "files", syms, nsyms); -- -- return ret; --} -diff --git a/src/util/usertools.c b/src/util/usertools.c -index 33315a798..511fb2d5d 100644 ---- a/src/util/usertools.c -+++ b/src/util/usertools.c -@@ -27,14 +27,12 @@ - - #include "db/sysdb.h" - #include "confdb/confdb.h" --#include "util/nss_dl_load.h" - #include "util/strtonum.h" - #include "util/util.h" - #include "util/safe-format-string.h" - #include "responder/common/responder.h" - - #define NAME_DOMAIN_PATTERN_OPTIONS (SSS_REGEXP_DUPNAMES | SSS_REGEXP_EXTENDED) --#define NSS_BUFFER_SIZE 16384 - - /* Function returns given realm name as new uppercase string */ - char *get_uppercase_realm(TALLOC_CTX *memctx, const char *name) -@@ -568,23 +566,10 @@ sss_fqname(char *str, size_t size, struct sss_names_ctx *nctx, - - errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid) - { -- static struct sss_nss_ops nss_ops; - uid_t uid; - errno_t ret; - char *endptr; -- struct passwd pwd = { 0 }; -- int errnop = 0; -- enum nss_status status; -- static char s_nss_buffer[NSS_BUFFER_SIZE]; -- -- if (!nss_ops.dl_handle) { -- ret = sss_load_nss_pw_symbols(&nss_ops); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Unable to load NSS symbols [%d]: %s\n", -- ret, sss_strerror(ret)); -- return ret; -- } -- } -+ struct passwd *pwd; - - /* Try if it's an ID first */ - uid = strtouint32(input, &endptr, 10); -@@ -596,27 +581,26 @@ errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid) - return ret; - } - -- status = nss_ops.getpwnam_r(input, &pwd, s_nss_buffer, NSS_BUFFER_SIZE, &errnop); -+ /* Nope, maybe a username? */ -+ pwd = getpwnam(input); - } else { -- status = nss_ops.getpwuid_r(uid, &pwd, s_nss_buffer, NSS_BUFFER_SIZE, &errnop); -+ pwd = getpwuid(uid); - } - -- if (status != NSS_STATUS_SUCCESS) { -+ if (pwd == NULL) { - DEBUG(SSSDBG_OP_FAILURE, - "[%s] is neither a valid UID nor a user name which could be " -- "resolved by getpwnam() [%d][%s]. status returned [%d]\n", -- input, errnop, strerror(errnop), status); -+ "resolved by getpwnam().\n", input); - return EINVAL; - } - - if (_uid) { -- *_uid = pwd.pw_uid; -+ *_uid = pwd->pw_uid; - } - - if (_gid) { -- *_gid = pwd.pw_gid; -+ *_gid = pwd->pw_gid; - } -- - return EOK; - } - --- -2.26.3 - diff --git a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch new file mode 100644 index 0000000..f759975 --- /dev/null +++ b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch @@ -0,0 +1,78 @@ +From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov <atikhono@redhat.com> +Date: Tue, 16 Aug 2022 21:51:03 +0200 +Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be + touched +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL` +was creating a possibility for a race. + +Reviewed-by: Sumit Bose <sbose@redhat.com> +Reviewed-by: Tomáš Halman <thalman@redhat.com> +(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757) +--- + src/sss_client/nss_mc.h | 4 +++- + src/sss_client/nss_mc_common.c | 20 ++++++++++---------- + 2 files changed, 13 insertions(+), 11 deletions(-) + +diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h +index 0f88521e9..9ab2736fa 100644 +--- a/src/sss_client/nss_mc.h ++++ b/src/sss_client/nss_mc.h +@@ -44,7 +44,9 @@ enum sss_mc_state { + RECYCLED, + }; + +-/* common stuff */ ++/* In the case this structure is extended, don't forget to update ++ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`. ++ */ + struct sss_cli_mc_ctx { + enum sss_mc_state initialized; + #if HAVE_PTHREAD +diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c +index f38a4a85a..3128861bf 100644 +--- a/src/sss_client/nss_mc_common.c ++++ b/src/sss_client/nss_mc_common.c +@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) + + static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) + { +- uint32_t active_threads = ctx->active_threads; +-#if HAVE_PTHREAD +- pthread_mutex_t *mutex = ctx->mutex; +-#endif + + if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { + munmap(ctx->mmap_base, ctx->mmap_size); + } ++ ctx->mmap_base = NULL; ++ ctx->mmap_size = 0; ++ + if (ctx->fd != -1) { + close(ctx->fd); + } +- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx)); + ctx->fd = -1; + +- /* restore count of active threads */ +- ctx->active_threads = active_threads; +-#if HAVE_PTHREAD +- ctx->mutex = mutex; +-#endif ++ ctx->seed = 0; ++ ctx->data_table = NULL; ++ ctx->dt_size = 0; ++ ctx->hash_table = NULL; ++ ctx->ht_size = 0; ++ ctx->initialized = UNINITIALIZED; ++ /* `mutex` and `active_threads` should be left intact */ + } + + static errno_t sss_nss_mc_init_ctx(const char *name, +-- +2.37.1 + diff --git a/SOURCES/0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch b/SOURCES/0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch deleted file mode 100644 index 85a2b59..0000000 --- a/SOURCES/0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 3c6218aa91026e066e793ee26333ea64fd6bc50e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov <atikhono@redhat.com> -Date: Mon, 11 Apr 2022 22:49:30 +0200 -Subject: [PATCH 6/6] Revert "man: sssd.conf and sssd-ifp clarify user option" - -This reverts commit 3d25724dc63dffb6d734790e58b1647e3a64e84f. - -Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> -Reviewed-by: Sumit Bose <sbose@redhat.com> ---- - src/man/sssd-ifp.5.xml | 5 ----- - src/man/sssd.conf.5.xml | 11 ----------- - 2 files changed, 16 deletions(-) - -diff --git a/src/man/sssd-ifp.5.xml b/src/man/sssd-ifp.5.xml -index d3080537a..1c35d58a8 100644 ---- a/src/man/sssd-ifp.5.xml -+++ b/src/man/sssd-ifp.5.xml -@@ -71,11 +71,6 @@ - responder. User names are resolved to UIDs at - startup. - </para> -- <para> -- Local user names are required, i.e. accessible via -- <quote>files</quote> service of -- <filename>nsswitch.conf</filename>. -- </para> - <para> - Default: 0 (only the root user is allowed to access - the InfoPipe responder) -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index b6c5912f9..1b8ea7398 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -423,12 +423,6 @@ - responder. - </phrase> - </para> -- <para> -- Both a user name and a uid can be used but the -- user should be a local one, i.e. accessible via -- <quote>files</quote> service of -- <filename>nsswitch.conf</filename>. -- </para> - <para> - Default: not set, process will run as root - </para> -@@ -2168,11 +2162,6 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - responder. User names are resolved to UIDs at - startup. - </para> -- <para> -- Local user names are required, i.e. accessible via -- <quote>files</quote> service of -- <filename>nsswitch.conf</filename>. -- </para> - <para> - Default: 0 (only the root user is allowed to access - the PAC responder) --- -2.26.3 - diff --git a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch new file mode 100644 index 0000000..0e06c29 --- /dev/null +++ b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch @@ -0,0 +1,33 @@ +From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson <jstephen@redhat.com> +Date: Mon, 15 Aug 2022 16:17:59 -0400 +Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup + +Fixes an issue when the sssctl analyzer option is +used on systems where SSSD is not running or configured. This is +an expected use case when using --logdir option to analyze external +log files. + +Resolves: https://github.com/SSSD/sssd/issues/6298 + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +--- + src/tools/sssctl/sssctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 3816125ad..f18689f9f 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -296,7 +296,7 @@ int main(int argc, const char **argv) + SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove), + SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch), + SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level), +- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze), ++ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT), + #ifdef HAVE_LIBINI_CONFIG_V1_3 + SSS_TOOL_DELIMITER("Configuration files tools:"), + SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT), +-- +2.37.1 + diff --git a/SOURCES/0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch b/SOURCES/0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch deleted file mode 100644 index da5505b..0000000 --- a/SOURCES/0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch +++ /dev/null @@ -1,175 +0,0 @@ -From 51e92297157562511baf8902777f02a4aa2e70e6 Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Tue, 15 Mar 2022 11:36:45 +0100 -Subject: [PATCH] ad: use right sdap_domain in ad_domain_info_send -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Originally ad_domain_info_send() was only called when there was only a -single domain available and hence only a single sdap_domain struct with -the search bases in the sdap_domain list. Since ad_domain_info_send() is -now called at other times as well the right sdap_domain struct must be -selected so that the right search bases are used. - -Resolves: https://github.com/SSSD/sssd/issues/6063 - -Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> -Reviewed-by: Pavel Březina <pbrezina@redhat.com> ---- - src/providers/ad/ad_domain_info.c | 10 +++++- - src/providers/ldap/ldap_common.h | 3 ++ - src/providers/ldap/sdap_domain.c | 21 ++++++++++++ - src/tests/cmocka/test_search_bases.c | 48 +++++++++++++++++++++++++++- - 4 files changed, 80 insertions(+), 2 deletions(-) - -diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c -index 52b2e2442..f3a82a198 100644 ---- a/src/providers/ad/ad_domain_info.c -+++ b/src/providers/ad/ad_domain_info.c -@@ -181,6 +181,7 @@ struct ad_domain_info_state { - struct sdap_id_op *id_op; - struct sdap_id_ctx *id_ctx; - struct sdap_options *opts; -+ struct sdap_domain *sdom; - - const char *dom_name; - int base_iter; -@@ -215,6 +216,13 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx, - state->id_ctx = conn->id_ctx; - state->opts = conn->id_ctx->opts; - state->dom_name = dom_name; -+ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name); -+ if (state->sdom == NULL || state->sdom->search_bases == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n"); -+ ret = EINVAL; -+ goto immediate; -+ } -+ - - ret = ad_domain_info_next(req); - if (ret != EOK && ret != EAGAIN) { -@@ -243,7 +251,7 @@ ad_domain_info_next(struct tevent_req *req) - struct ad_domain_info_state *state = - tevent_req_data(req, struct ad_domain_info_state); - -- base = state->opts->sdom->search_bases[state->base_iter]; -+ base = state->sdom->search_bases[state->base_iter]; - if (base == NULL) { - return EOK; - } -diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h -index c78338b5d..426ee68df 100644 ---- a/src/providers/ldap/ldap_common.h -+++ b/src/providers/ldap/ldap_common.h -@@ -391,6 +391,9 @@ sdap_domain_remove(struct sdap_options *opts, - struct sdap_domain *sdap_domain_get(struct sdap_options *opts, - struct sss_domain_info *dom); - -+struct sdap_domain *sdap_domain_get_by_name(struct sdap_options *opts, -+ const char *dom_name); -+ - struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts, - const char *dn); - -diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c -index fa6e9340d..1785dd20d 100644 ---- a/src/providers/ldap/sdap_domain.c -+++ b/src/providers/ldap/sdap_domain.c -@@ -44,6 +44,27 @@ sdap_domain_get(struct sdap_options *opts, - return sditer; - } - -+struct sdap_domain * -+sdap_domain_get_by_name(struct sdap_options *opts, -+ const char *dom_name) -+{ -+ struct sdap_domain *sditer = NULL; -+ -+ if (dom_name == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Missing domain name.