Compare commits
3 Commits
c8
...
changed/a8
Author | SHA1 | Date | |
---|---|---|---|
3be8b07c4d | |||
e945aa7449 | |||
5ddcf41b6f |
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/sssd-2.9.4.tar.gz
|
SOURCES/sssd-2.9.1.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz
|
5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz
|
||||||
|
@ -1,144 +0,0 @@
|
|||||||
From dd0f63246aa75d5f53b44cbc185e88833e79976e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andre Boscatto <andreboscatto@gmail.com>
|
|
||||||
Date: Wed, 7 Feb 2024 12:28:28 +0100
|
|
||||||
Subject: [PATCH] sssd: adding mail as case insensitive
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/7173
|
|
||||||
|
|
||||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51)
|
|
||||||
---
|
|
||||||
src/db/sysdb_init.c | 7 ++++++
|
|
||||||
src/db/sysdb_private.h | 5 +++-
|
|
||||||
src/db/sysdb_upgrade.c | 56 ++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 67 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
|
||||||
index c2ea6c369..38a9cd64a 100644
|
|
||||||
--- a/src/db/sysdb_init.c
|
|
||||||
+++ b/src/db/sysdb_init.c
|
|
||||||
@@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (strcmp(version, SYSDB_VERSION_0_23) == 0) {
|
|
||||||
+ ret = sysdb_upgrade_23(sysdb, &version);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = EOK;
|
|
||||||
done:
|
|
||||||
sysdb->ldb = save_ldb;
|
|
||||||
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
|
||||||
index 1f55007bc..63f7b5601 100644
|
|
||||||
--- a/src/db/sysdb_private.h
|
|
||||||
+++ b/src/db/sysdb_private.h
|
|
||||||
@@ -23,6 +23,7 @@
|
|
||||||
#ifndef __INT_SYS_DB_H__
|
|
||||||
#define __INT_SYS_DB_H__
|
|
||||||
|
|
||||||
+#define SYSDB_VERSION_0_24 "0.24"
|
|
||||||
#define SYSDB_VERSION_0_23 "0.23"
|
|
||||||
#define SYSDB_VERSION_0_22 "0.22"
|
|
||||||
#define SYSDB_VERSION_0_21 "0.21"
|
|
||||||
@@ -47,7 +48,7 @@
|
|
||||||
#define SYSDB_VERSION_0_2 "0.2"
|
|
||||||
#define SYSDB_VERSION_0_1 "0.1"
|
|
||||||
|
|
||||||
-#define SYSDB_VERSION SYSDB_VERSION_0_23
|
|
||||||
+#define SYSDB_VERSION SYSDB_VERSION_0_24
|
|
||||||
|
|
||||||
#define SYSDB_BASE_LDIF \
|
|
||||||
"dn: @ATTRIBUTES\n" \
|
|
||||||
@@ -60,6 +61,7 @@
|
|
||||||
"objectclass: CASE_INSENSITIVE\n" \
|
|
||||||
"ipHostNumber: CASE_INSENSITIVE\n" \
|
|
||||||
"ipNetworkNumber: CASE_INSENSITIVE\n" \
|
|
||||||
+ "mail: CASE_INSENSITIVE\n" \
|
|
||||||
"\n" \
|
|
||||||
"dn: @INDEXLIST\n" \
|
|
||||||
"@IDXATTR: cn\n" \
|
|
||||||
@@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
|
|
||||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
|
|
||||||
index 346a1cb0b..56083e6be 100644
|
|
||||||
--- a/src/db/sysdb_upgrade.c
|
|
||||||
+++ b/src/db/sysdb_upgrade.c
|
|
||||||
@@ -2718,6 +2718,62 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver)
|
|
||||||
+{
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ int ret;
|
|
||||||
+ struct ldb_message *msg;
|
|
||||||
+ struct upgrade_ctx *ctx;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(NULL);
|
|
||||||
+ if (!tmp_ctx) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx);
|
|
||||||
+ if (ret) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Add new indexes */
|
|
||||||
+ msg = ldb_msg_new(tmp_ctx);
|
|
||||||
+ if (!msg) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES");
|
|
||||||
+ if (!msg->dn) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Case insensitive search for mail */
|
|
||||||
+ ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL);
|
|
||||||
+ if (ret != LDB_SUCCESS) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE");
|
|
||||||
+ if (ret != LDB_SUCCESS) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = ldb_modify(sysdb->ldb, msg);
|
|
||||||
+ if (ret != LDB_SUCCESS) {
|
|
||||||
+ ret = sysdb_error_to_errno(ret);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* conversion done, update version number */
|
|
||||||
+ ret = update_version(ctx);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ ret = finish_upgrade(ret, &ctx, ver);
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
|
|
||||||
{
|
|
||||||
struct upgrade_ctx *ctx;
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -0,0 +1,106 @@
|
|||||||
|
From f16e570838d1c6cd30b5883f364b0f437c314b1f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 9 Jun 2023 12:31:39 +0200
|
||||||
|
Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Those two new calls can be used if there are requests stuck by e.g.
|
||||||
|
waiting on replies where there is no other way to handle the timeout and
|
||||||
|
get the system back into a stable state. They should be only used as a
|
||||||
|
last resort.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/6803
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
(cherry picked from commit 75f2b35ad3b9256de905d05c5108400d35688554)
|
||||||
|
---
|
||||||
|
src/util/util.h | 12 ++++++++++++
|
||||||
|
src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
|
||||||
|
2 files changed, 38 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/util/util.h b/src/util/util.h
|
||||||
|
index 11dc40d57..02fd53237 100644
|
||||||
|
--- a/src/util/util.h
|
||||||
|
+++ b/src/util/util.h
|
||||||
|
@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
|
||||||
|
void teardown_watchdog(void);
|
||||||
|
int get_watchdog_ticks(void);
|
||||||
|
|
||||||
|
+/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
|
||||||
|
+ * the watchdog reset, respectively. This means that after arm_watchdog() is
|
||||||
|
+ * called the watchdog will not be resetted anymore and it will kill the
|
||||||
|
+ * process if disarm_watchdog() wasn't called before.
|
||||||
|
+ * Those calls should only be used when there is no other way to handle
|
||||||
|
+ * waiting request and recover into a stable state.
|
||||||
|
+ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
|
||||||
|
+ * not be called a second time in a different request because then
|
||||||
|
+ * disarm_watchdog() will disable the watchdog coverage for both. */
|
||||||
|
+void arm_watchdog(void);
|
||||||
|
+void disarm_watchdog(void);
|
||||||
|
+
|
||||||
|
/* from files.c */
|
||||||
|
int sss_remove_tree(const char *root);
|
||||||
|
int sss_remove_subtree(const char *root);
|
||||||
|
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
|
||||||
|
index b1534e499..abafd94b9 100644
|
||||||
|
--- a/src/util/util_watchdog.c
|
||||||
|
+++ b/src/util/util_watchdog.c
|
||||||
|
@@ -40,6 +40,7 @@ struct watchdog_ctx {
|
||||||
|
time_t timestamp;
|
||||||
|
struct tevent_fd *tfd;
|
||||||
|
int pipefd[2];
|
||||||
|
+ bool armed; /* if 'true' ticks counter will not be reset */
|
||||||
|
} watchdog_ctx;
|
||||||
|
|
||||||
|
static void watchdog_detect_timeshift(void)
|
||||||
|
@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
|
||||||
|
struct timeval current_time,
|
||||||
|
void *private_data)
|
||||||
|
{
|
||||||
|
- /* first thing reset the watchdog ticks */
|
||||||
|
- watchdog_reset();
|
||||||
|
+ if (!watchdog_ctx.armed) {
|
||||||
|
+ /* first thing reset the watchdog ticks */
|
||||||
|
+ watchdog_reset();
|
||||||
|
+ } else {
|
||||||
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||||
|
+ "Watchdog armed, process might be terminated soon.\n");
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* then set a new watchodg event */
|
||||||
|
watchdog_ctx.te = tevent_add_timer(ev, ev,
|
||||||
|
@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
|
||||||
|
watchdog_ctx.ev = ev;
|
||||||
|
watchdog_ctx.input_interval = interval;
|
||||||
|
watchdog_ctx.timestamp = time(NULL);
|
||||||
|
+ watchdog_ctx.armed = false;
|
||||||
|
|
||||||
|
ret = pipe(watchdog_ctx.pipefd);
|
||||||
|
if (ret == -1) {
|
||||||
|
@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
|
||||||
|
{
|
||||||
|
return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+void arm_watchdog(void)
|
||||||
|
+{
|
||||||
|
+ if (watchdog_ctx.armed) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ "arm_watchdog() is called although the watchdog is already armed. "
|
||||||
|
+ "This indicates a programming error and should be avoided because "
|
||||||
|
+ "it will most probably not work as expected.\n");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ watchdog_ctx.armed = true;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void disarm_watchdog(void)
|
||||||
|
+{
|
||||||
|
+ watchdog_ctx.armed = false;
|
||||||
|
+}
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
@ -0,0 +1,66 @@
|
|||||||
|
From 27987c791bc452f53696a3a33f0d607ab040e78d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 9 Jun 2023 13:01:47 +0200
|
||||||
|
Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
There seem to be conditions where the reply in the
|
||||||
|
sbus_call_DBus_Hello_send() request gets lost and the backend cannot
|
||||||
|
properly initialize its sbus/DBus server. Since the backend cannot be
|
||||||
|
connected by the frontends in this state the best way to recover would
|
||||||
|
be a restart. Since the event-loop is active in this state, e.g. waiting
|
||||||
|
for the reply, the watchdog will not consider the process as hung and
|
||||||
|
will not restart the process.
