Compare commits

..

No commits in common. "c8" and "changed/a9/sssd-2.9.1-4.el9_3.alma.1" have entirely different histories.

15 changed files with 1697 additions and 1934 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.9.4.tar.gz SOURCES/sssd-2.9.1.tar.gz

View File

@ -1 +1 @@
574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz 5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz

View File

@ -1,144 +0,0 @@
From dd0f63246aa75d5f53b44cbc185e88833e79976e Mon Sep 17 00:00:00 2001
From: Andre Boscatto <andreboscatto@gmail.com>
Date: Wed, 7 Feb 2024 12:28:28 +0100
Subject: [PATCH] sssd: adding mail as case insensitive
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7173
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51)
---
src/db/sysdb_init.c | 7 ++++++
src/db/sysdb_private.h | 5 +++-
src/db/sysdb_upgrade.c | 56 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 67 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index c2ea6c369..38a9cd64a 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
}
}
+ if (strcmp(version, SYSDB_VERSION_0_23) == 0) {
+ ret = sysdb_upgrade_23(sysdb, &version);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
ret = EOK;
done:
sysdb->ldb = save_ldb;
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
index 1f55007bc..63f7b5601 100644
--- a/src/db/sysdb_private.h
+++ b/src/db/sysdb_private.h
@@ -23,6 +23,7 @@
#ifndef __INT_SYS_DB_H__
#define __INT_SYS_DB_H__
+#define SYSDB_VERSION_0_24 "0.24"
#define SYSDB_VERSION_0_23 "0.23"
#define SYSDB_VERSION_0_22 "0.22"
#define SYSDB_VERSION_0_21 "0.21"
@@ -47,7 +48,7 @@
#define SYSDB_VERSION_0_2 "0.2"
#define SYSDB_VERSION_0_1 "0.1"
-#define SYSDB_VERSION SYSDB_VERSION_0_23
+#define SYSDB_VERSION SYSDB_VERSION_0_24
#define SYSDB_BASE_LDIF \
"dn: @ATTRIBUTES\n" \
@@ -60,6 +61,7 @@
"objectclass: CASE_INSENSITIVE\n" \
"ipHostNumber: CASE_INSENSITIVE\n" \
"ipNetworkNumber: CASE_INSENSITIVE\n" \
+ "mail: CASE_INSENSITIVE\n" \
"\n" \
"dn: @INDEXLIST\n" \
"@IDXATTR: cn\n" \
@@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
index 346a1cb0b..56083e6be 100644
--- a/src/db/sysdb_upgrade.c
+++ b/src/db/sysdb_upgrade.c
@@ -2718,6 +2718,62 @@ done:
return ret;
}
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver)
+{
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+ struct ldb_message *msg;
+ struct upgrade_ctx *ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx);
+ if (ret) {
+ return ret;
+ }
+
+ /* Add new indexes */
+ msg = ldb_msg_new(tmp_ctx);
+ if (!msg) {
+ ret = ENOMEM;
+ goto done;
+ }
+ msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES");
+ if (!msg->dn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Case insensitive search for mail */
+ ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE");
+ if (ret != LDB_SUCCESS) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_modify(sysdb->ldb, msg);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ /* conversion done, update version number */
+ ret = update_version(ctx);
+
+done:
+ ret = finish_upgrade(ret, &ctx, ver);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
{
struct upgrade_ctx *ctx;
--
2.41.0

View File

@ -0,0 +1,106 @@
From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 12:31:39 +0200
Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Those two new calls can be used if there are requests stuck by e.g.
waiting on replies where there is no other way to handle the timeout and
get the system back into a stable state. They should be only used as a
last resort.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 75f2b35ad3b9256de905d05c5108400d35688554)
---
src/util/util.h | 12 ++++++++++++
src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/util/util.h b/src/util/util.h
index a8356e0cd..9dbcf3301 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -756,6 +756,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
void teardown_watchdog(void);
int get_watchdog_ticks(void);
+/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
+ * the watchdog reset, respectively. This means that after arm_watchdog() is
+ * called the watchdog will not be resetted anymore and it will kill the
+ * process if disarm_watchdog() wasn't called before.
+ * Those calls should only be used when there is no other way to handle
+ * waiting request and recover into a stable state.
+ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
+ * not be called a second time in a different request because then
+ * disarm_watchdog() will disable the watchdog coverage for both. */
+void arm_watchdog(void);
+void disarm_watchdog(void);
+
/* from files.c */
int sss_remove_tree(const char *root);
int sss_remove_subtree(const char *root);
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index b1534e499..abafd94b9 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -40,6 +40,7 @@ struct watchdog_ctx {
time_t timestamp;
struct tevent_fd *tfd;
int pipefd[2];
+ bool armed; /* if 'true' ticks counter will not be reset */
} watchdog_ctx;
static void watchdog_detect_timeshift(void)
@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
struct timeval current_time,
void *private_data)
{
- /* first thing reset the watchdog ticks */
- watchdog_reset();
+ if (!watchdog_ctx.armed) {
+ /* first thing reset the watchdog ticks */
+ watchdog_reset();
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Watchdog armed, process might be terminated soon.\n");
+ }
/* then set a new watchodg event */
watchdog_ctx.te = tevent_add_timer(ev, ev,
@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
watchdog_ctx.ev = ev;
watchdog_ctx.input_interval = interval;
watchdog_ctx.timestamp = time(NULL);
+ watchdog_ctx.armed = false;
ret = pipe(watchdog_ctx.pipefd);
if (ret == -1) {
@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
{
return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
}
+
+void arm_watchdog(void)
+{
+ if (watchdog_ctx.armed) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "arm_watchdog() is called although the watchdog is already armed. "
+ "This indicates a programming error and should be avoided because "
+ "it will most probably not work as expected.\n");
+ }
+
+ watchdog_ctx.armed = true;
+}
+
+void disarm_watchdog(void)
+{
+ watchdog_ctx.armed = false;
+}
--
2.38.1