\n"); -+ return NULL; -+ } -+ -+ DLIST_FOR_EACH(sditer, opts->sdom) { -+ if (sditer->dom->name != NULL -+ && strcasecmp(sditer->dom->name, dom_name) == 0) { -+ break; -+ } -+ } -+ -+ return sditer; -+} -+ - struct sdap_domain * - sdap_domain_get_by_dn(struct sdap_options *opts, - const char *dn) -diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c -index 109fa04bf..3276cf118 100644 ---- a/src/tests/cmocka/test_search_bases.c -+++ b/src/tests/cmocka/test_search_bases.c -@@ -176,6 +176,51 @@ void test_get_by_dn_fail(void **state) - do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS); - } - -+void test_sdap_domain_get_by_name(void **state) -+{ -+ struct sdap_options *opts; -+ struct sss_domain_info dom1 = { 0 }; -+ dom1.name = discard_const("dom1"); -+ struct sss_domain_info dom2 = { 0 }; -+ dom2.name = discard_const("dom2"); -+ struct sss_domain_info dom3 = { 0 }; -+ dom3.name = discard_const("dom3"); -+ int ret; -+ struct sdap_domain *sdom; -+ -+ opts = talloc_zero(NULL, struct sdap_options); -+ assert_non_null(opts); -+ -+ ret = sdap_domain_add(opts, &dom1, NULL); -+ assert_int_equal(ret, EOK); -+ -+ ret = sdap_domain_add(opts, &dom2, NULL); -+ assert_int_equal(ret, EOK); -+ -+ ret = sdap_domain_add(opts, &dom3, NULL); -+ assert_int_equal(ret, EOK); -+ -+ sdom = sdap_domain_get_by_name(opts, NULL); -+ assert_null(sdom); -+ -+ sdom = sdap_domain_get_by_name(opts, "abc"); -+ assert_null(sdom); -+ -+ sdom = sdap_domain_get_by_name(opts, "dom1"); -+ assert_non_null(sdom); -+ assert_ptr_equal(sdom->dom, &dom1); -+ -+ sdom = sdap_domain_get_by_name(opts, "dom2"); -+ assert_non_null(sdom); -+ assert_ptr_equal(sdom->dom, &dom2); -+ -+ sdom = sdap_domain_get_by_name(opts, "dom3"); -+ assert_non_null(sdom); -+ assert_ptr_equal(sdom->dom, &dom3); -+ -+ talloc_free(opts); -+} -+ - int main(void) - { - const struct CMUnitTest tests[] = { -@@ -183,7 +228,8 @@ int main(void) - cmocka_unit_test(test_search_bases_success), - cmocka_unit_test(test_get_by_dn_fail), - cmocka_unit_test(test_get_by_dn), -- cmocka_unit_test(test_get_by_dn2) -+ cmocka_unit_test(test_get_by_dn2), -+ cmocka_unit_test(test_sdap_domain_get_by_name) - }; - - return cmocka_run_group_tests(tests, NULL, NULL); --- -2.34.3 - diff --git a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch new file mode 100644 index 0000000..769e082 --- /dev/null +++ b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch @@ -0,0 +1,297 @@ +From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001 +From: Justin Stephenson <jstephen@redhat.com> +Date: Fri, 19 Aug 2022 09:50:22 -0400 +Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Client ID is not stored properly to match requests +when parallel requests are made to client SSSD + +Resolves: https://github.com/SSSD/sssd/issues/6307 + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +Reviewed-by: Pavel Březina <pbrezina@redhat.com> + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +--- + src/responder/common/cache_req/cache_req.c | 5 +++-- + .../plugins/cache_req_autofs_entry_by_name.c | 3 ++- + .../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++- + .../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++- + .../plugins/cache_req_ssh_host_id_by_name.c | 3 ++- + src/responder/common/responder.h | 2 +- + src/responder/common/responder_common.c | 12 +++++++----- + src/responder/common/responder_dp.c | 5 +++-- + src/responder/common/responder_get_domains.c | 3 ++- + src/responder/pam/pamsrv_cmd.c | 4 ++-- + 10 files changed, 26 insertions(+), 17 deletions(-) + +diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c +index 4dd45b038..bc65bae71 100644 +--- a/src/responder/common/cache_req/cache_req.c ++++ b/src/responder/common/cache_req/cache_req.c +@@ -24,6 +24,7 @@ + #include <errno.h> + + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "responder/common/responder.h" + #include "responder/common/cache_req/cache_req_private.h" + #include "responder/common/cache_req/cache_req_plugin.h" +@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx, + } + state->first_iteration = true; + +- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n", +- rctx->client_id_num, cr->reqname); ++ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n", ++ sss_chain_id_get(), cr->reqname); + + ret = cache_req_is_well_known_object(state, cr, &result); + if (ret == EOK) { +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +index 788b6708c..b2b0a06eb 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +@@ -24,6 +24,7 @@ + #include "db/sysdb.h" + #include "db/sysdb_autofs.h" + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "providers/data_provider.h" + #include "responder/common/cache_req/cache_req_plugin.h" + +@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx, + be_conn->bus_name, SSS_BUS_PATH, + 0, data->name.name, + data->autofs_entry_name, +- cr->rctx->client_id_num); ++ sss_chain_id_get()); + } + + bool +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +index 5d82641cc..23b11b1cd 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +@@ -24,6 +24,7 @@ + #include "db/sysdb.h" + #include "db/sysdb_autofs.h" + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "providers/data_provider.h" + #include "responder/common/cache_req/cache_req_plugin.h" + +@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx, + return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, + 0, data->name.name, +- cr->rctx->client_id_num); ++ sss_chain_id_get()); + } + + bool +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +index 29f289723..18c08ca39 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +@@ -24,6 +24,7 @@ + #include "db/sysdb.h" + #include "db/sysdb_autofs.h" + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "providers/data_provider.h" + #include "responder/common/cache_req/cache_req_plugin.h" + +@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx, + return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, + 0, data->name.name, +- cr->rctx->client_id_num); ++ sss_chain_id_get()); + } + + bool +diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c +index a8b8f47a8..29f52f10d 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c +@@ -23,6 +23,7 @@ + + #include "db/sysdb_ssh.h" + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "providers/data_provider.h" + #include "responder/common/cache_req/cache_req_plugin.h" + +@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx, + return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, + 