|
||||||
|
|
||||||
|
To make the watchdog handle this case arm_watchdog() and
|
||||||
|
disarm_watchdog() are called before and after the request, respectively.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/6803
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
|
||||||
|
---
|
||||||
|
Makefile.am | 1 -
|
||||||
|
src/sbus/connection/sbus_connection_connect.c | 4 ++++
|
||||||
|
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index e780e8a14..23c63ec1e 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -4672,7 +4672,6 @@ krb5_child_LDADD = \
|
||||||
|
$(CLIENT_LIBS) \
|
||||||
|
$(SYSTEMD_LOGIN_LIBS) \
|
||||||
|
$(JANSSON_LIBS) \
|
||||||
|
- libsss_sbus.la \
|
||||||
|
$(NULL)
|
||||||
|
|
||||||
|
ldap_child_SOURCES = \
|
||||||
|
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
|
||||||
|
index 45a0fa491..edc090e15 100644
|
||||||
|
--- a/src/sbus/connection/sbus_connection_connect.c
|
||||||
|
+++ b/src/sbus/connection/sbus_connection_connect.c
|
||||||
|
@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
|
||||||
|
|
||||||
|
tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
|
||||||
|
|
||||||
|
+ arm_watchdog();
|
||||||
|
+
|
||||||
|
return req;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
|
||||||
|
uint32_t res;
|
||||||
|
errno_t ret;
|
||||||
|
|
||||||
|
+ disarm_watchdog();
|
||||||
|
+
|
||||||
|
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||||
|
|
||||||
|
ret = sbus_call_DBus_RequestName_recv(subreq, &res);
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
@ -1,154 +0,0 @@
|
|||||||
From a7621a5b464af7a3c8409dcbde038b35fee2c895 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 23 Jan 2024 13:47:53 +0100
|
|
||||||
Subject: [PATCH 2/3] sdap: add search_bases option to groups_by_user_send()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
AD handles users and computer objects very similar and so does SSSD's
|
|
||||||
GPO code when lookup up the host's group-memberships. But users and
|
|
||||||
computers might be stored in different sub-tree of the AD LDAP tree and
|
|
||||||
if a dedicated user search base is given with the ldap_user_search_base
|
|
||||||
option in sssd.conf the host object might be in a different sub-tree. To
|
|
||||||
make sure the host can still be found this patch uses the base DN of
|
|
||||||
the LDAP tree when searching for hosts in the GPO code.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
|
||||||
|
|
||||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196)
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_gpo.c | 10 ++++++++++
|
|
||||||
src/providers/ldap/ldap_common.h | 1 +
|
|
||||||
src/providers/ldap/ldap_id.c | 6 +++++-
|
|
||||||
src/providers/ldap/sdap_async.h | 1 +
|
|
||||||
src/providers/ldap/sdap_async_initgroups.c | 4 +++-
|
|
||||||
5 files changed, 20 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
||||||
index 94959c36b..b0ee3e616 100644
|
|
||||||
--- a/src/providers/ad/ad_gpo.c
|
|
||||||
+++ b/src/providers/ad/ad_gpo.c
|
|
||||||
@@ -2091,6 +2091,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
|
||||||
char *server_uri;
|
|
||||||
LDAPURLDesc *lud;
|
|
||||||
struct sdap_domain *sdom;
|
|
||||||
+ struct sdap_search_base **search_bases;
|
|
||||||
|
|
||||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
|
||||||
state = tevent_req_data(req, struct ad_gpo_access_state);
|
|
||||||
@@ -2184,9 +2185,18 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
|
||||||
+ "AD_HOSTS", NULL, &search_bases);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "Failed to create dedicated search base for host lookups, "
|
|
||||||
+ "trying with user search base.");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
subreq = groups_by_user_send(state, state->ev,
|
|
||||||
state->access_ctx->ad_id_ctx->sdap_id_ctx,
|
|
||||||
sdom, state->conn,
|
|
||||||
+ search_bases,
|
|
||||||
state->host_fqdn,
|
|
||||||
BE_FILTER_NAME,
|
|
||||||
NULL,
|
|
||||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
|
||||||
index 7159d6356..2c984ef50 100644
|
|
||||||
--- a/src/providers/ldap/ldap_common.h
|
|
||||||
+++ b/src/providers/ldap/ldap_common.h
|
|
||||||
@@ -304,6 +304,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
|
||||||
struct sdap_id_ctx *ctx,
|
|
||||||
struct sdap_domain *sdom,
|
|
||||||
struct sdap_id_conn_ctx *conn,
|
|
||||||
+ struct sdap_search_base **search_bases,
|
|
||||||
const char *filter_value,
|
|
||||||
int filter_type,
|
|
||||||
const char *extra_value,
|
|
||||||
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
|
||||||
index da54816bd..b3ea2333f 100644
|
|
||||||
--- a/src/providers/ldap/ldap_id.c
|
|
||||||
+++ b/src/providers/ldap/ldap_id.c
|
|
||||||
@@ -1139,6 +1139,7 @@ struct groups_by_user_state {
|
|
||||||
struct sdap_id_op *op;
|
|
||||||
struct sysdb_ctx *sysdb;
|
|
||||||
struct sss_domain_info *domain;
|
|
||||||
+ struct sdap_search_base **search_bases;
|
|
||||||
|
|
||||||
const char *filter_value;
|
|
||||||
int filter_type;
|
|
||||||
@@ -1160,6 +1161,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
|
||||||
struct sdap_id_ctx *ctx,
|
|
||||||
struct sdap_domain *sdom,
|
|
||||||
struct sdap_id_conn_ctx *conn,
|
|
||||||
+ struct sdap_search_base **search_bases,
|
|
||||||
const char *filter_value,
|
|
||||||
int filter_type,
|
|
||||||
const char *extra_value,
|
|
||||||
@@ -1192,6 +1194,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
|
||||||
state->extra_value = extra_value;
|
|
||||||
state->domain = sdom->dom;
|
|
||||||
state->sysdb = sdom->dom->sysdb;
|
|
||||||
+ state->search_bases = search_bases;
|
|
||||||
|
|
||||||
if (state->domain->type == DOM_TYPE_APPLICATION || set_non_posix) {
|
|
||||||
state->non_posix = true;
|
|
||||||
@@ -1254,6 +1257,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
|
|
||||||
sdap_id_op_handle(state->op),
|
|
||||||
state->ctx,
|
|
||||||
state->conn,
|
|
||||||
+ state->search_bases,
|
|
||||||
state->filter_value,
|
|
||||||
state->filter_type,
|
|
||||||
state->extra_value,
|
|
||||||
@@ -1449,7 +1453,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
|
|
||||||
- sdom, conn,
|
|
||||||
+ sdom, conn, NULL,
|
|
||||||
ar->filter_value,
|
|
||||||
ar->filter_type,
|
|
||||||
ar->extra_value,
|
|
||||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
|
||||||
index 5458d21f1..89245f41f 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async.h
|
|
||||||
+++ b/src/providers/ldap/sdap_async.h
|
|
||||||
@@ -158,6 +158,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
|
||||||
struct sdap_handle *sh,
|
|
||||||
struct sdap_id_ctx *id_ctx,
|
|
||||||
struct sdap_id_conn_ctx *conn,
|
|
||||||
+ struct sdap_search_base **search_bases,
|
|
||||||
const char *name,
|
|
||||||
int filter_type,
|
|
||||||
const char *extra_value,
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
index 97be594a3..fb3d8fe24 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
@@ -2732,6 +2732,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
|
||||||
struct sdap_handle *sh,
|
|
||||||
struct sdap_id_ctx *id_ctx,
|
|
||||||
struct sdap_id_conn_ctx *conn,
|
|
||||||
+ struct sdap_search_base **search_bases,
|
|
||||||
const char *filter_value,
|
|
||||||
int filter_type,
|
|
||||||
const char *extra_value,
|
|
||||||
@@ -2764,7 +2765,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
|
||||||
state->orig_user = NULL;
|
|
||||||
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
|
||||||
state->user_base_iter = 0;
|
|
||||||
- state->user_search_bases = sdom->user_search_bases;
|
|
||||||
+ state->user_search_bases = (search_bases == NULL) ? sdom->user_search_bases
|
|
||||||
+ : search_bases;
|
|
||||||
if (!state->user_search_bases) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"Initgroups lookup request without a user search base\n");
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,194 +0,0 @@
|
|||||||
From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 24 Jan 2024 14:21:12 +0100
|
|
||||||
Subject: [PATCH 3/3] sdap: add naming_context as new member of struct
|
|
||||||
sdap_domain
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The naming_context could be a more reliable source than basedn for the
|
|
||||||
actual base DN because basedn is set very early from the domain name
|
|
||||||
given in sssd.conf. Although it is recommended to use the fully
|
|
||||||
qualified DNS domain name here it is not required. As a result basedn
|
|
||||||
might not reflect the actual based DN of the LDAP server. Also pure LDAP
|
|
||||||
server (i.e. not AD or FreeIPA) might use different schemes to set the
|
|
||||||
base DN which will not be based on the DNS domain of the LDAP server.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
|
||||||
|
|
||||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_gpo.c | 6 ++++--
|
|
||||||
src/providers/ldap/sdap.c | 36 +++++++++++++-----------------------
|
|
||||||
src/providers/ldap/sdap.h | 11 +++++++++++
|
|
||||||
3 files changed, 28 insertions(+), 25 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
||||||
index b0ee3e616..3d1ad39c7 100644
|
|
||||||
--- a/src/providers/ad/ad_gpo.c
|
|
||||||
+++ b/src/providers/ad/ad_gpo.c
|
|
||||||
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
|
||||||
- "AD_HOSTS", NULL, &search_bases);
|
|
||||||
+ ret = common_parse_search_base(state,
|
|
||||||
+ sdom->naming_context == NULL ? sdom->basedn
|
|
||||||
+ : sdom->naming_context,
|
|
||||||
+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"Failed to create dedicated search base for host lookups, "
|
|
||||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
|
||||||
index f5637c5fb..956eba93a 100644
|
|
||||||
--- a/src/providers/ldap/sdap.c
|
|
||||||
+++ b/src/providers/ldap/sdap.c
|
|
||||||
@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
struct sdap_domain *sdom)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
- char *naming_context = NULL;
|
|
||||||
|
|
||||||
- if (!sdom->search_bases
|
|
||||||
- || !sdom->user_search_bases
|
|
||||||
- || !sdom->group_search_bases
|
|
||||||
- || !sdom->netgroup_search_bases
|
|
||||||
- || !sdom->host_search_bases
|
|
||||||
- || !sdom->sudo_search_bases
|
|
||||||
- || !sdom->iphost_search_bases
|
|
||||||
- || !sdom->ipnetwork_search_bases
|
|
||||||
- || !sdom->autofs_search_bases) {
|
|
||||||
- naming_context = get_naming_context(opts->basic, rootdse);
|
|
||||||
- if (naming_context == NULL) {
|
|
||||||
+ if (!sdom->naming_context) {
|
|
||||||
+ sdom->naming_context = get_naming_context(sdom, rootdse);
|
|
||||||
+ if (sdom->naming_context == NULL) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
|
|
||||||
|
|
||||||
/* This has to be non-fatal, since some servers offer
|
|
||||||
@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->user_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_USER_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->group_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_GROUP_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->netgroup_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_NETGROUP_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->host_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_HOST_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->sudo_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_SUDO_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->service_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_SERVICE_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->autofs_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_AUTOFS_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->iphost_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_IPHOST_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
if (!sdom->ipnetwork_search_bases) {
|
|
||||||
ret = sdap_set_search_base(opts, sdom,
|
|
||||||
SDAP_IPNETWORK_SEARCH_BASE,
|
|
||||||
- naming_context);
|
|
||||||
+ sdom->naming_context);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = EOK;
|
|
||||||
|
|
||||||
done:
|
|
||||||
- talloc_free(naming_context);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
|
||||||
index 161bc5c26..103d50ed4 100644
|
|
||||||
--- a/src/providers/ldap/sdap.h