View File

@ -0,0 +1,53 @@
From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 13:01:47 +0200
Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There seem to be conditions where the reply in the
sbus_call_DBus_Hello_send() request gets lost and the backend cannot
properly initialize its sbus/DBus server. Since the backend cannot be
connected by the frontends in this state the best way to recover would
be a restart. Since the event-loop is active in this state, e.g. waiting
for the reply, the watchdog will not consider the process as hung and
will not restart the process.
To make the watchdog handle this case arm_watchdog() and
disarm_watchdog() are called before and after the request, respectively.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
---
src/sbus/connection/sbus_connection_connect.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
index 45a0fa491..edc090e15 100644
--- a/src/sbus/connection/sbus_connection_connect.c
+++ b/src/sbus/connection/sbus_connection_connect.c
@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
+ arm_watchdog();
+
return req;
}
@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
uint32_t res;
errno_t ret;
+ disarm_watchdog();
+
req = tevent_req_callback_data(subreq, struct tevent_req);
ret = sbus_call_DBus_RequestName_recv(subreq, &res);
--
2.38.1

View File

@ -1,154 +0,0 @@
From a7621a5b464af7a3c8409dcbde038b35fee2c895 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 23 Jan 2024 13:47:53 +0100
Subject: [PATCH 2/3] sdap: add search_bases option to groups_by_user_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AD handles users and computer objects very similar and so does SSSD's
GPO code when lookup up the host's group-memberships. But users and
computers might be stored in different sub-tree of the AD LDAP tree and
if a dedicated user search base is given with the ldap_user_search_base
option in sssd.conf the host object might be in a different sub-tree. To
make sure the host can still be found this patch uses the base DN of
the LDAP tree when searching for hosts in the GPO code.
Resolves: https://github.com/SSSD/sssd/issues/5708
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196)
---
src/providers/ad/ad_gpo.c | 10 ++++++++++
src/providers/ldap/ldap_common.h | 1 +
src/providers/ldap/ldap_id.c | 6 +++++-
src/providers/ldap/sdap_async.h | 1 +
src/providers/ldap/sdap_async_initgroups.c | 4 +++-
5 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 94959c36b..b0ee3e616 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2091,6 +2091,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
char *server_uri;
LDAPURLDesc *lud;
struct sdap_domain *sdom;
+ struct sdap_search_base **search_bases;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_gpo_access_state);
@@ -2184,9 +2185,18 @@ ad_gpo_connect_done(struct tevent_req *subreq)
goto done;
}
+ ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
+ "AD_HOSTS", NULL, &search_bases);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to create dedicated search base for host lookups, "
+ "trying with user search base.");
+ }
+
subreq = groups_by_user_send(state, state->ev,
state->access_ctx->ad_id_ctx->sdap_id_ctx,
sdom, state->conn,
+ search_bases,
state->host_fqdn,
BE_FILTER_NAME,
NULL,
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 7159d6356..2c984ef50 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -304,6 +304,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
struct sdap_id_ctx *ctx,
struct sdap_domain *sdom,
struct sdap_id_conn_ctx *conn,
+ struct sdap_search_base **search_bases,
const char *filter_value,
int filter_type,
const char *extra_value,
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index da54816bd..b3ea2333f 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1139,6 +1139,7 @@ struct groups_by_user_state {
struct sdap_id_op *op;
struct sysdb_ctx *sysdb;
struct sss_domain_info *domain;
+ struct sdap_search_base **search_bases;
const char *filter_value;
int filter_type;
@@ -1160,6 +1161,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
struct sdap_id_ctx *ctx,
struct sdap_domain *sdom,
struct sdap_id_conn_ctx *conn,
+ struct sdap_search_base **search_bases,
const char *filter_value,
int filter_type,
const char *extra_value,
@@ -1192,6 +1194,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
state->extra_value = extra_value;
state->domain = sdom->dom;
state->sysdb = sdom->dom->sysdb;
+ state->search_bases = search_bases;
if (state->domain->type == DOM_TYPE_APPLICATION || set_non_posix) {
state->non_posix = true;
@@ -1254,6 +1257,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
sdap_id_op_handle(state->op),
state->ctx,
state->conn,
+ state->search_bases,
state->filter_value,
state->filter_type,
state->extra_value,
@@ -1449,7 +1453,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
}
subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
- sdom, conn,
+ sdom, conn, NULL,
ar->filter_value,
ar->filter_type,
ar->extra_value,
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 5458d21f1..89245f41f 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -158,6 +158,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
struct sdap_id_conn_ctx *conn,
+ struct sdap_search_base **search_bases,
const char *name,
int filter_type,
const char *extra_value,
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 97be594a3..fb3d8fe24 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2732,6 +2732,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
struct sdap_id_conn_ctx *conn,
+ struct sdap_search_base **search_bases,
const char *filter_value,
int filter_type,
const char *extra_value,
@@ -2764,7 +2765,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->orig_user = NULL;
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
state->user_base_iter = 0;
- state->user_search_bases = sdom->user_search_bases;
+ state->user_search_bases = (search_bases == NULL) ? sdom->user_search_bases
+ : search_bases;
if (!state->user_search_bases) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Initgroups lookup request without a user search base\n");
--
2.41.0