0, data->name.name, data->alias, +- cr->rctx->client_id_num); ++ sss_chain_id_get()); + } + + static bool +diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h +index 5cb79e3e6..259b3ff13 100644 +--- a/src/responder/common/responder.h ++++ b/src/responder/common/responder.h +@@ -165,13 +165,13 @@ struct cli_ctx { + + struct cli_creds *creds; + char *cmd_line; +- uint64_t old_chain_id; + + void *protocol_ctx; + void *state_ctx; + + struct tevent_timer *idle; + time_t last_request_time; ++ uint32_t client_id_num; + }; + + struct sss_cmd_table { +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index 6e3b61ef0..a4ba8ea71 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev, + "Failed to close fd [%d]: [%s]\n", + ctx->cfd, strerror(ret)); + } +- /* Restore the original chain id */ +- sss_chain_id_set(ctx->old_chain_id); + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Terminated client [%p][%d]\n", +@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev, + int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd; + + rctx->client_id_num++; +- + if (accept_ctx->is_private) { + ret = stat(rctx->priv_sock_name, &stat_buf); + if (ret == -1) { +@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev, + + talloc_set_destructor(cctx, cli_ctx_destructor); + ++ cctx->client_id_num = rctx->client_id_num; ++ + len = sizeof(cctx->addr); + cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len); + if (cctx->cfd == -1) { +@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev, + + DEBUG(SSSDBG_TRACE_FUNC, + "[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n", +- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), ++ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), + cctx, cctx->cfd, accept_ctx->is_private ? " to privileged pipe" : ""); + + return; +@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr, + uint16_t flags) + { + errno_t ret; ++ uint64_t old_chain_id; + struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx); + + /* Always reset the responder idle timer on any activity */ +@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr, + } + + /* Set the chain id */ +- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num); ++ old_chain_id = sss_chain_id_set(cctx->client_id_num); + + if (flags & TEVENT_FD_READ) { + recv_fn(cctx); +@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr, + send_fn(cctx); + return; + } ++ /* Restore the original chain id */ ++ sss_chain_id_set(old_chain_id); + } + + int sss_connection_setup(struct cli_ctx *cctx) +diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c +index d549e02d3..4b4770da1 100644 +--- a/src/responder/common/responder_dp.c ++++ b/src/responder/common/responder_dp.c +@@ -23,6 +23,7 @@ + #include <sys/time.h> + #include <time.h> + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "responder/common/responder_packet.h" + #include "responder/common/responder.h" + #include "providers/data_provider.h" +@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx, + subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, dp_flags, + entry_type, filter, dom->name, extra, +- rctx->client_id_num); ++ sss_chain_id_get()); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); + ret = ENOMEM; +@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx, + SSS_BUS_PATH, + dp_flags, entry_type, + filter_type, filter_value, +- rctx->client_id_num); ++ sss_chain_id_get()); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); + ret = ENOMEM; +diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c +index 918124756..aeff28d73 100644 +--- a/src/responder/common/responder_get_domains.c ++++ b/src/responder/common/responder_get_domains.c +@@ -19,6 +19,7 @@ + */ + + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "responder/common/responder.h" + #include "providers/data_provider.h" + #include "db/sysdb.h" +@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx, + be_conn->bus_name, + SSS_BUS_PATH, dp_flags, + entry_type, filter, +- rctx->client_id_num); ++ sss_chain_id_get()); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); + ret = ENOMEM; +diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c +index cb0e1b82f..1695554fc 100644 +--- a/src/responder/pam/pamsrv_cmd.c ++++ b/src/responder/pam/pamsrv_cmd.c +@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) + } + preq->cctx = cctx; + preq->cert_auth_local = false; +- preq->client_id_num = pctx->rctx->client_id_num; ++ preq->client_id_num = cctx->client_id_num; + + preq->pd = create_pam_data(preq); + if (!preq->pd) { +@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) + + pd->cmd = pam_cmd; + pd->priv = cctx->priv; +- pd->client_id_num = pctx->rctx->client_id_num; ++ pd->client_id_num = cctx->client_id_num; + + ret = pam_forwarder_parse_data(cctx, pd); + if (ret == EAGAIN) { +-- +2.37.1 + diff --git a/SOURCES/0008-ad-add-fallback-in-ad_domain_info_send.patch b/SOURCES/0008-ad-add-fallback-in-ad_domain_info_send.patch deleted file mode 100644 index 093fea8..0000000 --- a/SOURCES/0008-ad-add-fallback-in-ad_domain_info_send.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 80ffa314c669feaaffe487d8ea5004c149d948c8 Mon Sep 17 00:00:00 2001 -From: Sumit Bose <sbose@redhat.com> -Date: Mon, 23 May 2022 09:05:43 +0200 -Subject: [PATCH] ad: add fallback in ad_domain_info_send() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed -ad_domain_info_send() to handle multiple domains by searching for the -matching sdap_domain data. Unfortunately it assumed that the configured -name and the DNS domain name are always matching. This is true for all -sub-domains discovered at runtime by DNS lookups but might not be true -for the domain configured in sssd.conf. Since the configured domain is -the first in the list of sdap_domain data it will be used as a fallback -in case no data could be found by name. - -Resolves: https://github.com/SSSD/sssd/issues/6170 - -Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> -Reviewed-by: Pavel Březina <pbrezina@redhat.com> -(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e) ---- - src/providers/ad/ad_domain_info.