|
|
||||||
+++ b/src/providers/ldap/sdap.h
|
|
||||||
@@ -454,6 +454,17 @@ struct sdap_domain {
|
|
||||||
|
|
||||||
char *basedn;
|
|
||||||
|
|
||||||
+ /* The naming_context could be a more reliable source than basedn for the
|
|
||||||
+ * actual base DN because basedn is set very early from the domain name
|
|
||||||
+ * given in sssd.conf. Although it is recommended to use the fully
|
|
||||||
+ * qualified DNS domain name here it is not required. As a result basedn
|
|
||||||
+ * might not reflect the actual based DN of the LDAP server. Also pure
|
|
||||||
+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
|
|
||||||
+ * the base DN which will not be based on the DNS domain of the LDAP
|
|
||||||
+ * server. naming_context might be NULL even after connection to an LDAP
|
|
||||||
+ * server. */
|
|
||||||
+ char *naming_context;
|
|
||||||
+
|
|
||||||
struct sdap_search_base **search_bases;
|
|
||||||
struct sdap_search_base **user_search_bases;
|
|
||||||
struct sdap_search_base **group_search_bases;
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,233 +0,0 @@
|
|||||||
From 50077c3255177fe1b01837fbe31a7f8fd47dee74 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Thu, 18 Jan 2024 13:08:17 +0100
|
|
||||||
Subject: [PATCH] pam: fix SC auth with multiple certs and missing login name
|
|
||||||
|
|
||||||
While introducing the local_auth_policy option a quite specific use-case
|
|
||||||
was not covered correctly. If there are multiple matching certificates
|
|
||||||
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
|
|
||||||
mode was used for login, i.e. there is no user name given and the user
|
|
||||||
has to be derived from the certificate used for login, authentication
|
|
||||||
failed. The main reason for the failure is that in this case the
|
|
||||||
Smartcard interaction and the user mapping has to be done first to
|
|
||||||
determine the user before local_auth_policy is evaluated. As a result
|
|
||||||
when checking if the authentication can be finished the request was in
|
|
||||||
an unexpected state because the indicator for local Smartcard
|
|
||||||
authentication was not enabled.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/7109
|
|
||||||
|
|
||||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
|
||||||
Reviewed-by: Scott Poore <spoore@redhat.com>
|
|
||||||
(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3)
|
|
||||||
---
|
|
||||||
src/responder/pam/pamsrv.h | 10 ++++
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 17 +++++--
|
|
||||||
src/tests/intg/Makefile.am | 2 +
|
|
||||||
src/tests/intg/test_pam_responder.py | 74 +++++++++++++++++++++++++++-
|
|
||||||
4 files changed, 96 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
||||||
index 7013a8edd..618836189 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.h
|
|
||||||
+++ b/src/responder/pam/pamsrv.h
|
|
||||||
@@ -93,7 +93,17 @@ struct pam_auth_req {
|
|
||||||
struct ldb_message *user_obj;
|
|
||||||
struct cert_auth_info *cert_list;
|
|
||||||
struct cert_auth_info *current_cert;
|
|
||||||
+ /* Switched to 'true' if the backend indicates that it cannot handle
|
|
||||||
+ * Smartcard authentication, but Smartcard authentication is
|
|
||||||
+ * possible and local Smartcard authentication is allowed. */
|
|
||||||
bool cert_auth_local;
|
|
||||||
+ /* Switched to 'true' if authentication (not pre-authentication) was
|
|
||||||
+ * started without a login name and the name had to be lookup up with the
|
|
||||||
+ * certificate used for authentication. Since reading the certificate from
|
|
||||||
+ * the Smartcard already involves the PIN validation in this case there
|
|
||||||
+ * would be no need for an additional Smartcard interaction if only local
|
|
||||||
+ * Smartcard authentication is possible. */
|
|
||||||
+ bool initial_cert_auth_successful;
|
|
||||||
|
|
||||||
bool passkey_data_exists;
|
|
||||||
uint32_t client_id_num;
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index c23ea7ba4..a7c181733 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -2200,8 +2200,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
|
||||||
ret = ENOENT;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- if (cert_count > 1) {
|
|
||||||
+ /* Multiple certificates are only expected during pre-auth */
|
|
||||||
+ if (cert_count > 1 && preq->pd->cmd == SSS_PAM_PREAUTH) {
|
|
||||||
for (preq->current_cert = preq->cert_list;
|
|
||||||
preq->current_cert != NULL;
|
|
||||||
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
|
|
||||||
@@ -2285,7 +2285,9 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If logon_name was not given during authentication add a
|
|
||||||
- * SSS_PAM_CERT_INFO message to send the name to the caller. */
|
|
||||||
+ * SSS_PAM_CERT_INFO message to send the name to the caller.
|
|
||||||
+ * Additionally initial_cert_auth_successful is set to
|
|
||||||
+ * indicate that the user is already authenticated. */
|
|
||||||
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
|
||||||
&& preq->pd->logon_name == NULL) {
|
|
||||||
ret = add_pam_cert_response(preq->pd,
|
|
||||||
@@ -2297,6 +2299,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
|
||||||
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ preq->initial_cert_auth_successful = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* cert_user will be returned to the PAM client as user name, so
|
|
||||||
@@ -2851,12 +2855,15 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
|
||||||
if (found) {
|
|
||||||
if (local_policy != NULL && strcasecmp(local_policy, "only") == 0) {
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
- DEBUG(SSSDBG_IMPORTANT_INFO, "Local auth only set, skipping online auth\n");
|
|
||||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
|
||||||
+ "Local auth only set and matching certificate was found, "
|
|
||||||
+ "skipping online auth\n");
|
|
||||||
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
|
|
||||||
preq->pd->pam_status = PAM_SUCCESS;
|
|
||||||
} else if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
|
||||||
&& IS_SC_AUTHTOK(preq->pd->authtok)
|
|
||||||
- && preq->cert_auth_local) {
|
|
||||||
+ && (preq->cert_auth_local
|
|
||||||
+ || preq->initial_cert_auth_successful)) {
|
|
||||||
preq->pd->pam_status = PAM_SUCCESS;
|
|
||||||
preq->callback = pam_reply;
|
|
||||||
}
|
|
||||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
|
||||||
index 3866d3ca6..0cfd268dc 100644
|
|
||||||
--- a/src/tests/intg/Makefile.am
|
|
||||||
+++ b/src/tests/intg/Makefile.am
|
|
||||||
@@ -199,6 +199,7 @@ clean-local:
|
|
||||||
|
|
||||||
PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
|
||||||
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
|
||||||
+SOFTHSM2_TWO_CONF="$(abs_builddir)/../test_CA/softhsm2_two.conf"
|
|
||||||
|
|
||||||
intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains sss_netgroup_thread_test
|
|
||||||
pipepath="$(DESTDIR)$(pipepath)"; \
|
|
||||||
@@ -233,6 +234,7 @@ intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
|
|
||||||
PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
|
|
||||||
ABS_SRCDIR=$(abs_srcdir) \
|
|
||||||
SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
|
|
||||||
+ SOFTHSM2_TWO_CONF=$(SOFTHSM2_TWO_CONF) \
|
|
||||||
KCM_RENEW=$(KCM_RENEW) \
|
|
||||||
FILES_PROVIDER=$(FILES_PROVIDER) \
|
|
||||||
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
|
|
||||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
|
||||||
index 1fc3937e6..0fbf8065e 100644
|
|
||||||
--- a/src/tests/intg/test_pam_responder.py
|
|
||||||
+++ b/src/tests/intg/test_pam_responder.py
|
|
||||||
@@ -168,7 +168,7 @@ def format_pam_cert_auth_conf(config, provider):
|
|
||||||
{provider.p}
|
|
||||||
|
|
||||||
[certmap/auth_only/user1]
|
|
||||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
|
||||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
|
||||||
""").format(**locals())
|
|
||||||
|
|
||||||
|
|
||||||
@@ -201,7 +201,7 @@ def format_pam_cert_auth_conf_name_format(config, provider):
|
|
||||||
{provider.p}
|
|
||||||
|
|
||||||
[certmap/auth_only/user1]
|
|
||||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
|
||||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
|
||||||
""").format(**locals())
|
|
||||||
|
|
||||||
|
|
||||||
@@ -380,6 +380,28 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
|
|
||||||
return None
|
|
||||||
|
|
||||||
|
|
||||||
+@pytest.fixture
|
|
||||||
+def simple_pam_cert_auth_two_certs(request, passwd_ops_setup):
|
|
||||||
+ """Setup SSSD with pam_cert_auth=True"""
|
|
||||||
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
|
||||||
+
|
|
||||||
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
|
|
||||||
+ softhsm2_two_conf = os.environ['SOFTHSM2_TWO_CONF']
|
|
||||||
+ os.environ['SOFTHSM2_CONF'] = softhsm2_two_conf
|
|
||||||
+
|
|
||||||
+ conf = format_pam_cert_auth_conf(config, provider_switch(request.param))
|
|
||||||
+ create_conf_fixture(request, conf)
|
|
||||||
+ create_sssd_fixture(request)
|
|
||||||
+
|
|
||||||
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
|
|
||||||
+
|
|
||||||
+ passwd_ops_setup.useradd(**USER1)
|
|
||||||
+ passwd_ops_setup.useradd(**USER2)
|
|
||||||
+ sync_files_provider(USER2['name'])
|
|
||||||
+
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
+
|
|
||||||
@pytest.fixture
|
|
||||||
def simple_pam_cert_auth_name_format(request, passwd_ops_setup):
|
|
||||||
"""Setup SSSD with pam_cert_auth=True and full_name_format"""
|
|
||||||
@@ -522,6 +544,54 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
|
|
||||||
assert err.find("pam_authenticate for user [user1]: Success") != -1
|
|
||||||
|
|
||||||
|
|
||||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
|
||||||
+def test_sc_auth_two(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
|
||||||
+
|
|
||||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
|
||||||
+ "--action=auth", "--service=pam_sss_service"],
|
|
||||||
+ universal_newlines=True,
|
|
||||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
|
||||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
+
|
|
||||||
+ try:
|
|
||||||
+ out, err = sssctl.communicate(input="2\n123456")
|
|
||||||
+ except Exception:
|
|
||||||
+ sssctl.kill()
|
|
||||||
+ out, err = sssctl.communicate()
|
|
||||||
+
|
|
||||||
+ sssctl.stdin.close()
|
|
||||||
+ sssctl.stdout.close()
|
|
||||||
+
|
|
||||||
+ if sssctl.wait() != 0:
|
|
||||||
+ raise Exception("sssctl failed")
|
|
||||||
+
|
|
||||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
|
||||||
+def test_sc_auth_two_missing_name(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
|
||||||
+
|
|
||||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "",
|
|
||||||
+ "--action=auth", "--service=pam_sss_allow_missing_name"],
|
|
||||||
+ universal_newlines=True,
|
|
||||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
|
||||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
+
|
|
||||||
+ try:
|
|
||||||
+ out, err = sssctl.communicate(input="2\n123456")
|
|
||||||
+ except Exception:
|
|
||||||
+ sssctl.kill()
|
|
||||||
+ out, err = sssctl.communicate()
|
|
||||||
+
|
|
||||||
+ sssctl.stdin.close()
|
|
||||||
+ sssctl.stdout.close()
|
|
||||||
+
|
|
||||||
+ if sssctl.wait() != 0:
|
|
||||||
+ raise Exception("sssctl failed")
|
|
||||||
+
|
|
||||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
|
||||||
+
|
|
||||||
+
|
|
||||||
@pytest.mark.parametrize('simple_pam_cert_auth', ['proxy_password'], indirect=True)
|
|
||||||
def test_sc_proxy_password_fallback(simple_pam_cert_auth, env_for_sssctl):
|
|
||||||
"""
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,218 +0,0 @@
|
|||||||
From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 8 Nov 2023 14:50:24 +0100
|
|
||||||
Subject: [PATCH] ad-gpo: use hash to store intermediate results
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Currently after the evaluation of a single GPO file the intermediate
|
|
||||||
results are stored in the cache and this cache entry is updated until
|
|
||||||
all applicable GPO files are evaluated. Finally the data in the cache is
|
|
||||||
used to make the decision of access is granted or rejected.