View File

@ -0,0 +1,220 @@
From 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 4 Aug 2023 12:19:49 +0200
Subject: [PATCH] mc: recover from invalid memory cache size
If we access the mmap file outside its boundaries a SIGBUS is raised.
We can now safely recover if the file has unexpected size.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nsssrv_mmap_cache.c | 86 +++++++++++++++++----
src/sss_client/nss_mc_common.c | 42 +++++++---
src/tests/system/tests/test_memory_cache.py | 36 ++++++++-
3 files changed, 135 insertions(+), 29 deletions(-)
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index 12c2996596..bd814f3bc7 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -722,6 +722,57 @@ static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc,
return EOK;
}
+static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc)
+{
+ struct sss_mc_ctx *mcc = *_mcc;
+ struct stat fdstat;
+ bool reinit = false;
+ errno_t ret;
+
+ /* No mcc initialized? Memory cache may be disabled. */
+ if (mcc == NULL || mcc->fd < 0) {
+ ret = EINVAL;
+ reinit = false;
+ goto done;
+ }
+
+ if (fstat(mcc->fd, &fdstat) == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to stat memory cache [file=%s, fd=%d] [%d]: %s\n",
+ mcc->file, mcc->fd, ret, sss_strerror(ret));
+ reinit = true;
+ goto done;
+ }
+
+ if (fdstat.st_nlink == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Memory cache file was removed\n");
+ ret = ENOENT;
+ reinit = true;
+ goto done;
+ }
+
+ if (fdstat.st_size != mcc->mmap_size) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Memory cache is corrupted, invalid size [file=%s, fd=%d, "
+ "expected_size=%zu, real_size=%zu]\n",
+ mcc->file, mcc->fd, mcc->mmap_size, fdstat.st_size);
+ ret = EINVAL;
+ reinit = true;
+ goto done;
+ }
+
+ ret = EOK;
+ reinit = false;
+
+done:
+ if (reinit) {
+ return sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, -1, -1, _mcc);
+ }
+
+ return ret;
+}
+
/***************************************************************************
* passwd map
***************************************************************************/
@@ -744,9 +795,9 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
size_t pos;
int ret;
- if (mcc == NULL) {
- /* cache not initialized? */
- return EINVAL;
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ if (ret != EOK) {
+ return ret;
}
ret = snprintf(uidstr, 11, "%ld", (long)uid);
@@ -815,9 +866,9 @@ errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid)
char *uidstr;
errno_t ret;
- if (mcc == NULL) {
- /* cache not initialized? */
- return EINVAL;
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ if (ret != EOK) {
+ return ret;
}
uidstr = talloc_asprintf(NULL, "%ld", (long)uid);
@@ -886,9 +937,9 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
size_t pos;
int ret;
- if (mcc == NULL) {
- /* cache not initialized? */
- return EINVAL;
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ if (ret != EOK) {
+ return ret;
}
ret = snprintf(gidstr, 11, "%ld", (long)gid);
@@ -953,9 +1004,9 @@ errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid)
char *gidstr;
errno_t ret;
- if (mcc == NULL) {
- /* cache not initialized? */
- return EINVAL;
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ if (ret != EOK) {
+ return ret;
}
gidstr = talloc_asprintf(NULL, "%ld", (long)gid);
@@ -1018,9 +1069,9 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
size_t pos;
int ret;
- if (mcc == NULL) {
- /* cache not initialized? */
- return EINVAL;
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ if (ret != EOK) {
+ return ret;
}
/* array of gids + name + unique_name */
@@ -1087,8 +1138,9 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc,
size_t rec_len;
int ret;
- if (mcc == NULL) {
- return EINVAL;
+ ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ if (ret != EOK) {
+ return ret;
}
ret = snprintf(idkey, sizeof(idkey), "%d-%ld",
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index 3128861bf3..e227c0bae3 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -69,13 +69,43 @@ static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
#endif
}
+static errno_t sss_nss_mc_validate(struct sss_cli_mc_ctx *ctx)
+{
+ struct stat fdstat;
+
+ /* No mc ctx initialized?*/
+ if (ctx == NULL || ctx->fd < 0) {
+ return EINVAL;
+ }
+
+ if (fstat(ctx->fd, &fdstat) == -1) {
+ return errno;
+ }
+
+ /* Memcache was removed. */
+ if (fdstat.st_nlink == 0) {
+ return ENOENT;
+ }
+
+ /* Invalid size. */
+ if (fdstat.st_size != ctx->mmap_size) {
+ return ERANGE;
+ }
+
+ return EOK;
+}
+
errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
{
struct sss_mc_header h;
bool copy_ok;
int count;
int ret;
- struct stat fdstat;
+
+ ret = sss_nss_mc_validate(ctx);
+ if (ret != EOK) {
+ return ret;
+ }
/* retry barrier protected reading max 5 times then give up */
for (count = 5; count > 0; count--) {
@@ -115,16 +145,6 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
}
}
- ret = fstat(ctx->fd, &fdstat);
- if (ret == -1) {
- return EIO;
- }
-
- if (fdstat.st_nlink == 0) {
- /* memory cache was removed; we need to reinitialize it. */
- return EINVAL;
- }
-
return 0;
}

View File

@ -1,194 +0,0 @@
From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 24 Jan 2024 14:21:12 +0100
Subject: [PATCH 3/3] sdap: add naming_context as new member of struct
sdap_domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The naming_context could be a more reliable source than basedn for the
actual base DN because basedn is set very early from the domain name
given in sssd.conf. Although it is recommended to use the fully
qualified DNS domain name here it is not required. As a result basedn
might not reflect the actual based DN of the LDAP server. Also pure LDAP
server (i.e. not AD or FreeIPA) might use different schemes to set the
base DN which will not be based on the DNS domain of the LDAP server.
Resolves: https://github.com/SSSD/sssd/issues/5708
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
---
src/providers/ad/ad_gpo.c | 6 ++++--
src/providers/ldap/sdap.c | 36 +++++++++++++-----------------------
src/providers/ldap/sdap.h | 11 +++++++++++
3 files changed, 28 insertions(+), 25 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index b0ee3e616..3d1ad39c7 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
goto done;
}
- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
- "AD_HOSTS", NULL, &search_bases);
+ ret = common_parse_search_base(state,
+ sdom->naming_context == NULL ? sdom->basedn
+ : sdom->naming_context,
+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to create dedicated search base for host lookups, "
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index f5637c5fb..956eba93a 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
struct sdap_domain *sdom)
{
int ret;
- char *naming_context = NULL;
- if (!sdom->search_bases
- || !sdom->user_search_bases
- || !sdom->group_search_bases
- || !sdom->netgroup_search_bases
- || !sdom->host_search_bases
- || !sdom->sudo_search_bases
- || !sdom->iphost_search_bases
- || !sdom->ipnetwork_search_bases
- || !sdom->autofs_search_bases) {
- naming_context = get_naming_context(opts->basic, rootdse);
- if (naming_context == NULL) {
+ if (!sdom->naming_context) {
+ sdom->naming_context = get_naming_context(sdom, rootdse);
+ if (sdom->naming_context == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
/* This has to be non-fatal, since some servers offer
@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->user_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_USER_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->group_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_GROUP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->netgroup_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_NETGROUP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->host_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_HOST_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->sudo_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SUDO_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->service_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SERVICE_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->autofs_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_AUTOFS_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->iphost_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_IPHOST_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->ipnetwork_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_IPNETWORK_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
ret = EOK;
done:
- talloc_free(naming_context);
return ret;
}
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 161bc5c26..103d50ed4 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -454,6 +454,17 @@ struct sdap_domain {
char *basedn;
+ /* The naming_context could be a more reliable source than basedn for the
+ * actual base DN because basedn is set very early from the domain name
+ * given in sssd.conf. Although it is recommended to use the fully
+ * qualified DNS domain name here it is not required. As a result basedn
+ * might not reflect the actual based DN of the LDAP server. Also pure
+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
+ * the base DN which will not be based on the DNS domain of the LDAP
+ * server. naming_context might be NULL even after connection to an LDAP
+ * server. */
+ char *naming_context;
+
struct sdap_search_base **search_bases;
struct sdap_search_base **user_search_bases;
struct sdap_search_base **group_search_bases;
--
2.41.0