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c -index f3a82a198..9583c74b9 100644 ---- a/src/providers/ad/ad_domain_info.c -+++ b/src/providers/ad/ad_domain_info.c -@@ -217,8 +217,23 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx, - state->opts = conn->id_ctx->opts; - state->dom_name = dom_name; - state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name); -+ /* The first domain in the list is the domain configured in sssd.conf and -+ * here it might be possible that the domain name from the config file and -+ * the DNS domain name do not match. All other sub-domains are discovered -+ * at runtime with the help of DNS lookups so it is expected that the -+ * names matches. Hence it makes sense to fall back to the first entry in -+ * the list if no matching domain was found since it is most probably -+ * related to the configured domain. */ -+ if (state->sdom == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "No internal domain data found for [%s], " -+ "falling back to first domain.\n", -+ state->dom_name); -+ state->sdom = state->opts->sdom; -+ } - if (state->sdom == NULL || state->sdom->search_bases == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n"); -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Missing internal domain data for domain [%s].\n", -+ state->dom_name); - ret = EINVAL; - goto immediate; - } --- -2.34.3 - diff --git a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch new file mode 100644 index 0000000..b2c49e1 --- /dev/null +++ b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch @@ -0,0 +1,185 @@ +From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson <jstephen@redhat.com> +Date: Fri, 19 Aug 2022 14:44:11 -0400 +Subject: [PATCH 9/9] Analyzer: support parallel requests parsing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Analyzer code(primarily the list verbose command) needs +changes to handle parsing the necessary lines from +NSS/PAM log files when multiple intermixed/parallel +client requests are sent to SSSD. + +Resolves: https://github.com/SSSD/sssd/issues/6307 + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +Reviewed-by: Pavel Březina <pbrezina@redhat.com> + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +--- + src/tools/analyzer/modules/request.py | 119 +++++++++++++++----------- + 1 file changed, 67 insertions(+), 52 deletions(-) + +diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py +index 935e13adc..b9fe3caf8 100644 +--- a/src/tools/analyzer/modules/request.py ++++ b/src/tools/analyzer/modules/request.py +@@ -16,7 +16,6 @@ class RequestAnalyzer: + """ + module_parser = None + consumed_logs = [] +- done = "" + list_opts = [ + Option('--verbose', 'Verbose output', bool, '-v'), + Option('--pam', 'Filter only PAM requests', bool), +@@ -149,58 +148,74 @@ class RequestAnalyzer: + print(line) + return found_results + +- def print_formatted(self, line, verbose): ++ def print_formatted_verbose(self, source, patterns): ++ """ ++ Parse line and print formatted verbose list_requests output ++ ++ Args: ++ source (Reader): source Reader object ++ patterns (list): List of regex patterns to use for ++ matching lines ++ """ ++ # Get CID number, and print the basic line first ++ for line in self.matched_line(source, patterns): ++ cid = self.print_formatted(line) ++ ++ # Loop through each line with this CID number to extract and ++ # print the verbose data needed ++ verbose_patterns = ["(cache_req_send|cache_req_process_input|" ++ "cache_req_search_send)"] ++ for cidline in self.matched_line(source, verbose_patterns): ++ plugin = "" ++ name = "" ++ id = "" ++ ++ # skip any lines not pertaining to this CID ++ if f"CID#{cid}]" not in cidline: ++ continue ++ if "refreshed" in cidline: ++ continue ++ # CR Plugin name ++ if re.search("cache_req_send", cidline): ++ plugin = cidline.split('\'')[1] ++ # CR Input name ++ elif re.search("cache_req_process_input", cidline): ++ name = cidline.rsplit('[')[-1] ++ # CR Input id ++ elif re.search("cache_req_search_send", cidline): ++ id = cidline.rsplit()[-1] ++ ++ if plugin: ++ print(" - " + plugin) ++ if name: ++ print(" - " + name[:-2]) ++ if (id and ("UID" in cidline or "GID" in cidline)): ++ print(" - " + id) ++ ++ def print_formatted(self, line): + """ + Parse line and print formatted list_requests output + + Args: + line (str): line to parse +- verbose (bool): If true, enable verbose output ++ Returns: ++ Client ID from printed line, 0 otherwise + """ +- plugin = "" +- name = "" +- id = "" +- + # exclude backtrace logs + if line.startswith(' * '): +- return +- fields = line.split("[") +- cr_field = fields[3][7:] +- cr = cr_field.split(":")[0][4:] ++ return 0 + if "refreshed" in line: +- return +- # CR Plugin name +- if re.search("cache_req_send", line): +- plugin = line.split('\'')[1] +- # CR Input name +- elif re.search("cache_req_process_input", line): +- name = line.rsplit('[')[-1] +- # CR Input id +- elif re.search("cache_req_search_send", line): +- id = line.rsplit()[-1] +- # CID and client process name +- else: +- ts = line.split(")")[0] +- ts = ts[1:] +- fields = line.split("[") +- cid = fields[3][4:-9] +- cmd = fields[4][4:-1] +- uid = fields[5][4:-1] +- if not uid.isnumeric(): +- uid = fields[6][4:-1] +- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') +- +- if verbose: +- if plugin: +- print(" - " + plugin) +- if name: +- if cr not in self.done: +- print(" - " + name[:-2]) +- self.done = cr +- if id: +- if cr not in self.done: +- print(" - " + id) +- self.done = cr ++ return 0 ++ ts = line.split(")")[0] ++ ts = ts[1:] ++ fields = line.split("[") ++ cid = fields[3][4:-9] ++ cmd = fields[4][4:-1] ++ uid = fields[5][4:-1] ++ if not uid.isnumeric(): ++ uid = fields[6][4:-1] ++ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') ++ return cid + + def list_requests(self, args): + """ +@@ -215,20 +230,20 @@ class