|
|
||||||
|
|
||||||
If there are two or more access-control request running in parallel one
|
|
||||||
request might overwrite the cache object with intermediate data while
|
|
||||||
another request reads the cached data for the access decision and as a
|
|
||||||
result will do this decision based on intermediate data.
|
|
||||||
|
|
||||||
To avoid this the intermediate results are not stored in the cache
|
|
||||||
anymore but in hash tables which are specific to the request. Only the
|
|
||||||
final result is written to the cache to have it available for offline
|
|
||||||
authentication.
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
|
|
||||||
1 file changed, 102 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
||||||
index 3d1ad39c7..b879b0a08 100644
|
|
||||||
--- a/src/providers/ad/ad_gpo.c
|
|
||||||
+++ b/src/providers/ad/ad_gpo.c
|
|
||||||
@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static errno_t
|
|
||||||
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
|
|
||||||
+{
|
|
||||||
+ int hret;
|
|
||||||
+ hash_key_t k;
|
|
||||||
+ hash_value_t v;
|
|
||||||
+
|
|
||||||
+ if (hash == NULL || key == NULL || value == NULL) {
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ k.type = HASH_KEY_CONST_STRING;
|
|
||||||
+ k.c_str = key;
|
|
||||||
+
|
|
||||||
+ v.type = HASH_VALUE_PTR;
|
|
||||||
+ v.ptr = value;
|
|
||||||
+
|
|
||||||
+ hret = hash_enter(hash, &k, &v);
|
|
||||||
+ if (hret != HASH_SUCCESS) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
|
|
||||||
+ key, value, hash_error_string(hret));
|
|
||||||
+ return EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
|
|
||||||
* and stores the allow_key and deny_key of all of the gpo_map_types present
|
|
||||||
@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
|
|
||||||
*/
|
|
||||||
static errno_t
|
|
||||||
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
|
||||||
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
|
|
||||||
const char *filename)
|
|
||||||
{
|
|
||||||
struct ini_cfgfile *file_ctx = NULL;
|
|
||||||
@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
|
||||||
goto done;
|
|
||||||
} else if (ret != ENOENT) {
|
|
||||||
const char *value = allow_value ? allow_value : empty_val;
|
|
||||||
- ret = sysdb_gpo_store_gpo_result_setting(domain,
|
|
||||||
- allow_key,
|
|
||||||
- value);
|
|
||||||
+ ret = add_result_to_hash(allow_maps, allow_key,
|
|
||||||
+ talloc_strdup(allow_maps, value));
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "sysdb_gpo_store_gpo_result_setting failed for key:"
|
|
||||||
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
|
|
||||||
- ret, sss_strerror(ret));
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
|
|
||||||
+ "value: [%s] to allow maps "
|
|
||||||
+ "[%d][%s].\n",
|
|
||||||
+ allow_key, value, ret,
|
|
||||||
+ sss_strerror(ret));
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
|
||||||
goto done;
|
|
||||||
} else if (ret != ENOENT) {
|
|
||||||
const char *value = deny_value ? deny_value : empty_val;
|
|
||||||
- ret = sysdb_gpo_store_gpo_result_setting(domain,
|
|
||||||
- deny_key,
|
|
||||||
- value);
|
|
||||||
+ ret = add_result_to_hash(deny_maps, deny_key,
|
|
||||||
+ talloc_strdup(deny_maps, value));
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "sysdb_gpo_store_gpo_result_setting failed for key:"
|
|
||||||
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
|
|
||||||
- ret, sss_strerror(ret));
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
|
|
||||||
+ "value: [%s] to deny maps "
|
|
||||||
+ "[%d][%s].\n",
|
|
||||||
+ deny_key, value, ret,
|
|
||||||
+ sss_strerror(ret));
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state {
|
|
||||||
int num_cse_filtered_gpos;
|
|
||||||
int cse_gpo_index;
|
|
||||||
const char *ad_domain;
|
|
||||||
+ hash_table_t *allow_maps;
|
|
||||||
+ hash_table_t *deny_maps;
|
|
||||||
};
|
|
||||||
|
|
||||||
static void ad_gpo_connect_done(struct tevent_req *subreq);
|
|
||||||
@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
|
||||||
goto immediately;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = sss_hash_create(state, 0, &state->allow_maps);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
|
|
||||||
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
|
|
||||||
+ goto immediately;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sss_hash_create(state, 0, &state->deny_maps);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
|
|
||||||
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
|
|
||||||
+ goto immediately;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
|
|
||||||
if (subreq == NULL) {
|
|
||||||
@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req)
|
|
||||||
return EAGAIN;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static errno_t
|
|
||||||
+store_hash_maps_in_cache(struct sss_domain_info *domain,
|
|
||||||
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ struct hash_iter_context_t *iter;
|
|
||||||
+ hash_entry_t *entry;
|
|
||||||
+ size_t c;
|
|
||||||
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ for (c = 0; hash_list[c] != NULL; c++) {
|
|
||||||
+ iter = new_hash_iter_context(hash_list[c]);
|
|
||||||
+ if (iter == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ while ((entry = iter->next(iter)) != NULL) {
|
|
||||||
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
|
|
||||||
+ entry->key.c_str,
|
|
||||||
+ entry->value.ptr);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ free(iter);
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
|
|
||||||
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
|
|
||||||
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ talloc_free(iter);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
|
|
||||||
* cse_gpo_index until the policy settings for all applicable GPOs have been
|
|
||||||
@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
|
||||||
* (as part of the GPO Result object in the sysdb cache).
|
|
||||||
*/
|
|
||||||
ret = ad_gpo_store_policy_settings(state->host_domain,
|
|
||||||
+ state->allow_maps, state->deny_maps,
|
|
||||||
cse_filtered_gpo->policy_filename);
|
|
||||||
if (ret != EOK && ret != ENOENT) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
|
||||||
|
|
||||||
if (ret == EOK) {
|
|
||||||
/* ret is EOK only after all GPO policy files have been downloaded */
|
|
||||||
+ ret = store_hash_maps_in_cache(state->host_domain,
|
|
||||||
+ state->allow_maps, state->deny_maps);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
|
|
||||||
+ "[%d][%s].\n", ret, sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
ret = ad_gpo_perform_hbac_processing(state,
|
|
||||||
state->gpo_mode,
|
|
||||||
state->gpo_map_type,
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,81 +0,0 @@
|
|||||||
From db27a51f274640e1aa2f13476c80955a3ec9e91c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 1 Mar 2024 10:50:07 +0100
|
|
||||||
Subject: [PATCH] ad: refresh root domain when read directly
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
If the domain object of the forest root domain cannot be found in the
|
|
||||||
LDAP tree of the local AD domain SSSD tries to read the request data
|
|
||||||
from an LDAP server of the forest root domain directly. After reading
|
|
||||||
this data the information is stored in the cache but currently the
|
|
||||||
information about the domain store in memory is not updated with the
|
|
||||||
additional data. As a result e.g. the domain SID is missing in this data
|
|
||||||
and only becomes available after a restart where it is read from the
|
|
||||||
cache.