View File

@ -1,233 +0,0 @@
From 50077c3255177fe1b01837fbe31a7f8fd47dee74 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Jan 2024 13:08:17 +0100
Subject: [PATCH] pam: fix SC auth with multiple certs and missing login name
While introducing the local_auth_policy option a quite specific use-case
was not covered correctly. If there are multiple matching certificates
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
mode was used for login, i.e. there is no user name given and the user
has to be derived from the certificate used for login, authentication
failed. The main reason for the failure is that in this case the
Smartcard interaction and the user mapping has to be done first to
determine the user before local_auth_policy is evaluated. As a result
when checking if the authentication can be finished the request was in
an unexpected state because the indicator for local Smartcard
authentication was not enabled.
Resolves: https://github.com/SSSD/sssd/issues/7109
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Scott Poore <spoore@redhat.com>
(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3)
---
src/responder/pam/pamsrv.h | 10 ++++
src/responder/pam/pamsrv_cmd.c | 17 +++++--
src/tests/intg/Makefile.am | 2 +
src/tests/intg/test_pam_responder.py | 74 +++++++++++++++++++++++++++-
4 files changed, 96 insertions(+), 7 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 7013a8edd..618836189 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -93,7 +93,17 @@ struct pam_auth_req {
struct ldb_message *user_obj;
struct cert_auth_info *cert_list;
struct cert_auth_info *current_cert;
+ /* Switched to 'true' if the backend indicates that it cannot handle
+ * Smartcard authentication, but Smartcard authentication is
+ * possible and local Smartcard authentication is allowed. */
bool cert_auth_local;
+ /* Switched to 'true' if authentication (not pre-authentication) was
+ * started without a login name and the name had to be lookup up with the
+ * certificate used for authentication. Since reading the certificate from
+ * the Smartcard already involves the PIN validation in this case there
+ * would be no need for an additional Smartcard interaction if only local
+ * Smartcard authentication is possible. */
+ bool initial_cert_auth_successful;
bool passkey_data_exists;
uint32_t client_id_num;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c23ea7ba4..a7c181733 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -2200,8 +2200,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
ret = ENOENT;
goto done;
}
-
- if (cert_count > 1) {
+ /* Multiple certificates are only expected during pre-auth */
+ if (cert_count > 1 && preq->pd->cmd == SSS_PAM_PREAUTH) {
for (preq->current_cert = preq->cert_list;
preq->current_cert != NULL;
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
@@ -2285,7 +2285,9 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
}
/* If logon_name was not given during authentication add a
- * SSS_PAM_CERT_INFO message to send the name to the caller. */
+ * SSS_PAM_CERT_INFO message to send the name to the caller.
+ * Additionally initial_cert_auth_successful is set to
+ * indicate that the user is already authenticated. */
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
&& preq->pd->logon_name == NULL) {
ret = add_pam_cert_response(preq->pd,
@@ -2297,6 +2299,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
goto done;
}
+
+ preq->initial_cert_auth_successful = true;
}
/* cert_user will be returned to the PAM client as user name, so
@@ -2851,12 +2855,15 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
if (found) {
if (local_policy != NULL && strcasecmp(local_policy, "only") == 0) {
talloc_free(tmp_ctx);
- DEBUG(SSSDBG_IMPORTANT_INFO, "Local auth only set, skipping online auth\n");
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Local auth only set and matching certificate was found, "
+ "skipping online auth\n");
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
preq->pd->pam_status = PAM_SUCCESS;
} else if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
&& IS_SC_AUTHTOK(preq->pd->authtok)
- && preq->cert_auth_local) {
+ && (preq->cert_auth_local
+ || preq->initial_cert_auth_successful)) {
preq->pd->pam_status = PAM_SUCCESS;
preq->callback = pam_reply;
}
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 3866d3ca6..0cfd268dc 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -199,6 +199,7 @@ clean-local:
PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
+SOFTHSM2_TWO_CONF="$(abs_builddir)/../test_CA/softhsm2_two.conf"
intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains sss_netgroup_thread_test
pipepath="$(DESTDIR)$(pipepath)"; \
@@ -233,6 +234,7 @@ intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
ABS_SRCDIR=$(abs_srcdir) \
SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
+ SOFTHSM2_TWO_CONF=$(SOFTHSM2_TWO_CONF) \
KCM_RENEW=$(KCM_RENEW) \
FILES_PROVIDER=$(FILES_PROVIDER) \
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index 1fc3937e6..0fbf8065e 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -168,7 +168,7 @@ def format_pam_cert_auth_conf(config, provider):
{provider.p}
[certmap/auth_only/user1]
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
""").format(**locals())
@@ -201,7 +201,7 @@ def format_pam_cert_auth_conf_name_format(config, provider):
{provider.p}
[certmap/auth_only/user1]
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
""").format(**locals())
@@ -380,6 +380,28 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
return None
+@pytest.fixture
+def simple_pam_cert_auth_two_certs(request, passwd_ops_setup):
+ """Setup SSSD with pam_cert_auth=True"""
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
+ softhsm2_two_conf = os.environ['SOFTHSM2_TWO_CONF']
+ os.environ['SOFTHSM2_CONF'] = softhsm2_two_conf
+
+ conf = format_pam_cert_auth_conf(config, provider_switch(request.param))
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
+
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+ sync_files_provider(USER2['name'])
+
+ return None
+
+
@pytest.fixture
def simple_pam_cert_auth_name_format(request, passwd_ops_setup):
"""Setup SSSD with pam_cert_auth=True and full_name_format"""
@@ -522,6 +544,54 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
assert err.find("pam_authenticate for user [user1]: Success") != -1
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
+def test_sc_auth_two(simple_pam_cert_auth_two_certs, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth", "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="2\n123456")
+ except Exception:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
+def test_sc_auth_two_missing_name(simple_pam_cert_auth_two_certs, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "",
+ "--action=auth", "--service=pam_sss_allow_missing_name"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="2\n123456")
+ except Exception:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
@pytest.mark.parametrize('simple_pam_cert_auth', ['proxy_password'], indirect=True)
def test_sc_proxy_password_fallback(simple_pam_cert_auth, env_for_sssctl):
"""
--
2.41.0