RequestAnalyzer: + # Log messages matching the following regex patterns contain + # the useful info we need to produce list output + patterns = [r'\[cmd'] +- patterns.append("(cache_req_send|cache_req_process_input|" +- "cache_req_search_send)") + if args.pam: + component = source.Component.PAM + resp = "pam" + + logger.info(f"******** Listing {resp} client requests ********") + source.set_component(component, False) +- self.done = "" +- for line in self.matched_line(source, patterns): +- if isinstance(source, Journald): +- print(line) +- else: +- self.print_formatted(line, args.verbose) ++ if args.verbose: ++ self.print_formatted_verbose(source, patterns) ++ else: ++ for line in self.matched_line(source, patterns): ++ if isinstance(source, Journald): ++ print(line) ++ else: ++ self.print_formatted(line) + + def track_request(self, args): + """ +-- +2.37.1 + diff --git a/SOURCES/0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch b/SOURCES/0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch deleted file mode 100644 index b757a37..0000000 --- a/SOURCES/0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 0eae7db9e06645ef88d0cf15672770776293edb5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com> -Date: Mon, 23 May 2022 11:05:01 +0200 -Subject: [PATCH] pam_sss_gss: KRB5CCNAME may be NULL - -Resolves: https://github.com/SSSD/sssd/issues/6180 - -:fixes: A regression in pam_sss_gss module causing a failure if - KRB5CCNAME environment variable was not set was fixed. - -Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> -Reviewed-by: Sumit Bose <sbose@redhat.com> -(cherry picked from commit 9aad30711a5928f0e8a3627305b6449291de507f) ---- - src/sss_client/pam_sss_gss.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c -index 51047efc3..77a58e4cf 100644 ---- a/src/sss_client/pam_sss_gss.c -+++ b/src/sss_client/pam_sss_gss.c -@@ -492,7 +492,8 @@ static errno_t sss_cli_getenv(const char *variable_name, char **_value) - { - char *value = getenv(variable_name); - if (value == NULL) { -- return ENOENT; -+ *_value = NULL; -+ return EOK; - } - - *_value = strdup(value); --- -2.34.3 - diff --git a/SOURCES/0010-CLIENT-fix-client-fd-leak.patch b/SOURCES/0010-CLIENT-fix-client-fd-leak.patch new file mode 100644 index 0000000..48622c8 --- /dev/null +++ b/SOURCES/0010-CLIENT-fix-client-fd-leak.patch @@ -0,0 +1,295 @@ +From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov <atikhono@redhat.com> +Date: Thu, 25 Aug 2022 18:10:46 +0200 +Subject: [PATCH] CLIENT: fix client fd leak + + - close client socket at thread exit + - only build lock-free client support if libc has required + functionality for a proper cleanup + - use proper mechanisms to init lock_mode only once + +:relnote:Lock-free client support will be only built if libc +provides `pthread_key_create()` and `pthread_once()`. For glibc +this means version 2.34+ + +Reviewed-by: Justin Stephenson <jstephen@redhat.com> +Reviewed-by: Sumit Bose <sbose@redhat.com> +(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb) +--- + configure.ac | 29 +++++++++-- + src/man/Makefile.am | 5 +- + src/man/sssd.8.xml | 2 +- + src/sss_client/common.c | 83 +++++++++++++++++++------------- + src/sss_client/idmap/common_ex.c | 4 ++ + 5 files changed, 84 insertions(+), 39 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 93bd93b85..5a05de41e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]]) + m4_include([src/build_macros.m4]) + BUILD_WITH_SHARED_BUILD_DIR + +-AC_COMPILE_IFELSE( ++ ++SAVE_LIBS=$LIBS ++LIBS= ++AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[#include <pthread.h>]], + [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER; +- (void) m; /* unused */ ++ pthread_mutex_lock(&m); ++ pthread_mutex_unlock(&m); + ]])], + [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.]) + HAVE_PTHREAD=1 + ], +- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])]) ++ [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])]) ++LIBS=$SAVE_LIBS ++AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) + + +-AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) ++SAVE_LIBS=$LIBS ++LIBS= ++AC_LINK_IFELSE( ++ [AC_LANG_PROGRAM([[#include <pthread.h>]], ++ [[static pthread_key_t k; ++ static pthread_once_t f = PTHREAD_ONCE_INIT; ++ pthread_once(&f, NULL); ++ pthread_key_create(&k, NULL); ++ ]])], ++ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.]) ++ HAVE_PTHREAD_EXT=1 ++ ], ++ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])]) ++LIBS=$SAVE_LIBS ++AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"]) ++ + + # Check library for the timer_create function + SAVE_LIBS=$LIBS +diff --git a/src/man/Makefile.am b/src/man/Makefile.am +index 93dd14819..063ff1bf0 100644 +--- a/src/man/Makefile.am ++++ b/src/man/Makefile.am +@@ -46,9 +46,12 @@ endif + if BUILD_KCM_RENEWAL + KCM_RENEWAL_CONDS = ;enable_kcm_renewal + endif ++if BUILD_LOCKFREE_CLIENT ++LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support ++endif + + +-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS) ++CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS) + + + #Special Rules: +diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml +index df07b7f29..5f507c631 100644 +--- a/src/man/sssd.8.xml ++++ b/src/man/sssd.8.xml +@@ -240,7 +240,7 @@ + If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", + client applications will not use the fast in-memory cache. + </para> +- <para> ++ <para condition="enable_lockfree_support"> + If the environment variable SSS_LOCKFREE is set to "NO", requests + from multiple threads of a single application will be serialized. + </para> +diff --git a/src/sss_client/common.c b/src/sss_client/common.c +index 29c751a50..d762dff49 100644 +--- a/src/sss_client/common.c ++++ b/src/sss_client/common.c +@@ -35,7 +35,6 @@ + #include <stdlib.h> + #include <stdbool.h> + #include <stdint.h> +-#include <stdatomic.h> + #include <string.h> + #include <fcntl.h> + #include <poll.h> +@@ -62,8 +61,15 @@ + + /* common functions */ + ++#ifdef