|
|
||||||
|
|
||||||
With this patch an unconditional refresh is triggered at the end of the
|
|
||||||
fallback code path.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/7250
|
|
||||||
|
|
||||||
Reviewed-by: Dan Lavu <dlavu@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
(cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53)
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_subdomains.c | 10 +++++-----
|
|
||||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
||||||
index a8d1892cc..d8f3738ce 100644
|
|
||||||
--- a/src/providers/ad/ad_subdomains.c
|
|
||||||
+++ b/src/providers/ad/ad_subdomains.c
|
|
||||||
@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state {
|
|
||||||
static void ad_get_root_domain_done(struct tevent_req *subreq);
|
|
||||||
static void ad_check_root_domain_done(struct tevent_req *subreq);
|
|
||||||
static errno_t
|
|
||||||
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
|
|
||||||
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
|
|
||||||
|
|
||||||
struct tevent_req *
|
|
||||||
ad_check_domain_send(TALLOC_CTX *mem_ctx,
|
|
||||||
@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ad_get_root_domain_refresh(state);
|
|
||||||
+ ret = ad_get_root_domain_refresh(state, false);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
|
|
||||||
}
|
|
||||||
@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
|
|
||||||
|
|
||||||
state->reply_count = 1;
|
|
||||||
|
|
||||||
- ret = ad_get_root_domain_refresh(state);
|
|
||||||
+ ret = ad_get_root_domain_refresh(state, true);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
|
|
||||||
}
|
|
||||||
@@ -1697,7 +1697,7 @@ done:
|
|
||||||
}
|
|
||||||
|
|
||||||
static errno_t
|
|
||||||
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
|
|
||||||
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
|
|
||||||
{
|
|
||||||
struct sss_domain_info *root_domain;
|
|
||||||
bool has_changes;
|
|
||||||
@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (has_changes) {
|
|
||||||
+ if (has_changes || refresh) {
|
|
||||||
ret = ad_subdom_reinit(state->sd_ctx);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
|
|
||||||
--
|
|
||||||
2.45.0
|
|
||||||
|
|
@ -0,0 +1,332 @@
|
|||||||
|
From 88d8afbb115f18007dcc11f7ebac1b238c3ebd98 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Mon, 25 Sep 2023 12:36:09 +0200
|
||||||
|
Subject: [PATCH] MC: a couple of additions to 'recover from invalid memory
|
||||||
|
cache size' patch
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Additions to 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 :
|
||||||
|
|
||||||
|
- handle all invalidations consistently
|
||||||
|
- supply a valid pointer to `sss_mmap_cache_validate_or_reinit()`,
|
||||||
|
not a pointer to a local var
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/nss/nss_get_object.c | 10 ++---
|
||||||
|
src/responder/nss/nss_iface.c | 8 ++--
|
||||||
|
src/responder/nss/nsssrv_mmap_cache.c | 64 ++++++++++++++++++---------
|
||||||
|
src/responder/nss/nsssrv_mmap_cache.h | 10 ++---
|
||||||
|
4 files changed, 56 insertions(+), 36 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
|
||||||
|
index 5d62dd0985..29f9cb59b5 100644
|
||||||
|
--- a/src/responder/nss/nss_get_object.c
|
||||||
|
+++ b/src/responder/nss/nss_get_object.c
|
||||||
|
@@ -34,13 +34,13 @@ memcache_delete_entry_by_name(struct sss_nss_ctx *nss_ctx,
|
||||||
|
|
||||||
|
switch (type) {
|
||||||
|
case SSS_MC_PASSWD:
|
||||||
|
- ret = sss_mmap_cache_pw_invalidate(nss_ctx->pwd_mc_ctx, name);
|
||||||
|
+ ret = sss_mmap_cache_pw_invalidate(&nss_ctx->pwd_mc_ctx, name);
|
||||||
|
break;
|
||||||
|
case SSS_MC_GROUP:
|
||||||
|
- ret = sss_mmap_cache_gr_invalidate(nss_ctx->grp_mc_ctx, name);
|
||||||
|
+ ret = sss_mmap_cache_gr_invalidate(&nss_ctx->grp_mc_ctx, name);
|
||||||
|
break;
|
||||||
|
case SSS_MC_INITGROUPS:
|
||||||
|
- ret = sss_mmap_cache_initgr_invalidate(nss_ctx->initgr_mc_ctx, name);
|
||||||
|
+ ret = sss_mmap_cache_initgr_invalidate(&nss_ctx->initgr_mc_ctx, name);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return EINVAL;
|
||||||
|
@@ -66,10 +66,10 @@ memcache_delete_entry_by_id(struct sss_nss_ctx *nss_ctx,
|
||||||
|
|
||||||
|
switch (type) {
|
||||||
|
case SSS_MC_PASSWD:
|
||||||
|
- ret = sss_mmap_cache_pw_invalidate_uid(nss_ctx->pwd_mc_ctx, (uid_t)id);
|
||||||
|
+ ret = sss_mmap_cache_pw_invalidate_uid(&nss_ctx->pwd_mc_ctx, (uid_t)id);
|
||||||
|
break;
|
||||||
|
case SSS_MC_GROUP:
|
||||||
|
- ret = sss_mmap_cache_gr_invalidate_gid(nss_ctx->grp_mc_ctx, (gid_t)id);
|
||||||
|
+ ret = sss_mmap_cache_gr_invalidate_gid(&nss_ctx->grp_mc_ctx, (gid_t)id);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return EINVAL;
|
||||||
|
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
|
||||||
|
index 07e91aa811..db743f8b7e 100644
|
||||||
|
--- a/src/responder/nss/nss_iface.c
|
||||||
|
+++ b/src/responder/nss/nss_iface.c
|
||||||
|
@@ -78,7 +78,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
|
||||||
|
|
||||||
|
if (ret == ENOENT || res->count == 0) {
|
||||||
|
/* The user is gone. Invalidate the mc record */
|
||||||
|
- ret = sss_mmap_cache_pw_invalidate(nctx->pwd_mc_ctx, delete_name);
|
||||||
|
+ ret = sss_mmap_cache_pw_invalidate(&nctx->pwd_mc_ctx, delete_name);
|
||||||
|
if (ret != EOK && ret != ENOENT) {
|
||||||
|
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
"Internal failure in memory cache code: %d [%s]\n",
|
||||||
|
@@ -125,7 +125,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
|
||||||
|
for (i = 0; i < gnum; i++) {
|
||||||
|
id = groups[i];
|
||||||
|
|
||||||
|
- ret = sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, id);
|
||||||
|
+ ret = sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, id);
|
||||||
|
if (ret != EOK && ret != ENOENT) {
|
||||||
|
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
"Internal failure in memory cache code: %d [%s]\n",
|
||||||
|
@@ -134,7 +134,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
to_sized_string(delete_name, fq_name);
|
||||||
|
- ret = sss_mmap_cache_initgr_invalidate(nctx->initgr_mc_ctx,
|
||||||
|
+ ret = sss_mmap_cache_initgr_invalidate(&nctx->initgr_mc_ctx,
|
||||||
|
delete_name);
|
||||||
|
if (ret != EOK && ret != ENOENT) {
|
||||||
|
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
@@ -208,7 +208,7 @@ sss_nss_memorycache_invalidate_group_by_id(TALLOC_CTX *mem_ctx,
|
||||||
|
DEBUG(SSSDBG_TRACE_LIBS,
|
||||||
|
"Invalidating group %u from memory cache\n", gid);
|
||||||
|
|
||||||
|
- sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid);
|
||||||
|
+ sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, gid);
|
||||||
|
|
||||||
|
return EOK;
|
||||||
|
}
|
||||||
|
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
|
||||||
|
index 90d12299a4..06f3d7a694 100644
|
||||||
|
--- a/src/responder/nss/nsssrv_mmap_cache.c
|
||||||
|
+++ b/src/responder/nss/nsssrv_mmap_cache.c
|
||||||
|
@@ -701,16 +701,22 @@ static inline void sss_mmap_chain_in_rec(struct sss_mc_ctx *mcc,
|
||||||
|
* generic invalidation
|
||||||
|
***************************************************************************/
|
||||||
|
|
||||||
|
-static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc,
|
||||||
|
+static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc);
|
||||||
|
+
|
||||||
|
+static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx **_mcc,
|
||||||
|
const struct sized_string *key)
|
||||||
|
{
|
||||||
|
+ struct sss_mc_ctx *mcc;
|
||||||
|
struct sss_mc_rec *rec;
|
||||||
|
+ int ret;
|
||||||
|
|
||||||
|
- if (mcc == NULL) {
|
||||||
|
- /* cache not initialized? */
|
||||||
|
- return EINVAL;
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mcc = *_mcc;
|
||||||
|
+
|
||||||
|
rec = sss_mc_find_record(mcc, key);
|
||||||
|
if (rec == NULL) {
|
||||||
|
/* nothing to invalidate */
|
||||||
|
@@ -785,7 +791,7 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
|
||||||
|
const struct sized_string *homedir,
|
||||||
|
const struct sized_string *shell)
|
||||||
|
{
|
||||||
|
- struct sss_mc_ctx *mcc = *_mcc;
|
||||||
|
+ struct sss_mc_ctx *mcc;
|
||||||
|
struct sss_mc_rec *rec;
|
||||||
|
struct sss_mc_pwd_data *data;
|
||||||
|
struct sized_string uidkey;
|
||||||
|
@@ -795,11 +801,13 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
|
||||||
|
size_t pos;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
|
||||||
|
if (ret != EOK) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mcc = *_mcc;
|
||||||
|
+
|
||||||
|
ret = snprintf(uidstr, 11, "%ld", (long)uid);
|
||||||
|
if (ret > 10) {
|
||||||
|
return EINVAL;
|
||||||
|
@@ -851,14 +859,15 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
|
||||||
|
return EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc,
|
||||||
|
+errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx **_mcc,
|
||||||
|
const struct sized_string *name)
|
||||||
|
{
|
||||||
|
- return sss_mmap_cache_invalidate(mcc, name);
|
||||||
|
+ return sss_mmap_cache_invalidate(_mcc, name);
|
||||||
|
}
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid)
|
||||||
|
+errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx **_mcc, uid_t uid)
|
||||||
|
{
|
||||||
|
+ struct sss_mc_ctx *mcc;
|
||||||
|
struct sss_mc_rec *rec = NULL;
|
||||||
|
struct sss_mc_pwd_data *data;
|
||||||
|
uint32_t hash;
|
||||||
|
@@ -866,11 +875,13 @@ errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid)
|
||||||
|
char *uidstr;
|
||||||
|
errno_t ret;
|
||||||
|
|
||||||
|
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
|
||||||
|
if (ret != EOK) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mcc = *_mcc;
|
||||||
|
+
|
||||||
|
uidstr = talloc_asprintf(NULL, "%ld", (long)uid);
|
||||||
|
if (!uidstr) {
|
||||||
|
return ENOMEM;
|
||||||
|
@@ -927,7 +938,7 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
|
||||||
|
gid_t gid, size_t memnum,
|
||||||
|
const char *membuf, size_t memsize)
|
||||||
|
{
|
||||||
|
- struct sss_mc_ctx *mcc = *_mcc;
|
||||||
|
+ struct sss_mc_ctx *mcc;
|
||||||
|
struct sss_mc_rec *rec;
|
||||||
|
struct sss_mc_grp_data *data;
|
||||||
|
struct sized_string gidkey;
|
||||||
|
@@ -937,11 +948,13 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
|
||||||
|
size_t pos;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