View File

@ -0,0 +1,400 @@
From 1e5dfc187c7659cca567d2f7d5592e72794ef13c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 4 Sep 2023 14:12:58 +0200
Subject: [PATCH] sss_iface: do not add cli_id to chain key
Otherwise we only chain identical requests from the same client
which effectively renders chaining not functional.
Resolves: https://github.com/SSSD/sssd/issues/6911
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/sss_iface/sbus_sss_client_async.c | 12 +++----
src/sss_iface/sbus_sss_interface.h | 24 ++++++-------
src/sss_iface/sbus_sss_keygens.c | 50 +++++++++++++--------------
src/sss_iface/sbus_sss_keygens.h | 10 +++---
src/sss_iface/sss_iface.xml | 12 +++----
5 files changed, 54 insertions(+), 54 deletions(-)
diff --git a/src/sss_iface/sbus_sss_client_async.c b/src/sss_iface/sbus_sss_client_async.c
index 042d1b7b34..5ca925283a 100644
--- a/src/sss_iface/sbus_sss_client_async.c
+++ b/src/sss_iface/sbus_sss_client_async.c
@@ -1861,7 +1861,7 @@ sbus_call_dp_autofs_Enumerate_send
const char * arg_mapname,
uint32_t arg_cli_id)
{
- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
+ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
busname, object_path, "sssd.DataProvider.Autofs", "Enumerate", arg_dp_flags, arg_mapname, arg_cli_id);
}
@@ -1883,7 +1883,7 @@ sbus_call_dp_autofs_GetEntry_send
const char * arg_entryname,
uint32_t arg_cli_id)
{
- return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2_3,
+ return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2,
busname, object_path, "sssd.DataProvider.Autofs", "GetEntry", arg_dp_flags, arg_mapname, arg_entryname, arg_cli_id);
}
@@ -1904,7 +1904,7 @@ sbus_call_dp_autofs_GetMap_send
const char * arg_mapname,
uint32_t arg_cli_id)
{
- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
+ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
busname, object_path, "sssd.DataProvider.Autofs", "GetMap", arg_dp_flags, arg_mapname, arg_cli_id);
}
@@ -2142,7 +2142,7 @@ sbus_call_dp_dp_getAccountDomain_send
const char * arg_filter,
uint32_t arg_cli_id)
{
- return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2_3,
+ return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2,
busname, object_path, "sssd.dataprovider", "getAccountDomain", arg_dp_flags, arg_entry_type, arg_filter, arg_cli_id);
}
@@ -2170,7 +2170,7 @@ sbus_call_dp_dp_getAccountInfo_send
const char * arg_extra,
uint32_t arg_cli_id)
{
- return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4_5,
+ return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4,
busname, object_path, "sssd.dataprovider", "getAccountInfo", arg_dp_flags, arg_entry_type, arg_filter, arg_domain, arg_extra, arg_cli_id);
}
@@ -2267,7 +2267,7 @@ sbus_call_dp_dp_resolverHandler_send
const char * arg_filter_value,
uint32_t arg_cli_id)
{
- return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3_4,
+ return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3,
busname, object_path, "sssd.dataprovider", "resolverHandler", arg_dp_flags, arg_entry_type, arg_filter_type, arg_filter_value, arg_cli_id);
}
diff --git a/src/sss_iface/sbus_sss_interface.h b/src/sss_iface/sbus_sss_interface.h
index fc86c71d90..5b4d1c362a 100644
--- a/src/sss_iface/sbus_sss_interface.h
+++ b/src/sss_iface/sbus_sss_interface.h
@@ -166,7 +166,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler), (data)); \
})
@@ -177,7 +177,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler_send), (handler_recv), (data)); \
})
@@ -188,7 +188,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
NULL, \
_sbus_sss_invoke_in_ussu_out__send, \
- _sbus_sss_key_ussu_0_1_2_3, \
+ _sbus_sss_key_ussu_0_1_2, \
(handler), (data)); \
})
@@ -199,7 +199,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
NULL, \
_sbus_sss_invoke_in_ussu_out__send, \
- _sbus_sss_key_ussu_0_1_2_3, \
+ _sbus_sss_key_ussu_0_1_2, \
(handler_send), (handler_recv), (data)); \
})
@@ -210,7 +210,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler), (data)); \
})
@@ -221,7 +221,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler_send), (handler_recv), (data)); \
})
@@ -522,7 +522,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
NULL, \
_sbus_sss_invoke_in_uusu_out_qus_send, \
- _sbus_sss_key_uusu_0_1_2_3, \
+ _sbus_sss_key_uusu_0_1_2, \
(handler), (data)); \
})
@@ -533,7 +533,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
NULL, \
_sbus_sss_invoke_in_uusu_out_qus_send, \
- _sbus_sss_key_uusu_0_1_2_3, \
+ _sbus_sss_key_uusu_0_1_2, \
(handler_send), (handler_recv), (data)); \
})
@@ -544,7 +544,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
NULL, \
_sbus_sss_invoke_in_uusssu_out_qus_send, \
- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
+ _sbus_sss_key_uusssu_0_1_2_3_4, \
(handler), (data)); \
})
@@ -555,7 +555,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
NULL, \
_sbus_sss_invoke_in_uusssu_out_qus_send, \
- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
+ _sbus_sss_key_uusssu_0_1_2_3_4, \
(handler_send), (handler_recv), (data)); \
})
@@ -632,7 +632,7 @@
&_sbus_sss_args_sssd_dataprovider_resolverHandler, \
NULL, \
_sbus_sss_invoke_in_uuusu_out_qus_send, \
- _sbus_sss_key_uuusu_0_1_2_3_4, \
+ _sbus_sss_key_uuusu_0_1_2_3, \
(handler), (data)); \
})
@@ -643,7 +643,7 @@
&_sbus_sss_args_sssd_dataprovider_resolverHandler, \
NULL, \
_sbus_sss_invoke_in_uuusu_out_qus_send, \
- _sbus_sss_key_uuusu_0_1_2_3_4, \
+ _sbus_sss_key_uuusu_0_1_2_3, \
(handler_send), (handler_recv), (data)); \
})
diff --git a/src/sss_iface/sbus_sss_keygens.c b/src/sss_iface/sbus_sss_keygens.c
index 1bffc1360f..0bded60f83 100644
--- a/src/sss_iface/sbus_sss_keygens.c
+++ b/src/sss_iface/sbus_sss_keygens.c
@@ -90,86 +90,86 @@ _sbus_sss_key_ussu_0_1
}
const char *
-_sbus_sss_key_ussu_0_1_2_3
+_sbus_sss_key_ussu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_ussu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
const char *
-_sbus_sss_key_usu_0_1_2
+_sbus_sss_key_usu_0_1
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_usu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2);
+ sbus_req->path, args->arg0, args->arg1);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2);
+ sbus_req->path, args->arg0, args->arg1);
}
const char *
-_sbus_sss_key_uusssu_0_1_2_3_4_5
+_sbus_sss_key_uusssu_0_1_2_3_4
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusssu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
}
const char *
-_sbus_sss_key_uusu_0_1_2_3
+_sbus_sss_key_uusu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
const char *
-_sbus_sss_key_uuusu_0_1_2_3_4
+_sbus_sss_key_uuusu_0_1_2_3
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uuusu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
}
diff --git a/src/sss_iface/sbus_sss_keygens.h b/src/sss_iface/sbus_sss_keygens.h
index 8f09b46de5..7e42c2c53f 100644
--- a/src/sss_iface/sbus_sss_keygens.h
+++ b/src/sss_iface/sbus_sss_keygens.h
@@ -49,31 +49,31 @@ _sbus_sss_key_ussu_0_1
struct _sbus_sss_invoker_args_ussu *args);
const char *
-_sbus_sss_key_ussu_0_1_2_3
+_sbus_sss_key_ussu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_ussu *args);
const char *
-_sbus_sss_key_usu_0_1_2
+_sbus_sss_key_usu_0_1
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_usu *args);
const char *
-_sbus_sss_key_uusssu_0_1_2_3_4_5
+_sbus_sss_key_uusssu_0_1_2_3_4
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusssu *args);
const char *
-_sbus_sss_key_uusu_0_1_2_3
+_sbus_sss_key_uusu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusu *args);
const char *
-_sbus_sss_key_uuusu_0_1_2_3_4
+_sbus_sss_key_uuusu_0_1_2_3
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uuusu *args);
diff --git a/src/sss_iface/sss_iface.xml b/src/sss_iface/sss_iface.xml
index 6709c4e48a..82c65aa0b8 100644
--- a/src/sss_iface/sss_iface.xml
+++ b/src/sss_iface/sss_iface.xml
@@ -91,18 +91,18 @@
<method name="GetMap">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
- <arg name="cli_id" type="u" direction="in" key="3" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
<method name="GetEntry">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
<arg name="entryname" type="s" direction="in" key="3" />
- <arg name="cli_id" type="u" direction="in" key="4" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
<method name="Enumerate">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
- <arg name="cli_id" type="u" direction="in" key="3" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
</interface>
@@ -133,7 +133,7 @@
<arg name="entry_type" type="u" direction="in" key="2" />
<arg name="filter_type" type="u" direction="in" key="3" />
<arg name="filter_value" type="s" direction="in" key="4" />
- <arg name="cli_id" type="u" direction="in" key="5" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="error_message" type="s" direction="out" />
@@ -150,7 +150,7 @@
<arg name="filter" type="s" direction="in" key="3" />
<arg name="domain" type="s" direction="in" key="4" />
<arg name="extra" type="s" direction="in" key="5" />
- <arg name="cli_id" type="u" direction="in" key="6" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="error_message" type="s" direction="out" />
@@ -159,7 +159,7 @@
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="entry_type" type="u" direction="in" key="2" />
<arg name="filter" type="s" direction="in" key="3" />
- <arg name="cli_id" type="u" direction="in" key="4" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="domain_name" type="s" direction="out" />