HAVE_PTHREAD_EXT ++static pthread_key_t sss_sd_key; ++static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT; + static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */ + static __thread struct stat sss_cli_sb; /* the sss client stat buffer */ ++#else ++static int sss_cli_sd = -1; /* the sss client socket descriptor */ ++static struct stat sss_cli_sb; /* the sss client stat buffer */ ++#endif + + #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR + __attribute__((destructor)) +@@ -76,6 +82,18 @@ void sss_cli_close_socket(void) + } + } + ++#ifdef HAVE_PTHREAD_EXT ++static void sss_at_thread_exit(void *v) ++{ ++ sss_cli_close_socket(); ++} ++ ++static void init_sd_key(void) ++{ ++ pthread_key_create(&sss_sd_key, sss_at_thread_exit); ++} ++#endif ++ + /* Requests: + * + * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X) +@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout + return -1; + } + ++#ifdef HAVE_PTHREAD_EXT ++ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */ ++ ++ /* It actually doesn't matter what value to set for a key. ++ * The only important thing: key must be non-NULL to ensure ++ * destructor is executed at thread exit. ++ */ ++ pthread_setspecific(sss_sd_key, &sss_cli_sd); ++#endif ++ + /* set as non-blocking, close on exec, and make sure standard + * descriptors are not used */ + sd = make_safe_fd(sd); +@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len) + } + + #if HAVE_PTHREAD +-bool sss_is_lockfree_mode(void) ++ ++#ifdef HAVE_PTHREAD_EXT ++static bool sss_lock_free = true; ++static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT; ++ ++static void init_lock_mode(void) + { +- const char *env = NULL; +- enum { +- MODE_UNDEF, +- MODE_LOCKING, +- MODE_LOCKFREE +- }; +- static atomic_int mode = MODE_UNDEF; +- +- if (mode == MODE_UNDEF) { +- env = getenv("SSS_LOCKFREE"); +- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { +- mode = MODE_LOCKING; +- } else { +- mode = MODE_LOCKFREE; +- } ++ const char *env = getenv("SSS_LOCKFREE"); ++ ++ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { ++ sss_lock_free = false; + } ++} + +- return (mode == MODE_LOCKFREE); ++bool sss_is_lockfree_mode(void) ++{ ++ pthread_once(&sss_lock_mode_initialized, init_lock_mode); ++ return sss_lock_free; + } ++#endif + + struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; +- + static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; +- +-static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; +- + static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; + + static void sss_mt_lock(struct sss_mutex *m) + { ++#ifdef HAVE_PTHREAD_EXT + if (sss_is_lockfree_mode()) { + return; + } ++#endif + + pthread_mutex_lock(&m->mtx); + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state); +@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m) + + static void sss_mt_unlock(struct sss_mutex *m) + { ++#ifdef HAVE_PTHREAD_EXT + if (sss_is_lockfree_mode()) { + return; + } ++#endif + + pthread_setcancelstate(m->old_cancel_state, NULL); + pthread_mutex_unlock(&m->mtx); +@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void) + sss_mt_unlock(&sss_nss_mtx); + } + +-/* NSS mutex wrappers */ ++/* PAM mutex wrappers */ + void sss_pam_lock(void) + { + sss_mt_lock(&sss_pam_mtx); +@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void) + sss_mt_unlock(&sss_pam_mtx); + } + +-/* NSS mutex wrappers */ +-void sss_nss_mc_lock(void) +-{ +- sss_mt_lock(&sss_nss_mc_mtx); +-} +-void sss_nss_mc_unlock(void) +-{ +- sss_mt_unlock(&sss_nss_mc_mtx); +-} +- + /* PAC mutex wrappers */ + void sss_pac_lock(void) + { +diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c +index 4f454cd63..8c4894fd9 100644 +--- a/src/sss_client/idmap/common_ex.c ++++ b/src/sss_client/idmap/common_ex.c +@@ -28,7 +28,9 @@ + #include "common_private.h" + + extern struct sss_mutex sss_nss_mtx; ++#ifdef HAVE_PTHREAD_EXT + bool sss_is_lockfree_mode(void); ++#endif + + #define SEC_FROM_MSEC(ms) ((ms) / 1000) + #define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000) +@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime) + { + int ret; + ++#ifdef HAVE_PTHREAD_EXT + if (sss_is_lockfree_mode()) { + return 0; + } ++#endif + + ret = pthread_mutex_timedlock(&m->mtx, endtime); + if (ret != 0) { +-- +2.37.1 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 5a0a438..b315d03 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -26,23 +26,24 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.6.2 -Release: 4%{?dist}.1 +Version: 2.7.3 +Release: 4%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch -Patch0002: 0002-po-update-translations.patch -Patch0003: 0003-ad-add-required-cn-attribute-to-subdomain-object.patch -Patch0004: 0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch -Patch0005: 0005-Revert-usertools-force-local-user-for-sssd-process-u.patch -Patch0006: 0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch -Patch0007: 0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch -Patch0008: 0008-ad-add-fallback-in-ad_domain_info_send.patch -Patch0009: 0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch +Patch0001: 0001-Makefile-remove-unneeded-dependency.patch +Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch +Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch +Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch +Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch +Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch +Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch +Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch +Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch +Patch0010: 0010-CLIENT-fix-client-fd-leak.patch ### Dependencies ### @@ -84,6 +85,9 @@ BuildRequires: gdm-pam-extensions-devel BuildRequires: gettext-devel # required for p11_child smartcard tests BuildRequires: gnutls-utils +BuildRequires: jansson-devel +BuildRequires: libcurl-devel +BuildRequires: libjose-devel BuildRequires: keyutils-libs-devel BuildRequires: krb5-devel BuildRequires: krb5-libs >= 1.18.2-11 @@ -486,6 +490,16 @@ Requires: krb5-libs >= 1.18.2-11 An implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache. +%package idp +Summary: Kerberos plugins and OIDC helper for external identity providers. +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} + +%description idp +This package provides Kerberos plugins that are required to enable +authentication against external identity providers. Additionally a helper +program to handle the OAuth 2.0 Device Authorization Grant is provided. + %prep %autosetup -p1 @@ -556,6 +570,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache +# Enable krb5 idp plugins by default (when sssd-idp package is installed) +cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \ + $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp + # krb5 configuration snippet cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir @@ -849,6 +867,7 @@ done %{_mandir}/man8/pam_sss.8* %{_mandir}/man8/pam_sss_gss.8* %{_mandir}/man8/sssd_krb5_locator_plugin.8* +%{_mandir}/man8/sssd_krb5_localauth_plugin.8* %files -n libsss_sudo %license src/sss_client/COPYING @@ -954,6 +973,12 @@ done %{_unitdir}/sssd-kcm.service %{_mandir}/man8/sssd-kcm.8* +%files idp +%{_libexecdir}/%{servicename}/oidc_child +%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so +%{_datadir}/sssd/krb5-snippets/sssd_enable_idp +%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp + %if 0%{?rhel} %pre common getent group sssd >/dev/null || groupadd -r sssd @@ -1043,12 +1068,61 @@ fi %systemd_postun_with_restart sssd.service %changelog -* Thu Jun 2 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4.1 -- Resolves: rhbz#2072959 - Use right sdap_domain in ad_domain_info_send [rhel-9.0.0.z] -- Resolves: rhbz#2089251 - pam_sss_gss ceased to work after upgrade to 8.6 [rhel-9.0.0.z] +* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4 +- Related: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs) -* Mon Apr 25 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4 -- Resolves: rhbz#2075539 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop [rhel-9.0.0.z] +* Tue Aug 23 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-3 +- Resolves: rhbz#2116389 - rpc.gssd crash when access a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-2.el9 +- Resolves: rhbz#2119373 - sssctl analyze --logdir option requires sssd to be configured +- Resolves: rhbz#2120657 - Incorrect request ID tracking from responder to backend + +* Mon Aug 8 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-2 +- Resolves: rhbz#2106660 - [regression] sssd goes offline with forced ldaps configuration +- Resolves: rhbz#2109451 - virsh command will hang after the host run several auto test cases +- Resolves: rhbz#2098654 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL +- Resolves: rhbz#2106685 - [regression] sssctl analyze fails to parse PAM related sssd logs + +* Tue Jul 5 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-1 +- Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1 +- Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN +- Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs) +- Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization + +* Mon Jun 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.1-2 +- Resolves: rhbz#2073095 - Harden kerberos ticket validation (additional patch) +- Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol (additional patch) + +* Sat Jun 4 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.1-1 +- Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1 +- Resolves: rhbz#1893192 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets +- Resolves: rhbz#1927553 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file +- Resolves: rhbz#2089216 - pam_sss_gss ceased to work after upgrade to 8.6 +- Resolves: rhbz#2090776 - Add idp authentication indicator in man page of sssd.conf +- Resolves: rhbz#1927195 - sssd runs out of proxy child slots and doesn't clear the counter for Active requests +- Resolves: rhbz#2073095 - Harden kerberos ticket validation +- Resolves: rhbz#2082455 - 'getent hosts' not return hosts if they have more than one CN in LDAP +- Resolves: rhbz#2087581 - Regression "Missing internal domain data." when setting ad_domain to incorrect + +* Wed May 11 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-2 +- Resolves: rhbz#2065693 - [RHEL9] Ship new sub-package called sssd-idp into sssd + +* Wed Apr 20 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-1 +- Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1 +- Resolves: rhbz#2072640 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop +- Resolves: rhbz#2070189 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. +- Resolves: rhbz#2070138 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options) +- Resolves: rhbz#2065693 - [RHEL9] Ship new sub-package called sssd-idp into sssd +- Resolves: rhbz#2065098 - Use right sdap_domain in ad_domain_info_send +- Resolves: rhbz#2062716 - [Improvement] Add user and group version of sss_nss_getorigbyname() +- Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol +- Resolves: rhbz#2056482 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 +- Resolves: rhbz#1937895 - SSSD update prompts for smartcard pin twice - After update to 7.9 +- Resolves: rhbz#1925559 - [RFE] Implement time logging for the LDAP queries and warning of high queries time +- Resolves: rhbz#1915564 - sssd does not enforce smartcard auth for kde screen locker +- Resolves: rhbz#1859751 - [RFE] Allow SSSD to use anonymous pkinit for FAST +- Resolves: rhbz#1749279 - 2FA prompting setting ineffective +- Resolves: rhbz#1661055 - sssd fails GPO-based access if AD have setup with Japanese language +- Resolves: rhbz#1245367 - [RFE] Implement memory cache for SID requests to improve performance * Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2 - Resolves: rhbz#2035244 - AD Domain in the AD Forest Missing after sssd latest update