|
||||||
|
if (ret != EOK) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mcc = *_mcc;
|
||||||
|
+
|
||||||
|
ret = snprintf(gidstr, 11, "%ld", (long)gid);
|
||||||
|
if (ret > 10) {
|
||||||
|
return EINVAL;
|
||||||
|
@@ -989,14 +1002,15 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
|
||||||
|
return EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc,
|
||||||
|
+errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx **_mcc,
|
||||||
|
const struct sized_string *name)
|
||||||
|
{
|
||||||
|
- return sss_mmap_cache_invalidate(mcc, name);
|
||||||
|
+ return sss_mmap_cache_invalidate(_mcc, name);
|
||||||
|
}
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid)
|
||||||
|
+errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx **_mcc, gid_t gid)
|
||||||
|
{
|
||||||
|
+ struct sss_mc_ctx *mcc;
|
||||||
|
struct sss_mc_rec *rec = NULL;
|
||||||
|
struct sss_mc_grp_data *data;
|
||||||
|
uint32_t hash;
|
||||||
|
@@ -1004,11 +1018,13 @@ errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid)
|
||||||
|
char *gidstr;
|
||||||
|
errno_t ret;
|
||||||
|
|
||||||
|
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
|
||||||
|
if (ret != EOK) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mcc = *_mcc;
|
||||||
|
+
|
||||||
|
gidstr = talloc_asprintf(NULL, "%ld", (long)gid);
|
||||||
|
if (!gidstr) {
|
||||||
|
return ENOMEM;
|
||||||
|
@@ -1061,7 +1077,7 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
|
||||||
|
uint32_t num_groups,
|
||||||
|
const uint8_t *gids_buf)
|
||||||
|
{
|
||||||
|
- struct sss_mc_ctx *mcc = *_mcc;
|
||||||
|
+ struct sss_mc_ctx *mcc;
|
||||||
|
struct sss_mc_rec *rec;
|
||||||
|
struct sss_mc_initgr_data *data;
|
||||||
|
size_t data_len;
|
||||||
|
@@ -1069,11 +1085,13 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
|
||||||
|
size_t pos;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
|
||||||
|
if (ret != EOK) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mcc = *_mcc;
|
||||||
|
+
|
||||||
|
/* array of gids + name + unique_name */
|
||||||
|
data_len = num_groups * sizeof(uint32_t) + name->len + unique_name->len;
|
||||||
|
rec_len = sizeof(struct sss_mc_rec) + sizeof(struct sss_mc_initgr_data)
|
||||||
|
@@ -1119,10 +1137,10 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
|
||||||
|
return EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc,
|
||||||
|
+errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc,
|
||||||
|
const struct sized_string *name)
|
||||||
|
{
|
||||||
|
- return sss_mmap_cache_invalidate(mcc, name);
|
||||||
|
+ return sss_mmap_cache_invalidate(_mcc, name);
|
||||||
|
}
|
||||||
|
|
||||||
|
errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc,
|
||||||
|
@@ -1131,18 +1149,20 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc,
|
||||||
|
uint32_t type,
|
||||||
|
bool explicit_lookup)
|
||||||
|
{
|
||||||
|
- struct sss_mc_ctx *mcc = *_mcc;
|
||||||
|
+ struct sss_mc_ctx *mcc;
|
||||||
|
struct sss_mc_rec *rec;
|
||||||
|
struct sss_mc_sid_data *data;
|
||||||
|
char idkey[16];
|
||||||
|
size_t rec_len;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
|
||||||
|
if (ret != EOK) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mcc = *_mcc;
|
||||||
|
+
|
||||||
|
ret = snprintf(idkey, sizeof(idkey), "%d-%ld",
|
||||||
|
(type == SSS_ID_TYPE_GID) ? SSS_ID_TYPE_GID : SSS_ID_TYPE_UID,
|
||||||
|
(long)id);
|
||||||
|
diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h
|
||||||
|
index 686b8e1b21..28ee5adb64 100644
|
||||||
|
--- a/src/responder/nss/nsssrv_mmap_cache.h
|
||||||
|
+++ b/src/responder/nss/nsssrv_mmap_cache.h
|
||||||
|
@@ -63,17 +63,17 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc,
|
||||||
|
uint32_t type, /* enum sss_id_type*/
|
||||||
|
bool explicit_lookup); /* false ~ by_id(), true ~ by_uid/gid() */
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc,
|
||||||
|
+errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx **_mcc,
|
||||||
|
const struct sized_string *name);
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid);
|
||||||
|
+errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx **_mcc, uid_t uid);
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc,
|
||||||
|
+errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx **_mcc,
|
||||||
|
const struct sized_string *name);
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid);
|
||||||
|
+errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx **_mcc, gid_t gid);
|
||||||
|
|
||||||
|
-errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc,
|
||||||
|
+errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc,
|
||||||
|
const struct sized_string *name);
|
||||||
|
|
||||||
|
errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx,
|
220
SOURCES/mc-recover-from-invalid-memory-cache-size.patch
Normal file
220
SOURCES/mc-recover-from-invalid-memory-cache-size.patch
Normal file
@ -0,0 +1,220 @@
|
|||||||
|
From 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
|
Date: Fri, 4 Aug 2023 12:19:49 +0200
|
||||||
|
Subject: [PATCH] mc: recover from invalid memory cache size
|
||||||
|
|
||||||
|
If we access the mmap file outside its boundaries a SIGBUS is raised.
|
||||||
|
We can now safely recover if the file has unexpected size.
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/nss/nsssrv_mmap_cache.c | 86 +++++++++++++++++----
|
||||||
|
src/sss_client/nss_mc_common.c | 42 +++++++---
|
||||||
|
2 files changed, 135 insertions(+), 29 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
|
||||||
|
index 12c2996596..bd814f3bc7 100644
|
||||||
|
--- a/src/responder/nss/nsssrv_mmap_cache.c
|
||||||
|
+++ b/src/responder/nss/nsssrv_mmap_cache.c
|
||||||
|
@@ -722,6 +722,57 @@ static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc,
|
||||||
|
return EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc)
|
||||||
|
+{
|
||||||
|
+ struct sss_mc_ctx *mcc = *_mcc;
|
||||||
|
+ struct stat fdstat;
|
||||||
|
+ bool reinit = false;
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ /* No mcc initialized? Memory cache may be disabled. */
|
||||||
|
+ if (mcc == NULL || mcc->fd < 0) {
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ reinit = false;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fstat(mcc->fd, &fdstat) == -1) {
|
||||||
|
+ ret = errno;
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ "Unable to stat memory cache [file=%s, fd=%d] [%d]: %s\n",
|
||||||
|
+ mcc->file, mcc->fd, ret, sss_strerror(ret));
|
||||||
|
+ reinit = true;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fdstat.st_nlink == 0) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Memory cache file was removed\n");
|
||||||
|
+ ret = ENOENT;
|
||||||
|
+ reinit = true;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fdstat.st_size != mcc->mmap_size) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ "Memory cache is corrupted, invalid size [file=%s, fd=%d, "
|
||||||
|
+ "expected_size=%zu, real_size=%zu]\n",
|
||||||
|
+ mcc->file, mcc->fd, mcc->mmap_size, fdstat.st_size);
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ reinit = true;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = EOK;
|
||||||
|
+ reinit = false;
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ if (reinit) {
|
||||||
|
+ return sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, -1, -1, _mcc);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/***************************************************************************
|
||||||
|
* passwd map
|
||||||
|
***************************************************************************/
|
||||||
|
@@ -744,9 +795,9 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
|
||||||
|
size_t pos;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- if (mcc == NULL) {
|
||||||
|
- /* cache not initialized? */
|
||||||
|
- return EINVAL;
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = snprintf(uidstr, 11, "%ld", (long)uid);
|
||||||
|
@@ -815,9 +866,9 @@ errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid)
|
||||||
|
char *uidstr;
|
||||||
|
errno_t ret;
|
||||||
|
|
||||||
|
- if (mcc == NULL) {
|
||||||
|
- /* cache not initialized? */
|
||||||
|
- return EINVAL;
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
uidstr = talloc_asprintf(NULL, "%ld", (long)uid);
|
||||||
|
@@ -886,9 +937,9 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
|
||||||
|
size_t pos;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- if (mcc == NULL) {
|
||||||
|
- /* cache not initialized? */
|
||||||
|
- return EINVAL;
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = snprintf(gidstr, 11, "%ld", (long)gid);
|
||||||
|
@@ -953,9 +1004,9 @@ errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid)
|
||||||
|
char *gidstr;
|
||||||
|
errno_t ret;
|
||||||
|
|
||||||
|
- if (mcc == NULL) {
|
||||||
|
- /* cache not initialized? */
|
||||||
|
- return EINVAL;
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
gidstr = talloc_asprintf(NULL, "%ld", (long)gid);
|
||||||
|
@@ -1018,9 +1069,9 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
|
||||||
|
size_t pos;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- if (mcc == NULL) {
|
||||||
|
- /* cache not initialized? */
|
||||||
|
- return EINVAL;
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* array of gids + name + unique_name */
|
||||||
|
@@ -1087,8 +1138,9 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc,
|
||||||
|
size_t rec_len;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- if (mcc == NULL) {
|
||||||
|
- return EINVAL;
|
||||||
|
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = snprintf(idkey, sizeof(idkey), "%d-%ld",
|
||||||
|
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
|
||||||
|
index 3128861bf3..e227c0bae3 100644
|
||||||
|
--- a/src/sss_client/nss_mc_common.c
|
||||||
|
+++ b/src/sss_client/nss_mc_common.c
|
||||||
|
@@ -69,13 +69,43 @@ static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
+static errno_t sss_nss_mc_validate(struct sss_cli_mc_ctx *ctx)
|
||||||
|
+{
|
||||||
|
+ struct stat fdstat;
|
||||||
|
+
|
||||||
|
+ /* No mc ctx initialized?*/
|
||||||
|
+ if (ctx == NULL || ctx->fd < 0) {
|
||||||
|
+ return EINVAL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fstat(ctx->fd, &fdstat) == -1) {