View File

@ -0,0 +1,28 @@
From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 15 Jun 2023 12:05:03 +0200
Subject: [PATCH] BUILD: Accept krb5 1.21 for building the PAC plugin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/external/pac_responder.m4 | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
index 3cbe3c9cfb..90727185b5 100644
--- a/src/external/pac_responder.m4
+++ b/src/external/pac_responder.m4
@@ -22,7 +22,8 @@ then
Kerberos\ 5\ release\ 1.17* | \
Kerberos\ 5\ release\ 1.18* | \
Kerberos\ 5\ release\ 1.19* | \
- Kerberos\ 5\ release\ 1.20*)
+ Kerberos\ 5\ release\ 1.20* | \
+ Kerberos\ 5\ release\ 1.21*)
krb5_version_ok=yes
AC_MSG_RESULT([yes])
;;

View File

@ -1,218 +0,0 @@
From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 8 Nov 2023 14:50:24 +0100
Subject: [PATCH] ad-gpo: use hash to store intermediate results
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision of access is granted or rejected.
If there are two or more access-control request running in parallel one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will do this decision based on intermediate data.
To avoid this the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
---
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
1 file changed, 102 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 3d1ad39c7..b879b0a08 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
return ret;
}
+static errno_t
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
+{
+ int hret;
+ hash_key_t k;
+ hash_value_t v;
+
+ if (hash == NULL || key == NULL || value == NULL) {
+ return EINVAL;
+ }
+
+ k.type = HASH_KEY_CONST_STRING;
+ k.c_str = key;
+
+ v.type = HASH_VALUE_PTR;
+ v.ptr = value;
+
+ hret = hash_enter(hash, &k, &v);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
+ key, value, hash_error_string(hret));
+ return EIO;
+ }
+
+ return EOK;
+}
+
/*
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
* and stores the allow_key and deny_key of all of the gpo_map_types present
@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
*/
static errno_t
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
const char *filename)
{
struct ini_cfgfile *file_ctx = NULL;
@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = allow_value ? allow_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- allow_key,
- value);
+ ret = add_result_to_hash(allow_maps, allow_key,
+ talloc_strdup(allow_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to allow maps "
+ "[%d][%s].\n",
+ allow_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = deny_value ? deny_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- deny_key,
- value);
+ ret = add_result_to_hash(deny_maps, deny_key,
+ talloc_strdup(deny_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to deny maps "
+ "[%d][%s].\n",
+ deny_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state {
int num_cse_filtered_gpos;
int cse_gpo_index;
const char *ad_domain;
+ hash_table_t *allow_maps;
+ hash_table_t *deny_maps;
};
static void ad_gpo_connect_done(struct tevent_req *subreq);
@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
+ ret = sss_hash_create(state, 0, &state->allow_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ ret = sss_hash_create(state, 0, &state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (subreq == NULL) {
@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req)
return EAGAIN;
}
+static errno_t
+store_hash_maps_in_cache(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
+{
+ int ret;
+ struct hash_iter_context_t *iter;
+ hash_entry_t *entry;
+ size_t c;
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
+
+
+ for (c = 0; hash_list[c] != NULL; c++) {
+ iter = new_hash_iter_context(hash_list[c]);
+ if (iter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
+ return EINVAL;
+ }
+
+ while ((entry = iter->next(iter)) != NULL) {
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
+ entry->key.c_str,
+ entry->value.ptr);
+ if (ret != EOK) {
+ free(iter);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+ talloc_free(iter);
+ }
+
+ return EOK;
+}
+
/*
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
* cse_gpo_index until the policy settings for all applicable GPOs have been
@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
* (as part of the GPO Result object in the sysdb cache).
*/
ret = ad_gpo_store_policy_settings(state->host_domain,
+ state->allow_maps, state->deny_maps,
cse_filtered_gpo->policy_filename);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
if (ret == EOK) {
/* ret is EOK only after all GPO policy files have been downloaded */
+ ret = store_hash_maps_in_cache(state->host_domain,
+ state->allow_maps, state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
+ "[%d][%s].\n", ret, sss_strerror(ret));
+ goto done;
+ }
ret = ad_gpo_perform_hbac_processing(state,
state->gpo_mode,
state->gpo_map_type,
--
2.44.0

View File

@ -0,0 +1,332 @@
From 88d8afbb115f18007dcc11f7ebac1b238c3ebd98 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 25 Sep 2023 12:36:09 +0200
Subject: [PATCH] MC: a couple of additions to 'recover from invalid memory
cache size' patch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Additions to 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 :
- handle all invalidations consistently
- supply a valid pointer to `sss_mmap_cache_validate_or_reinit()`,
not a pointer to a local var
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/nss/nss_get_object.c | 10 ++---
src/responder/nss/nss_iface.c | 8 ++--
src/responder/nss/nsssrv_mmap_cache.c | 64 ++++++++++++++++++---------
src/responder/nss/nsssrv_mmap_cache.h | 10 ++---
4 files changed, 56 insertions(+), 36 deletions(-)
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
index 5d62dd0985..29f9cb59b5 100644
--- a/src/responder/nss/nss_get_object.c
+++ b/src/responder/nss/nss_get_object.c
@@ -34,13 +34,13 @@ memcache_delete_entry_by_name(struct sss_nss_ctx *nss_ctx,
switch (type) {
case SSS_MC_PASSWD:
- ret = sss_mmap_cache_pw_invalidate(nss_ctx->pwd_mc_ctx, name);
+ ret = sss_mmap_cache_pw_invalidate(&nss_ctx->pwd_mc_ctx, name);
break;
case SSS_MC_GROUP:
- ret = sss_mmap_cache_gr_invalidate(nss_ctx->grp_mc_ctx, name);
+ ret = sss_mmap_cache_gr_invalidate(&nss_ctx->grp_mc_ctx, name);
break;
case SSS_MC_INITGROUPS:
- ret = sss_mmap_cache_initgr_invalidate(nss_ctx->initgr_mc_ctx, name);
+ ret = sss_mmap_cache_initgr_invalidate(&nss_ctx->initgr_mc_ctx, name);
break;
default:
return EINVAL;
@@ -66,10 +66,10 @@ memcache_delete_entry_by_id(struct sss_nss_ctx *nss_ctx,
switch (type) {
case SSS_MC_PASSWD:
- ret = sss_mmap_cache_pw_invalidate_uid(nss_ctx->pwd_mc_ctx, (uid_t)id);
+ ret = sss_mmap_cache_pw_invalidate_uid(&nss_ctx->pwd_mc_ctx, (uid_t)id);
break;
case SSS_MC_GROUP:
- ret = sss_mmap_cache_gr_invalidate_gid(nss_ctx->grp_mc_ctx, (gid_t)id);
+ ret = sss_mmap_cache_gr_invalidate_gid(&nss_ctx->grp_mc_ctx, (gid_t)id);
break;
default:
return EINVAL;
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
index 07e91aa811..db743f8b7e 100644
--- a/src/responder/nss/nss_iface.c
+++ b/src/responder/nss/nss_iface.c
@@ -78,7 +78,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
if (ret == ENOENT || res->count == 0) {
/* The user is gone. Invalidate the mc record */
- ret = sss_mmap_cache_pw_invalidate(nctx->pwd_mc_ctx, delete_name);
+ ret = sss_mmap_cache_pw_invalidate(&nctx->pwd_mc_ctx, delete_name);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Internal failure in memory cache code: %d [%s]\n",
@@ -125,7 +125,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
for (i = 0; i < gnum; i++) {
id = groups[i];
- ret = sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, id);
+ ret = sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, id);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Internal failure in memory cache code: %d [%s]\n",
@@ -134,7 +134,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
}
to_sized_string(delete_name, fq_name);
- ret = sss_mmap_cache_initgr_invalidate(nctx->initgr_mc_ctx,
+ ret = sss_mmap_cache_initgr_invalidate(&nctx->initgr_mc_ctx,
delete_name);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -208,7 +208,7 @@ sss_nss_memorycache_invalidate_group_by_id(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_LIBS,
"Invalidating group %u from memory cache\n", gid);
- sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid);
+ sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, gid);
return EOK;
}
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index 90d12299a4..06f3d7a694 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -701,16 +701,22 @@ static inline void sss_mmap_chain_in_rec(struct sss_mc_ctx *mcc,
* generic invalidation
***************************************************************************/
-static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc,
+static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc);
+
+static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx **_mcc,
const struct sized_string *key)
{
+ struct sss_mc_ctx *mcc;
struct sss_mc_rec *rec;
+ int ret;
- if (mcc == NULL) {
- /* cache not initialized? */
- return EINVAL;
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
+ if (ret != EOK) {
+ return ret;
}
+ mcc = *_mcc;
+
rec = sss_mc_find_record(mcc, key);
if (rec == NULL) {
/* nothing to invalidate */
@@ -785,7 +791,7 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
const struct sized_string *homedir,
const struct sized_string *shell)
{
- struct sss_mc_ctx *mcc = *_mcc;
+ struct sss_mc_ctx *mcc;
struct sss_mc_rec *rec;
struct sss_mc_pwd_data *data;
struct sized_string uidkey;
@@ -795,11 +801,13 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
size_t pos;
int ret;
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
if (ret != EOK) {
return ret;
}
+ mcc = *_mcc;
+
ret = snprintf(uidstr, 11, "%ld", (long)uid);
if (ret > 10) {
return EINVAL;
@@ -851,14 +859,15 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
return EOK;
}
-errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc,
+errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx **_mcc,
const struct sized_string *name)
{
- return sss_mmap_cache_invalidate(mcc, name);
+ return sss_mmap_cache_invalidate(_mcc, name);
}
-errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid)
+errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx **_mcc, uid_t uid)
{
+ struct sss_mc_ctx *mcc;
struct sss_mc_rec *rec = NULL;
struct sss_mc_pwd_data *data;
uint32_t hash;
@@ -866,11 +875,13 @@ errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid)
char *uidstr;
errno_t ret;
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
if (ret != EOK) {
return ret;
}
+ mcc = *_mcc;
+
uidstr = talloc_asprintf(NULL, "%ld", (long)uid);
if (!uidstr) {
return ENOMEM;
@@ -927,7 +938,7 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
gid_t gid, size_t memnum,
const char *membuf, size_t memsize)
{
- struct sss_mc_ctx *mcc = *_mcc;
+ struct sss_mc_ctx *mcc;
struct sss_mc_rec *rec;
struct sss_mc_grp_data *data;
struct sized_string gidkey;
@@ -937,11 +948,13 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
size_t pos;
int ret;
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
if (ret != EOK) {
return ret;
}
+ mcc = *_mcc;
+
ret = snprintf(gidstr, 11, "%ld", (long)gid);
if (ret > 10) {
return EINVAL;
@@ -989,14 +1002,15 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
return EOK;
}
-errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc,
+errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx **_mcc,
const struct sized_string *name)
{
- return sss_mmap_cache_invalidate(mcc, name);
+ return sss_mmap_cache_invalidate(_mcc, name);
}
-errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid)
+errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx **_mcc, gid_t gid)
{
+ struct sss_mc_ctx *mcc;
struct sss_mc_rec *rec = NULL;
struct sss_mc_grp_data *data;
uint32_t hash;
@@ -1004,11 +1018,13 @@ errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid)
char *gidstr;
errno_t ret;
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
if (ret != EOK) {
return ret;
}
+ mcc = *_mcc;
+
gidstr = talloc_asprintf(NULL, "%ld", (long)gid);
if (!gidstr) {
return ENOMEM;
@@ -1061,7 +1077,7 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
uint32_t num_groups,
const uint8_t *gids_buf)
{
- struct sss_mc_ctx *mcc = *_mcc;
+ struct sss_mc_ctx *mcc;
struct sss_mc_rec *rec;
struct sss_mc_initgr_data *data;
size_t data_len;
@@ -1069,11 +1085,13 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
size_t pos;
int ret;
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
if (ret != EOK) {
return ret;
}
+ mcc = *_mcc;
+
/* array of gids + name + unique_name */
data_len = num_groups * sizeof(uint32_t) + name->len + unique_name->len;
rec_len = sizeof(struct sss_mc_rec) + sizeof(struct sss_mc_initgr_data)
@@ -1119,10 +1137,10 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
return EOK;
}
-errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc,
+errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc,
const struct sized_string *name)
{
- return sss_mmap_cache_invalidate(mcc, name);
+ return sss_mmap_cache_invalidate(_mcc, name);
}
errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc,
@@ -1131,18 +1149,20 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc,
uint32_t type,
bool explicit_lookup)
{
- struct sss_mc_ctx *mcc = *_mcc;
+ struct sss_mc_ctx *mcc;
struct sss_mc_rec *rec;
struct sss_mc_sid_data *data;
char idkey[16];
size_t rec_len;
int ret;
- ret = sss_mmap_cache_validate_or_reinit(&mcc);
+ ret = sss_mmap_cache_validate_or_reinit(_mcc);
if (ret != EOK) {
return ret;
}
+ mcc = *_mcc;
+
ret = snprintf(idkey, sizeof(idkey), "%d-%ld",
(type == SSS_ID_TYPE_GID) ? SSS_ID_TYPE_GID : SSS_ID_TYPE_UID,
(long)id);
diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h
index 686b8e1b21..28ee5adb64 100644
--- a/src/responder/nss/nsssrv_mmap_cache.h
+++ b/src/responder/nss/nsssrv_mmap_cache.h
@@ -63,17 +63,17 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc,
uint32_t type, /* enum sss_id_type*/
bool explicit_lookup); /* false ~ by_id(), true ~ by_uid/gid() */
-errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc,
+errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx **_mcc,
const struct sized_string *name);
-errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid);
+errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx **_mcc, uid_t uid);
-errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc,
+errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx **_mcc,
const struct sized_string *name);
-errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid);
+errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx **_mcc, gid_t gid);
-errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc,
+errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc,
const struct sized_string *name);
errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx,