|
||||||
|
+ return errno;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Memcache was removed. */
|
||||||
|
+ if (fdstat.st_nlink == 0) {
|
||||||
|
+ return ENOENT;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Invalid size. */
|
||||||
|
+ if (fdstat.st_size != ctx->mmap_size) {
|
||||||
|
+ return ERANGE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return EOK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||||
|
{
|
||||||
|
struct sss_mc_header h;
|
||||||
|
bool copy_ok;
|
||||||
|
int count;
|
||||||
|
int ret;
|
||||||
|
- struct stat fdstat;
|
||||||
|
+
|
||||||
|
+ ret = sss_nss_mc_validate(ctx);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* retry barrier protected reading max 5 times then give up */
|
||||||
|
for (count = 5; count > 0; count--) {
|
||||||
|
@@ -115,16 +145,6 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = fstat(ctx->fd, &fdstat);
|
||||||
|
- if (ret == -1) {
|
||||||
|
- return EIO;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (fdstat.st_nlink == 0) {
|
||||||
|
- /* memory cache was removed; we need to reinitialize it. */
|
||||||
|
- return EINVAL;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
400
SOURCES/sss_iface-do-not-add-cli_id-to-chain-key.patch
Normal file
400
SOURCES/sss_iface-do-not-add-cli_id-to-chain-key.patch
Normal file
@ -0,0 +1,400 @@
|
|||||||
|
From 1e5dfc187c7659cca567d2f7d5592e72794ef13c Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
|
Date: Mon, 4 Sep 2023 14:12:58 +0200
|
||||||
|
Subject: [PATCH] sss_iface: do not add cli_id to chain key
|
||||||
|
|
||||||
|
Otherwise we only chain identical requests from the same client
|
||||||
|
which effectively renders chaining not functional.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/6911
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
---
|
||||||
|
src/sss_iface/sbus_sss_client_async.c | 12 +++----
|
||||||
|
src/sss_iface/sbus_sss_interface.h | 24 ++++++-------
|
||||||
|
src/sss_iface/sbus_sss_keygens.c | 50 +++++++++++++--------------
|
||||||
|
src/sss_iface/sbus_sss_keygens.h | 10 +++---
|
||||||
|
src/sss_iface/sss_iface.xml | 12 +++----
|
||||||
|
5 files changed, 54 insertions(+), 54 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/sss_iface/sbus_sss_client_async.c b/src/sss_iface/sbus_sss_client_async.c
|
||||||
|
index 042d1b7b34..5ca925283a 100644
|
||||||
|
--- a/src/sss_iface/sbus_sss_client_async.c
|
||||||
|
+++ b/src/sss_iface/sbus_sss_client_async.c
|
||||||
|
@@ -1861,7 +1861,7 @@ sbus_call_dp_autofs_Enumerate_send
|
||||||
|
const char * arg_mapname,
|
||||||
|
uint32_t arg_cli_id)
|
||||||
|
{
|
||||||
|
- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
|
||||||
|
+ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
|
||||||
|
busname, object_path, "sssd.DataProvider.Autofs", "Enumerate", arg_dp_flags, arg_mapname, arg_cli_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1883,7 +1883,7 @@ sbus_call_dp_autofs_GetEntry_send
|
||||||
|
const char * arg_entryname,
|
||||||
|
uint32_t arg_cli_id)
|
||||||
|
{
|
||||||
|
- return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2_3,
|
||||||
|
+ return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2,
|
||||||
|
busname, object_path, "sssd.DataProvider.Autofs", "GetEntry", arg_dp_flags, arg_mapname, arg_entryname, arg_cli_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1904,7 +1904,7 @@ sbus_call_dp_autofs_GetMap_send
|
||||||
|
const char * arg_mapname,
|
||||||
|
uint32_t arg_cli_id)
|
||||||
|
{
|
||||||
|
- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
|
||||||
|
+ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
|
||||||
|
busname, object_path, "sssd.DataProvider.Autofs", "GetMap", arg_dp_flags, arg_mapname, arg_cli_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2142,7 +2142,7 @@ sbus_call_dp_dp_getAccountDomain_send
|
||||||
|
const char * arg_filter,
|
||||||
|
uint32_t arg_cli_id)
|
||||||
|
{
|
||||||
|
- return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2_3,
|
||||||
|
+ return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2,
|
||||||
|
busname, object_path, "sssd.dataprovider", "getAccountDomain", arg_dp_flags, arg_entry_type, arg_filter, arg_cli_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2170,7 +2170,7 @@ sbus_call_dp_dp_getAccountInfo_send
|
||||||
|
const char * arg_extra,
|
||||||
|
uint32_t arg_cli_id)
|
||||||
|
{
|
||||||
|
- return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4_5,
|
||||||
|
+ return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4,
|
||||||
|
busname, object_path, "sssd.dataprovider", "getAccountInfo", arg_dp_flags, arg_entry_type, arg_filter, arg_domain, arg_extra, arg_cli_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2267,7 +2267,7 @@ sbus_call_dp_dp_resolverHandler_send
|
||||||
|
const char * arg_filter_value,
|
||||||
|
uint32_t arg_cli_id)
|
||||||
|
{
|
||||||
|
- return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3_4,
|
||||||
|
+ return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3,
|
||||||
|
busname, object_path, "sssd.dataprovider", "resolverHandler", arg_dp_flags, arg_entry_type, arg_filter_type, arg_filter_value, arg_cli_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/sss_iface/sbus_sss_interface.h b/src/sss_iface/sbus_sss_interface.h
|
||||||
|
index fc86c71d90..5b4d1c362a 100644
|
||||||
|
--- a/src/sss_iface/sbus_sss_interface.h
|
||||||
|
+++ b/src/sss_iface/sbus_sss_interface.h
|
||||||
|
@@ -166,7 +166,7 @@
|
||||||
|
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_usu_out__send, \
|
||||||
|
- _sbus_sss_key_usu_0_1_2, \
|
||||||
|
+ _sbus_sss_key_usu_0_1, \
|
||||||
|
(handler), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -177,7 +177,7 @@
|
||||||
|
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_usu_out__send, \
|
||||||
|
- _sbus_sss_key_usu_0_1_2, \
|
||||||
|
+ _sbus_sss_key_usu_0_1, \
|
||||||
|
(handler_send), (handler_recv), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -188,7 +188,7 @@
|
||||||
|
&_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_ussu_out__send, \
|
||||||
|
- _sbus_sss_key_ussu_0_1_2_3, \
|
||||||
|
+ _sbus_sss_key_ussu_0_1_2, \
|
||||||
|
(handler), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -199,7 +199,7 @@
|
||||||
|
&_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_ussu_out__send, \
|
||||||
|
- _sbus_sss_key_ussu_0_1_2_3, \
|
||||||
|
+ _sbus_sss_key_ussu_0_1_2, \
|
||||||
|
(handler_send), (handler_recv), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -210,7 +210,7 @@
|
||||||
|
&_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_usu_out__send, \
|
||||||
|
- _sbus_sss_key_usu_0_1_2, \
|
||||||
|
+ _sbus_sss_key_usu_0_1, \
|
||||||
|
(handler), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -221,7 +221,7 @@
|
||||||
|
&_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_usu_out__send, \
|
||||||
|
- _sbus_sss_key_usu_0_1_2, \
|
||||||
|
+ _sbus_sss_key_usu_0_1, \
|
||||||
|
(handler_send), (handler_recv), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -522,7 +522,7 @@
|
||||||
|
&_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_uusu_out_qus_send, \
|
||||||
|
- _sbus_sss_key_uusu_0_1_2_3, \
|
||||||
|
+ _sbus_sss_key_uusu_0_1_2, \
|
||||||
|
(handler), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -533,7 +533,7 @@
|
||||||
|
&_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_uusu_out_qus_send, \
|
||||||
|
- _sbus_sss_key_uusu_0_1_2_3, \
|
||||||
|
+ _sbus_sss_key_uusu_0_1_2, \
|
||||||
|
(handler_send), (handler_recv), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -544,7 +544,7 @@
|
||||||
|
&_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_uusssu_out_qus_send, \
|
||||||
|
- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
|
||||||
|
+ _sbus_sss_key_uusssu_0_1_2_3_4, \
|
||||||
|
(handler), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -555,7 +555,7 @@
|
||||||
|
&_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_uusssu_out_qus_send, \
|
||||||
|
- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
|
||||||
|
+ _sbus_sss_key_uusssu_0_1_2_3_4, \
|
||||||
|
(handler_send), (handler_recv), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -632,7 +632,7 @@
|
||||||
|
&_sbus_sss_args_sssd_dataprovider_resolverHandler, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_uuusu_out_qus_send, \
|
||||||
|
- _sbus_sss_key_uuusu_0_1_2_3_4, \
|
||||||
|
+ _sbus_sss_key_uuusu_0_1_2_3, \
|
||||||
|
(handler), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -643,7 +643,7 @@
|
||||||
|
&_sbus_sss_args_sssd_dataprovider_resolverHandler, \
|
||||||
|
NULL, \
|
||||||
|
_sbus_sss_invoke_in_uuusu_out_qus_send, \
|
||||||
|
- _sbus_sss_key_uuusu_0_1_2_3_4, \
|
||||||
|
+ _sbus_sss_key_uuusu_0_1_2_3, \
|
||||||
|
(handler_send), (handler_recv), (data)); \
|
||||||
|
})
|
||||||
|
|
||||||
|
diff --git a/src/sss_iface/sbus_sss_keygens.c b/src/sss_iface/sbus_sss_keygens.c
|
||||||
|
index 1bffc1360f..0bded60f83 100644
|
||||||
|
--- a/src/sss_iface/sbus_sss_keygens.c
|
||||||
|
+++ b/src/sss_iface/sbus_sss_keygens.c
|
||||||
|
@@ -90,86 +90,86 @@ _sbus_sss_key_ussu_0_1
|
||||||
|
}
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_ussu_0_1_2_3
|
||||||
|
+_sbus_sss_key_ussu_0_1_2
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_ussu *args)
|
||||||
|
{
|
||||||
|
if (sbus_req->sender == NULL) {
|
||||||
|
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s",
|
||||||
|
sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s",
|
||||||
|
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
|
||||||
|
}
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_usu_0_1_2
|
||||||
|
+_sbus_sss_key_usu_0_1
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_usu *args)
|
||||||
|
{
|
||||||
|
if (sbus_req->sender == NULL) {
|
||||||
|
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s",
|
||||||
|
sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s",
|
||||||
|
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1);
|
||||||
|
}
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_uusssu_0_1_2_3_4_5
|
||||||
|
+_sbus_sss_key_uusssu_0_1_2_3_4
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_uusssu *args)
|
||||||
|
{
|
||||||
|
if (sbus_req->sender == NULL) {
|
||||||
|
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
|
||||||
|
sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
|
||||||
|
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
|
||||||
|
}
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_uusu_0_1_2_3
|
||||||
|
+_sbus_sss_key_uusu_0_1_2
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_uusu *args)
|
||||||
|
{
|
||||||
|
if (sbus_req->sender == NULL) {
|
||||||
|
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
|
||||||
|
sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
|
||||||
|
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
|
||||||
|
}
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_uuusu_0_1_2_3_4
|
||||||
|
+_sbus_sss_key_uuusu_0_1_2_3
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_uuusu *args)
|
||||||
|
{
|
||||||
|
if (sbus_req->sender == NULL) {
|
||||||
|
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
|
||||||
|
sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
|
||||||
|
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
|
||||||
|
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
|
||||||
|
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
|
||||||
|
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
|
||||||
|
}
|
||||||
|
diff --git a/src/sss_iface/sbus_sss_keygens.h b/src/sss_iface/sbus_sss_keygens.h
|
||||||
|
index 8f09b46de5..7e42c2c53f 100644
|
||||||
|
--- a/src/sss_iface/sbus_sss_keygens.h
|
||||||
|
+++ b/src/sss_iface/sbus_sss_keygens.h
|
||||||
|
@@ -49,31 +49,31 @@ _sbus_sss_key_ussu_0_1
|
||||||
|
struct _sbus_sss_invoker_args_ussu *args);
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_ussu_0_1_2_3
|
||||||
|
+_sbus_sss_key_ussu_0_1_2
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_ussu *args);
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_usu_0_1_2
|
||||||
|
+_sbus_sss_key_usu_0_1
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_usu *args);
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_uusssu_0_1_2_3_4_5
|
||||||
|
+_sbus_sss_key_uusssu_0_1_2_3_4
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_uusssu *args);
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_uusu_0_1_2_3
|
||||||
|
+_sbus_sss_key_uusu_0_1_2
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_uusu *args);
|
||||||
|
|
||||||
|
const char *
|
||||||
|
-_sbus_sss_key_uuusu_0_1_2_3_4
|
||||||
|
+_sbus_sss_key_uuusu_0_1_2_3
|
||||||
|
(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sbus_request *sbus_req,
|
||||||
|
struct _sbus_sss_invoker_args_uuusu *args);
|
||||||
|
diff --git a/src/sss_iface/sss_iface.xml b/src/sss_iface/sss_iface.xml
|
||||||
|
index 6709c4e48a..82c65aa0b8 100644
|
||||||
|
--- a/src/sss_iface/sss_iface.xml
|
||||||
|
+++ b/src/sss_iface/sss_iface.xml
|
||||||
|
@@ -91,18 +91,18 @@
|
||||||
|
<method name="GetMap">
|
||||||
|
<arg name="dp_flags" type="u" direction="in" key="1" />
|
||||||
|
<arg name="mapname" type="s" direction="in" key="2" />
|
||||||
|
- <arg name="cli_id" type="u" direction="in" key="3" />
|
||||||
|
+ <arg name="cli_id" type="u" direction="in" />
|
||||||
|
</method>
|
||||||
|
<method name="GetEntry">
|
||||||
|
<arg name="dp_flags" type="u" direction="in" key="1" />
|
||||||
|
<arg name="mapname" type="s" direction="in" key="2" />
|
||||||
|
<arg name="entryname" type="s" direction="in" key="3" />
|
||||||
|
- <arg name="cli_id" type="u" direction="in" key="4" />
|
||||||
|
+ <arg name="cli_id" type="u" direction="in" />
|
||||||
|
</method>
|
||||||
|
<method name="Enumerate">
|
||||||
|
<arg name="dp_flags" type="u" direction="in" key="1" />
|
||||||
|
<arg name="mapname" type="s" direction="in" key="2" />
|
||||||
|
- <arg name="cli_id" type="u" direction="in" key="3" />
|
||||||
|
+ <arg name="cli_id" type="u" direction="in" />
|
||||||
|
</method>
|
||||||
|
</interface>
|
||||||
|
|
||||||
|
@@ -133,7 +133,7 @@
|
||||||
|
<arg name="entry_type" type="u" direction="in" key="2" />
|
||||||
|
<arg name="filter_type" type="u" direction="in" key="3" />
|
||||||
|
<arg name="filter_value" type="s" direction="in" key="4" />
|
||||||
|
- <arg name="cli_id" type="u" direction="in" key="5" />
|
||||||
|
+ <arg name="cli_id" type="u" direction="in" />
|
||||||
|
<arg name="dp_error" type="q" direction="out" />
|
||||||
|
<arg name="error" type="u" direction="out" />
|
||||||
|
<arg name="error_message" type="s" direction="out" />
|
||||||
|
@@ -150,7 +150,7 @@
|
||||||
|
<arg name="filter" type="s" direction="in" key="3" />
|
||||||
|
<arg name="domain" type="s" direction="in" key="4" />
|
||||||
|
<arg name="extra" type="s" direction="in" key="5" />
|
||||||
|
- <arg name="cli_id" type="u" direction="in" key="6" />
|
||||||
|
+ <arg name="cli_id" type="u" direction="in" />
|
||||||
|
<arg name="dp_error" type="q" direction="out" />
|
||||||
|
<arg name="error" type="u" direction="out" />
|
||||||
|
<arg name="error_message" type="s" direction="out" />
|
||||||
|
@@ -159,7 +159,7 @@
|
||||||
|
<arg name="dp_flags" type="u" direction="in" key="1" />
|
||||||
|
<arg name="entry_type" type="u" direction="in" key="2" />
|
||||||
|
<arg name="filter" type="s" direction="in" key="3" />
|
||||||
|
- <arg name="cli_id" type="u" direction="in" key="4" />
|
||||||
|
+ <arg name="cli_id" type="u" direction="in" />
|
||||||
|
<arg name="dp_error" type="q" direction="out" />
|
||||||
|
<arg name="error" type="u" direction="out" />
|
||||||
|
<arg name="domain_name" type="s" direction="out" />
|
@ -18,8 +18,8 @@
|
|||||||
%global enable_systemtap_opt --enable-systemtap
|
%global enable_systemtap_opt --enable-systemtap
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.9.4
|
Version: 2.9.1
|
||||||
Release: 4%{?dist}
|
Release: 4%{?dist}.alma.1
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -27,12 +27,16 @@ URL: https://github.com/SSSD/sssd
|
|||||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
Patch0001: 0001-sssd-adding-mail-as-case-insensitive.patch
|
Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
|
||||||
Patch0002: 0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
|
Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch
|
||||||
Patch0003: 0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
|
|
||||||
Patch0004: 0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
|
# Patches were taken from:
|
||||||
Patch0005: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch
|
# https://github.com/SSSD/sssd/commit/641e5f73d3bd5b3d32cafd551013d3bfd2a52732
|
||||||
Patch0006: 0006-ad-refresh-root-domain-when-read-directly.patch
|
Patch0005: mc-recover-from-invalid-memory-cache-size.patch
|
||||||
|
# https://github.com/SSSD/sssd/commit/1e5dfc187c7659cca567d2f7d5592e72794ef13c
|
||||||
|
Patch0006: sss_iface-do-not-add-cli_id-to-chain-key.patch
|
||||||
|
# https://github.com/SSSD/sssd/commit/88d8afbb115f18007dcc11f7ebac1b238c3ebd98
|
||||||
|
Patch0007: MC-a-couple-of-additions-to-recover-from-invalid-memory.patch
|
||||||
|
|
||||||
### Downstream Patches ###
|
### Downstream Patches ###
|
||||||
|
|
||||||
@ -356,7 +360,6 @@ Group: Applications/System
|
|||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
Conflicts: sssd < 1.10.0-8.beta2
|
Conflicts: sssd < 1.10.0-8.beta2
|
||||||
Requires: sssd-common = %{version}-%{release}
|
Requires: sssd-common = %{version}-%{release}
|
||||||
Requires: libsss_certmap = %{version}-%{release}
|
|
||||||
Requires(pre): shadow-utils
|
Requires(pre): shadow-utils
|
||||||
|
|
||||||
%description proxy
|
%description proxy
|
||||||
@ -1217,41 +1220,11 @@ fi
|
|||||||
%systemd_postun_with_restart sssd.service
|
%systemd_postun_with_restart sssd.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri May 17 2024 Arun Bansal <arbansal@redhat.com> - 2.9.4-4
|
* Wed Nov 15 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.9.1-4.alma.1
|
||||||
- Resolves: RHEL-33957 - ad: refresh root domain when read directly
|
- sss_iface: do not add cli_id to chain key
|
||||||
|
- mc: recover from invalid memory cache size
|
||||||
* Thu Apr 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-3
|
- MC: a couple of additions to 'recover from invalid memory
|
||||||
- Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently
|
cache size' patch
|
||||||
|
|
||||||
* Mon Feb 12 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-2
|
|
||||||
- Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8]
|
|
||||||
- Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8]
|
|
||||||
- Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8]
|
|
||||||
|
|
||||||
* Sat Jan 13 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-1
|
|
||||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
|
||||||
- Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache
|
|
||||||
- Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP'
|
|
||||||
- Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider')
|
|
||||||
- Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest
|
|
||||||
- Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf
|
|
||||||
- Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8]
|
|
||||||
- Resolves: RHEL-10721 - very bad performance when requesting service tickets
|
|
||||||
- Resolves: RHEL-19011 - Invalid handling groups from child domain
|
|
||||||
- Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8]
|
|
||||||
|
|
||||||
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-2
|
|
||||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
|
||||||
|
|
||||||
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-1
|
|
||||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
|
||||||
- Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication
|
|
||||||
- Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user
|
|
||||||
|
|
||||||
* Mon Sep 11 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.2-1
|
|
||||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
|
||||||
- Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code
|
|
||||||
- Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7)
|
|
||||||
|
|
||||||
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
|
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
|
||||||
- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
|
- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
|
||||||
|
Loading…
Reference in New Issue
Block a user