View File

@ -1,81 +0,0 @@
From db27a51f274640e1aa2f13476c80955a3ec9e91c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Mar 2024 10:50:07 +0100
Subject: [PATCH] ad: refresh root domain when read directly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the domain object of the forest root domain cannot be found in the
LDAP tree of the local AD domain SSSD tries to read the request data
from an LDAP server of the forest root domain directly. After reading
this data the information is stored in the cache but currently the
information about the domain store in memory is not updated with the
additional data. As a result e.g. the domain SID is missing in this data
and only becomes available after a restart where it is read from the
cache.
With this patch an unconditional refresh is triggered at the end of the
fallback code path.
Resolves: https://github.com/SSSD/sssd/issues/7250
Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53)
---
src/providers/ad/ad_subdomains.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index a8d1892cc..d8f3738ce 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state {
static void ad_get_root_domain_done(struct tevent_req *subreq);
static void ad_check_root_domain_done(struct tevent_req *subreq);
static errno_t
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
struct tevent_req *
ad_check_domain_send(TALLOC_CTX *mem_ctx,
@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
return;
}
- ret = ad_get_root_domain_refresh(state);
+ ret = ad_get_root_domain_refresh(state, false);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
}
@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
state->reply_count = 1;
- ret = ad_get_root_domain_refresh(state);
+ ret = ad_get_root_domain_refresh(state, true);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
}
@@ -1697,7 +1697,7 @@ done:
}
static errno_t
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
{
struct sss_domain_info *root_domain;
bool has_changes;
@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
goto done;
}
- if (has_changes) {
+ if (has_changes || refresh) {
ret = ad_subdom_reinit(state->sd_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
--
2.45.0

File diff suppressed because it is too large Load Diff