Author | SHA1 | Date |
---|---|---|
eabdullin | 9c66bdd153 | |
eabdullin | 9a403b1a7e | |
CentOS Sources | 87cae3c020 | |
CentOS Sources | bbe71de11d | |
CentOS Sources | 3b446ac03c | |
CentOS Sources | 6559c78444 | |
CentOS Sources | c7a1fcfb51 | |
CentOS Sources | 960c1714b8 | |
CentOS Sources | 562beb1a29 | |
CentOS Sources | 4d5a159fd8 | |
CentOS Sources | 584a059982 | |
CentOS Sources | 5e7d1b50a8 | |
CentOS Sources | a0d945afc7 | |
CentOS Sources | 904b49bb5c | |
CentOS Sources | f6c0b6929b | |
CentOS Sources | 9e8c2ec9f3 |
|
@ -1 +1 @@
|
|||
SOURCES/sssd-2.3.0.tar.gz
|
||||
SOURCES/sssd-2.9.4.tar.gz
|
||||
|
|
|
@ -1 +1 @@
|
|||
61b8704c33ea80104fa9d94017c704e333c3c552 SOURCES/sssd-2.3.0.tar.gz
|
||||
574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz
|
||||
|
|
|
@ -1,114 +0,0 @@
|
|||
From a7c755672cd277497da3df4714f6d9457b6ac5ae Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 28 May 2020 15:02:43 +0200
|
||||
Subject: [PATCH] ad_gpo_ndr.c: more ndr updates
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch add another update to the ndr code which was previously
|
||||
updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and
|
||||
1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc.
|
||||
|
||||
As missing update in ndr_pull_security_ace() cased
|
||||
a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was
|
||||
added to prevent similar issues in future.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5183
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_gpo_ndr.c | 1 +
|
||||
src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 58 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
|
||||
index acd7b77c8..71d6d40f2 100644
|
||||
--- a/src/providers/ad/ad_gpo_ndr.c
|
||||
+++ b/src/providers/ad/ad_gpo_ndr.c
|
||||
@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr,
|
||||
ndr->offset += pad;
|
||||
}
|
||||
if (ndr_flags & NDR_BUFFERS) {
|
||||
+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
|
||||
NDR_CHECK(ndr_pull_security_ace_object_ctr
|
||||
(ndr, NDR_BUFFERS, &r->object));
|
||||
}
|
||||
diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c
|
||||
index 97f70408a..d1f7a6915 100644
|
||||
--- a/src/tests/cmocka/test_ad_gpo.c
|
||||
+++ b/src/tests/cmocka/test_ad_gpo.c
|
||||
@@ -347,6 +347,60 @@ void test_ad_gpo_ace_includes_host_sid_true(void **state)
|
||||
group_size, ace_dom_sid, true);
|
||||
}
|
||||
|
||||
+uint8_t test_sid_data[] = {
|
||||
+0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
|
||||
+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
|
||||
+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
|
||||
+0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
|
||||
+0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8,
|
||||
+0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00,
|
||||
+0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55,
|
||||
+0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00,
|
||||
+0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60,
|
||||
+0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
|
||||
+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
|
||||
+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
|
||||
+0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
|
||||
+0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00,
|
||||
+0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00,
|
||||
+0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00,
|
||||
+0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11,
|
||||
+0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
|
||||
+0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00,
|
||||
+0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00
|
||||
+};
|
||||
+
|
||||
+void test_ad_gpo_parse_sd(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct security_descriptor *sd = NULL;
|
||||
+
|
||||
+ ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_non_null(sd);
|
||||
+ assert_int_equal(sd->revision, 1);
|
||||
+ assert_int_equal(sd->type, 39940);
|
||||
+ assert_null(sd->owner_sid);
|
||||
+ assert_null(sd->group_sid);
|
||||
+ assert_null(sd->sacl);
|
||||
+ assert_non_null(sd->dacl);
|
||||
+ assert_int_equal(sd->dacl->revision, 4);
|
||||
+ assert_int_equal(sd->dacl->size, 308);
|
||||
+ assert_int_equal(sd->dacl->num_aces, 10);
|
||||
+ assert_int_equal(sd->dacl->aces[0].type, 0);
|
||||
+ assert_int_equal(sd->dacl->aces[0].flags, 0);
|
||||
+ assert_int_equal(sd->dacl->aces[0].size, 36);
|
||||
+ assert_int_equal(sd->dacl->aces[0].access_mask, 917693);
|
||||
+ /* There are more components and ACEs in the security_descriptor struct
|
||||
+ * which are not checked here. */
|
||||
+
|
||||
+ talloc_free(sd);
|
||||
+}
|
||||
+
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
poptContext pc;
|
||||
@@ -385,6 +439,9 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true,
|
||||
ad_gpo_test_setup,
|
||||
ad_gpo_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd,
|
||||
+ ad_gpo_test_setup,
|
||||
+ ad_gpo_test_teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can decide if -d 0 was used. */
|
||||
--
|
||||
2.21.1
|
||||
|
|
@ -0,0 +1,144 @@
|
|||
From dd0f63246aa75d5f53b44cbc185e88833e79976e Mon Sep 17 00:00:00 2001
|
||||
From: Andre Boscatto <andreboscatto@gmail.com>
|
||||
Date: Wed, 7 Feb 2024 12:28:28 +0100
|
||||
Subject: [PATCH] sssd: adding mail as case insensitive
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7173
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51)
|
||||
---
|
||||
src/db/sysdb_init.c | 7 ++++++
|
||||
src/db/sysdb_private.h | 5 +++-
|
||||
src/db/sysdb_upgrade.c | 56 ++++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 67 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
||||
index c2ea6c369..38a9cd64a 100644
|
||||
--- a/src/db/sysdb_init.c
|
||||
+++ b/src/db/sysdb_init.c
|
||||
@@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (strcmp(version, SYSDB_VERSION_0_23) == 0) {
|
||||
+ ret = sysdb_upgrade_23(sysdb, &version);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = EOK;
|
||||
done:
|
||||
sysdb->ldb = save_ldb;
|
||||
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
||||
index 1f55007bc..63f7b5601 100644
|
||||
--- a/src/db/sysdb_private.h
|
||||
+++ b/src/db/sysdb_private.h
|
||||
@@ -23,6 +23,7 @@
|
||||
#ifndef __INT_SYS_DB_H__
|
||||
#define __INT_SYS_DB_H__
|
||||
|
||||
+#define SYSDB_VERSION_0_24 "0.24"
|
||||
#define SYSDB_VERSION_0_23 "0.23"
|
||||
#define SYSDB_VERSION_0_22 "0.22"
|
||||
#define SYSDB_VERSION_0_21 "0.21"
|
||||
@@ -47,7 +48,7 @@
|
||||
#define SYSDB_VERSION_0_2 "0.2"
|
||||
#define SYSDB_VERSION_0_1 "0.1"
|
||||
|
||||
-#define SYSDB_VERSION SYSDB_VERSION_0_23
|
||||
+#define SYSDB_VERSION SYSDB_VERSION_0_24
|
||||
|
||||
#define SYSDB_BASE_LDIF \
|
||||
"dn: @ATTRIBUTES\n" \
|
||||
@@ -60,6 +61,7 @@
|
||||
"objectclass: CASE_INSENSITIVE\n" \
|
||||
"ipHostNumber: CASE_INSENSITIVE\n" \
|
||||
"ipNetworkNumber: CASE_INSENSITIVE\n" \
|
||||
+ "mail: CASE_INSENSITIVE\n" \
|
||||
"\n" \
|
||||
"dn: @INDEXLIST\n" \
|
||||
"@IDXATTR: cn\n" \
|
||||
@@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
|
||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
|
||||
|
||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
|
||||
|
||||
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
|
||||
index 346a1cb0b..56083e6be 100644
|
||||
--- a/src/db/sysdb_upgrade.c
|
||||
+++ b/src/db/sysdb_upgrade.c
|
||||
@@ -2718,6 +2718,62 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ int ret;
|
||||
+ struct ldb_message *msg;
|
||||
+ struct upgrade_ctx *ctx;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (!tmp_ctx) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx);
|
||||
+ if (ret) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ /* Add new indexes */
|
||||
+ msg = ldb_msg_new(tmp_ctx);
|
||||
+ if (!msg) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES");
|
||||
+ if (!msg->dn) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Case insensitive search for mail */
|
||||
+ ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE");
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_modify(sysdb->ldb, msg);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* conversion done, update version number */
|
||||
+ ret = update_version(ctx);
|
||||
+
|
||||
+done:
|
||||
+ ret = finish_upgrade(ret, &ctx, ver);
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
|
||||
{
|
||||
struct upgrade_ctx *ctx;
|
||||
--
|
||||
2.41.0
|
||||
|
|
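Review bot: `sysdb_upgrade_23` in the `src/db/sysdb_upgrade.c` hunk leaks `tmp_ctx` when `commence_upgrade` fails: the context is allocated with `talloc_new(NULL)` and the early `return ret;` in the following `if (ret)` branch skips the `talloc_free(tmp_ctx)` at `done:`. Either allocate the context after the upgrade has been commenced or free it on that path, `if (ret) { talloc_free(tmp_ctx); return ret; }`. Separately, failures of `ldb_msg_add_empty` and `ldb_msg_add_string` are reported as `ENOMEM` although both return an LDB code; `ret = sysdb_error_to_errno(ret);`, as the `ldb_modify` branch below already does, would preserve the actual cause. The neighbouring upgrade functions are not visible here, so both may be an existing convention in this file rather than new to this patch.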
@ -0,0 +1,154 @@
|
|||
From a7621a5b464af7a3c8409dcbde038b35fee2c895 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 23 Jan 2024 13:47:53 +0100
|
||||
Subject: [PATCH 2/3] sdap: add search_bases option to groups_by_user_send()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD handles users and computer objects very similar and so does SSSD's
|
||||
GPO code when lookup up the host's group-memberships. But users and
|
||||
computers might be stored in different sub-tree of the AD LDAP tree and
|
||||
if a dedicated user search base is given with the ldap_user_search_base
|
||||
option in sssd.conf the host object might be in a different sub-tree. To
|
||||
make sure the host can still be found this patch uses the base DN of
|
||||
the LDAP tree when searching for hosts in the GPO code.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 10 ++++++++++
|
||||
src/providers/ldap/ldap_common.h | 1 +
|
||||
src/providers/ldap/ldap_id.c | 6 +++++-
|
||||
src/providers/ldap/sdap_async.h | 1 +
|
||||
src/providers/ldap/sdap_async_initgroups.c | 4 +++-
|
||||
5 files changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 94959c36b..b0ee3e616 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2091,6 +2091,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
char *server_uri;
|
||||
LDAPURLDesc *lud;
|
||||
struct sdap_domain *sdom;
|
||||
+ struct sdap_search_base **search_bases;
|
||||
|
||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
state = tevent_req_data(req, struct ad_gpo_access_state);
|
||||
@@ -2184,9 +2185,18 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
||||
+ "AD_HOSTS", NULL, &search_bases);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to create dedicated search base for host lookups, "
|
||||
+ "trying with user search base.");
|
||||
+ }
|
||||
+
|
||||
subreq = groups_by_user_send(state, state->ev,
|
||||
state->access_ctx->ad_id_ctx->sdap_id_ctx,
|
||||
sdom, state->conn,
|
||||
+ search_bases,
|
||||
state->host_fqdn,
|
||||
BE_FILTER_NAME,
|
||||
NULL,
|
||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||
index 7159d6356..2c984ef50 100644
|
||||
--- a/src/providers/ldap/ldap_common.h
|
||||
+++ b/src/providers/ldap/ldap_common.h
|
||||
@@ -304,6 +304,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
struct sdap_id_ctx *ctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
||||
index da54816bd..b3ea2333f 100644
|
||||
--- a/src/providers/ldap/ldap_id.c
|
||||
+++ b/src/providers/ldap/ldap_id.c
|
||||
@@ -1139,6 +1139,7 @@ struct groups_by_user_state {
|
||||
struct sdap_id_op *op;
|
||||
struct sysdb_ctx *sysdb;
|
||||
struct sss_domain_info *domain;
|
||||
+ struct sdap_search_base **search_bases;
|
||||
|
||||
const char *filter_value;
|
||||
int filter_type;
|
||||
@@ -1160,6 +1161,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
struct sdap_id_ctx *ctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
@@ -1192,6 +1194,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
state->extra_value = extra_value;
|
||||
state->domain = sdom->dom;
|
||||
state->sysdb = sdom->dom->sysdb;
|
||||
+ state->search_bases = search_bases;
|
||||
|
||||
if (state->domain->type == DOM_TYPE_APPLICATION || set_non_posix) {
|
||||
state->non_posix = true;
|
||||
@@ -1254,6 +1257,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
|
||||
sdap_id_op_handle(state->op),
|
||||
state->ctx,
|
||||
state->conn,
|
||||
+ state->search_bases,
|
||||
state->filter_value,
|
||||
state->filter_type,
|
||||
state->extra_value,
|
||||
@@ -1449,7 +1453,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
|
||||
- sdom, conn,
|
||||
+ sdom, conn, NULL,
|
||||
ar->filter_value,
|
||||
ar->filter_type,
|
||||
ar->extra_value,
|
||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
||||
index 5458d21f1..89245f41f 100644
|
||||
--- a/src/providers/ldap/sdap_async.h
|
||||
+++ b/src/providers/ldap/sdap_async.h
|
||||
@@ -158,6 +158,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *name,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
||||
index 97be594a3..fb3d8fe24 100644
|
||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
||||
@@ -2732,6 +2732,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
@@ -2764,7 +2765,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
state->orig_user = NULL;
|
||||
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
||||
state->user_base_iter = 0;
|
||||
- state->user_search_bases = sdom->user_search_bases;
|
||||
+ state->user_search_bases = (search_bases == NULL) ? sdom->user_search_bases
|
||||
+ : search_bases;
|
||||
if (!state->user_search_bases) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Initgroups lookup request without a user search base\n");
|
||||
--
|
||||
2.41.0
|
||||
|
|
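Review bot: In the `ad_gpo_connect_done` hunk of `src/providers/ad/ad_gpo.c`, `search_bases` is declared without an initializer and is still passed to `groups_by_user_send` when `common_parse_search_base` fails; the DEBUG text promises a fallback to the user search base, but the `sdap_async_initgroups.c` hunk only falls back when the argument is NULL, so unless `common_parse_search_base` is known to reset its out-parameter on every failure path this hands an indeterminate pointer to the lookup. Declare it as `struct sdap_search_base **search_bases = NULL;` and, to make the fallback explicit, add `search_bases = NULL;` inside the failure branch. That DEBUG message is also the only one in these hunks without a trailing `\n`; compare the `"Initgroups lookup request without a user search base\n"` message in the same patch. The follow-up patch in this compare (a7621a5b, naming_context) rewrites the same call and keeps the uninitialized declaration, so the fix applies there too; `ad_gpo_connect_done` starts and ends outside the hunk.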
@ -1,39 +0,0 @@
|
|||
From 532b75c937d767caf60bb00f1a525ae7f6c70cc6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 20 May 2020 12:07:13 +0200
|
||||
Subject: [PATCH] test: avoid endian issues in network tests
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_nss_srv.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
|
||||
index 2c91d0a23..3cd7809cf 100644
|
||||
--- a/src/tests/cmocka/test_nss_srv.c
|
||||
+++ b/src/tests/cmocka/test_nss_srv.c
|
||||
@@ -35,6 +35,7 @@
|
||||
#include "util/util_sss_idmap.h"
|
||||
#include "util/crypto/sss_crypto.h"
|
||||
#include "util/crypto/nss/nss_util.h"
|
||||
+#include "util/sss_endian.h"
|
||||
#include "db/sysdb_private.h" /* new_subdomain() */
|
||||
#include "db/sysdb_iphosts.h"
|
||||
#include "db/sysdb_ipnetworks.h"
|
||||
@@ -5308,7 +5309,13 @@ struct netent test_netent = {
|
||||
.n_name = discard_const("test_network"),
|
||||
.n_aliases = discard_const(test_netent_aliases),
|
||||
.n_addrtype = AF_INET,
|
||||
+#if (__BYTE_ORDER == __LITTLE_ENDIAN)
|
||||
.n_net = 0x04030201 /* 1.2.3.4 */
|
||||
+#elif (__BYTE_ORDER == __BIG_ENDIAN)
|
||||
+ .n_net = 0x01020304 /* 1.2.3.4 */
|
||||
+#else
|
||||
+ #error "unknow endianess"
|
||||
+#endif
|
||||
};
|
||||
|
||||
static void mock_input_netbyname(const char *name)
|
||||
--
|
||||
2.21.1
|
||||
|
|
@ -0,0 +1,194 @@
|
|||
From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 24 Jan 2024 14:21:12 +0100
|
||||
Subject: [PATCH 3/3] sdap: add naming_context as new member of struct
|
||||
sdap_domain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The naming_context could be a more reliable source than basedn for the
|
||||
actual base DN because basedn is set very early from the domain name
|
||||
given in sssd.conf. Although it is recommended to use the fully
|
||||
qualified DNS domain name here it is not required. As a result basedn
|
||||
might not reflect the actual based DN of the LDAP server. Also pure LDAP
|
||||
server (i.e. not AD or FreeIPA) might use different schemes to set the
|
||||
base DN which will not be based on the DNS domain of the LDAP server.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 6 ++++--
|
||||
src/providers/ldap/sdap.c | 36 +++++++++++++-----------------------
|
||||
src/providers/ldap/sdap.h | 11 +++++++++++
|
||||
3 files changed, 28 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index b0ee3e616..3d1ad39c7 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
||||
- "AD_HOSTS", NULL, &search_bases);
|
||||
+ ret = common_parse_search_base(state,
|
||||
+ sdom->naming_context == NULL ? sdom->basedn
|
||||
+ : sdom->naming_context,
|
||||
+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to create dedicated search base for host lookups, "
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index f5637c5fb..956eba93a 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
struct sdap_domain *sdom)
|
||||
{
|
||||
int ret;
|
||||
- char *naming_context = NULL;
|
||||
|
||||
- if (!sdom->search_bases
|
||||
- || !sdom->user_search_bases
|
||||
- || !sdom->group_search_bases
|
||||
- || !sdom->netgroup_search_bases
|
||||
- || !sdom->host_search_bases
|
||||
- || !sdom->sudo_search_bases
|
||||
- || !sdom->iphost_search_bases
|
||||
- || !sdom->ipnetwork_search_bases
|
||||
- || !sdom->autofs_search_bases) {
|
||||
- naming_context = get_naming_context(opts->basic, rootdse);
|
||||
- if (naming_context == NULL) {
|
||||
+ if (!sdom->naming_context) {
|
||||
+ sdom->naming_context = get_naming_context(sdom, rootdse);
|
||||
+ if (sdom->naming_context == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
|
||||
|
||||
/* This has to be non-fatal, since some servers offer
|
||||
@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->user_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_USER_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->group_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_GROUP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->netgroup_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_NETGROUP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->host_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_HOST_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->sudo_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SUDO_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->service_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SERVICE_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->autofs_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_AUTOFS_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->iphost_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_IPHOST_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->ipnetwork_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_IPNETWORK_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
- talloc_free(naming_context);
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index 161bc5c26..103d50ed4 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -454,6 +454,17 @@ struct sdap_domain {
|
||||
|
||||
char *basedn;
|
||||
|
||||
+ /* The naming_context could be a more reliable source than basedn for the
|
||||
+ * actual base DN because basedn is set very early from the domain name
|
||||
+ * given in sssd.conf. Although it is recommended to use the fully
|
||||
+ * qualified DNS domain name here it is not required. As a result basedn
|
||||
+ * might not reflect the actual based DN of the LDAP server. Also pure
|
||||
+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
|
||||
+ * the base DN which will not be based on the DNS domain of the LDAP
|
||||
+ * server. naming_context might be NULL even after connection to an LDAP
|
||||
+ * server. */
|
||||
+ char *naming_context;
|
||||
+
|
||||
struct sdap_search_base **search_bases;
|
||||
struct sdap_search_base **user_search_bases;
|
||||
struct sdap_search_base **group_search_bases;
|
||||
--
|
||||
2.41.0
|
||||
|
|
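Review bot: In the `sdap_set_config_options_with_rootdse` hunk of `src/providers/ldap/sdap.c`, the `talloc_free(naming_context)` at `done:` is removed and the value now lives in `sdom->naming_context`, so its lifetime must be tied to `sdom`; the new call `get_naming_context(sdom, rootdse)` suggests `sdom` is the talloc parent, but the hunk does not show it, and the new `sdap.h` comment should state the ownership, e.g. `/* talloc-allocated on this sdap_domain and released with it. */`. The guard also changes: the rootDSE lookup used to run only when at least one search base was unconfigured, and now runs whenever `sdom->naming_context` is NULL, which the header comment says can persist for servers that publish none, so the `SSSDBG_CRIT_FAILURE` "get_naming_context failed." message will be emitted each time this function runs even for fully configured domains; consider lowering its level or remembering that the lookup was already attempted. `sdap_set_config_options_with_rootdse` continues past the first hunk.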
@ -1,137 +0,0 @@
|
|||
From 61f4aaa56ea876fb75c1366c938818b7799408ab Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Wed, 29 Apr 2020 16:40:36 +0200
|
||||
Subject: [PATCH] sssctl: sssctl config-check alternative config file
|
||||
|
||||
The sssctl config-check now allows to specify alternative config
|
||||
file so it can be tested before rewriting system configuration.
|
||||
|
||||
sssctl config-check -c ./sssd.conf
|
||||
|
||||
Configuration snippets are looked up in the same place under
|
||||
conf.d directory. It would be in ./conf.d/ for the example above.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5142
|
||||
|
||||
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 6 ++--
|
||||
src/tools/sssctl/sssctl_config.c | 56 ++++++++++++++++++++++++++++----
|
||||
2 files changed, 53 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 0a5593232..a2b58e12a 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -40,8 +40,10 @@
|
||||
|
||||
#define CONFDB_DEFAULT_CFG_FILE_VER 2
|
||||
#define CONFDB_FILE "config.ldb"
|
||||
-#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf"
|
||||
-#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/conf.d"
|
||||
+#define SSSD_CONFIG_FILE_NAME "sssd.conf"
|
||||
+#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME
|
||||
+#define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d"
|
||||
+#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/"CONFDB_DEFAULT_CONFIG_DIR_NAME
|
||||
#define SSSD_MIN_ID 1
|
||||
#define SSSD_LOCAL_MINID 1000
|
||||
#define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh"
|
||||
diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
|
||||
index 74395b61c..de9f3de6e 100644
|
||||
--- a/src/tools/sssctl/sssctl_config.c
|
||||
+++ b/src/tools/sssctl/sssctl_config.c
|
||||
@@ -34,6 +34,29 @@
|
||||
|
||||
|
||||
#ifdef HAVE_LIBINI_CONFIG_V1_3
|
||||
+
|
||||
+static char *sssctl_config_snippet_path(TALLOC_CTX *ctx, const char *path)
|
||||
+{
|
||||
+ char *tmp = NULL;
|
||||
+ const char delimiter = '/';
|
||||
+ char *dpos = NULL;
|
||||
+
|
||||
+ tmp = talloc_strdup(ctx, path);
|
||||
+ if (!tmp) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ dpos = strrchr(tmp, delimiter);
|
||||
+ if (dpos != NULL) {
|
||||
+ ++dpos;
|
||||
+ *dpos = '\0';
|
||||
+ } else {
|
||||
+ *tmp = '\0';
|
||||
+ }
|
||||
+
|
||||
+ return talloc_strdup_append(tmp, CONFDB_DEFAULT_CONFIG_DIR_NAME);
|
||||
+}
|
||||
+
|
||||
errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||
struct sss_tool_ctx *tool_ctx,
|
||||
void *pvt)
|
||||
@@ -47,8 +70,15 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||
size_t num_ra_error, num_ra_success;
|
||||
char **strs = NULL;
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
-
|
||||
- ret = sss_tool_popt(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
|
||||
+ const char *config_path = NULL;
|
||||
+ const char *config_snippet_path = NULL;
|
||||
+ struct poptOption long_options[] = {
|
||||
+ {"config", 'c', POPT_ARG_STRING, &config_path,
|
||||
+ 0, _("Specify a non-default config file"), NULL},
|
||||
+ POPT_TABLEEND
|
||||
+ };
|
||||
+
|
||||
+ ret = sss_tool_popt(cmdline, long_options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
|
||||
return ret;
|
||||
@@ -62,17 +92,29 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (config_path != NULL) {
|
||||
+ config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path);
|
||||
+ if (config_snippet_path == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else {
|
||||
+ config_path = SSSD_CONFIG_FILE;
|
||||
+ config_snippet_path = CONFDB_DEFAULT_CONFIG_DIR;
|
||||
+ }
|
||||
+
|
||||
ret = sss_ini_read_sssd_conf(init_data,
|
||||
- SSSD_CONFIG_FILE,
|
||||
- CONFDB_DEFAULT_CONFIG_DIR);
|
||||
+ config_path,
|
||||
+ config_snippet_path);
|
||||
|
||||
if (ret == ERR_INI_OPEN_FAILED) {
|
||||
- PRINT("Failed to open %s\n", SSSD_CONFIG_FILE);
|
||||
+ PRINT("Failed to open %s\n", config_path);
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (!sss_ini_exists(init_data)) {
|
||||
- PRINT("File %1$s does not exist.\n", SSSD_CONFIG_FILE);
|
||||
+ PRINT("File %1$s does not exist.\n", config_path);
|
||||
}
|
||||
|
||||
if (ret == ERR_INI_INVALID_PERMISSION) {
|
||||
@@ -83,7 +125,7 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||
|
||||
if (ret == ERR_INI_PARSE_FAILED) {
|
||||
PRINT("Failed to load configuration from %s.\n",
|
||||
- SSSD_CONFIG_FILE);
|
||||
+ config_path);
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.21.1
|
||||
@ -1,664 +0,0 @@
From 375887543daf26003ff7d900cf6a69d0c0b58523 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 27 May 2020 22:33:50 +0200
|
||||
Subject: [PATCH] DEBUG: only open child process log files when required
|
||||
|
||||
There was no reason to keep child process log files open permanently.
|
||||
|
||||
This patch:
|
||||
- helps to avoid issue when SIGHUP was ignored for child process logs;
|
||||
- somewhat reduces code duplication.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/4667
|
||||
|
||||
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 17 +++--------------
|
||||
src/providers/ad/ad_init.c | 7 -------
|
||||
src/providers/ad/ad_machine_pw_renewal.c | 2 +-
|
||||
src/providers/ipa/ipa_init.c | 7 -------
|
||||
src/providers/ipa/ipa_selinux.c | 17 +----------------
|
||||
src/providers/krb5/krb5_child_handler.c | 2 +-
|
||||
src/providers/krb5/krb5_common.h | 1 -
|
||||
src/providers/krb5/krb5_init_shared.c | 8 --------
|
||||
src/providers/ldap/ldap_common.c | 3 ---
|
||||
src/providers/ldap/ldap_common.h | 6 ------
|
||||
src/providers/ldap/ldap_init.c | 7 -------
|
||||
src/providers/ldap/sdap_child_helpers.c | 10 +---------
|
||||
src/responder/pam/pamsrv.c | 1 -
|
||||
src/responder/pam/pamsrv.h | 2 --
|
||||
src/responder/pam/pamsrv_cmd.c | 2 +-
|
||||
src/responder/pam/pamsrv_p11.c | 9 ++-------
|
||||
src/responder/ssh/ssh_private.h | 1 -
|
||||
src/responder/ssh/ssh_reply.c | 4 ++--
|
||||
src/responder/ssh/sshsrv.c | 10 ----------
|
||||
src/tests/cmocka/test_cert_utils.c | 12 ++++++------
|
||||
src/util/cert.h | 2 +-
|
||||
src/util/cert/cert_common_p11_child.c | 9 ++++-----
|
||||
src/util/child_common.c | 21 +++++++++++++++++----
|
||||
src/util/child_common.h | 6 ++----
|
||||
24 files changed, 42 insertions(+), 124 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index f17917552..bbe8d8a1e 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -99,15 +99,14 @@
|
||||
#define GPO_CHILD SSSD_LIBEXEC_PATH"/gpo_child"
|
||||
#endif
|
||||
|
||||
+#define GPO_CHILD_LOG_FILE "gpo_child"
|
||||
+
|
||||
/* If INI_PARSE_IGNORE_NON_KVP is not defined, use 0 (no effect) */
|
||||
#ifndef INI_PARSE_IGNORE_NON_KVP
|
||||
#define INI_PARSE_IGNORE_NON_KVP 0
|
||||
#warning INI_PARSE_IGNORE_NON_KVP not defined.
|
||||
#endif
|
||||
|
||||
-/* fd used by the gpo_child process for logging */
|
||||
-int gpo_child_debug_fd = -1;
|
||||
-
|
||||
/* == common data structures and declarations ============================= */
|
||||
|
||||
struct gp_som {
|
||||
@@ -1618,13 +1617,6 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-#define GPO_CHILD_LOG_FILE "gpo_child"
|
||||
-
|
||||
-static errno_t gpo_child_init(void)
|
||||
-{
|
||||
- return child_debug_init(GPO_CHILD_LOG_FILE, &gpo_child_debug_fd);
|
||||
-}
|
||||
-
|
||||
/*
|
||||
* This function retrieves the raw policy_setting_value for the input key from
|
||||
* the GPO_Result object in the sysdb cache. It then parses the raw value and
|
||||
@@ -1808,9 +1800,6 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
||||
hash_value_t val;
|
||||
enum gpo_map_type gpo_map_type;
|
||||
|
||||
- /* setup logging for gpo child */
|
||||
- gpo_child_init();
|
||||
-
|
||||
req = tevent_req_create(mem_ctx, &state, struct ad_gpo_access_state);
|
||||
if (req == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
|
||||
@@ -4763,7 +4752,7 @@ gpo_fork_child(struct tevent_req *req)
|
||||
if (pid == 0) { /* child */
|
||||
exec_child_ex(state,
|
||||
pipefd_to_child, pipefd_from_child,
|
||||
- GPO_CHILD, gpo_child_debug_fd, NULL, false,
|
||||
+ GPO_CHILD, GPO_CHILD_LOG_FILE, NULL, false,
|
||||
STDIN_FILENO, AD_GPO_CHILD_OUT_FILENO);
|
||||
|
||||
/* We should never get here */
|
||||
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
|
||||
index 05535fcb0..704e63a06 100644
|
||||
--- a/src/providers/ad/ad_init.c
|
||||
+++ b/src/providers/ad/ad_init.c
|
||||
@@ -402,13 +402,6 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
|
||||
|
||||
sdap_id_ctx->opts->sdom->pvt = ad_id_ctx;
|
||||
|
||||
- ret = sdap_setup_child();
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n",
|
||||
- ret, sss_strerror(ret));
|
||||
- return ret;
|
||||
- }
|
||||
-
|
||||
ret = ad_init_srv_plugin(be_ctx, ad_options);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup SRV plugin [%d]: %s\n",
|
||||
diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
|
||||
index e0db5fad5..ce9bbe6f3 100644
|
||||
--- a/src/providers/ad/ad_machine_pw_renewal.c
|
||||
+++ b/src/providers/ad/ad_machine_pw_renewal.c
|
||||
@@ -185,7 +185,7 @@ ad_machine_account_password_renewal_send(TALLOC_CTX *mem_ctx,
|
||||
child_pid = fork();
|
||||
if (child_pid == 0) { /* child */
|
||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
|
||||
- renewal_data->prog_path, -1,
|
||||
+ renewal_data->prog_path, NULL,
|
||||
extra_args, true,
|
||||
STDIN_FILENO, STDERR_FILENO);
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
|
||||
index cdfd11d7a..d8d592653 100644
|
||||
--- a/src/providers/ipa/ipa_init.c
|
||||
+++ b/src/providers/ipa/ipa_init.c
|
||||
@@ -571,13 +571,6 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- ret = sdap_setup_child();
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
|
||||
- ret, sss_strerror(ret));
|
||||
- return ret;
|
||||
- }
|
||||
-
|
||||
if (dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE)) {
|
||||
ret = ipa_init_server_mode(be_ctx, ipa_options, ipa_id_ctx);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
|
||||
index 630f68ad5..9ae37b90d 100644
|
||||
--- a/src/providers/ipa/ipa_selinux.c
|
||||
+++ b/src/providers/ipa/ipa_selinux.c
|
||||
@@ -51,9 +51,6 @@
|
||||
|
||||
#include <selinux/selinux.h>
|
||||
|
||||
-/* fd used by the selinux_child process for logging */
|
||||
-int selinux_child_debug_fd = -1;
|
||||
-
|
||||
static struct tevent_req *
|
||||
ipa_get_selinux_send(TALLOC_CTX *mem_ctx,
|
||||
struct be_ctx *be_ctx,
|
||||
@@ -565,7 +562,6 @@ struct selinux_child_state {
|
||||
struct child_io_fds *io;
|
||||
};
|
||||
|
||||
-static errno_t selinux_child_init(void);
|
||||
static errno_t selinux_child_create_buffer(struct selinux_child_state *state);
|
||||
static errno_t selinux_fork_child(struct selinux_child_state *state);
|
||||
static void selinux_child_step(struct tevent_req *subreq);
|
||||
@@ -602,12 +598,6 @@ static struct tevent_req *selinux_child_send(TALLOC_CTX *mem_ctx,
|
||||
state->io->read_from_child_fd = -1;
|
||||
talloc_set_destructor((void *) state->io, child_io_destructor);
|
||||
|
||||
- ret = selinux_child_init();
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Failed to init the child\n");
|
||||
- goto immediately;
|
||||
- }
|
||||
-
|
||||
ret = selinux_child_create_buffer(state);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Failed to create the send buffer\n");
|
||||
@@ -638,11 +628,6 @@ immediately:
|
||||
return req;
|
||||
}
|
||||
|
||||
-static errno_t selinux_child_init(void)
|
||||
-{
|
||||
- return child_debug_init(SELINUX_CHILD_LOG_FILE, &selinux_child_debug_fd);
|
||||
-}
|
||||
-
|
||||
static errno_t selinux_child_create_buffer(struct selinux_child_state *state)
|
||||
{
|
||||
size_t rp;
|
||||
@@ -712,7 +697,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
|
||||
|
||||
if (pid == 0) { /* child */
|
||||
exec_child(state, pipefd_to_child, pipefd_from_child,
|
||||
- SELINUX_CHILD, selinux_child_debug_fd);
|
||||
+ SELINUX_CHILD, SELINUX_CHILD_LOG_FILE);
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
||||
index b7fb54499..8546285b2 100644
|
||||
--- a/src/providers/krb5/krb5_child_handler.c
|
||||
+++ b/src/providers/krb5/krb5_child_handler.c
|
||||
@@ -465,7 +465,7 @@ static errno_t fork_child(struct tevent_req *req)
|
||||
if (pid == 0) { /* child */
|
||||
exec_child_ex(state,
|
||||
pipefd_to_child, pipefd_from_child,
|
||||
- KRB5_CHILD, state->kr->krb5_ctx->child_debug_fd,
|
||||
+ KRB5_CHILD, KRB5_CHILD_LOG_FILE,
|
||||
krb5_child_extra_args, false,
|
||||
STDIN_FILENO, STDOUT_FILENO);
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
||||
index 493d12e5f..f198e2684 100644
|
||||
--- a/src/providers/krb5/krb5_common.h
|
||||
+++ b/src/providers/krb5/krb5_common.h
|
||||
@@ -124,7 +124,6 @@ struct krb5_ctx {
|
||||
struct dp_option *opts;
|
||||
struct krb5_service *service;
|
||||
struct krb5_service *kpasswd_service;
|
||||
- int child_debug_fd;
|
||||
|
||||
sss_regexp_t *illegal_path_re;
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
|
||||
index afe15b365..ea3d32805 100644
|
||||
--- a/src/providers/krb5/krb5_init_shared.c
|
||||
+++ b/src/providers/krb5/krb5_init_shared.c
|
||||
@@ -71,14 +71,6 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- krb5_auth_ctx->child_debug_fd = -1; /* -1 means not initialized */
|
||||
- ret = child_debug_init(KRB5_CHILD_LOG_FILE,
|
||||
- &krb5_auth_ctx->child_debug_fd);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Could not set krb5_child debugging!\n");
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
ret = parse_krb5_map_user(krb5_auth_ctx,
|
||||
dp_opt_get_cstring(krb5_auth_ctx->opts,
|
||||
KRB5_MAP_USER),
|
||||
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
|
||||
index 9d7806a2f..2133db36f 100644
|
||||
--- a/src/providers/ldap/ldap_common.c
|
||||
+++ b/src/providers/ldap/ldap_common.c
|
||||
@@ -35,9 +35,6 @@
|
||||
|
||||
#include "providers/ldap/sdap_idmap.h"
|
||||
|
||||
-/* a fd the child process would log into */
|
||||
-int ldap_child_debug_fd = -1;
|
||||
-
|
||||
errno_t ldap_id_setup_tasks(struct sdap_id_ctx *ctx)
|
||||
{
|
||||
return sdap_id_setup_tasks(ctx->be, ctx, ctx->opts->sdom,
|
||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||
index 63ee5dd84..13e6d4871 100644
|
||||
--- a/src/providers/ldap/ldap_common.h
|
||||
+++ b/src/providers/ldap/ldap_common.h
|
||||
@@ -44,9 +44,6 @@
|
||||
|
||||
#define LDAP_ENUM_PURGE_TIMEOUT 10800
|
||||
|
||||
-/* a fd the child process would log into */
|
||||
-extern int ldap_child_debug_fd;
|
||||
-
|
||||
struct sdap_id_ctx;
|
||||
|
||||
struct sdap_id_conn_ctx {
|
||||
@@ -342,9 +339,6 @@ sdap_ipnetwork_handler_recv(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_req *req,
|
||||
struct dp_reply_std *data);
|
||||
|
||||
-/* setup child logging */
|
||||
-int sdap_setup_child(void);
|
||||
-
|
||||
|
||||
errno_t string_to_shadowpw_days(const char *s, long *d);
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
|
||||
index 1be5d13de..de64e5985 100644
|
||||
--- a/src/providers/ldap/ldap_init.c
|
||||
+++ b/src/providers/ldap/ldap_init.c
|
||||
@@ -419,13 +419,6 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- ret = sdap_setup_child();
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n",
|
||||
- ret, sss_strerror(ret));
|
||||
- return ret;
|
||||
- }
|
||||
-
|
||||
/* Setup SRV lookup plugin */
|
||||
ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
|
||||
index a03d28c9c..9d25aea8b 100644
|
||||
--- a/src/providers/ldap/sdap_child_helpers.c
|
||||
+++ b/src/providers/ldap/sdap_child_helpers.c
|
||||
@@ -111,7 +111,7 @@ static errno_t sdap_fork_child(struct tevent_context *ev,
|
||||
if (pid == 0) { /* child */
|
||||
exec_child(child,
|
||||
pipefd_to_child, pipefd_from_child,
|
||||
- LDAP_CHILD, ldap_child_debug_fd);
|
||||
+ LDAP_CHILD, LDAP_CHILD_LOG_FILE);
|
||||
|
||||
/* We should never get here */
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec LDAP child\n");
|
||||
@@ -512,11 +512,3 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req,
|
||||
|
||||
return EOK;
|
||||
}
|
||||
-
|
||||
-
|
||||
-
|
||||
-/* Setup child logging */
|
||||
-int sdap_setup_child(void)
|
||||
-{
|
||||
- return child_debug_init(LDAP_CHILD_LOG_FILE, &ldap_child_debug_fd);
|
||||
-}
|
||||
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
||||
index a4c9ebbbb..dde44a472 100644
|
||||
--- a/src/responder/pam/pamsrv.c
|
||||
+++ b/src/responder/pam/pamsrv.c
|
||||
@@ -277,7 +277,6 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- pctx->p11_child_debug_fd = -1;
|
||||
if (pctx->cert_auth) {
|
||||
ret = p11_child_init(pctx);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 24bd9764d..478d91b93 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -54,7 +54,6 @@ struct pam_ctx {
|
||||
char **app_services;
|
||||
|
||||
bool cert_auth;
|
||||
- int p11_child_debug_fd;
|
||||
char *nss_db;
|
||||
struct sss_certmap_ctx *sss_certmap_ctx;
|
||||
char **smartcard_services;
|
||||
@@ -110,7 +109,6 @@ void sss_cai_check_users(struct cert_auth_info **list, size_t *_cert_count,
|
||||
|
||||
struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
- int child_debug_fd,
|
||||
const char *nss_db,
|
||||
time_t timeout,
|
||||
const char *verify_opts,
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index ddde9eda2..1cd901f15 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1404,7 +1404,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
|
||||
+ req = pam_check_cert_send(mctx, ev,
|
||||
pctx->nss_db, p11_child_timeout,
|
||||
cert_verification_opts, pctx->sss_certmap_ctx,
|
||||
uri, pd);
|
||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
||||
index 8e276b200..3f0afaeff 100644
|
||||
--- a/src/responder/pam/pamsrv_p11.c
|
||||
+++ b/src/responder/pam/pamsrv_p11.c
|
||||
@@ -242,7 +242,7 @@ errno_t p11_child_init(struct pam_ctx *pctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
- return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
|
||||
+ return EOK;
|
||||
}
|
||||
|
||||
static inline bool
|
||||
@@ -705,7 +705,6 @@ static void p11_child_timeout(struct tevent_context *ev,
|
||||
|
||||
struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
- int child_debug_fd,
|
||||
const char *nss_db,
|
||||
time_t timeout,
|
||||
const char *verify_opts,
|
||||
@@ -838,14 +837,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (child_debug_fd == -1) {
|
||||
- child_debug_fd = STDERR_FILENO;
|
||||
- }
|
||||
-
|
||||
child_pid = fork();
|
||||
if (child_pid == 0) { /* child */
|
||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
|
||||
- P11_CHILD_PATH, child_debug_fd, extra_args, false,
|
||||
+ P11_CHILD_PATH, P11_CHILD_LOG_FILE, extra_args, false,
|
||||
STDIN_FILENO, STDOUT_FILENO);
|
||||
|
||||
/* We should never get here */
|
||||
diff --git a/src/responder/ssh/ssh_private.h b/src/responder/ssh/ssh_private.h
|
||||
index 028ccd616..5aa7e37d6 100644
|
||||
--- a/src/responder/ssh/ssh_private.h
|
||||
+++ b/src/responder/ssh/ssh_private.h
|
||||
@@ -36,7 +36,6 @@ struct ssh_ctx {
|
||||
char *ca_db;
|
||||
bool use_cert_keys;
|
||||
|
||||
- int p11_child_debug_fd;
|
||||
time_t certmap_last_read;
|
||||
struct sss_certmap_ctx *sss_certmap_ctx;
|
||||
char **cert_rules;
|
||||
diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c
|
||||
index 97914266d..edeb28765 100644
|
||||
--- a/src/responder/ssh/ssh_reply.c
|
||||
+++ b/src/responder/ssh/ssh_reply.c
|
||||
@@ -249,7 +249,7 @@ struct tevent_req *ssh_get_output_keys_send(TALLOC_CTX *mem_ctx,
|
||||
: state->user_cert_override;
|
||||
|
||||
subreq = cert_to_ssh_key_send(state, state->ev,
|
||||
- state->ssh_ctx->p11_child_debug_fd,
|
||||
+ P11_CHILD_LOG_FILE,
|
||||
state->p11_child_timeout,
|
||||
state->ssh_ctx->ca_db,
|
||||
state->ssh_ctx->sss_certmap_ctx,
|
||||
@@ -335,7 +335,7 @@ void ssh_get_output_keys_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- subreq = cert_to_ssh_key_send(state, state->ev, -1,
|
||||
+ subreq = cert_to_ssh_key_send(state, state->ev, NULL,
|
||||
state->p11_child_timeout,
|
||||
state->ssh_ctx->ca_db,
|
||||
state->ssh_ctx->sss_certmap_ctx,
|
||||
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
|
||||
index 7765e91b8..6072a702c 100644
|
||||
--- a/src/responder/ssh/sshsrv.c
|
||||
+++ b/src/responder/ssh/sshsrv.c
|
||||
@@ -126,16 +126,6 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- ssh_ctx->p11_child_debug_fd = -1;
|
||||
- if (ssh_ctx->use_cert_keys) {
|
||||
- ret = child_debug_init(P11_CHILD_LOG_FILE,
|
||||
- &ssh_ctx->p11_child_debug_fd);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Failed to setup p11_child logging, ignored.\n");
|
||||
- }
|
||||
- }
|
||||
-
|
||||
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
|
||||
diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c
|
||||
index 848ed1a8d..1ff20576a 100644
|
||||
--- a/src/tests/cmocka/test_cert_utils.c
|
||||
+++ b/src/tests/cmocka/test_cert_utils.c
|
||||
@@ -391,7 +391,7 @@ void test_cert_to_ssh_key_send(void **state)
|
||||
ev = tevent_context_init(ts);
|
||||
assert_non_null(ev);
|
||||
|
||||
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
|
||||
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
|
||||
#ifdef HAVE_NSS
|
||||
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
|
||||
#else
|
||||
@@ -465,7 +465,7 @@ void test_cert_to_ssh_2keys_send(void **state)
|
||||
ev = tevent_context_init(ts);
|
||||
assert_non_null(ev);
|
||||
|
||||
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
|
||||
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
|
||||
#ifdef HAVE_NSS
|
||||
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
|
||||
#else
|
||||
@@ -548,7 +548,7 @@ void test_cert_to_ssh_2keys_invalid_send(void **state)
|
||||
ev = tevent_context_init(ts);
|
||||
assert_non_null(ev);
|
||||
|
||||
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
|
||||
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
|
||||
#ifdef HAVE_NSS
|
||||
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
|
||||
#else
|
||||
@@ -614,7 +614,7 @@ void test_ec_cert_to_ssh_key_send(void **state)
|
||||
ev = tevent_context_init(ts);
|
||||
assert_non_null(ev);
|
||||
|
||||
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
|
||||
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
|
||||
#ifdef HAVE_NSS
|
||||
"sql:" ABS_BUILD_DIR "/src/tests/test_ECC_CA/p11_ecc_nssdb",
|
||||
#else
|
||||
@@ -691,7 +691,7 @@ void test_cert_to_ssh_2keys_with_certmap_send(void **state)
|
||||
ev = tevent_context_init(ts);
|
||||
assert_non_null(ev);
|
||||
|
||||
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
|
||||
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
|
||||
#ifdef HAVE_NSS
|
||||
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
|
||||
#else
|
||||
@@ -769,7 +769,7 @@ void test_cert_to_ssh_2keys_with_certmap_2_send(void **state)
|
||||
ev = tevent_context_init(ts);
|
||||
assert_non_null(ev);
|
||||
|
||||
- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT,
|
||||
+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT,
|
||||
#ifdef HAVE_NSS
|
||||
"sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
|
||||
#else
|
||||
diff --git a/src/util/cert.h b/src/util/cert.h
|
||||
index d038a99f6..16dda37b3 100644
|
||||
--- a/src/util/cert.h
|
||||
+++ b/src/util/cert.h
|
||||
@@ -57,7 +57,7 @@ errno_t get_ssh_key_from_derb64(TALLOC_CTX *mem_ctx, const char *derb64,
|
||||
|
||||
struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
- int child_debug_fd, time_t timeout,
|
||||
+ const char *logfile, time_t timeout,
|
||||
const char *ca_db,
|
||||
struct sss_certmap_ctx *sss_certmap_ctx,
|
||||
size_t cert_count,
|
||||
diff --git a/src/util/cert/cert_common_p11_child.c b/src/util/cert/cert_common_p11_child.c
|
||||
index 1846ff89a..18a331f23 100644
|
||||
--- a/src/util/cert/cert_common_p11_child.c
|
||||
+++ b/src/util/cert/cert_common_p11_child.c
|
||||
@@ -24,7 +24,7 @@
|
||||
|
||||
struct cert_to_ssh_key_state {
|
||||
struct tevent_context *ev;
|
||||
- int child_debug_fd;
|
||||
+ const char *logfile;
|
||||
time_t timeout;
|
||||
const char **extra_args;
|
||||
const char **certs;
|
||||
@@ -45,7 +45,7 @@ static void cert_to_ssh_key_done(int child_status,
|
||||
|
||||
struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
- int child_debug_fd, time_t timeout,
|
||||
+ const char *logfile, time_t timeout,
|
||||
const char *ca_db,
|
||||
struct sss_certmap_ctx *sss_certmap_ctx,
|
||||
size_t cert_count,
|
||||
@@ -70,8 +70,7 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
state->ev = ev;
|
||||
- state->child_debug_fd = (child_debug_fd == -1) ? STDERR_FILENO
|
||||
- : child_debug_fd;
|
||||
+ state->logfile = logfile;
|
||||
state->timeout = timeout;
|
||||
state->io = talloc(state, struct child_io_fds);
|
||||
if (state->io == NULL) {
|
||||
@@ -205,7 +204,7 @@ static errno_t cert_to_ssh_key_step(struct tevent_req *req)
|
||||
child_pid = fork();
|
||||
if (child_pid == 0) { /* child */
|
||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child, P11_CHILD_PATH,
|
||||
- state->child_debug_fd, state->extra_args, false,
|
||||
+ state->logfile, state->extra_args, false,
|
||||
STDIN_FILENO, STDOUT_FILENO);
|
||||
/* We should never get here */
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec p11 child\n");
|
||||
diff --git a/src/util/child_common.c b/src/util/child_common.c
|
||||
index 3a07580c2..5cac725ca 100644
|
||||
--- a/src/util/child_common.c
|
||||
+++ b/src/util/child_common.c
|
||||
@@ -47,6 +47,8 @@ struct sss_child_ctx {
|
||||
struct sss_sigchild_ctx *sigchld_ctx;
|
||||
};
|
||||
|
||||
+static errno_t child_debug_init(const char *logfile, int *debug_fd);
|
||||
+
|
||||
static void sss_child_handler(struct tevent_context *ev,
|
||||
struct tevent_signal *se,
|
||||
int signum,
|
||||
@@ -725,13 +727,24 @@ fail:
|
||||
|
||||
void exec_child_ex(TALLOC_CTX *mem_ctx,
|
||||
int *pipefd_to_child, int *pipefd_from_child,
|
||||
- const char *binary, int debug_fd,
|
||||
+ const char *binary, const char *logfile,
|
||||
const char *extra_argv[], bool extra_args_only,
|
||||
int child_in_fd, int child_out_fd)
|
||||
{
|
||||
int ret;
|
||||
errno_t err;
|
||||
char **argv;
|
||||
+ int debug_fd = -1;
|
||||
+
|
||||
+ if (logfile) {
|
||||
+ ret = child_debug_init(logfile, &debug_fd);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "child_debug_init() failed.\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ } else {
|
||||
+ debug_fd = STDERR_FILENO;
|
||||
+ }
|
||||
|
||||
close(pipefd_to_child[1]);
|
||||
ret = dup2(pipefd_to_child[0], child_in_fd);
|
||||
@@ -767,10 +780,10 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
|
||||
|
||||
void exec_child(TALLOC_CTX *mem_ctx,
|
||||
int *pipefd_to_child, int *pipefd_from_child,
|
||||
- const char *binary, int debug_fd)
|
||||
+ const char *binary, const char *logfile)
|
||||
{
|
||||
exec_child_ex(mem_ctx, pipefd_to_child, pipefd_from_child,
|
||||
- binary, debug_fd, NULL, false,
|
||||
+ binary, logfile, NULL, false,
|
||||
STDIN_FILENO, STDOUT_FILENO);
|
||||
}
|
||||
|
||||
@@ -803,7 +816,7 @@ int child_io_destructor(void *ptr)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
-errno_t child_debug_init(const char *logfile, int *debug_fd)
|
||||
+static errno_t child_debug_init(const char *logfile, int *debug_fd)
|
||||
{
|
||||
int ret;
|
||||
FILE *debug_filep;
|
||||
diff --git a/src/util/child_common.h b/src/util/child_common.h
|
||||
index 37116e2a7..92d66a500 100644
|
||||
--- a/src/util/child_common.h
|
||||
+++ b/src/util/child_common.h
|
||||
@@ -106,7 +106,7 @@ void fd_nonblocking(int fd);
|
||||
/* Never returns EOK, ether returns an error, or doesn't return on success */
|
||||
void exec_child_ex(TALLOC_CTX *mem_ctx,
|
||||
int *pipefd_to_child, int *pipefd_from_child,
|
||||
- const char *binary, int debug_fd,
|
||||
+ const char *binary, const char *logfile,
|
||||
const char *extra_argv[], bool extra_args_only,
|
||||
int child_in_fd, int child_out_fd);
|
||||
|
||||
@@ -115,10 +115,8 @@ void exec_child_ex(TALLOC_CTX *mem_ctx,
|
||||
*/
|
||||
void exec_child(TALLOC_CTX *mem_ctx,
|
||||
int *pipefd_to_child, int *pipefd_from_child,
|
||||
- const char *binary, int debug_fd);
|
||||
+ const char *binary, const char *logfile);
|
||||
|
||||
int child_io_destructor(void *ptr);
|
||||
|
||||
-errno_t child_debug_init(const char *logfile, int *debug_fd);
|
||||
-
|
||||
#endif /* __CHILD_COMMON_H__ */
|
||||
--
|
||||
2.21.3
|
||||
@ -0,0 +1,233 @@
From 50077c3255177fe1b01837fbe31a7f8fd47dee74 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Jan 2024 13:08:17 +0100
|
||||
Subject: [PATCH] pam: fix SC auth with multiple certs and missing login name
|
||||
|
||||
While introducing the local_auth_policy option a quite specific use-case
|
||||
was not covered correctly. If there are multiple matching certificates
|
||||
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
|
||||
mode was used for login, i.e. there is no user name given and the user
|
||||
has to be derived from the certificate used for login, authentication
|
||||
failed. The main reason for the failure is that in this case the
|
||||
Smartcard interaction and the user mapping has to be done first to
|
||||
determine the user before local_auth_policy is evaluated. As a result
|
||||
when checking if the authentication can be finished the request was in
|
||||
an unexpected state because the indicator for local Smartcard
|
||||
authentication was not enabled.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7109
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Scott Poore <spoore@redhat.com>
|
||||
(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3)
|
||||
---
|
||||
src/responder/pam/pamsrv.h | 10 ++++
|
||||
src/responder/pam/pamsrv_cmd.c | 17 +++++--
|
||||
src/tests/intg/Makefile.am | 2 +
|
||||
src/tests/intg/test_pam_responder.py | 74 +++++++++++++++++++++++++++-
|
||||
4 files changed, 96 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 7013a8edd..618836189 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -93,7 +93,17 @@ struct pam_auth_req {
|
||||
struct ldb_message *user_obj;
|
||||
struct cert_auth_info *cert_list;
|
||||
struct cert_auth_info *current_cert;
|
||||
+ /* Switched to 'true' if the backend indicates that it cannot handle
|
||||
+ * Smartcard authentication, but Smartcard authentication is
|
||||
+ * possible and local Smartcard authentication is allowed. */
|
||||
bool cert_auth_local;
|
||||
+ /* Switched to 'true' if authentication (not pre-authentication) was
|
||||
+ * started without a login name and the name had to be lookup up with the
|
||||
+ * certificate used for authentication. Since reading the certificate from
|
||||
+ * the Smartcard already involves the PIN validation in this case there
|
||||
+ * would be no need for an additional Smartcard interaction if only local
|
||||
+ * Smartcard authentication is possible. */
|
||||
+ bool initial_cert_auth_successful;
|
||||
|
||||
bool passkey_data_exists;
|
||||
uint32_t client_id_num;
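Review bot: The comment on the new `initial_cert_auth_successful` field has a typo ("lookup up") and states as an observation that reading the certificate "already involves the PIN validation", which is exactly the property pam_dom_forwarder later trusts when it grants PAM_SUCCESS on this flag, so it should be phrased as the setter's obligation. Suggest `* started without a login name and the name had to be looked up with the` for the typo, and replacing the last three lines of the comment with `* Must only be set once p11_child has verified the PIN, because` / `* pam_dom_forwarder treats it as a completed local Smartcard authentication. */`. The struct pam_auth_req definition starts before this hunk.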
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index c23ea7ba4..a7c181733 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -2200,8 +2200,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
ret = ENOENT;
|
||||
goto done;
|
||||
}
|
||||
-
|
||||
- if (cert_count > 1) {
|
||||
+ /* Multiple certificates are only expected during pre-auth */
|
||||
+ if (cert_count > 1 && preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
for (preq->current_cert = preq->cert_list;
|
||||
preq->current_cert != NULL;
|
||||
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
|
||||
@@ -2285,7 +2285,9 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
}
|
||||
|
||||
/* If logon_name was not given during authentication add a
|
||||
- * SSS_PAM_CERT_INFO message to send the name to the caller. */
|
||||
+ * SSS_PAM_CERT_INFO message to send the name to the caller.
|
||||
+ * Additionally initial_cert_auth_successful is set to
|
||||
+ * indicate that the user is already authenticated. */
|
||||
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& preq->pd->logon_name == NULL) {
|
||||
ret = add_pam_cert_response(preq->pd,
|
||||
@@ -2297,6 +2299,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
+ preq->initial_cert_auth_successful = true;
|
||||
}
|
||||
|
||||
/* cert_user will be returned to the PAM client as user name, so
|
||||
@@ -2851,12 +2855,15 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
if (found) {
|
||||
if (local_policy != NULL && strcasecmp(local_policy, "only") == 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
- DEBUG(SSSDBG_IMPORTANT_INFO, "Local auth only set, skipping online auth\n");
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Local auth only set and matching certificate was found, "
|
||||
+ "skipping online auth\n");
|
||||
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
} else if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& IS_SC_AUTHTOK(preq->pd->authtok)
|
||||
- && preq->cert_auth_local) {
|
||||
+ && (preq->cert_auth_local
|
||||
+ || preq->initial_cert_auth_successful)) {
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
preq->callback = pam_reply;
|
||||
}
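Review bot: The added `|| preq->initial_cert_auth_successful` lets pam_dom_forwarder answer PAM_SUCCESS with no backend round-trip ("skipping online auth", `preq->callback = pam_reply`), so the whole authentication rests on that flag only ever being set after p11_child verified the PIN, yet the set site in the earlier hunk conditions it solely on `cmd == SSS_PAM_AUTHENTICATE && logon_name == NULL` and the PIN-verification assumption lives only in a comment. I would make the dependency explicit where the flag is set: `/* Trusted only because the lookup above ran p11_child with the SC PIN. */` followed by `preq->initial_cert_auth_successful = IS_SC_AUTHTOK(preq->pd->authtok);`, so a future lookup path that runs without a PIN cannot satisfy this branch. The first hunk now also lets `cert_count > 1` through during authentication; which matching certificate then selects `cert_user` is decided below that hunk, and if several could map to different users that choice deserves a comment as well. pam_dom_forwarder's body begins before this hunk.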
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 3866d3ca6..0cfd268dc 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -199,6 +199,7 @@ clean-local:
|
||||
|
||||
PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
||||
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
||||
+SOFTHSM2_TWO_CONF="$(abs_builddir)/../test_CA/softhsm2_two.conf"
|
||||
|
||||
intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains sss_netgroup_thread_test
|
||||
pipepath="$(DESTDIR)$(pipepath)"; \
|
||||
@@ -233,6 +234,7 @@ intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
|
||||
PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
|
||||
ABS_SRCDIR=$(abs_srcdir) \
|
||||
SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
|
||||
+ SOFTHSM2_TWO_CONF=$(SOFTHSM2_TWO_CONF) \
|
||||
KCM_RENEW=$(KCM_RENEW) \
|
||||
FILES_PROVIDER=$(FILES_PROVIDER) \
|
||||
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
|
||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
||||
index 1fc3937e6..0fbf8065e 100644
|
||||
--- a/src/tests/intg/test_pam_responder.py
|
||||
+++ b/src/tests/intg/test_pam_responder.py
|
||||
@@ -168,7 +168,7 @@ def format_pam_cert_auth_conf(config, provider):
|
||||
{provider.p}
|
||||
|
||||
[certmap/auth_only/user1]
|
||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -201,7 +201,7 @@ def format_pam_cert_auth_conf_name_format(config, provider):
|
||||
{provider.p}
|
||||
|
||||
[certmap/auth_only/user1]
|
||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -380,6 +380,28 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
|
||||
return None
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def simple_pam_cert_auth_two_certs(request, passwd_ops_setup):
|
||||
+ """Setup SSSD with pam_cert_auth=True"""
|
||||
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
||||
+
|
||||
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
|
||||
+ softhsm2_two_conf = os.environ['SOFTHSM2_TWO_CONF']
|
||||
+ os.environ['SOFTHSM2_CONF'] = softhsm2_two_conf
|
||||
+
|
||||
+ conf = format_pam_cert_auth_conf(config, provider_switch(request.param))
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+
|
||||
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
|
||||
+
|
||||
+ passwd_ops_setup.useradd(**USER1)
|
||||
+ passwd_ops_setup.useradd(**USER2)
|
||||
+ sync_files_provider(USER2['name'])
|
||||
+
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def simple_pam_cert_auth_name_format(request, passwd_ops_setup):
|
||||
"""Setup SSSD with pam_cert_auth=True and full_name_format"""
|
||||
@@ -522,6 +544,54 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
|
||||
assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
|
||||
|
||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
||||
+def test_sc_auth_two(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth", "--service=pam_sss_service"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="2\n123456")
|
||||
+ except Exception:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
||||
+def test_sc_auth_two_missing_name(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "",
|
||||
+ "--action=auth", "--service=pam_sss_allow_missing_name"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="2\n123456")
|
||||
+ except Exception:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
@pytest.mark.parametrize('simple_pam_cert_auth', ['proxy_password'], indirect=True)
|
||||
def test_sc_proxy_password_fallback(simple_pam_cert_auth, env_for_sssctl):
|
||||
"""
|
||||
--
|
||||
2.41.0
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
From e58853f9ce63fae0c8b219b79be65c760a2f3e7e Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 5 Jun 2020 13:57:59 +0200
|
||||
Subject: [PATCH] DEBUG: use new exec_child(_ex) interface in tests
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/4667
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_child_common.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_child_common.c b/src/tests/cmocka/test_child_common.c
|
||||
index 5cf460b50..87cae3405 100644
|
||||
--- a/src/tests/cmocka/test_child_common.c
|
||||
+++ b/src/tests/cmocka/test_child_common.c
|
||||
@@ -97,7 +97,7 @@ void test_exec_child(void **state)
|
||||
exec_child(child_tctx,
|
||||
child_tctx->pipefd_to_child,
|
||||
child_tctx->pipefd_from_child,
|
||||
- CHILD_DIR"/"TEST_BIN, 2);
|
||||
+ CHILD_DIR"/"TEST_BIN, NULL);
|
||||
} else {
|
||||
do {
|
||||
errno = 0;
|
||||
@@ -168,7 +168,7 @@ static void extra_args_test(struct child_test_ctx *child_tctx,
|
||||
exec_child_ex(child_tctx,
|
||||
child_tctx->pipefd_to_child,
|
||||
child_tctx->pipefd_from_child,
|
||||
- CHILD_DIR"/"TEST_BIN, 2, extra_args,
|
||||
+ CHILD_DIR"/"TEST_BIN, NULL, extra_args,
|
||||
extra_args_only,
|
||||
STDIN_FILENO, STDOUT_FILENO);
|
||||
} else {
|
||||
@@ -291,7 +291,7 @@ void test_exec_child_handler(void **state)
|
||||
exec_child(child_tctx,
|
||||
child_tctx->pipefd_to_child,
|
||||
child_tctx->pipefd_from_child,
|
||||
- CHILD_DIR"/"TEST_BIN, 2);
|
||||
+ CHILD_DIR"/"TEST_BIN, NULL);
|
||||
}
|
||||
|
||||
ret = child_handler_setup(child_tctx->test_ctx->ev, child_pid,
|
||||
@@ -341,7 +341,7 @@ void test_exec_child_echo(void **state)
|
||||
exec_child_ex(child_tctx,
|
||||
child_tctx->pipefd_to_child,
|
||||
child_tctx->pipefd_from_child,
|
||||
- CHILD_DIR"/"TEST_BIN, 2, NULL, false,
|
||||
+ CHILD_DIR"/"TEST_BIN, NULL, NULL, false,
|
||||
STDIN_FILENO, 3);
|
||||
}
|
||||
|
||||
@@ -474,7 +474,7 @@ void test_sss_child(void **state)
|
||||
exec_child(child_tctx,
|
||||
child_tctx->pipefd_to_child,
|
||||
child_tctx->pipefd_from_child,
|
||||
- CHILD_DIR"/"TEST_BIN, 2);
|
||||
+ CHILD_DIR"/"TEST_BIN, NULL);
|
||||
}
|
||||
|
||||
ret = sss_child_register(child_tctx, sc_ctx,
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -0,0 +1,218 @@
|
|||
From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 8 Nov 2023 14:50:24 +0100
|
||||
Subject: [PATCH] ad-gpo: use hash to store intermediate results
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently after the evaluation of a single GPO file the intermediate
|
||||
results are stored in the cache and this cache entry is updated until
|
||||
all applicable GPO files are evaluated. Finally the data in the cache is
|
||||
used to make the decision of access is granted or rejected.
|
||||
|
||||
If there are two or more access-control request running in parallel one
|
||||
request might overwrite the cache object with intermediate data while
|
||||
another request reads the cached data for the access decision and as a
|
||||
result will do this decision based on intermediate data.
|
||||
|
||||
To avoid this the intermediate results are not stored in the cache
|
||||
anymore but in hash tables which are specific to the request. Only the
|
||||
final result is written to the cache to have it available for offline
|
||||
authentication.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 102 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 3d1ad39c7..b879b0a08 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static errno_t
|
||||
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
|
||||
+{
|
||||
+ int hret;
|
||||
+ hash_key_t k;
|
||||
+ hash_value_t v;
|
||||
+
|
||||
+ if (hash == NULL || key == NULL || value == NULL) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ k.type = HASH_KEY_CONST_STRING;
|
||||
+ k.c_str = key;
|
||||
+
|
||||
+ v.type = HASH_VALUE_PTR;
|
||||
+ v.ptr = value;
|
||||
+
|
||||
+ hret = hash_enter(hash, &k, &v);
|
||||
+ if (hret != HASH_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
|
||||
+ key, value, hash_error_string(hret));
|
||||
+ return EIO;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
|
||||
* and stores the allow_key and deny_key of all of the gpo_map_types present
|
||||
@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
|
||||
*/
|
||||
static errno_t
|
||||
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
|
||||
const char *filename)
|
||||
{
|
||||
struct ini_cfgfile *file_ctx = NULL;
|
||||
@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
const char *value = allow_value ? allow_value : empty_val;
|
||||
- ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
- allow_key,
|
||||
- value);
|
||||
+ ret = add_result_to_hash(allow_maps, allow_key,
|
||||
+ talloc_strdup(allow_maps, value));
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
|
||||
- ret, sss_strerror(ret));
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
|
||||
+ "value: [%s] to allow maps "
|
||||
+ "[%d][%s].\n",
|
||||
+ allow_key, value, ret,
|
||||
+ sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
const char *value = deny_value ? deny_value : empty_val;
|
||||
- ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
- deny_key,
|
||||
- value);
|
||||
+ ret = add_result_to_hash(deny_maps, deny_key,
|
||||
+ talloc_strdup(deny_maps, value));
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
|
||||
- ret, sss_strerror(ret));
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
|
||||
+ "value: [%s] to deny maps "
|
||||
+ "[%d][%s].\n",
|
||||
+ deny_key, value, ret,
|
||||
+ sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state {
|
||||
int num_cse_filtered_gpos;
|
||||
int cse_gpo_index;
|
||||
const char *ad_domain;
|
||||
+ hash_table_t *allow_maps;
|
||||
+ hash_table_t *deny_maps;
|
||||
};
|
||||
|
||||
static void ad_gpo_connect_done(struct tevent_req *subreq);
|
||||
@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
||||
goto immediately;
|
||||
}
|
||||
|
||||
+ ret = sss_hash_create(state, 0, &state->allow_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
|
||||
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_hash_create(state, 0, &state->deny_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
|
||||
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto immediately;
|
||||
+ }
|
||||
|
||||
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
|
||||
if (subreq == NULL) {
|
||||
@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req)
|
||||
return EAGAIN;
|
||||
}
|
||||
|
||||
+static errno_t
|
||||
+store_hash_maps_in_cache(struct sss_domain_info *domain,
|
||||
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct hash_iter_context_t *iter;
|
||||
+ hash_entry_t *entry;
|
||||
+ size_t c;
|
||||
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
|
||||
+
|
||||
+
|
||||
+ for (c = 0; hash_list[c] != NULL; c++) {
|
||||
+ iter = new_hash_iter_context(hash_list[c]);
|
||||
+ if (iter == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ while ((entry = iter->next(iter)) != NULL) {
|
||||
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
+ entry->key.c_str,
|
||||
+ entry->value.ptr);
|
||||
+ if (ret != EOK) {
|
||||
+ free(iter);
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
|
||||
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
|
||||
+ return ret;
|
||||
+ }
|
||||
+ }
|
||||
+ talloc_free(iter);
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
|
||||
* cse_gpo_index until the policy settings for all applicable GPOs have been
|
||||
@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
||||
* (as part of the GPO Result object in the sysdb cache).
|
||||
*/
|
||||
ret = ad_gpo_store_policy_settings(state->host_domain,
|
||||
+ state->allow_maps, state->deny_maps,
|
||||
cse_filtered_gpo->policy_filename);
|
||||
if (ret != EOK && ret != ENOENT) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
||||
|
||||
if (ret == EOK) {
|
||||
/* ret is EOK only after all GPO policy files have been downloaded */
|
||||
+ ret = store_hash_maps_in_cache(state->host_domain,
|
||||
+ state->allow_maps, state->deny_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
|
||||
+ "[%d][%s].\n", ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
ret = ad_gpo_perform_hbac_processing(state,
|
||||
state->gpo_mode,
|
||||
state->gpo_map_type,
|
||||
--
|
||||
2.44.0
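Review bot: The error path in store_hash_maps_in_cache() releases the iterator with libc `free(iter);` while the success path a few lines later uses `talloc_free(iter);`, and both cannot be right for the same pointer. The tables are created with `sss_hash_create(state, 0, ...)`, which elsewhere in sssd installs talloc-backed allocator callbacks, so `new_hash_iter_context()` presumably hands back a talloc child of the table and the libc `free()` would corrupt the heap the first time sysdb_gpo_store_gpo_result_setting() fails; that line should read `talloc_free(iter);` (confirm against the allocator sss_hash_create installs). Separately, add_result_to_hash() returns EINVAL when `value` is NULL, but both callers pass `talloc_strdup(...)` straight in, so an allocation failure is logged as an invalid-argument error; returning ENOMEM for that case, or checking the strdup result at the call site, would keep the diagnostics honest. A one-line comment on add_result_to_hash() noting that HASH_KEY_CONST_STRING keys are stored by pointer and must outlive the table (the allow/deny keys appear to come from a static map table, but that is not visible in this hunk) would also help the next reader.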
|
||||
|
|
@ -1,60 +0,0 @@
|
|||
From 88e92967a7b4e3e4501b17f21812467effa331c7 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 16 Jun 2020 13:51:28 +0200
|
||||
Subject: [PATCH] NEGCACHE: skip permanent entries in [users/groups] reset
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Files provider calling `sss_ncache_reset_[users/groups]()`
|
||||
during cache rebuilding was breaking neg-cache prepopulation.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/1024
|
||||
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
---
|
||||
src/responder/common/negcache.c | 9 +++++++++
|
||||
src/responder/common/negcache.h | 1 +
|
||||
2 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
|
||||
index d9545aef6..ce1c0ab8c 100644
|
||||
--- a/src/responder/common/negcache.c
|
||||
+++ b/src/responder/common/negcache.c
|
||||
@@ -900,12 +900,21 @@ static int delete_prefix(struct tdb_context *tdb,
|
||||
TDB_DATA key, TDB_DATA data, void *state)
|
||||
{
|
||||
const char *prefix = (const char *) state;
|
||||
+ unsigned long long int timestamp;
|
||||
+ char *ep = NULL;
|
||||
|
||||
if (strncmp((char *)key.dptr, prefix, strlen(prefix) - 1) != 0) {
|
||||
/* not interested in this key */
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ errno = 0;
|
||||
+ timestamp = strtoull((const char *)data.dptr, &ep, 10);
|
||||
+ if ((errno == 0) && (*ep == '\0') && (timestamp == 0)) {
|
||||
+ /* skip permanent entries */
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
return tdb_delete(tdb, key);
|
||||
}
|
||||
|
||||
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
|
||||
index a80412215..4dcfb5e8f 100644
|
||||
--- a/src/responder/common/negcache.h
|
||||
+++ b/src/responder/common/negcache.h
|
||||
@@ -146,6 +146,7 @@ int sss_ncache_set_locate_uid(struct sss_nc_ctx *ctx,
|
||||
uid_t uid);
|
||||
|
||||
int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx);
|
||||
+/* sss_ncache_reset_[users/groups] skips permanent entries */
|
||||
int sss_ncache_reset_users(struct sss_nc_ctx *ctx);
|
||||
int sss_ncache_reset_groups(struct sss_nc_ctx *ctx);
|
||||
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From 144e78dfebc0fd01feb6c11a37f81d01146cf33a Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 12 Jun 2020 19:10:33 +0200
|
||||
Subject: [PATCH] util/inotify: fixed CLANG_WARNING
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixed following warning:
|
||||
```
|
||||
sssd-2.3.1/src/util/inotify.c:346:17: warning: Value stored to 'ret' is never read
|
||||
# ret = EOK;
|
||||
# ^ ~~~
|
||||
```
|
||||
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
---
|
||||
src/util/inotify.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/util/inotify.c b/src/util/inotify.c
|
||||
index ffc15ad4d..cf3e3d84d 100644
|
||||
--- a/src/util/inotify.c
|
||||
+++ b/src/util/inotify.c
|
||||
@@ -319,7 +319,9 @@ static void snotify_internal_cb(struct tevent_context *ev,
|
||||
|
||||
in_event = (const struct inotify_event *) ptr;
|
||||
|
||||
- //debug_flags(in_event->mask, in_event->name);
|
||||
+#if 0
|
||||
+ debug_flags(in_event->mask, in_event->name);
|
||||
+#endif
|
||||
|
||||
if (snctx->wctx->dir_wd == in_event->wd) {
|
||||
ret = process_dir_event(snctx, in_event);
|
||||
@@ -343,7 +345,6 @@ static void snotify_internal_cb(struct tevent_context *ev,
|
||||
} else {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
"Unknown watch %d\n", in_event->wd);
|
||||
- ret = EOK;
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
From 0c5711f9bae1cb46d4cd3fbe5d86d8688087be13 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 12 Jun 2020 20:45:23 +0200
|
||||
Subject: [PATCH] util/inotify: fixed bug in inotify event processing
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Error was spotted with the help of the following warning:
|
||||
```
|
||||
Error: CLANG_WARNING:
|
||||
sssd-2.3.1/src/util/inotify.c:327:21: warning: Value stored to 'rewatch' is never read
|
||||
# rewatch = true;
|
||||
# ^ ~~~~
|
||||
```
|
||||
|
||||
First part of the issue was that EAGAIN returned by the process_dir_event()
|
||||
didn't trigger snotify_rewatch() (as suggested by the comments).
|
||||
Fixing this part is already enough to resolve issue #1031 (as it was
|
||||
reported).
|
||||
|
||||
Another part of the issue was that process_file_event() return code wasn't
|
||||
checked against EAGAIN (again, as suggested by the DEBUG message).
|
||||
Strictly speaking, I'm not sure if this part is really required or
|
||||
if processing DIR events would cover all cases, but rebuilding watches
|
||||
on IN_IGNORED won't hurt.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/1031
|
||||
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
---
|
||||
src/util/inotify.c | 30 +++++++++++++-----------------
|
||||
1 file changed, 13 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/util/inotify.c b/src/util/inotify.c
|
||||
index cf3e3d84d..a3c33eddb 100644
|
||||
--- a/src/util/inotify.c
|
||||
+++ b/src/util/inotify.c
|
||||
@@ -286,7 +286,7 @@ static void snotify_internal_cb(struct tevent_context *ev,
|
||||
struct snotify_ctx *snctx;
|
||||
ssize_t len;
|
||||
errno_t ret;
|
||||
- bool rewatch;
|
||||
+ bool rewatch = false;
|
||||
|
||||
snctx = talloc_get_type(data, struct snotify_ctx);
|
||||
if (snctx == NULL) {
|
||||
@@ -305,7 +305,7 @@ static void snotify_internal_cb(struct tevent_context *ev,
|
||||
} else {
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL, "All inotify events processed\n");
|
||||
}
|
||||
- return;
|
||||
+ break;
|
||||
}
|
||||
|
||||
if ((size_t) len < sizeof(struct inotify_event)) {
|
||||
@@ -325,26 +325,22 @@ static void snotify_internal_cb(struct tevent_context *ev,
|
||||
|
||||
if (snctx->wctx->dir_wd == in_event->wd) {
|
||||
ret = process_dir_event(snctx, in_event);
|
||||
- if (ret == EAGAIN) {
|
||||
- rewatch = true;
|
||||
- /* Continue with the loop and read all the events from
|
||||
- * this descriptor first, then rewatch when done
|
||||
- */
|
||||
- } else if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
- "Failed to process inotify event\n");
|
||||
- continue;
|
||||
- }
|
||||
} else if (snctx->wctx->file_wd == in_event->wd) {
|
||||
ret = process_file_event(snctx, in_event);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
- "Failed to process inotify event\n");
|
||||
- continue;
|
||||
- }
|
||||
} else {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
"Unknown watch %d\n", in_event->wd);
|
||||
+ ret = EOK;
|
||||
+ }
|
||||
+
|
||||
+ if (ret == EAGAIN) {
|
||||
+ rewatch = true;
|
||||
+ /* Continue with the loop and read all the events from
|
||||
+ * this descriptor first, then rewatch when done
|
||||
+ */
|
||||
+ } else if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Failed to process inotify event\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From 02fbf47a85228c131f1b0575da091a01da700189 Mon Sep 17 00:00:00 2001
|
||||
From: vinay mishra <vmishra@redhat.com>
|
||||
Date: Mon, 18 May 2020 10:32:55 +0530
|
||||
Subject: [PATCH] Replaced 'enter' with 'insert'
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5164
|
||||
|
||||
Signed-off-by: vinay mishra <vmishra@redhat.com>
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 4 ++--
|
||||
src/tests/intg/test_pam_responder.py | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index d4f0a8917..69b440774 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -2422,8 +2422,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
-#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s"
|
||||
-#define SC_ENTER_FMT "Please enter smart card"
|
||||
+#define SC_ENTER_LABEL_FMT "Please insert smart card labeled\n %s"
|
||||
+#define SC_ENTER_FMT "Please insert smart card"
|
||||
|
||||
static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
||||
int retries, bool quiet_mode)
|
||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
||||
index 9b5e650ca..7a2458339 100644
|
||||
--- a/src/tests/intg/test_pam_responder.py
|
||||
+++ b/src/tests/intg/test_pam_responder.py
|
||||
@@ -512,7 +512,7 @@ def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl):
|
||||
assert end_time > start_time and \
|
||||
(end_time - start_time) >= 20 and \
|
||||
(end_time - start_time) < 40
|
||||
- assert out.find("Please enter smart card\nPlease enter smart card") != -1
|
||||
+ assert out.find("Please insert smart card\nPlease insert smart card") != -1
|
||||
assert err.find("pam_authenticate for user [user1]: Authentication " +
|
||||
"service cannot retrieve authentication info") != -1
|
||||
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,166 +0,0 @@
|
|||
From aac4dbb17f3e19a2fbeefb38b3319827d3bf820e Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 13 May 2020 13:13:43 +0200
|
||||
Subject: [PATCH] NSS client: preserve errno during _nss_sss_end* calls
|
||||
|
||||
glibc does not expect that errno is changed by some of the calls
|
||||
provided by nss modules. This caused at least issues when
|
||||
_nss_sss_endpwent() is called in compat mode. According to
|
||||
https://pubs.opengroup.org/onlinepubs/9699919799/functions/endpwent.html
|
||||
endpwent() should only set errno in the case of an error. Since there is
|
||||
no other way to report an error we will set errno in the case of an
|
||||
error but preserve it otherwise. This should cause no issues because
|
||||
glibc is taking precautions as well tracked by
|
||||
https://sourceware.org/bugzilla/show_bug.cgi?id=25976.
|
||||
|
||||
To be on the safe side the other _nss_sss_end* calls will show the same
|
||||
behavior.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5153
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
|
||||
---
|
||||
src/sss_client/nss_group.c | 3 +++
|
||||
src/sss_client/nss_hosts.c | 4 +++-
|
||||
src/sss_client/nss_ipnetworks.c | 4 +++-
|
||||
src/sss_client/nss_netgroup.c | 3 +++
|
||||
src/sss_client/nss_passwd.c | 3 +++
|
||||
src/sss_client/nss_services.c | 3 +++
|
||||
6 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c
|
||||
index 5ab2bdf78..4a201bf09 100644
|
||||
--- a/src/sss_client/nss_group.c
|
||||
+++ b/src/sss_client/nss_group.c
|
||||
@@ -735,6 +735,7 @@ enum nss_status _nss_sss_endgrent(void)
|
||||
{
|
||||
enum nss_status nret;
|
||||
int errnop;
|
||||
+ int saved_errno = errno;
|
||||
|
||||
sss_nss_lock();
|
||||
|
||||
@@ -745,6 +746,8 @@ enum nss_status _nss_sss_endgrent(void)
|
||||
NULL, NULL, NULL, &errnop);
|
||||
if (nret != NSS_STATUS_SUCCESS) {
|
||||
errno = errnop;
|
||||
+ } else {
|
||||
+ errno = saved_errno;
|
||||
}
|
||||
|
||||
sss_nss_unlock();
|
||||
diff --git a/src/sss_client/nss_hosts.c b/src/sss_client/nss_hosts.c
|
||||
index 5e279468b..aa2676286 100644
|
||||
--- a/src/sss_client/nss_hosts.c
|
||||
+++ b/src/sss_client/nss_hosts.c
|
||||
@@ -565,6 +565,7 @@ _nss_sss_endhostent(void)
|
||||
{
|
||||
enum nss_status nret;
|
||||
int errnop;
|
||||
+ int saved_errno = errno;
|
||||
|
||||
sss_nss_lock();
|
||||
|
||||
@@ -575,9 +576,10 @@ _nss_sss_endhostent(void)
|
||||
NULL, NULL, NULL, &errnop);
|
||||
if (nret != NSS_STATUS_SUCCESS) {
|
||||
errno = errnop;
|
||||
+ } else {
|
||||
+ errno = saved_errno;
|
||||
}
|
||||
|
||||
sss_nss_unlock();
|
||||
-
|
||||
return nret;
|
||||
}
|
||||
diff --git a/src/sss_client/nss_ipnetworks.c b/src/sss_client/nss_ipnetworks.c
|
||||
index 15fee6039..08070499d 100644
|
||||
--- a/src/sss_client/nss_ipnetworks.c
|
||||
+++ b/src/sss_client/nss_ipnetworks.c
|
||||
@@ -510,6 +510,7 @@ _nss_sss_endnetent(void)
|
||||
{
|
||||
enum nss_status nret;
|
||||
int errnop;
|
||||
+ int saved_errno = errno;
|
||||
|
||||
sss_nss_lock();
|
||||
|
||||
@@ -520,10 +521,11 @@ _nss_sss_endnetent(void)
|
||||
NULL, NULL, NULL, &errnop);
|
||||
if (nret != NSS_STATUS_SUCCESS) {
|
||||
errno = errnop;
|
||||
+ } else {
|
||||
+ errno = saved_errno;
|
||||
}
|
||||
|
||||
sss_nss_unlock();
|
||||
-
|
||||
return nret;
|
||||
}
|
||||
|
||||
diff --git a/src/sss_client/nss_netgroup.c b/src/sss_client/nss_netgroup.c
|
||||
index 3a1834a31..2fc88f8ae 100644
|
||||
--- a/src/sss_client/nss_netgroup.c
|
||||
+++ b/src/sss_client/nss_netgroup.c
|
||||
@@ -309,6 +309,7 @@ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result)
|
||||
{
|
||||
enum nss_status nret;
|
||||
int errnop;
|
||||
+ int saved_errno = errno;
|
||||
|
||||
sss_nss_lock();
|
||||
|
||||
@@ -319,6 +320,8 @@ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result)
|
||||
NULL, NULL, NULL, &errnop);
|
||||
if (nret != NSS_STATUS_SUCCESS) {
|
||||
errno = errnop;
|
||||
+ } else {
|
||||
+ errno = saved_errno;
|
||||
}
|
||||
|
||||
sss_nss_unlock();
|
||||
diff --git a/src/sss_client/nss_passwd.c b/src/sss_client/nss_passwd.c
|
||||
index 96368bd6e..c386dd370 100644
|
||||
--- a/src/sss_client/nss_passwd.c
|
||||
+++ b/src/sss_client/nss_passwd.c
|
||||
@@ -455,6 +455,7 @@ enum nss_status _nss_sss_endpwent(void)
|
||||
{
|
||||
enum nss_status nret;
|
||||
int errnop;
|
||||
+ int saved_errno = errno;
|
||||
|
||||
sss_nss_lock();
|
||||
|
||||
@@ -465,6 +466,8 @@ enum nss_status _nss_sss_endpwent(void)
|
||||
NULL, NULL, NULL, &errnop);
|
||||
if (nret != NSS_STATUS_SUCCESS) {
|
||||
errno = errnop;
|
||||
+ } else {
|
||||
+ errno = saved_errno;
|
||||
}
|
||||
|
||||
sss_nss_unlock();
|
||||
diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c
|
||||
index 13cb4c3ab..f8c2092cb 100644
|
||||
--- a/src/sss_client/nss_services.c
|
||||
+++ b/src/sss_client/nss_services.c
|
||||
@@ -484,6 +484,7 @@ _nss_sss_endservent(void)
|
||||
{
|
||||
enum nss_status nret;
|
||||
int errnop;
|
||||
+ int saved_errno = errno;
|
||||
|
||||
sss_nss_lock();
|
||||
|
||||
@@ -494,6 +495,8 @@ _nss_sss_endservent(void)
|
||||
NULL, NULL, NULL, &errnop);
|
||||
if (nret != NSS_STATUS_SUCCESS) {
|
||||
errno = errnop;
|
||||
+ } else {
|
||||
+ errno = saved_errno;
|
||||
}
|
||||
|
||||
sss_nss_unlock();
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
From df632eec450791559a4a7644f241964397c10ff9 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 5 Jun 2020 13:59:25 +0200
|
||||
Subject: [PATCH] ipa: add failover to subdomain override lookups
|
||||
|
||||
In the ipa_subdomain_account request failover handling was missing.
|
||||
|
||||
Related to https://github.com/SSSD/sssd/issues/5075
|
||||
(was https://pagure.io/SSSD/sssd/issue/4114)
|
||||
|
||||
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_subdomains_id.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
|
||||
index 1224c7b73..36f32fae8 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains_id.c
|
||||
+++ b/src/providers/ipa/ipa_subdomains_id.c
|
||||
@@ -208,6 +208,20 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
&state->override_attrs);
talloc_zfree(subreq);
if (ret != EOK) {
+ ret = sdap_id_op_done(state->op, ret, &dp_error);
+
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n");
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, ipa_subdomain_account_connected,
+ req);
+ return;
+ }
+
DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
goto fail;
}
--
2.21.3
@ -1,132 +0,0 @@
From dce025b882db7247571b135e928afb47f069a60f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Feb 2020 06:54:21 +0100
Subject: [PATCH] GPO: fix link order in a SOM
GPOs of the same OU were applied in the wrong order. Details about how
GPOs should be processed can be found e.g. at
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
Resolves: https://github.com/SSSD/sssd/issues/5103
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ad/ad_gpo.c | 59 +++++++++++++++++++++++++++++----------
1 file changed, 45 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index bbe8d8a1e..1524c4bfc 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3511,14 +3511,19 @@ ad_gpo_process_som_recv(struct tevent_req *req,
* - GPOs linked to an OU will be applied after GPOs linked to a Domain,
* which will be applied after GPOs linked to a Site.
* - multiple GPOs linked to a single SOM are applied in their link order
- * (i.e. 1st GPO linked to SOM is applied after 2nd GPO linked to SOM, etc).
+ * (i.e. 1st GPO linked to SOM is applied before 2nd GPO linked to SOM, etc).
* - enforced GPOs are applied after unenforced GPOs.
*
* As such, the _candidate_gpos output's dn fields looks like (in link order):
- * [unenforced {Site, Domain, OU}; enforced {Site, Domain, OU}]
+ * [unenforced {Site, Domain, OU}; enforced {OU, Domain, Site}]
*
* Note that in the case of conflicting policy settings, GPOs appearing later
- * in the list will trump GPOs appearing earlier in the list.
+ * in the list will trump GPOs appearing earlier in the list. Therefore the
+ * enforced GPOs are applied in revers order after the unenforced GPOs to
+ * make sure the enforced setting form the highest level will be applied.
+ *
+ * GPO processing details can be found e.g. at
+ * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
*/
static errno_t
ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
@@ -3542,6 +3547,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
int i = 0;
int j = 0;
int ret;
+ size_t som_count = 0;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -3568,6 +3574,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
}
i++;
}
+ som_count = i;
num_candidate_gpos = num_enforced + num_unenforced;
@@ -3590,9 +3597,43 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
goto done;
}
+ i = som_count -1 ;
+ while (i >= 0) {
+ gp_som = som_list[i];
+
+ /* For unenforced_gpo_dns the most specific GPOs with the highest
+ * priority should be the last. We start with the top-level SOM and go
+ * down to the most specific one and add the unenforced following the
+ * gplink_list where the GPO with the highest priority comes last. */
+ j = 0;
+ while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
+ gp_gplink = gp_som->gplink_list[j];
+
+ if (!gp_gplink->enforced) {
+ unenforced_gpo_dns[unenforced_idx] =
+ talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
+
+ if (unenforced_gpo_dns[unenforced_idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ unenforced_idx++;
+ }
+ j++;
+ }
+ i--;
+ }
+
i = 0;
while (som_list[i]) {
gp_som = som_list[i];
+
+ /* For enforced GPOs we start processing with the most specific SOM to
+ * make sur enforced GPOs from higher levels override to lower level
+ * ones. According to the 'Group Policy Inheritance' tab in the
+ * Windows 'Goup Policy Management' utility in the same SOM the link
+ * order is still observed and an enforced GPO with a lower link order
+ * value still overrides an enforced GPO with a higher link order. */
j = 0;
while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
gp_gplink = gp_som->gplink_list[j];
@@ -3610,16 +3651,6 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
goto done;
}
enforced_idx++;
- } else {
-
- unenforced_gpo_dns[unenforced_idx] =
- talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
-
- if (unenforced_gpo_dns[unenforced_idx] == NULL) {
- ret = ENOMEM;
- goto done;
- }
- unenforced_idx++;
}
j++;
}
@@ -3638,7 +3669,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
}
gpo_dn_idx = 0;
- for (i = num_unenforced - 1; i >= 0; i--) {
+ for (i = 0; i < num_unenforced; i++) {
candidate_gpos[gpo_dn_idx] = talloc_zero(candidate_gpos, struct gp_gpo);
if (candidate_gpos[gpo_dn_idx] == NULL) {
ret = ENOMEM;
--
2.21.3
@ -1,58 +0,0 @@
From 8ca799ea968e548337acb0300642a0d88f1bba9b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 15:47:35 +0200
Subject: [PATCH 13/19] sysdb: make sysdb_update_subdomains() more robust
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some NULL checks are added basically to allow that missing values can be
set later.
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_subdomains.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index b170d1978..d256817a6 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -421,7 +421,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
}
/* in theory these may change, but it should never happen */
- if (strcasecmp(dom->realm, realm) != 0) {
+ if ((dom->realm == NULL && realm != NULL)
+ || (dom->realm != NULL && realm != NULL
+ && strcasecmp(dom->realm, realm) != 0)) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Realm name changed from [%s] to [%s]!\n",
dom->realm, realm);
@@ -432,7 +434,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
goto done;
}
}
- if (strcasecmp(dom->flat_name, flat) != 0) {
+ if ((dom->flat_name == NULL && flat != NULL)
+ || (dom->flat_name != NULL && flat != NULL
+ && strcasecmp(dom->flat_name, flat) != 0)) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Flat name changed from [%s] to [%s]!\n",
dom->flat_name, flat);
@@ -443,7 +447,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
goto done;
}
}
- if (strcasecmp(dom->domain_id, id) != 0) {
+ if ((dom->domain_id == NULL && id != NULL)
+ || (dom->domain_id != NULL && id != NULL
+ && strcasecmp(dom->domain_id, id) != 0)) {
DEBUG(SSSDBG_TRACE_INTERNAL,
"Domain changed from [%s] to [%s]!\n",
dom->domain_id, id);
--
2.21.3
@ -1,334 +0,0 @@
From d3089173dd8be85a83cf0236e116ba8e11326a6d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 16:51:02 +0200
Subject: [PATCH 14/19] ad: rename ad_master_domain_* to ad_domain_info_*
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ad_master_domain_{send|recv} are not specific to the master domain
so a more generic name seems to be suitable.
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_domain_info.c | 64 +++++++++++++++----------------
src/providers/ad/ad_domain_info.h | 10 ++---
src/providers/ad/ad_gpo.c | 8 ++--
src/providers/ad/ad_id.c | 14 +++----
src/providers/ad/ad_resolver.c | 8 ++--
src/providers/ad/ad_subdomains.c | 8 ++--
6 files changed, 56 insertions(+), 56 deletions(-)
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
index 5302c8083..52b2e2442 100644
--- a/src/providers/ad/ad_domain_info.c
+++ b/src/providers/ad/ad_domain_info.c
@@ -175,7 +175,7 @@ done:
return ret;
}
-struct ad_master_domain_state {
+struct ad_domain_info_state {
struct tevent_context *ev;
struct sdap_id_conn_ctx *conn;
struct sdap_id_op *id_op;
@@ -191,22 +191,22 @@ struct ad_master_domain_state {
char *sid;
};
-static errno_t ad_master_domain_next(struct tevent_req *req);
-static void ad_master_domain_next_done(struct tevent_req *subreq);
-static void ad_master_domain_netlogon_done(struct tevent_req *req);
+static errno_t ad_domain_info_next(struct tevent_req *req);
+static void ad_domain_info_next_done(struct tevent_req *subreq);
+static void ad_domain_info_netlogon_done(struct tevent_req *req);
struct tevent_req *
-ad_master_domain_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct sdap_id_conn_ctx *conn,
- struct sdap_id_op *op,
- const char *dom_name)
+ad_domain_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_conn_ctx *conn,
+ struct sdap_id_op *op,
+ const char *dom_name)
{
errno_t ret;
struct tevent_req *req;
- struct ad_master_domain_state *state;
+ struct ad_domain_info_state *state;
- req = tevent_req_create(mem_ctx, &state, struct ad_master_domain_state);
+ req = tevent_req_create(mem_ctx, &state, struct ad_domain_info_state);
if (!req) return NULL;
state->ev = ev;
@@ -216,7 +216,7 @@ ad_master_domain_send(TALLOC_CTX *mem_ctx,
state->opts = conn->id_ctx->opts;
state->dom_name = dom_name;
- ret = ad_master_domain_next(req);
+ ret = ad_domain_info_next(req);
if (ret != EOK && ret != EAGAIN) {
goto immediate;
}
@@ -234,14 +234,14 @@ immediate:
}
static errno_t
-ad_master_domain_next(struct tevent_req *req)
+ad_domain_info_next(struct tevent_req *req)
{
struct tevent_req *subreq;
struct sdap_search_base *base;
const char *master_sid_attrs[] = {AD_AT_OBJECT_SID, NULL};
- struct ad_master_domain_state *state =
- tevent_req_data(req, struct ad_master_domain_state);
+ struct ad_domain_info_state *state =
+ tevent_req_data(req, struct ad_domain_info_state);
base = state->opts->sdom->search_bases[state->base_iter];
if (base == NULL) {
@@ -261,13 +261,13 @@ ad_master_domain_next(struct tevent_req *req)
DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
return ENOMEM;
}
- tevent_req_set_callback(subreq, ad_master_domain_next_done, req);
+ tevent_req_set_callback(subreq, ad_domain_info_next_done, req);
return EAGAIN;
}
static void
-ad_master_domain_next_done(struct tevent_req *subreq)
+ad_domain_info_next_done(struct tevent_req *subreq)
{
errno_t ret;
size_t reply_count;
@@ -281,8 +281,8 @@ ad_master_domain_next_done(struct tevent_req *subreq)
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
- struct ad_master_domain_state *state =
- tevent_req_data(req, struct ad_master_domain_state);
+ struct ad_domain_info_state *state =
+ tevent_req_data(req, struct ad_domain_info_state);
ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
talloc_zfree(subreq);
@@ -293,7 +293,7 @@ ad_master_domain_next_done(struct tevent_req *subreq)
if (reply_count == 0) {
state->base_iter++;
- ret = ad_master_domain_next(req);
+ ret = ad_domain_info_next(req);
if (ret == EAGAIN) {
/* Async request will get us back here again */
return;
@@ -362,7 +362,7 @@ ad_master_domain_next_done(struct tevent_req *subreq)
goto done;
}
- tevent_req_set_callback(subreq, ad_master_domain_netlogon_done, req);
+ tevent_req_set_callback(subreq, ad_domain_info_netlogon_done, req);
return;
done:
@@ -370,7 +370,7 @@ done:
}
static void
-ad_master_domain_netlogon_done(struct tevent_req *subreq)
+ad_domain_info_netlogon_done(struct tevent_req *subreq)
{
int ret;
size_t reply_count;
@@ -378,8 +378,8 @@ ad_master_domain_netlogon_done(struct tevent_req *subreq)
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
- struct ad_master_domain_state *state =
- tevent_req_data(req, struct ad_master_domain_state);
+ struct ad_domain_info_state *state =
+ tevent_req_data(req, struct ad_domain_info_state);
ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
talloc_zfree(subreq);
@@ -422,15 +422,15 @@ done:
}
errno_t
-ad_master_domain_recv(struct tevent_req *req,
- TALLOC_CTX *mem_ctx,
- char **_flat,
- char **_id,
- char **_site,
- char **_forest)
+ad_domain_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ char **_flat,
+ char **_id,
+ char **_site,
+ char **_forest)
{
- struct ad_master_domain_state *state = tevent_req_data(req,
- struct ad_master_domain_state);
+ struct ad_domain_info_state *state = tevent_req_data(req,
+ struct ad_domain_info_state);
TEVENT_REQ_RETURN_ON_ERROR(req);
diff --git a/src/providers/ad/ad_domain_info.h b/src/providers/ad/ad_domain_info.h
index b96e8a3c3..631e543f5 100644
--- a/src/providers/ad/ad_domain_info.h
+++ b/src/providers/ad/ad_domain_info.h
@@ -22,22 +22,22 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef _AD_MASTER_DOMAIN_H_
-#define _AD_MASTER_DOMAIN_H_
+#ifndef _AD_DOMAIN_INFO_H_
+#define _AD_DOMAIN_INFO_H_
struct tevent_req *
-ad_master_domain_send(TALLOC_CTX *mem_ctx,
+ad_domain_info_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct sdap_id_conn_ctx *conn,
struct sdap_id_op *op,
const char *dom_name);
errno_t
-ad_master_domain_recv(struct tevent_req *req,
+ad_domain_info_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
char **_flat,
char **_id,
char **_site,
char **_forest);
-#endif /* _AD_MASTER_DOMAIN_H_ */
+#endif /* _AD_DOMAIN_INFO_H_ */
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 1524c4bfc..53560a754 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3151,11 +3151,11 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
- subreq = ad_master_domain_send(state, state->ev, conn,
- state->sdap_op, domain_name);
+ subreq = ad_domain_info_send(state, state->ev, conn,
+ state->sdap_op, domain_name);
if (subreq == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n");
ret = ENOMEM;
goto immediately;
}
@@ -3188,7 +3188,7 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
state = tevent_req_data(req, struct ad_gpo_process_som_state);
/* gpo code only cares about the site name */
- ret = ad_master_domain_recv(subreq, state, NULL, NULL, &site, NULL);
+ ret = ad_domain_info_recv(subreq, state, NULL, NULL, &site, NULL);
talloc_zfree(subreq);
if (ret != EOK || site == NULL) {
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 84e5c42ac..ca6486e03 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -663,12 +663,12 @@ ad_enumeration_conn_done(struct tevent_req *subreq)
return;
}
- subreq = ad_master_domain_send(state, state->ev,
- state->id_ctx->ldap_ctx,
- state->sdap_op,
- state->sdom->dom->name);
+ subreq = ad_domain_info_send(state, state->ev,
+ state->id_ctx->ldap_ctx,
+ state->sdap_op,
+ state->sdom->dom->name);
if (subreq == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n");
tevent_req_error(req, ret);
return;
}
@@ -687,8 +687,8 @@ ad_enumeration_master_done(struct tevent_req *subreq)
char *master_sid;
char *forest;
- ret = ad_master_domain_recv(subreq, state,
- &flat_name, &master_sid, NULL, &forest);
+ ret = ad_domain_info_recv(subreq, state,
+ &flat_name, &master_sid, NULL, &forest);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
diff --git a/src/providers/ad/ad_resolver.c b/src/providers/ad/ad_resolver.c
index b58f08ecf..c87706094 100644
--- a/src/providers/ad/ad_resolver.c
+++ b/src/providers/ad/ad_resolver.c
@@ -317,10 +317,10 @@ ad_resolver_enumeration_conn_done(struct tevent_req *subreq)
return;
}
- subreq = ad_master_domain_send(state, state->ev, id_ctx->conn,
- state->sdap_op, state->sdom->dom->name);
+ subreq = ad_domain_info_send(state, state->ev, id_ctx->conn,
+ state->sdap_op, state->sdom->dom->name);
if (subreq == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n");
tevent_req_error(req, ret);
return;
}
@@ -346,7 +346,7 @@ ad_resolver_enumeration_master_done(struct tevent_req *subreq)
char *forest;
struct ad_id_ctx *ad_id_ctx;
- ret = ad_master_domain_recv(subreq, state,
+ ret = ad_domain_info_recv(subreq, state,
&flat_name, &master_sid, NULL, &forest);
talloc_zfree(subreq);
if (ret != EOK) {
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 06fbdb0ef..c53962283 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1756,8 +1756,8 @@ static void ad_subdomains_refresh_connect_done(struct tevent_req *subreq)
}
/* connect to the DC we are a member of */
- subreq = ad_master_domain_send(state, state->ev, state->id_ctx->conn,
- state->sdap_op, state->sd_ctx->domain_name);
+ subreq = ad_domain_info_send(state, state->ev, state->id_ctx->conn,
+ state->sdap_op, state->sd_ctx->domain_name);
if (subreq == NULL) {
tevent_req_error(req, ENOMEM);
return;
@@ -1779,8 +1779,8 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_subdomains_refresh_state);
- ret = ad_master_domain_recv(subreq, state, &flat_name, &master_sid,
- NULL, &state->forest);
+ ret = ad_domain_info_recv(subreq, state, &flat_name, &master_sid,
+ NULL, &state->forest);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get master domain information "
--
2.21.3
@ -1,117 +0,0 @@
From 9aa26f6514220bae3b3314f830e3e3f95fab2cf9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 21:18:13 +0200
Subject: [PATCH 15/19] sysdb: make new_subdomain() public
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb.h | 18 ++++++++++++++++++
src/db/sysdb_private.h | 19 -------------------
src/tests/cmocka/test_negcache.c | 1 -
src/tests/cmocka/test_nss_srv.c | 1 -
src/tests/cmocka/test_responder_cache_req.c | 1 -
5 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 64e546f5b..e4ed10b54 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -562,6 +562,24 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name);
errno_t sysdb_subdomain_content_delete(struct sysdb_ctx *sysdb,
const char *name);
+/* The utility function to create a subdomain sss_domain_info object is handy
+ * for unit tests, so it should be available in a headerr.
+ */
+struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *parent,
+ const char *name,
+ const char *realm,
+ const char *flat_name,
+ const char *id,
+ enum sss_domain_mpg_mode mpg_mode,
+ bool enumerate,
+ const char *forest,
+ const char **upn_suffixes,
+ uint32_t trust_direction,
+ struct confdb_ctx *confdb,
+ bool enabled);
+
+
errno_t sysdb_get_ranges(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
size_t *range_count,
struct range_info ***range_list);
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
index 3302919a6..70fe3fa18 100644
--- a/src/db/sysdb_private.h
+++ b/src/db/sysdb_private.h
@@ -196,25 +196,6 @@ int sysdb_replace_ulong(struct ldb_message *msg,
int sysdb_delete_ulong(struct ldb_message *msg,
const char *attr, unsigned long value);
-/* The utility function to create a subdomain sss_domain_info object is handy
- * for unit tests, so it should be available in a header, but not a public util
- * one, because the only interface for the daemon itself should be adding
- * the sysdb domain object and calling sysdb_update_subdomains()
- */
-struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *parent,
- const char *name,
- const char *realm,
- const char *flat_name,
- const char *id,
- enum sss_domain_mpg_mode mpg_mode,
- bool enumerate,
- const char *forest,
- const char **upn_suffixes,
- uint32_t trust_direction,
- struct confdb_ctx *confdb,
- bool enabled);
-
/* Helper functions to deal with the timestamp cache should not be used
* outside the sysdb itself. The timestamp cache should be completely
* opaque to the sysdb consumers
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 3ed1cb14a..b3a379227 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -38,7 +38,6 @@
#include "util/util_sss_idmap.h"
#include "lib/idmap/sss_idmap.h"
#include "util/util.h"
-#include "db/sysdb_private.h"
#include "responder/common/responder.h"
#include "responder/common/negcache.h"
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 3cd7809cf..99ba02a80 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -36,7 +36,6 @@
#include "util/crypto/sss_crypto.h"
#include "util/crypto/nss/nss_util.h"
#include "util/sss_endian.h"
-#include "db/sysdb_private.h" /* new_subdomain() */
#include "db/sysdb_iphosts.h"
#include "db/sysdb_ipnetworks.h"
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 2611c589b..68a651240 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -27,7 +27,6 @@
#include "tests/cmocka/common_mock_resp.h"
#include "db/sysdb.h"
#include "responder/common/cache_req/cache_req.h"
-#include "db/sysdb_private.h" /* new_subdomain() */
#define TESTS_PATH "tp_" BASE_FILE_STEM
#define TEST_CONF_DB "test_responder_cache_req_conf.ldb"
--
2.21.3
@ -1,89 +0,0 @@
From 2bad4d4b299440d33919a9fdb8c4d75814583e12 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 May 2020 21:24:42 +0200
Subject: [PATCH 16/19] ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since the function can be used to get the id ctx of any domain the
'root' is removed from the name.
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index c53962283..a9a552ff7 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1231,37 +1231,37 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req)
}
static struct ad_id_ctx *
-ads_get_root_id_ctx(struct be_ctx *be_ctx,
- struct ad_id_ctx *ad_id_ctx,
- struct sss_domain_info *root_domain,
- struct sdap_options *opts)
+ads_get_dom_id_ctx(struct be_ctx *be_ctx,
+ struct ad_id_ctx *ad_id_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_options *opts)
{
errno_t ret;
struct sdap_domain *sdom;
- struct ad_id_ctx *root_id_ctx;
+ struct ad_id_ctx *dom_id_ctx;
- sdom = sdap_domain_get(opts, root_domain);
+ sdom = sdap_domain_get(opts, domain);
if (sdom == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
- "Cannot get the sdom for %s!\n", root_domain->name);
+ "Cannot get the sdom for %s!\n", domain->name);
return NULL;
}
if (sdom->pvt == NULL) {
- ret = ad_subdom_ad_ctx_new(be_ctx, ad_id_ctx, root_domain,
- &root_id_ctx);
+ ret = ad_subdom_ad_ctx_new(be_ctx, ad_id_ctx, domain,
+ &dom_id_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_subdom_ad_ctx_new failed.\n");
return NULL;
}
- sdom->pvt = root_id_ctx;
+ sdom->pvt = dom_id_ctx;
} else {
- root_id_ctx = sdom->pvt;
+ dom_id_ctx = sdom->pvt;
}
- root_id_ctx->ldap_ctx->ignore_mark_offline = true;
- return root_id_ctx;
+ dom_id_ctx->ldap_ctx->ignore_mark_offline = true;
+ return dom_id_ctx;
}
struct ad_get_root_domain_state {
@@ -1403,9 +1403,9 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
goto done;
}
- state->root_id_ctx = ads_get_root_id_ctx(state->be_ctx,
- state->sd_ctx->ad_id_ctx,
- root_domain, state->opts);
+ state->root_id_ctx = ads_get_dom_id_ctx(state->be_ctx,
+ state->sd_ctx->ad_id_ctx,
+ root_domain, state->opts);
if (state->root_id_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot create id ctx for the root domain\n");
ret = EFAULT;
--
2.21.3
@ -1,44 +0,0 @@
From 8c642a542245a9f9fde5c2de9c96082b4c0d0963 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 11 May 2020 21:26:13 +0200
Subject: [PATCH 17/19] ad: remove unused trust_type from ad_subdom_store()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/5151
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index a9a552ff7..198f5c916 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -576,7 +576,6 @@ ad_subdom_store(struct confdb_ctx *cdb,
enum idmap_error_code err;
struct ldb_message_element *el;
char *sid_str = NULL;
- uint32_t trust_type;
enum sss_domain_mpg_mode mpg_mode;
enum sss_domain_mpg_mode default_mpg_mode;
@@ -586,13 +585,6 @@ ad_subdom_store(struct confdb_ctx *cdb,
goto done;
}
- ret = sysdb_attrs_get_uint32_t(subdom_attrs, AD_AT_TRUST_TYPE,
- &trust_type);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_uint32_t failed.\n");
- goto done;
- }
-
ret = sysdb_attrs_get_string(subdom_attrs, AD_AT_TRUST_PARTNER, &name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "failed to get subdomain name\n");
--
2.21.3
@ -1,283 +0,0 @@
|
|||
From 3ae3286d61ed796f0be7a1d72157af3687bc04a5 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 7 May 2020 21:26:16 +0200
|
||||
Subject: [PATCH 18/19] ad: add ad_check_domain_{send|recv}
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This new request tries to get the basic domain information like domain
|
||||
SID and NetBIOS domain name for a domain given by the name. To achieve
|
||||
this the needed data is added to general domain structure and the SDAP
|
||||
domain structure. If the domain data cannot be looked up the data is
|
||||
removed again.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5151
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 251 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 251 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 198f5c916..299aa7391 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -2143,3 +2143,254 @@ errno_t ad_subdomains_init(TALLOC_CTX *mem_ctx,
|
||||
|
||||
return EOK;
|
||||
}
|
||||
+
|
||||
+struct ad_check_domain_state {
|
||||
+ struct tevent_context *ev;
|
||||
+ struct be_ctx *be_ctx;
|
||||
+ struct sdap_id_op *sdap_op;
|
||||
+ struct ad_id_ctx *dom_id_ctx;
|
||||
+ struct sdap_options *opts;
|
||||
+
|
||||
+ const char *dom_name;
|
||||
+ struct sss_domain_info *dom;
|
||||
+ struct sss_domain_info *parent;
|
||||
+ struct sdap_domain *sdom;
|
||||
+
|
||||
+ char *flat;
|
||||
+ char *site;
|
||||
+ char *forest;
|
||||
+ char *sid;
|
||||
+};
|
||||
+
|
||||
+static void ad_check_domain_connect_done(struct tevent_req *subreq);
|
||||
+static void ad_check_domain_done(struct tevent_req *subreq);
|
||||
+
|
||||
+static int ad_check_domain_destructor(void *mem)
|
||||
+{
|
||||
+ struct ad_check_domain_state *state = talloc_get_type(mem,
|
||||
+ struct ad_check_domain_state);
|
||||
+
|
||||
+ if (state->sdom != NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Removing sdap domain [%s].\n",
|
||||
+ state->dom->name);
|
||||
+ sdap_domain_remove(state->opts, state->dom);
|
||||
+ /* terminate all requests for this subdomain so we can free it */
|
||||
+ dp_terminate_domain_requests(state->be_ctx->provider, state->dom->name);
|
||||
+ talloc_zfree(state->sdom);
|
||||
+ }
|
||||
+
|
||||
+ if (state->dom != NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Removing domain [%s].\n", state->dom->name);
|
||||
+ sss_domain_set_state(state->dom, DOM_DISABLED);
|
||||
+ DLIST_REMOVE(state->be_ctx->domain->subdomains, state->dom);
|
||||
+ talloc_zfree(state->dom);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+struct tevent_req *
|
||||
+ad_check_domain_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct be_ctx *be_ctx,
|
||||
+ struct ad_id_ctx *ad_id_ctx,
|
||||
+ const char *dom_name,
|
||||
+ const char *parent_dom_name)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ struct tevent_req *req;
|
||||
+ struct tevent_req *subreq;
|
||||
+ struct ad_check_domain_state *state;
|
||||
+
|
||||
+ req = tevent_req_create(mem_ctx, &state, struct ad_check_domain_state);
|
||||
+ if (req == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ state->ev = ev;
|
||||
+ state->be_ctx = be_ctx;
|
||||
+ state->opts = ad_id_ctx->sdap_id_ctx->opts;
|
||||
+ state->dom_name = dom_name;
|
||||
+ state->parent = NULL;
|
||||
+ state->sdom = NULL;
|
||||
+
|
||||
+ state->dom = find_domain_by_name(be_ctx->domain, dom_name, true);
|
||||
+ if (state->dom == NULL) {
|
||||
+ state->parent = find_domain_by_name(be_ctx->domain, parent_dom_name,
|
||||
+ true);
|
||||
+ if (state->parent == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to find domain object for domain [%s].\n",
|
||||
+ parent_dom_name);
|
||||
+ ret = ENOENT;
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ state->dom = new_subdomain(state->parent, state->parent, dom_name,
|
||||
+ dom_name, NULL, NULL, MPG_DISABLED, false,
|
||||
+ state->parent->forest,
|
||||
+ NULL, 0, be_ctx->cdb, true);
|
||||
+ if (state->dom == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "new_subdomain() failed.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ talloc_set_destructor((TALLOC_CTX *) state, ad_check_domain_destructor);
|
||||
+
|
||||
+ DLIST_ADD_END(state->parent->subdomains, state->dom,
|
||||
+ struct sss_domain_info *);
|
||||
+
|
||||
+ ret = sdap_domain_add(state->opts, state->dom, &state->sdom);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_domain_subdom_add failed.\n");
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ ret = ad_set_search_bases(ad_id_ctx->ad_options->id, state->sdom);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "failed to set ldap search bases for "
|
||||
+ "domain '%s'. Will try to use automatically detected search "
|
||||
+ "bases.", state->sdom->dom->name);
|
||||
+ }
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ state->dom_id_ctx = ads_get_dom_id_ctx(be_ctx, ad_id_ctx, state->dom,
|
||||
+ state->opts);
|
||||
+ if (state->dom_id_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ads_get_dom_id_ctx() failed.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ state->sdap_op = sdap_id_op_create(state,
|
||||
+ state->dom_id_ctx->sdap_id_ctx->conn->conn_cache);
|
||||
+ if (state->sdap_op == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
|
||||
+ if (subreq == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed "
|
||||
+ "[%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ tevent_req_set_callback(subreq, ad_check_domain_connect_done, req);
|
||||
+
|
||||
+ return req;
|
||||
+
|
||||
+immediately:
|
||||
+ if (ret == EOK) {
|
||||
+ tevent_req_done(req);
|
||||
+ } else {
|
||||
+ tevent_req_error(req, ret);
|
||||
+ }
|
||||
+ tevent_req_post(req, ev);
|
||||
+
|
||||
+ return req;
|
||||
+}
|
||||
+
|
||||
+static void ad_check_domain_connect_done(struct tevent_req *subreq)
|
||||
+{
|
||||
+ struct tevent_req *req;
|
||||
+ struct ad_check_domain_state *state;
|
||||
+ int ret;
|
||||
+ int dp_error;
|
||||
+
|
||||
+ req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
+ state = tevent_req_data(req, struct ad_check_domain_state);
|
||||
+
|
||||
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
|
||||
+ talloc_zfree(subreq);
|
||||
+
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to LDAP "
|
||||
+ "[%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ if (dp_error == DP_ERR_OFFLINE) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "No AD server is available, "
|
||||
+ "cannot get the subdomain list while offline\n");
|
||||
+ ret = ERR_OFFLINE;
|
||||
+ }
|
||||
+ tevent_req_error(req, ret);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ subreq = ad_domain_info_send(state, state->ev,
|
||||
+ state->dom_id_ctx->sdap_id_ctx->conn,
|
||||
+ state->sdap_op, state->dom_name);
|
||||
+
|
||||
+ tevent_req_set_callback(subreq, ad_check_domain_done, req);
|
||||
+
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+static void ad_check_domain_done(struct tevent_req *subreq)
|
||||
+{
|
||||
+ struct tevent_req *req;
|
||||
+ struct ad_check_domain_state *state;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+
|
||||
+ req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
+ state = tevent_req_data(req, struct ad_check_domain_state);
|
||||
+
|
||||
+ ret = ad_domain_info_recv(subreq, state, &state->flat, &state->sid,
|
||||
+ &state->site, &state->forest);
|
||||
+ talloc_zfree(subreq);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup domain information "
|
||||
+ "[%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s.\n", state->flat, state->sid,
|
||||
+ state->site, state->forest);
|
||||
+
|
||||
+ /* New domain was successfully checked, remove destructor. */
|
||||
+ talloc_set_destructor(state, NULL);
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ if (ret != EOK) {
|
||||
+ tevent_req_error(req, ret);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ tevent_req_done(req);
|
||||
+}
|
||||
+
|
||||
+errno_t ad_check_domain_recv(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_req *req,
|
||||
+ char **_flat,
|
||||
+ char **_id,
|
||||
+ char **_site,
|
||||
+ char **_forest)
|
||||
+{
|
||||
+ struct ad_check_domain_state *state = tevent_req_data(req,
|
||||
+ struct ad_check_domain_state);
|
||||
+
|
||||
+ TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||
+
|
||||
+ if (_flat) {
|
||||
+ *_flat = talloc_steal(mem_ctx, state->flat);
|
||||
+ }
|
||||
+
|
||||
+ if (_site) {
|
||||
+ *_site = talloc_steal(mem_ctx, state->site);
|
||||
+ }
|
||||
+
|
||||
+ if (_forest) {
|
||||
+ *_forest = talloc_steal(mem_ctx, state->forest);
|
||||
+ }
|
||||
+
|
||||
+ if (_id) {
|
||||
+ *_id = talloc_steal(mem_ctx, state->sid);
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,281 +0,0 @@
|
|||
From e25e1e9228a6108d8e94f2e99f3004e6cbfc3349 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 12 May 2020 16:55:32 +0200
|
||||
Subject: [PATCH 19/19] ad: check forest root directly if not present on local
|
||||
DC
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the information about the forest root domain cannot be read from the
|
||||
local domain-controller it is tried to read it from a DC of the forest
|
||||
root directly.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5151
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 184 +++++++++++++++++++++++++++----
|
||||
1 file changed, 164 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 299aa7391..7c6f51db7 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -35,6 +35,10 @@
|
||||
#include <ndr.h>
|
||||
#include <ndr/ndr_nbt.h>
|
||||
|
||||
+/* Avoid that ldb_val is overwritten by data_blob.h */
|
||||
+#undef ldb_val
|
||||
+#include <ldb.h>
|
||||
+
|
||||
/* Attributes of AD trusted domains */
|
||||
#define AD_AT_FLATNAME "flatName"
|
||||
#define AD_AT_SID "securityIdentifier"
|
||||
@@ -1258,15 +1262,37 @@ ads_get_dom_id_ctx(struct be_ctx *be_ctx,
|
||||
|
||||
struct ad_get_root_domain_state {
|
||||
struct ad_subdomains_ctx *sd_ctx;
|
||||
+ struct tevent_context *ev;
|
||||
struct be_ctx *be_ctx;
|
||||
struct sdap_idmap_ctx *idmap_ctx;
|
||||
struct sdap_options *opts;
|
||||
+ const char *domain;
|
||||
+ const char *forest;
|
||||
|
||||
+ struct sysdb_attrs **reply;
|
||||
+ size_t reply_count;
|
||||
struct ad_id_ctx *root_id_ctx;
|
||||
struct sysdb_attrs *root_domain_attrs;
|
||||
};
|
||||
|
||||
static void ad_get_root_domain_done(struct tevent_req *subreq);
|
||||
+static void ad_check_root_domain_done(struct tevent_req *subreq);
|
||||
+static errno_t
|
||||
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
|
||||
+
|
||||
+struct tevent_req *
|
||||
+ad_check_domain_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct be_ctx *be_ctx,
|
||||
+ struct ad_id_ctx *ad_id_ctx,
|
||||
+ const char *dom_name,
|
||||
+ const char *parent_dom_name);
|
||||
+errno_t ad_check_domain_recv(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_req *req,
|
||||
+ char **_flat,
|
||||
+ char **_id,
|
||||
+ char **_site,
|
||||
+ char **_forest);
|
||||
|
||||
static struct tevent_req *
|
||||
ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||
@@ -1305,6 +1331,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||
state->opts = opts = sd_ctx->sdap_id_ctx->opts;
|
||||
state->be_ctx = sd_ctx->be_ctx;
|
||||
state->idmap_ctx = opts->idmap_ctx;
|
||||
+ state->ev = ev;
|
||||
+ state->domain = domain;
|
||||
+ state->forest = forest;
|
||||
|
||||
filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
|
||||
if (filter == NULL) {
|
||||
@@ -1340,17 +1369,14 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||
{
|
||||
struct tevent_req *req;
|
||||
struct ad_get_root_domain_state *state;
|
||||
- struct sysdb_attrs **reply;
|
||||
- struct sss_domain_info *root_domain;
|
||||
- size_t reply_count;
|
||||
- bool has_changes;
|
||||
errno_t ret;
|
||||
|
||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
state = tevent_req_data(req, struct ad_get_root_domain_state);
|
||||
|
||||
- ret = sdap_search_bases_return_first_recv(subreq, state, &reply_count,
|
||||
- &reply);
|
||||
+ ret = sdap_search_bases_return_first_recv(subreq, state,
|
||||
+ &state->reply_count,
|
||||
+ &state->reply);
|
||||
talloc_zfree(subreq);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
|
||||
@@ -1358,19 +1384,142 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (reply_count == 0) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "No information provided for root domain\n");
|
||||
- ret = ENOENT;
|
||||
- goto done;
|
||||
- } else if (reply_count > 1) {
|
||||
+ if (state->reply_count == 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "No information provided for root domain, trying directly.\n");
|
||||
+ subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
|
||||
+ state->sd_ctx->ad_id_ctx, state->forest,
|
||||
+ state->domain);
|
||||
+ if (subreq == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ad_check_domain_send() failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
|
||||
+ return;
|
||||
+ } else if (state->reply_count > 1) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
|
||||
"domain list might be incomplete!\n");
|
||||
ret = ERR_MALFORMED_ENTRY;
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = ad_get_root_domain_refresh(state);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ if (ret != EOK) {
|
||||
+ tevent_req_error(req, ret);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ tevent_req_done(req);
|
||||
+}
|
||||
+
|
||||
+static void ad_check_root_domain_done(struct tevent_req *subreq)
|
||||
+{
|
||||
+ struct tevent_req *req;
|
||||
+ struct ad_get_root_domain_state *state;
|
||||
+ errno_t ret;
|
||||
+ char *flat = NULL;
|
||||
+ char *id = NULL;
|
||||
+ enum idmap_error_code err;
|
||||
+ struct ldb_val id_val;
|
||||
+
|
||||
+ req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
+ state = tevent_req_data(req, struct ad_get_root_domain_state);
|
||||
+
|
||||
+ ret = ad_check_domain_recv(state, subreq, &flat, &id, NULL, NULL);
|
||||
+ talloc_zfree(subreq);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to check forest root information "
|
||||
+ "[%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (flat == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "NetBIOS name of forest root not available.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (id == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Domain SID of forest root not available.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ state->reply = talloc_array(state, struct sysdb_attrs *, 1);
|
||||
+ if (state->reply == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array() failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ state->reply[0] = sysdb_new_attrs(state->reply);
|
||||
+ if (state->reply[0] == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs() failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_FLATNAME, flat);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_TRUST_PARTNER,
|
||||
+ state->forest);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
|
||||
+ &id_val.data, &id_val.length);
|
||||
+ if (err != IDMAP_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Could not convert SID: [%s].\n", idmap_error_string(err));
|
||||
+ ret = EFAULT;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_attrs_add_val(state->reply[0], AD_AT_SID, &id_val);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ state->reply_count = 1;
|
||||
+
|
||||
+ ret = ad_get_root_domain_refresh(state);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ if (ret != EOK) {
|
||||
+ tevent_req_error(req, ret);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ tevent_req_done(req);
|
||||
+}
|
||||
+
|
||||
+static errno_t
|
||||
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
|
||||
+{
|
||||
+ struct sss_domain_info *root_domain;
|
||||
+ bool has_changes;
|
||||
+ errno_t ret;
|
||||
+
|
||||
ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
|
||||
- reply, reply_count, true,
|
||||
+ state->reply, state->reply_count, true,
|
||||
&state->sd_ctx->last_refreshed,
|
||||
&has_changes);
|
||||
if (ret != EOK) {
|
||||
@@ -1387,8 +1536,8 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||
}
|
||||
}
|
||||
|
||||
- state->root_domain_attrs = reply[0];
|
||||
- root_domain = ads_get_root_domain(state->be_ctx, reply[0]);
|
||||
+ state->root_domain_attrs = state->reply[0];
|
||||
+ root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
|
||||
if (root_domain == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
|
||||
ret = EFAULT;
|
||||
@@ -1407,12 +1556,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
- if (ret != EOK) {
|
||||
- tevent_req_error(req, ret);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- tevent_req_done(req);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
static errno_t ad_get_root_domain_recv(TALLOC_CTX *mem_ctx,
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,44 +0,0 @@
|
|||
From d8d743870c459b5ff283c89d78b70d1684bd19a9 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Wed, 13 May 2020 09:45:56 +0200
|
||||
Subject: [PATCH] man: Document invalid selinux context for homedirs
|
||||
|
||||
The default value of fallback_homedir expands into path, that is not
|
||||
expected by selinux. Generally not only selinux might be affected by
|
||||
this default value. This PR documents the issue and recommends
|
||||
further steps.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5155
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
|
||||
---
|
||||
src/man/include/ad_modified_defaults.xml | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
|
||||
index 91623d57a..65c9a0140 100644
|
||||
--- a/src/man/include/ad_modified_defaults.xml
|
||||
+++ b/src/man/include/ad_modified_defaults.xml
|
||||
@@ -92,6 +92,18 @@
|
||||
this fallback behavior, you can explicitly
|
||||
set "fallback_homedir = %o".
|
||||
</para>
|
||||
+ <para>
|
||||
+ Note that the system typically expects a home directory
|
||||
+ in /home/%u folder. If you decide to use a different
|
||||
+ directory structure, some other parts of your system may
|
||||
+ need adjustments.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ For example automated creation of home directories in
|
||||
+ combination with selinux requires selinux adjustment,
|
||||
+ otherwise the home directory will be created with wrong
|
||||
+ selinux context.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</refsect2>
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From 26c794da31c215fef3e41429f6f13afdaf349bee Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 3 Jun 2020 20:35:04 +0200
|
||||
Subject: [PATCH 21/22] pam_sss: add SERVICE_IS_GDM_SMARTCARD
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5190
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index 69b440774..7e59f0487 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -71,6 +71,8 @@
|
||||
#define DEBUG_MGS_LEN 1024
|
||||
#define MAX_AUTHTOK_SIZE (1024*1024)
|
||||
#define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)")
|
||||
+#define SERVICE_IS_GDM_SMARTCARD(pitem) (strcmp((pitem)->pam_service, \
|
||||
+ "gdm-smartcard") == 0)
|
||||
|
||||
static void logger(pam_handle_t *pamh, int level, const char *fmt, ...) {
|
||||
va_list ap;
|
||||
@@ -2580,7 +2582,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
return PAM_AUTHINFO_UNAVAIL;
|
||||
}
|
||||
|
||||
- if (strcmp(pi.pam_service, "gdm-smartcard") == 0
|
||||
+ if (SERVICE_IS_GDM_SMARTCARD(&pi)
|
||||
|| (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
|
||||
ret = check_login_token_name(pamh, &pi, retries,
|
||||
quiet_mode);
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
From 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 3 Jun 2020 20:36:54 +0200
|
||||
Subject: [PATCH 22/22] pam_sss: special handling for gdm-smartcard
|
||||
|
||||
The gdm-smartcard service is special since it is triggered by the
|
||||
presence of a Smartcard and even in the case of an error it will
|
||||
immediately try again. To break this loop we should ask for an user
|
||||
input and asking for a PIN is most straight forward and would show the
|
||||
same behavior as pam_pkcs11.
|
||||
|
||||
Additionally it does not make sense to fall back the a password prompt
|
||||
for gdm-smartcard so also here a PIN prompt should be shown.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5190
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 16 ++++++++++++----
|
||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index 7e59f0487..093e53af5 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -1835,8 +1835,13 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
|
||||
struct pam_message m[2] = { { 0 }, { 0 } };
|
||||
struct pam_response *resp = NULL;
|
||||
struct cert_auth_info *cai = pi->selected_cert;
|
||||
+ struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
|
||||
+ NULL, NULL, NULL, NULL, NULL };
|
||||
|
||||
- if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
|
||||
+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
|
||||
+ cai = &empty_cai;
|
||||
+ } else if (cai == NULL || cai->token_name == NULL
|
||||
+ || *cai->token_name == '\0') {
|
||||
return PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
@@ -2188,6 +2193,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
||||
}
|
||||
}
|
||||
ret = prompt_sc_pin(pamh, pi);
|
||||
+ } else if (SERVICE_IS_GDM_SMARTCARD(pi)) {
|
||||
+ /* Use pin prompt as fallback for gdm-smartcard */
|
||||
+ ret = prompt_sc_pin(pamh, pi);
|
||||
} else {
|
||||
ret = prompt_password(pamh, pi, _("Password: "));
|
||||
}
|
||||
@@ -2496,7 +2504,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
{
|
||||
int ret;
|
||||
int pam_status;
|
||||
- struct pam_items pi;
|
||||
+ struct pam_items pi = { 0 };
|
||||
uint32_t flags = 0;
|
||||
const int *exp_data;
|
||||
int *pw_exp_data;
|
||||
@@ -2570,7 +2578,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
/*
|
||||
* Since we are only interested in the result message
|
||||
* and will always use password authentication
|
||||
- * as a fallback, errors can be ignored here.
|
||||
+ * as a fallback (except for gdm-smartcard),
|
||||
+ * errors can be ignored here.
|
||||
*/
|
||||
}
|
||||
}
|
||||
@@ -2588,7 +2597,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
quiet_mode);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("check_login_token_name failed.\n"));
|
||||
- return ret;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From 31e57432537b9d248839159d83cfa9049faf192b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 19 Jun 2020 13:32:30 +0200
|
||||
Subject: [PATCH] pam_sss: make sure old certificate data is removed before
|
||||
retry
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
To avoid that certificates will be shown in the certificate selection
|
||||
which are not available anymore they must be remove before a new request
|
||||
to look up the certificates is send to SSSD's PAM responder.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5190
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index e3ad2c9b2..6a3ba2f50 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -2467,6 +2467,8 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
||||
&& strcmp(login_token_name,
|
||||
pi->cert_list->token_name) != 0)) {
|
||||
|
||||
+ free_cert_list(pi->cert_list);
|
||||
+ pi->cert_list = NULL;
|
||||
if (retries < 0) {
|
||||
ret = PAM_AUTHINFO_UNAVAIL;
|
||||
goto done;
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From 66029529fa0f0e2d16999f22294822deeec5f60b Mon Sep 17 00:00:00 2001
|
||||
From: Alejandro Visiedo <avisiedo@redhat.com>
|
||||
Date: Thu, 11 Jun 2020 00:36:04 +0200
|
||||
Subject: [PATCH] systemtap: Missing a comma
|
||||
|
||||
sssd_functions.stp was missing a comma.
|
||||
|
||||
Thanks to William Cohen for reporting the issue and the patch to fix it.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1840194
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5201
|
||||
|
||||
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||
---
|
||||
src/systemtap/sssd_functions.stp | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/systemtap/sssd_functions.stp b/src/systemtap/sssd_functions.stp
|
||||
index 1eb140ccf..01f553177 100644
|
||||
--- a/src/systemtap/sssd_functions.stp
|
||||
+++ b/src/systemtap/sssd_functions.stp
|
||||
@@ -7,7 +7,7 @@ global TARGET_ID=0, TARGET_AUTH=1, TARGET_ACCESS=2, TARGET_CHPASS=3,
|
||||
global METHOD_CHECK_ONLINE=0, METHOD_ACCOUNT_HANDLER=1, METHOD_AUTH_HANDLER=2,
|
||||
METHOD_ACCESS_HANDLER=3, METHOD_SELINUX_HANDLER=4, METHOD_SUDO_HANDLER=5,
|
||||
METHOD_AUTOFS_HANDLER=6, METHOD_HOSTID_HANDLER=7, METHOD_DOMAINS_HANDLER=8,
|
||||
- METHOD_RESOLVER_HANDLER=9 METHOD_SENTINEL=10
|
||||
+ METHOD_RESOLVER_HANDLER=9, METHOD_SENTINEL=10
|
||||
|
||||
function acct_req_desc(entry_type)
|
||||
{
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,94 +0,0 @@
|
|||
From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 26 Jun 2020 12:07:48 +0200
|
||||
Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils
|
||||
target
|
||||
|
||||
To avoid regression for case where files is used for proxy but authentication
|
||||
is handled by other module then pam_unix. E.g. auth_provider = krb
|
||||
|
||||
This provides different solution to the ticket and improves the documentation.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5129
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 25 ++++++++++++++++++++-----
|
||||
src/man/sssd.conf.5.xml | 12 +++++++++---
|
||||
2 files changed, 29 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 65ad18dcf..c2daa9a2c 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
struct sss_domain_info *domain;
|
||||
struct ldb_result *res;
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
- const char *tmp;
|
||||
+ const char *tmp, *tmp_pam_target, *tmp_auth;
|
||||
int ret, val;
|
||||
uint32_t entry_cache_timeout;
|
||||
char *default_domain;
|
||||
@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
}
|
||||
|
||||
if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) {
|
||||
- /* The password field must be reported as 'x' for proxy provider
|
||||
- * using files library, else pam_unix won't
|
||||
- * authenticate this entry. */
|
||||
+ /* The password field must be reported as 'x' for proxy provider
|
||||
+ * using files library, else pam_unix won't authenticate this entry.
|
||||
+ * We set this only for sssd-shadowutils target which can be used
|
||||
+ * to authenticate with pam_unix only. Otherwise we let administrator
|
||||
+ * to overwrite default * value with pwfield option to avoid regression
|
||||
+ * on more common use case where remote authentication is required. */
|
||||
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
|
||||
CONFDB_PROXY_LIBNAME,
|
||||
NULL);
|
||||
- if (tmp != NULL && strcasecmp(tmp, "files") == 0) {
|
||||
+
|
||||
+ tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0],
|
||||
+ CONFDB_DOMAIN_AUTH_PROVIDER,
|
||||
+ NULL);
|
||||
+
|
||||
+ tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0],
|
||||
+ CONFDB_PROXY_PAM_TARGET,
|
||||
+ NULL);
|
||||
+
|
||||
+ if (tmp != NULL && tmp_pam_target != NULL
|
||||
+ && strcasecmp(tmp, "files") == 0
|
||||
+ && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0)
|
||||
+ && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) {
|
||||
domain->pwfield = "x";
|
||||
}
|
||||
}
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index cae24bb63..44b3b8f20 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u
|
||||
<quote>password</quote> field.
|
||||
</para>
|
||||
<para>
|
||||
- This option can also be set per-domain.
|
||||
+ Default: <quote>*</quote>
|
||||
</para>
|
||||
<para>
|
||||
- Default: <quote>*</quote> (remote domains)
|
||||
- or <quote>x</quote> (the files domain)
|
||||
+ Note: This option can also be set per-domain which
|
||||
+ overwrites the value in [nss] section.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: <quote>not set</quote> (remote domains),
|
||||
+ <quote>x</quote> (the files domain),
|
||||
+ <quote>x</quote> (proxy domain with nss_files
|
||||
+ and sssd-shadowutils target)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,291 +0,0 @@
|
|||
From 8969c43dc2d8d0800c2f0b509d078378db855622 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 23 Jun 2020 12:05:08 +0200
|
||||
Subject: [PATCH] files: allow root membership
|
||||
|
||||
There are two use cases that do not work with files provider:
|
||||
|
||||
1. User has primary GID 0:
|
||||
|
||||
This is fine by itself since SSSD does not store this user in cache and it is
|
||||
handled only by `nss_files` so the user (`tuser`) is returned correctly. The
|
||||
problem is when you try to resolve group that the user is member of. In this
|
||||
case that the membership is missing the group (but only if the user was
|
||||
previously resolved and thus stored in negative cache).
|
||||
|
||||
```
|
||||
tuser:x:1001:0::/home/tuser:/bin/bash
|
||||
tuser:x:1001:tuser
|
||||
|
||||
// tuser@files is ghost member of the group so it is returned because it is not in negative cache
|
||||
$ getent group tuser
|
||||
tuser:x:1001:tuser
|
||||
|
||||
// expire memcache
|
||||
// tuser@files is ghost member but not returned because it is in negative cache
|
||||
$ id tuser // returned from nss_files
|
||||
uid=1001(tuser) gid=0(root) groups=0(root),1001(tuser)
|
||||
[pbrezina /dev/shm/sssd]$ getent group tuser
|
||||
tuser:x:1001:
|
||||
```
|
||||
|
||||
**2. root is member of other group**
|
||||
|
||||
The root member is missing from the membership since it was filtered out by
|
||||
negative cache.
|
||||
|
||||
```
|
||||
tuser:x:1001:root
|
||||
|
||||
$ id root
|
||||
uid=0(root) gid=0(root) groups=0(root),1001(tuser)
|
||||
[pbrezina /dev/shm/sssd]$ getent group tuser
|
||||
tuser:x:1001:
|
||||
```
|
||||
|
||||
In files provider, only the users that we do not want to managed are stored
|
||||
as ghost member, therefore we can let nss_files handle group that has ghost
|
||||
members.
|
||||
|
||||
Tests are changed as well to work with this behavior. Users are added when
|
||||
required and ghost are expected to return ENOENT.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5170
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/responder/nss/nss_protocol_grent.c | 18 +++++++
|
||||
src/tests/intg/files_ops.py | 13 +++++
|
||||
src/tests/intg/test_files_provider.py | 73 ++++++++++++++++----------
|
||||
3 files changed, 77 insertions(+), 27 deletions(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
|
||||
index 9c443d0e7..6d8e71083 100644
|
||||
--- a/src/responder/nss/nss_protocol_grent.c
|
||||
+++ b/src/responder/nss/nss_protocol_grent.c
|
||||
@@ -141,6 +141,24 @@ nss_protocol_fill_members(struct sss_packet *packet,
|
||||
members[0] = nss_get_group_members(domain, msg);
|
||||
members[1] = nss_get_group_ghosts(domain, msg, group_name);
|
||||
|
||||
+ if (is_files_provider(domain) && members[1] != NULL) {
|
||||
+ /* If there is a ghost member in files provider it means that we
|
||||
+ * did not store the user on purpose (e.g. it has uid or gid 0).
|
||||
+ * Therefore nss_files does handle the user and therefore we
|
||||
+ * must let nss_files to also handle this group in order to
|
||||
+ * provide correct membership. */
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Unknown members found. nss_files will handle it.\n");
|
||||
+
|
||||
+ ret = sss_ncache_set_group(rctx->ncache, false, domain, group_name);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_ncache_set_group failed.\n");
|
||||
+ }
|
||||
+
|
||||
+ ret = ENOENT;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
sss_packet_get_body(packet, &body, &body_len);
|
||||
|
||||
num_members = 0;
|
||||
diff --git a/src/tests/intg/files_ops.py b/src/tests/intg/files_ops.py
|
||||
index c1c4465e7..57959f501 100644
|
||||
--- a/src/tests/intg/files_ops.py
|
||||
+++ b/src/tests/intg/files_ops.py
|
||||
@@ -103,6 +103,13 @@ class FilesOps(object):
|
||||
|
||||
contents = self._read_contents()
|
||||
|
||||
+ def _has_line(self, key):
|
||||
+ try:
|
||||
+ self._get_named_line(key, self._read_contents())
|
||||
+ return True
|
||||
+ except KeyError:
|
||||
+ return False
|
||||
+
|
||||
|
||||
class PasswdOps(FilesOps):
|
||||
"""
|
||||
@@ -132,6 +139,9 @@ class PasswdOps(FilesOps):
|
||||
def userdel(self, name):
|
||||
self._del_line(name)
|
||||
|
||||
+ def userexist(self, name):
|
||||
+ return self._has_line(name)
|
||||
+
|
||||
|
||||
class GroupOps(FilesOps):
|
||||
"""
|
||||
@@ -158,3 +168,6 @@ class GroupOps(FilesOps):
|
||||
|
||||
def groupdel(self, name):
|
||||
self._del_line(name)
|
||||
+
|
||||
+ def groupexist(self, name):
|
||||
+ return self._has_line(name)
|
||||
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
|
||||
index 023333020..90be198c3 100644
|
||||
--- a/src/tests/intg/test_files_provider.py
|
||||
+++ b/src/tests/intg/test_files_provider.py
|
||||
@@ -60,11 +60,13 @@ OV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010,
|
||||
dir='/home/ov/user1',
|
||||
shell='/bin/ov_user1_shell')
|
||||
|
||||
-ALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001,
|
||||
+ALT_USER1 = dict(name='alt_user1', passwd='x', uid=60001, gid=70001,
|
||||
gecos='User for tests from alt files',
|
||||
dir='/home/altuser1',
|
||||
shell='/bin/bash')
|
||||
|
||||
+ALL_USERS = [CANARY, USER1, USER2, OV_USER1, ALT_USER1]
|
||||
+
|
||||
CANARY_GR = dict(name='canary',
|
||||
gid=300001,
|
||||
mem=[])
|
||||
@@ -365,21 +367,34 @@ def setup_pw_with_canary(passwd_ops_setup):
|
||||
return setup_pw_with_list(passwd_ops_setup, [CANARY])
|
||||
|
||||
|
||||
-def setup_gr_with_list(grp_ops, group_list):
|
||||
+def add_group_members(pwd_ops, group):
|
||||
+ members = {x['name']: x for x in ALL_USERS}
|
||||
+ for member in group['mem']:
|
||||
+ if pwd_ops.userexist(member):
|
||||
+ continue
|
||||
+
|
||||
+ pwd_ops.useradd(**members[member])
|
||||
+
|
||||
+
|
||||
+def setup_gr_with_list(pwd_ops, grp_ops, group_list):
|
||||
for group in group_list:
|
||||
+ add_group_members(pwd_ops, group)
|
||||
grp_ops.groupadd(**group)
|
||||
+
|
||||
ent.assert_group_by_name(CANARY_GR['name'], CANARY_GR)
|
||||
return grp_ops
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
-def add_group_with_canary(group_ops_setup):
|
||||
- return setup_gr_with_list(group_ops_setup, [GROUP1, CANARY_GR])
|
||||
+def add_group_with_canary(passwd_ops_setup, group_ops_setup):
|
||||
+ return setup_gr_with_list(
|
||||
+ passwd_ops_setup, group_ops_setup, [GROUP1, CANARY_GR]
|
||||
+ )
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
-def setup_gr_with_canary(group_ops_setup):
|
||||
- return setup_gr_with_list(group_ops_setup, [CANARY_GR])
|
||||
+def setup_gr_with_canary(passwd_ops_setup, group_ops_setup):
|
||||
+ return setup_gr_with_list(passwd_ops_setup, group_ops_setup, [CANARY_GR])
|
||||
|
||||
|
||||
def poll_canary(fn, name, threshold=20):
|
||||
@@ -766,7 +781,9 @@ def test_gid_zero_does_not_resolve(files_domain_only):
|
||||
assert res == NssReturnCode.NOTFOUND
|
||||
|
||||
|
||||
-def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only):
|
||||
+def test_add_remove_add_file_group(
|
||||
+ setup_pw_with_canary, setup_gr_with_canary, files_domain_only
|
||||
+):
|
||||
"""
|
||||
Test that removing a group is detected and the group
|
||||
is removed from the sssd database. Similarly, an add
|
||||
@@ -776,6 +793,7 @@ def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only):
|
||||
res, group = call_sssd_getgrnam(GROUP1["name"])
|
||||
assert res == NssReturnCode.NOTFOUND
|
||||
|
||||
+ add_group_members(setup_pw_with_canary, GROUP1)
|
||||
setup_gr_with_canary.groupadd(**GROUP1)
|
||||
check_group(GROUP1)
|
||||
|
||||
@@ -817,8 +835,10 @@ def test_mod_group_gid(add_group_with_canary, files_domain_only):
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
-def add_group_nomem_with_canary(group_ops_setup):
|
||||
- return setup_gr_with_list(group_ops_setup, [GROUP_NOMEM, CANARY_GR])
|
||||
+def add_group_nomem_with_canary(passwd_ops_setup, group_ops_setup):
|
||||
+ return setup_gr_with_list(
|
||||
+ passwd_ops_setup, group_ops_setup, [GROUP_NOMEM, CANARY_GR]
|
||||
+ )
|
||||
|
||||
|
||||
def test_getgrnam_no_members(add_group_nomem_with_canary, files_domain_only):
|
||||
@@ -911,16 +931,19 @@ def test_getgrnam_ghost(setup_pw_with_canary,
|
||||
setup_gr_with_canary,
|
||||
files_domain_only):
|
||||
"""
|
||||
- Test that a group with members while the members are not present
|
||||
- are added as ghosts. This is also what nss_files does, getgrnam would
|
||||
- return group members that do not exist as well.
|
||||
+ Test that group if not found (and will be handled by nss_files) if there
|
||||
+ are any ghost members.
|
||||
"""
|
||||
user_and_group_setup(setup_pw_with_canary,
|
||||
setup_gr_with_canary,
|
||||
[],
|
||||
[GROUP12],
|
||||
False)
|
||||
- check_group(GROUP12)
|
||||
+
|
||||
+ time.sleep(1)
|
||||
+ res, group = call_sssd_getgrnam(GROUP12["name"])
|
||||
+ assert res == NssReturnCode.NOTFOUND
|
||||
+
|
||||
for member in GROUP12['mem']:
|
||||
res, _ = call_sssd_getpwnam(member)
|
||||
assert res == NssReturnCode.NOTFOUND
|
||||
@@ -932,7 +955,10 @@ def ghost_and_member_test(pw_ops, grp_ops, reverse):
|
||||
[USER1],
|
||||
[GROUP12],
|
||||
reverse)
|
||||
- check_group(GROUP12)
|
||||
+
|
||||
+ time.sleep(1)
|
||||
+ res, group = call_sssd_getgrnam(GROUP12["name"])
|
||||
+ assert res == NssReturnCode.NOTFOUND
|
||||
|
||||
# We checked that the group added has the same members as group12,
|
||||
# so both user1 and user2. Now check that user1 is a member of
|
||||
@@ -1027,28 +1053,21 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
|
||||
modgroup = dict(GROUP_NOMEM)
|
||||
modgroup['mem'] = ['user1', 'user2']
|
||||
add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup)
|
||||
- check_group(modgroup)
|
||||
+ time.sleep(1)
|
||||
+ res, group = call_sssd_getgrnam(modgroup['name'])
|
||||
+ assert res == sssd_id.NssReturnCode.NOTFOUND
|
||||
|
||||
modgroup['mem'] = ['user2']
|
||||
add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup)
|
||||
- check_group(modgroup)
|
||||
+ time.sleep(1)
|
||||
+ res, group = call_sssd_getgrnam(modgroup['name'])
|
||||
+ assert res == sssd_id.NssReturnCode.NOTFOUND
|
||||
|
||||
res, _ = call_sssd_getpwnam('user1')
|
||||
assert res == NssReturnCode.NOTFOUND
|
||||
res, _ = call_sssd_getpwnam('user2')
|
||||
assert res == NssReturnCode.NOTFOUND
|
||||
|
||||
- # Add this user and verify it's been added as a member
|
||||
- pwd_ops.useradd(**USER2)
|
||||
- # The negative cache might still have user2 from the previous request,
|
||||
- # flushing the caches might help to prevent a failed lookup after adding
|
||||
- # the user.
|
||||
- subprocess.call(["sss_cache", "-E"])
|
||||
- res, groups = sssd_id_sync('user2')
|
||||
- assert res == sssd_id.NssReturnCode.SUCCESS
|
||||
- assert len(groups) == 2
|
||||
- assert 'group_nomem' in groups
|
||||
-
|
||||
|
||||
def realloc_users(pwd_ops, num):
|
||||
# Intentionally not including the last one because
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From 100839b64390d7010bfa28552fd9381ef4366496 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 26 Jun 2020 09:48:17 +0200
|
||||
Subject: [PATCH] PAM: do not treat error for cache-only lookups as fatal
|
||||
|
||||
The original fatal error came from a time where at this place in the
|
||||
code the response form the backend was checked and an error was clearly
|
||||
fatal.
|
||||
|
||||
Now we only check if the entry is in the cache and valid. An error would
|
||||
mean that the backend is called to lookup or refresh the entry. So the
|
||||
backend can change the state of the cache and make upcoming cache
|
||||
lookups successful. So it makes sense to not only call the backend if
|
||||
ENOENT is returned but for all kind of errors.
|
||||
|
||||
Resolves https://pagure.io/SSSD/sssd/issue/4098
|
||||
|
||||
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||
---
|
||||
src/responder/pam/pamsrv_cmd.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 1cd901f15..666131cb7 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1941,10 +1941,8 @@ static void pam_check_user_search_next(struct tevent_req *req)
|
||||
ret = cache_req_single_domain_recv(preq, req, &result);
|
||||
talloc_zfree(req);
|
||||
if (ret != EOK && ret != ENOENT) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Fatal error, killing connection!\n");
|
||||
- talloc_zfree(preq->cctx);
|
||||
- return;
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cache lookup failed, trying to get fresh "
|
||||
+ "data from the backened.\n");
|
||||
}
|
||||
|
||||
DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,193 +0,0 @@
|
|||
From 2d90e642078c15f001b34a0a50a67fa6eac9a3b9 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 3 Mar 2020 18:44:11 +0100
|
||||
Subject: [PATCH 28/35] mem-cache: sizes of free and data tables were made
|
||||
consistent
|
||||
|
||||
Since size of "free table" didn't account for SSS_AVG_*_PAYLOAD factor
|
||||
only small fraction of "data table" was actually used.
|
||||
SSS_AVG_*_PAYLOAD differentiation for different payload types only
|
||||
affected size of hash table and was removed as unjustified.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5115
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/responder/nss/nsssrv.c | 22 +++++++++++-------
|
||||
src/responder/nss/nsssrv_mmap_cache.c | 33 +++++++--------------------
|
||||
src/responder/nss/nsssrv_mmap_cache.h | 2 --
|
||||
src/util/mmap_cache.h | 3 ---
|
||||
4 files changed, 22 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
|
||||
index 87300058f..21d93ae77 100644
|
||||
--- a/src/responder/nss/nsssrv.c
|
||||
+++ b/src/responder/nss/nsssrv.c
|
||||
@@ -83,10 +83,9 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- /* TODO: read cache sizes from configuration */
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "Clearing memory caches.\n");
|
||||
ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_CACHE_ELEMENTS,
|
||||
+ -1, /* keep current size */
|
||||
(time_t) memcache_timeout,
|
||||
&nctx->pwd_mc_ctx);
|
||||
if (ret != EOK) {
|
||||
@@ -96,7 +95,7 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_CACHE_ELEMENTS,
|
||||
+ -1, /* keep current size */
|
||||
(time_t) memcache_timeout,
|
||||
&nctx->grp_mc_ctx);
|
||||
if (ret != EOK) {
|
||||
@@ -106,7 +105,7 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_CACHE_ELEMENTS,
|
||||
+ -1, /* keep current size */
|
||||
(time_t)memcache_timeout,
|
||||
&nctx->initgr_mc_ctx);
|
||||
if (ret != EOK) {
|
||||
@@ -210,6 +209,11 @@ done:
|
||||
|
||||
static int setup_memcaches(struct nss_ctx *nctx)
|
||||
{
|
||||
+ /* TODO: read cache sizes from configuration */
|
||||
+ static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */
|
||||
+ static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */
|
||||
+ static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */
|
||||
+
|
||||
int ret;
|
||||
int memcache_timeout;
|
||||
|
||||
@@ -239,11 +243,11 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
- /* TODO: read cache sizes from configuration */
|
||||
ret = sss_mmap_cache_init(nctx, "passwd",
|
||||
nctx->mc_uid, nctx->mc_gid,
|
||||
SSS_MC_PASSWD,
|
||||
- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
|
||||
+ SSS_MC_CACHE_PASSWD_SLOTS,
|
||||
+ (time_t)memcache_timeout,
|
||||
&nctx->pwd_mc_ctx);
|
||||
if (ret) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
|
||||
@@ -252,7 +256,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
ret = sss_mmap_cache_init(nctx, "group",
|
||||
nctx->mc_uid, nctx->mc_gid,
|
||||
SSS_MC_GROUP,
|
||||
- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
|
||||
+ SSS_MC_CACHE_GROUP_SLOTS,
|
||||
+ (time_t)memcache_timeout,
|
||||
&nctx->grp_mc_ctx);
|
||||
if (ret) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
|
||||
@@ -261,7 +266,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
ret = sss_mmap_cache_init(nctx, "initgroups",
|
||||
nctx->mc_uid, nctx->mc_gid,
|
||||
SSS_MC_INITGROUPS,
|
||||
- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout,
|
||||
+ SSS_MC_CACHE_INITGROUP_SLOTS,
|
||||
+ (time_t)memcache_timeout,
|
||||
&nctx->initgr_mc_ctx);
|
||||
if (ret) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
|
||||
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
index 69e767690..5e23bbe6f 100644
|
||||
--- a/src/responder/nss/nsssrv_mmap_cache.c
|
||||
+++ b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
@@ -28,13 +28,6 @@
|
||||
#include "responder/nss/nss_private.h"
|
||||
#include "responder/nss/nsssrv_mmap_cache.h"
|
||||
|
||||
-/* arbitrary (avg of my /etc/passwd) */
|
||||
-#define SSS_AVG_PASSWD_PAYLOAD (MC_SLOT_SIZE * 4)
|
||||
-/* short group name and no gids (private user group */
|
||||
-#define SSS_AVG_GROUP_PAYLOAD (MC_SLOT_SIZE * 3)
|
||||
-/* average place for 40 supplementary groups + 2 names */
|
||||
-#define SSS_AVG_INITGROUP_PAYLOAD (MC_SLOT_SIZE * 5)
|
||||
-
|
||||
#define MC_NEXT_BARRIER(val) ((((val) + 1) & 0x00ffffff) | 0xf0000000)
|
||||
|
||||
#define MC_RAISE_BARRIER(m) do { \
|
||||
@@ -1251,24 +1244,14 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
|
||||
enum sss_mc_type type, size_t n_elem,
|
||||
time_t timeout, struct sss_mc_ctx **mcc)
|
||||
{
|
||||
+ /* sss_mc_header alone occupies whole slot,
|
||||
+ * so each entry takes 2 slots at the very least
|
||||
+ */
|
||||
+ static const int PAYLOAD_FACTOR = 2;
|
||||
+
|
||||
struct sss_mc_ctx *mc_ctx = NULL;
|
||||
- int payload;
|
||||
int ret, dret;
|
||||
|
||||
- switch (type) {
|
||||
- case SSS_MC_PASSWD:
|
||||
- payload = SSS_AVG_PASSWD_PAYLOAD;
|
||||
- break;
|
||||
- case SSS_MC_GROUP:
|
||||
- payload = SSS_AVG_GROUP_PAYLOAD;
|
||||
- break;
|
||||
- case SSS_MC_INITGROUPS:
|
||||
- payload = SSS_AVG_INITGROUP_PAYLOAD;
|
||||
- break;
|
||||
- default:
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
mc_ctx = talloc_zero(mem_ctx, struct sss_mc_ctx);
|
||||
if (!mc_ctx) {
|
||||
return ENOMEM;
|
||||
@@ -1303,9 +1286,9 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
|
||||
|
||||
/* hash table is double the size because it will store both forward and
|
||||
* reverse keys (name/uid, name/gid, ..) */
|
||||
- mc_ctx->ht_size = MC_HT_SIZE(n_elem * 2);
|
||||
- mc_ctx->dt_size = MC_DT_SIZE(n_elem, payload);
|
||||
- mc_ctx->ft_size = MC_FT_SIZE(n_elem);
|
||||
+ mc_ctx->ht_size = MC_HT_SIZE(2 * n_elem / PAYLOAD_FACTOR);
|
||||
+ mc_ctx->dt_size = n_elem * MC_SLOT_SIZE;
|
||||
+ mc_ctx->ft_size = n_elem / 8; /* 1 bit per slot */
|
||||
mc_ctx->mmap_size = MC_HEADER_SIZE +
|
||||
MC_ALIGN64(mc_ctx->dt_size) +
|
||||
MC_ALIGN64(mc_ctx->ft_size) +
|
||||
diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h
|
||||
index e06257949..c40af2fb4 100644
|
||||
--- a/src/responder/nss/nsssrv_mmap_cache.h
|
||||
+++ b/src/responder/nss/nsssrv_mmap_cache.h
|
||||
@@ -22,8 +22,6 @@
|
||||
#ifndef _NSSSRV_MMAP_CACHE_H_
|
||||
#define _NSSSRV_MMAP_CACHE_H_
|
||||
|
||||
-#define SSS_MC_CACHE_ELEMENTS 50000
|
||||
-
|
||||
struct sss_mc_ctx;
|
||||
|
||||
enum sss_mc_type {
|
||||
diff --git a/src/util/mmap_cache.h b/src/util/mmap_cache.h
|
||||
index 63e096027..d3d92bc98 100644
|
||||
--- a/src/util/mmap_cache.h
|
||||
+++ b/src/util/mmap_cache.h
|
||||
@@ -40,9 +40,6 @@ typedef uint32_t rel_ptr_t;
|
||||
|
||||
#define MC_HT_SIZE(elems) ( (elems) * MC_32 )
|
||||
#define MC_HT_ELEMS(size) ( (size) / MC_32 )
|
||||
-#define MC_DT_SIZE(elems, payload) ( (elems) * (payload) )
|
||||
-#define MC_FT_SIZE(elems) ( (elems) / 8 )
|
||||
-/* ^^ 8 bits per byte so we need just elems/8 bytes to represent all blocks */
|
||||
|
||||
#define MC_PTR_ADD(ptr, bytes) (void *)((uint8_t *)(ptr) + (bytes))
|
||||
#define MC_PTR_DIFF(ptr, base) ((uint8_t *)(ptr) - (uint8_t *)(base))
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,543 +0,0 @@
|
|||
From 80e7163b7bf512a45e2fa31494f3bdff9e9e2dce Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||
Date: Wed, 4 Mar 2020 16:26:18 +0100
|
||||
Subject: [PATCH 29/35] NSS: make memcache size configurable
|
||||
|
||||
Added options to configure memcache size:
|
||||
memcache_size_passwd
|
||||
memcache_size_group
|
||||
memcache_size_initgroups
|
||||
|
||||
Related:
|
||||
https://github.com/SSSD/sssd/issues/4578
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 3 +
|
||||
src/config/SSSDConfig/sssdoptions.py | 3 +
|
||||
src/config/cfg_rules.ini | 3 +
|
||||
src/man/sssd.conf.5.xml | 78 +++++++++
|
||||
src/responder/nss/nsssrv.c | 104 ++++++++----
|
||||
src/tests/intg/test_memory_cache.py | 236 +++++++++++++++++++++++++++
|
||||
6 files changed, 398 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index a5d35fd70..c96896da5 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -115,6 +115,9 @@
|
||||
#define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
|
||||
#define CONFDB_NSS_DEFAULT_SHELL "default_shell"
|
||||
#define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout"
|
||||
+#define CONFDB_NSS_MEMCACHE_SIZE_PASSWD "memcache_size_passwd"
|
||||
+#define CONFDB_NSS_MEMCACHE_SIZE_GROUP "memcache_size_group"
|
||||
+#define CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS "memcache_size_initgroups"
|
||||
#define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring"
|
||||
#define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home"
|
||||
|
||||
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
|
||||
index 9c071f70a..16d85cfa3 100644
|
||||
--- a/src/config/SSSDConfig/sssdoptions.py
|
||||
+++ b/src/config/SSSDConfig/sssdoptions.py
|
||||
@@ -72,6 +72,9 @@ class SSSDOptions(object):
|
||||
'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
|
||||
'default_shell': _('Shell to use if the provider does not list one'),
|
||||
'memcache_timeout': _('How long will be in-memory cache records valid'),
|
||||
+ 'memcache_size_passwd': _('Number of slots in fast in-memory cache for passwd requests'),
|
||||
+ 'memcache_size_group': _('Number of slots in fast in-memory cache for group requests'),
|
||||
+ 'memcache_size_initgroups': _('Number of slots in fast in-memory cache for initgroups requests'),
|
||||
'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
|
||||
'if the template contains the format string %H.'),
|
||||
'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 1a7e2c5cd..2874ea048 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -92,6 +92,9 @@ option = shell_fallback
|
||||
option = default_shell
|
||||
option = get_domains_timeout
|
||||
option = memcache_timeout
|
||||
+option = memcache_size_passwd
|
||||
+option = memcache_size_group
|
||||
+option = memcache_size_initgroups
|
||||
|
||||
[rule/allowed_pam_options]
|
||||
validator = ini_allowed_options
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 9a9679a4b..9bc2e26e5 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -1100,6 +1100,84 @@ fallback_homedir = /home/%u
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>memcache_size_passwd (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Number of slots allocated inside fast in-memory
|
||||
+ cache for passwd requests. Note that one entry
|
||||
+ in fast in-memory cache can occupy more than one slot.
|
||||
+ Setting the size to 0 will disable the passwd in-memory
|
||||
+ cache.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: 200000
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ WARNING: Disabled or too small in-memory cache can
|
||||
+ have significant negative impact on SSSD's
|
||||
+ performance.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ NOTE: If the environment variable
|
||||
+ SSS_NSS_USE_MEMCACHE is set to "NO", client
|
||||
+ applications will not use the fast in-memory
|
||||
+ cache.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>memcache_size_group (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Number of slots allocated inside fast in-memory
|
||||
+ cache for group requests. Note that one entry
|
||||
+ in fast in-memory cache can occupy more than one
|
||||
+ slot. Setting the size to 0 will disable the group
|
||||
+ in-memory cache.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: 150000
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ WARNING: Disabled or too small in-memory cache can
|
||||
+ have significant negative impact on SSSD's
|
||||
+ performance.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ NOTE: If the environment variable
|
||||
+ SSS_NSS_USE_MEMCACHE is set to "NO", client
|
||||
+ applications will not use the fast in-memory
|
||||
+ cache.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>memcache_size_initgroups (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Number of slots allocated inside fast in-memory
|
||||
+ cache for initgroups requests. Note that one entry
|
||||
+ in fast in-memory cache can occupy more than one
|
||||
+ slot. Setting the size to 0 will disable the
|
||||
+ initgroups in-memory cache.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: 250000
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ WARNING: Disabled or too small in-memory cache can
|
||||
+ have significant negative impact on SSSD's
|
||||
+ performance.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ NOTE: If the environment variable
|
||||
+ SSS_NSS_USE_MEMCACHE is set to "NO", client
|
||||
+ applications will not use the fast in-memory
|
||||
+ cache.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
<varlistentry>
|
||||
<term>user_attributes (string)</term>
|
||||
<listitem>
|
||||
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
|
||||
index 21d93ae77..0a201d3ae 100644
|
||||
--- a/src/responder/nss/nsssrv.c
|
||||
+++ b/src/responder/nss/nsssrv.c
|
||||
@@ -209,13 +209,16 @@ done:
|
||||
|
||||
static int setup_memcaches(struct nss_ctx *nctx)
|
||||
{
|
||||
- /* TODO: read cache sizes from configuration */
|
||||
+ /* Default memcache sizes */
|
||||
static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */
|
||||
static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */
|
||||
static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */
|
||||
|
||||
int ret;
|
||||
int memcache_timeout;
|
||||
+ int mc_size_passwd;
|
||||
+ int mc_size_group;
|
||||
+ int mc_size_initgroups;
|
||||
|
||||
/* Remove the CLEAR_MC_FLAG file if exists. */
|
||||
ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG);
|
||||
@@ -243,34 +246,77 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
- ret = sss_mmap_cache_init(nctx, "passwd",
|
||||
- nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_PASSWD,
|
||||
- SSS_MC_CACHE_PASSWD_SLOTS,
|
||||
- (time_t)memcache_timeout,
|
||||
- &nctx->pwd_mc_ctx);
|
||||
- if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
|
||||
- }
|
||||
-
|
||||
- ret = sss_mmap_cache_init(nctx, "group",
|
||||
- nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_GROUP,
|
||||
- SSS_MC_CACHE_GROUP_SLOTS,
|
||||
- (time_t)memcache_timeout,
|
||||
- &nctx->grp_mc_ctx);
|
||||
- if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
|
||||
- }
|
||||
-
|
||||
- ret = sss_mmap_cache_init(nctx, "initgroups",
|
||||
- nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_INITGROUPS,
|
||||
- SSS_MC_CACHE_INITGROUP_SLOTS,
|
||||
- (time_t)memcache_timeout,
|
||||
- &nctx->initgr_mc_ctx);
|
||||
- if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
|
||||
+ /* Get all memcache sizes from confdb (pwd, grp, initgr) */
|
||||
+
|
||||
+ ret = confdb_get_int(nctx->rctx->cdb,
|
||||
+ CONFDB_NSS_CONF_ENTRY,
|
||||
+ CONFDB_NSS_MEMCACHE_SIZE_PASSWD,
|
||||
+ SSS_MC_CACHE_PASSWD_SLOTS,
|
||||
+ &mc_size_passwd);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Failed to get 'memcache_size_passwd' option from confdb.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_get_int(nctx->rctx->cdb,
|
||||
+ CONFDB_NSS_CONF_ENTRY,
|
||||
+ CONFDB_NSS_MEMCACHE_SIZE_GROUP,
|
||||
+ SSS_MC_CACHE_GROUP_SLOTS,
|
||||
+ &mc_size_group);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Failed to get 'memcache_size_group' option from confdb.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_get_int(nctx->rctx->cdb,
|
||||
+ CONFDB_NSS_CONF_ENTRY,
|
||||
+ CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS,
|
||||
+ SSS_MC_CACHE_INITGROUP_SLOTS,
|
||||
+ &mc_size_initgroups);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Failed to get 'memcache_size_nitgroups' option from confdb.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ /* Initialize the fast in-memory caches if they were not disabled */
|
||||
+
|
||||
+ if (mc_size_passwd != 0) {
|
||||
+ ret = sss_mmap_cache_init(nctx, "passwd",
|
||||
+ nctx->mc_uid, nctx->mc_gid,
|
||||
+ SSS_MC_PASSWD,
|
||||
+ mc_size_passwd,
|
||||
+ (time_t)memcache_timeout,
|
||||
+ &nctx->pwd_mc_ctx);
|
||||
+ if (ret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (mc_size_group != 0) {
|
||||
+ ret = sss_mmap_cache_init(nctx, "group",
|
||||
+ nctx->mc_uid, nctx->mc_gid,
|
||||
+ SSS_MC_GROUP,
|
||||
+ mc_size_group,
|
||||
+ (time_t)memcache_timeout,
|
||||
+ &nctx->grp_mc_ctx);
|
||||
+ if (ret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (mc_size_initgroups != 0) {
|
||||
+ ret = sss_mmap_cache_init(nctx, "initgroups",
|
||||
+ nctx->mc_uid, nctx->mc_gid,
|
||||
+ SSS_MC_INITGROUPS,
|
||||
+ mc_size_initgroups,
|
||||
+ (time_t)memcache_timeout,
|
||||
+ &nctx->initgr_mc_ctx);
|
||||
+ if (ret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
|
||||
+ }
|
||||
}
|
||||
|
||||
return EOK;
|
||||
diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py
|
||||
index 322f76fe0..6ed696e00 100644
|
||||
--- a/src/tests/intg/test_memory_cache.py
|
||||
+++ b/src/tests/intg/test_memory_cache.py
|
||||
@@ -135,6 +135,112 @@ def load_data_to_ldap(request, ldap_conn):
|
||||
create_ldap_fixture(request, ldap_conn, ent_list)
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def disable_memcache_rfc2307(request, ldap_conn):
|
||||
+ load_data_to_ldap(request, ldap_conn)
|
||||
+
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ domains = LDAP
|
||||
+ services = nss
|
||||
+
|
||||
+ [nss]
|
||||
+ memcache_size_group = 0
|
||||
+ memcache_size_passwd = 0
|
||||
+ memcache_size_initgroups = 0
|
||||
+
|
||||
+ [domain/LDAP]
|
||||
+ ldap_auth_disable_tls_never_use_in_production = true
|
||||
+ ldap_schema = rfc2307
|
||||
+ id_provider = ldap
|
||||
+ auth_provider = ldap
|
||||
+ sudo_provider = ldap
|
||||
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
|
||||
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def disable_pwd_mc_rfc2307(request, ldap_conn):
|
||||
+ load_data_to_ldap(request, ldap_conn)
|
||||
+
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ domains = LDAP
|
||||
+ services = nss
|
||||
+
|
||||
+ [nss]
|
||||
+ memcache_size_passwd = 0
|
||||
+
|
||||
+ [domain/LDAP]
|
||||
+ ldap_auth_disable_tls_never_use_in_production = true
|
||||
+ ldap_schema = rfc2307
|
||||
+ id_provider = ldap
|
||||
+ auth_provider = ldap
|
||||
+ sudo_provider = ldap
|
||||
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
|
||||
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def disable_grp_mc_rfc2307(request, ldap_conn):
|
||||
+ load_data_to_ldap(request, ldap_conn)
|
||||
+
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ domains = LDAP
|
||||
+ services = nss
|
||||
+
|
||||
+ [nss]
|
||||
+ memcache_size_group = 0
|
||||
+
|
||||
+ [domain/LDAP]
|
||||
+ ldap_auth_disable_tls_never_use_in_production = true
|
||||
+ ldap_schema = rfc2307
|
||||
+ id_provider = ldap
|
||||
+ auth_provider = ldap
|
||||
+ sudo_provider = ldap
|
||||
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
|
||||
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def disable_initgr_mc_rfc2307(request, ldap_conn):
|
||||
+ load_data_to_ldap(request, ldap_conn)
|
||||
+
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ domains = LDAP
|
||||
+ services = nss
|
||||
+
|
||||
+ [nss]
|
||||
+ memcache_size_initgroups = 0
|
||||
+
|
||||
+ [domain/LDAP]
|
||||
+ ldap_auth_disable_tls_never_use_in_production = true
|
||||
+ ldap_schema = rfc2307
|
||||
+ id_provider = ldap
|
||||
+ auth_provider = ldap
|
||||
+ sudo_provider = ldap
|
||||
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
|
||||
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def sanity_rfc2307(request, ldap_conn):
|
||||
load_data_to_ldap(request, ldap_conn)
|
||||
@@ -354,6 +460,19 @@ def test_getgrnam_simple_with_mc(ldap_conn, sanity_rfc2307):
|
||||
test_getgrnam_simple(ldap_conn, sanity_rfc2307)
|
||||
|
||||
|
||||
+def test_getgrnam_simple_disabled_pwd_mc(ldap_conn, disable_pwd_mc_rfc2307):
|
||||
+ test_getgrnam_simple(ldap_conn, disable_pwd_mc_rfc2307)
|
||||
+ stop_sssd()
|
||||
+ test_getgrnam_simple(ldap_conn, disable_pwd_mc_rfc2307)
|
||||
+
|
||||
+
|
||||
+def test_getgrnam_simple_disabled_intitgr_mc(ldap_conn,
|
||||
+ disable_initgr_mc_rfc2307):
|
||||
+ test_getgrnam_simple(ldap_conn, disable_initgr_mc_rfc2307)
|
||||
+ stop_sssd()
|
||||
+ test_getgrnam_simple(ldap_conn, disable_initgr_mc_rfc2307)
|
||||
+
|
||||
+
|
||||
def test_getgrnam_membership(ldap_conn, sanity_rfc2307):
|
||||
ent.assert_group_by_name(
|
||||
"group1",
|
||||
@@ -919,3 +1038,120 @@ def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307):
|
||||
grp.getgrnam('group1')
|
||||
with pytest.raises(KeyError):
|
||||
grp.getgrgid(2001)
|
||||
+
|
||||
+
|
||||
+def test_disabled_mc(ldap_conn, disable_memcache_rfc2307):
|
||||
+ ent.assert_passwd_by_name(
|
||||
+ 'user1',
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+ ent.assert_passwd_by_uid(
|
||||
+ 1001,
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+
|
||||
+ ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
|
||||
+ ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
|
||||
+
|
||||
+ assert_user_gids_equal('user1', [2000, 2001])
|
||||
+
|
||||
+ stop_sssd()
|
||||
+
|
||||
+ # sssd is stopped and the memory cache is disabled;
|
||||
+ # so pytest should not be able to find anything
|
||||
+ with pytest.raises(KeyError):
|
||||
+ pwd.getpwnam('user1')
|
||||
+ with pytest.raises(KeyError):
|
||||
+ pwd.getpwuid(1001)
|
||||
+
|
||||
+ with pytest.raises(KeyError):
|
||||
+ grp.getgrnam('group1')
|
||||
+ with pytest.raises(KeyError):
|
||||
+ grp.getgrgid(2001)
|
||||
+
|
||||
+ with pytest.raises(KeyError):
|
||||
+ (res, errno, gids) = sssd_id.get_user_gids('user1')
|
||||
+
|
||||
+
|
||||
+def test_disabled_passwd_mc(ldap_conn, disable_pwd_mc_rfc2307):
|
||||
+ ent.assert_passwd_by_name(
|
||||
+ 'user1',
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+ ent.assert_passwd_by_uid(
|
||||
+ 1001,
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+
|
||||
+ assert_user_gids_equal('user1', [2000, 2001])
|
||||
+
|
||||
+ stop_sssd()
|
||||
+
|
||||
+ # passwd cache is disabled
|
||||
+ with pytest.raises(KeyError):
|
||||
+ pwd.getpwnam('user1')
|
||||
+ with pytest.raises(KeyError):
|
||||
+ pwd.getpwuid(1001)
|
||||
+
|
||||
+ # Initgroups looks up the user first, hence KeyError from the
|
||||
+ # passwd database even if the initgroups cache is active.
|
||||
+ with pytest.raises(KeyError):
|
||||
+ (res, errno, gids) = sssd_id.get_user_gids('user1')
|
||||
+
|
||||
+
|
||||
+def test_disabled_group_mc(ldap_conn, disable_grp_mc_rfc2307):
|
||||
+ ent.assert_passwd_by_name(
|
||||
+ 'user1',
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+ ent.assert_passwd_by_uid(
|
||||
+ 1001,
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+
|
||||
+ ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
|
||||
+ ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
|
||||
+
|
||||
+ assert_user_gids_equal('user1', [2000, 2001])
|
||||
+
|
||||
+ stop_sssd()
|
||||
+
|
||||
+ # group cache is disabled, other caches should work
|
||||
+ ent.assert_passwd_by_name(
|
||||
+ 'user1',
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+ ent.assert_passwd_by_uid(
|
||||
+ 1001,
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+
|
||||
+ with pytest.raises(KeyError):
|
||||
+ grp.getgrnam('group1')
|
||||
+ with pytest.raises(KeyError):
|
||||
+ grp.getgrgid(2001)
|
||||
+
|
||||
+ assert_user_gids_equal('user1', [2000, 2001])
|
||||
+
|
||||
+
|
||||
+def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307):
|
||||
+ # Even if initgroups is disabled, passwd should work
|
||||
+ ent.assert_passwd_by_name(
|
||||
+ 'user1',
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+ ent.assert_passwd_by_uid(
|
||||
+ 1001,
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+
|
||||
+ stop_sssd()
|
||||
+
|
||||
+ ent.assert_passwd_by_name(
|
||||
+ 'user1',
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
+ ent.assert_passwd_by_uid(
|
||||
+ 1001,
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
||||
+ gecos='1001', shell='/bin/bash'))
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,83 +0,0 @@
|
|||
From e12340e7d9efe5f272e58d69333c1c09c3bcc44d Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 4 Mar 2020 21:09:33 +0100
|
||||
Subject: [PATCH 30/35] NSS: avoid excessive log messages
|
||||
|
||||
- do not log error message if mem-cache was disabled explicitly
|
||||
- increase message severity in case of fail to store entry in mem-cache
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/responder/nss/nss_protocol_grent.c | 12 +++++++-----
|
||||
src/responder/nss/nss_protocol_pwent.c | 7 ++++---
|
||||
2 files changed, 11 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
|
||||
index 2f6d869ef..8f1d3fe81 100644
|
||||
--- a/src/responder/nss/nss_protocol_grent.c
|
||||
+++ b/src/responder/nss/nss_protocol_grent.c
|
||||
@@ -292,16 +292,17 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
|
||||
num_results++;
|
||||
|
||||
/* Do not store entry in memory cache during enumeration or when
|
||||
- * requested. */
|
||||
+ * requested or if cache explicitly disabled. */
|
||||
if (!cmd_ctx->enumeration
|
||||
- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) {
|
||||
+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0)
|
||||
+ && (nss_ctx->grp_mc_ctx != NULL)) {
|
||||
members = (char *)&body[rp_members];
|
||||
members_size = body_len - rp_members;
|
||||
ret = sss_mmap_cache_gr_store(&nss_ctx->grp_mc_ctx, name, &pwfield,
|
||||
gid, num_members, members,
|
||||
members_size);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to store group %s (%s) in mem-cache [%d]: %s!\n",
|
||||
name->str, result->domain->name, ret, sss_strerror(ret));
|
||||
}
|
||||
@@ -423,7 +424,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
||||
}
|
||||
|
||||
if (nss_ctx->initgr_mc_ctx
|
||||
- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) {
|
||||
+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0)
|
||||
+ && (nss_ctx->initgr_mc_ctx != NULL)) {
|
||||
to_sized_string(&rawname, cmd_ctx->rawname);
|
||||
to_sized_string(&unique_name, result->lookup_name);
|
||||
|
||||
@@ -431,7 +433,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
||||
&unique_name, num_results,
|
||||
body + 2 * sizeof(uint32_t));
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to store initgroups %s (%s) in mem-cache [%d]: %s!\n",
|
||||
rawname.str, domain->name, ret, sss_strerror(ret));
|
||||
sss_packet_set_size(packet, 0);
|
||||
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
|
||||
index 31fd01698..f9f3f0cf0 100644
|
||||
--- a/src/responder/nss/nss_protocol_pwent.c
|
||||
+++ b/src/responder/nss/nss_protocol_pwent.c
|
||||
@@ -301,13 +301,14 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
|
||||
num_results++;
|
||||
|
||||
/* Do not store entry in memory cache during enumeration or when
|
||||
- * requested. */
|
||||
+ * requested or if cache explicitly disabled. */
|
||||
if (!cmd_ctx->enumeration
|
||||
- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) {
|
||||
+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0)
|
||||
+ && (nss_ctx->pwd_mc_ctx != NULL)) {
|
||||
ret = sss_mmap_cache_pw_store(&nss_ctx->pwd_mc_ctx, name, &pwfield,
|
||||
uid, gid, &gecos, &homedir, &shell);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to store user %s (%s) in mmap cache [%d]: %s!\n",
|
||||
name->str, result->domain->name, ret, sss_strerror(ret));
|
||||
}
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,101 +0,0 @@
|
|||
From be8052bbb61c572702fe16e2850539f445dcc0e2 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 4 Mar 2020 22:13:52 +0100
|
||||
Subject: [PATCH 31/35] NSS: enhanced debug during mem-cache initialization
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/responder/nss/nsssrv.c | 39 ++++++++++++++++++++++++++++++++------
|
||||
1 file changed, 33 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
|
||||
index 0a201d3ae..42a63d9bb 100644
|
||||
--- a/src/responder/nss/nsssrv.c
|
||||
+++ b/src/responder/nss/nsssrv.c
|
||||
@@ -255,7 +255,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
&mc_size_passwd);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Failed to get 'memcache_size_passwd' option from confdb.\n");
|
||||
+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_PASSWD
|
||||
+ "' option from confdb.\n");
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -266,7 +267,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
&mc_size_group);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Failed to get 'memcache_size_group' option from confdb.\n");
|
||||
+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_GROUP
|
||||
+ "' option from confdb.\n");
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -277,7 +279,8 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
&mc_size_initgroups);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Failed to get 'memcache_size_nitgroups' option from confdb.\n");
|
||||
+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS
|
||||
+ "' option from confdb.\n");
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -291,8 +294,16 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
(time_t)memcache_timeout,
|
||||
&nctx->pwd_mc_ctx);
|
||||
if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize passwd mmap cache: '%s'\n",
|
||||
+ sss_strerror(ret));
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "Passwd mmap cache size is %d\n",
|
||||
+ mc_size_passwd);
|
||||
}
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Passwd mmap cache is explicitly DISABLED\n");
|
||||
}
|
||||
|
||||
if (mc_size_group != 0) {
|
||||
@@ -303,8 +314,16 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
(time_t)memcache_timeout,
|
||||
&nctx->grp_mc_ctx);
|
||||
if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize group mmap cache: '%s'\n",
|
||||
+ sss_strerror(ret));
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "Group mmap cache size is %d\n",
|
||||
+ mc_size_group);
|
||||
}
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Group mmap cache is explicitly DISABLED\n");
|
||||
}
|
||||
|
||||
if (mc_size_initgroups != 0) {
|
||||
@@ -315,8 +334,16 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
(time_t)memcache_timeout,
|
||||
&nctx->initgr_mc_ctx);
|
||||
if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize initgroups mmap cache: '%s'\n",
|
||||
+ sss_strerror(ret));
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "Initgroups mmap cache size is %d\n",
|
||||
+ mc_size_initgroups);
|
||||
}
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Initgroups mmap cache is explicitly DISABLED\n");
|
||||
}
|
||||
|
||||
return EOK;
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
From 2ad4aa8f265e02d01f77e5d29d8377d849c78d11 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 4 Mar 2020 22:33:17 +0100
|
||||
Subject: [PATCH 32/35] mem-cache: added log message in case cache is full
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/responder/nss/nsssrv_mmap_cache.c | 22 ++++++++++++++++++++++
|
||||
1 file changed, 22 insertions(+)
|
||||
|
||||
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
index 5e23bbe6f..23df164da 100644
|
||||
--- a/src/responder/nss/nsssrv_mmap_cache.c
|
||||
+++ b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
@@ -371,6 +371,20 @@ static bool sss_mc_is_valid_rec(struct sss_mc_ctx *mcc, struct sss_mc_rec *rec)
|
||||
return true;
|
||||
}
|
||||
|
||||
+static const char *mc_type_to_str(enum sss_mc_type type)
|
||||
+{
|
||||
+ switch (type) {
|
||||
+ case SSS_MC_PASSWD:
|
||||
+ return "PASSWD";
|
||||
+ case SSS_MC_GROUP:
|
||||
+ return "GROUP";
|
||||
+ case SSS_MC_INITGROUPS:
|
||||
+ return "INITGROUPS";
|
||||
+ default:
|
||||
+ return "-UNKNOWN-";
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* FIXME: This is a very simplistic, inefficient, memory allocator,
|
||||
* it will just free the oldest entries regardless of expiration if it
|
||||
* cycled the whole free bits map and found no empty slot */
|
||||
@@ -438,6 +452,14 @@ static errno_t sss_mc_find_free_slots(struct sss_mc_ctx *mcc,
|
||||
} else {
|
||||
cur = mcc->next_slot;
|
||||
}
|
||||
+ if (cur == 0) {
|
||||
+ /* inform only once per full loop to avoid excessive spam */
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO, "mmap cache of type '%s' is full\n",
|
||||
+ mc_type_to_str(mcc->type));
|
||||
+ sss_log(SSS_LOG_NOTICE, "mmap cache of type '%s' is full, if you see "
|
||||
+ "this message often then please consider increase of cache size",
|
||||
+ mc_type_to_str(mcc->type));
|
||||
+ }
|
||||
for (i = 0; i < num_slots; i++) {
|
||||
MC_PROBE_BIT(mcc->free_table, cur + i, used);
|
||||
if (used) {
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,189 +0,0 @@
|
|||
From b7f31936e21b109b5446c48513619cd87974be54 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 31 Mar 2020 22:57:25 +0200
|
||||
Subject: [PATCH 33/35] NSS: make memcache size configurable in megabytes
|
||||
|
||||
Memcache size was made configurable in megabytes and not in slots
|
||||
to hide internal implementation from users.
|
||||
|
||||
Relates: https://github.com/SSSD/sssd/issues/5115
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/config/SSSDConfig/sssdoptions.py | 6 ++---
|
||||
src/man/sssd.conf.5.xml | 33 +++++++++++++---------------
|
||||
src/responder/nss/nsssrv.c | 20 +++++++++--------
|
||||
3 files changed, 29 insertions(+), 30 deletions(-)
|
||||
|
||||
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
|
||||
index 16d85cfa3..f57ad4b41 100644
|
||||
--- a/src/config/SSSDConfig/sssdoptions.py
|
||||
+++ b/src/config/SSSDConfig/sssdoptions.py
|
||||
@@ -72,9 +72,9 @@ class SSSDOptions(object):
|
||||
'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
|
||||
'default_shell': _('Shell to use if the provider does not list one'),
|
||||
'memcache_timeout': _('How long will be in-memory cache records valid'),
|
||||
- 'memcache_size_passwd': _('Number of slots in fast in-memory cache for passwd requests'),
|
||||
- 'memcache_size_group': _('Number of slots in fast in-memory cache for group requests'),
|
||||
- 'memcache_size_initgroups': _('Number of slots in fast in-memory cache for initgroups requests'),
|
||||
+ 'memcache_size_passwd': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for passwd requests'),
|
||||
+ 'memcache_size_group': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for group requests'),
|
||||
+ 'memcache_size_initgroups': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for initgroups requests'),
|
||||
'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
|
||||
'if the template contains the format string %H.'),
|
||||
'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 9bc2e26e5..874a09c49 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -1076,7 +1076,7 @@ fallback_homedir = /home/%u
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
- <term>memcache_timeout (int)</term>
|
||||
+ <term>memcache_timeout (integer)</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies time in seconds for which records
|
||||
@@ -1104,14 +1104,13 @@ fallback_homedir = /home/%u
|
||||
<term>memcache_size_passwd (integer)</term>
|
||||
<listitem>
|
||||
<para>
|
||||
- Number of slots allocated inside fast in-memory
|
||||
- cache for passwd requests. Note that one entry
|
||||
- in fast in-memory cache can occupy more than one slot.
|
||||
- Setting the size to 0 will disable the passwd in-memory
|
||||
- cache.
|
||||
+ Size (in megabytes) of the data table allocated inside
|
||||
+ fast in-memory cache for passwd requests.
|
||||
+ Setting the size to 0 will disable the passwd
|
||||
+ in-memory cache.
|
||||
</para>
|
||||
<para>
|
||||
- Default: 200000
|
||||
+ Default: 8
|
||||
</para>
|
||||
<para>
|
||||
WARNING: Disabled or too small in-memory cache can
|
||||
@@ -1130,14 +1129,13 @@ fallback_homedir = /home/%u
|
||||
<term>memcache_size_group (integer)</term>
|
||||
<listitem>
|
||||
<para>
|
||||
- Number of slots allocated inside fast in-memory
|
||||
- cache for group requests. Note that one entry
|
||||
- in fast in-memory cache can occupy more than one
|
||||
- slot. Setting the size to 0 will disable the group
|
||||
+ Size (in megabytes) of the data table allocated inside
|
||||
+ fast in-memory cache for group requests.
|
||||
+ Setting the size to 0 will disable the group
|
||||
in-memory cache.
|
||||
</para>
|
||||
<para>
|
||||
- Default: 150000
|
||||
+ Default: 6
|
||||
</para>
|
||||
<para>
|
||||
WARNING: Disabled or too small in-memory cache can
|
||||
@@ -1156,14 +1154,13 @@ fallback_homedir = /home/%u
|
||||
<term>memcache_size_initgroups (integer)</term>
|
||||
<listitem>
|
||||
<para>
|
||||
- Number of slots allocated inside fast in-memory
|
||||
- cache for initgroups requests. Note that one entry
|
||||
- in fast in-memory cache can occupy more than one
|
||||
- slot. Setting the size to 0 will disable the
|
||||
- initgroups in-memory cache.
|
||||
+ Size (in megabytes) of the data table allocated inside
|
||||
+ fast in-memory cache for initgroups requests.
|
||||
+ Setting the size to 0 will disable the initgroups
|
||||
+ in-memory cache.
|
||||
</para>
|
||||
<para>
|
||||
- Default: 250000
|
||||
+ Default: 10
|
||||
</para>
|
||||
<para>
|
||||
WARNING: Disabled or too small in-memory cache can
|
||||
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
|
||||
index 42a63d9bb..741e94aaa 100644
|
||||
--- a/src/responder/nss/nsssrv.c
|
||||
+++ b/src/responder/nss/nsssrv.c
|
||||
@@ -34,6 +34,7 @@
|
||||
|
||||
#include "util/util.h"
|
||||
#include "util/sss_ptr_hash.h"
|
||||
+#include "util/mmap_cache.h"
|
||||
#include "responder/nss/nss_private.h"
|
||||
#include "responder/nss/nss_iface.h"
|
||||
#include "responder/nss/nsssrv_mmap_cache.h"
|
||||
@@ -210,9 +211,10 @@ done:
|
||||
static int setup_memcaches(struct nss_ctx *nctx)
|
||||
{
|
||||
/* Default memcache sizes */
|
||||
- static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */
|
||||
- static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */
|
||||
- static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */
|
||||
+ static const size_t SSS_MC_CACHE_SLOTS_PER_MB = 1024*1024/MC_SLOT_SIZE;
|
||||
+ static const size_t SSS_MC_CACHE_PASSWD_SIZE = 8;
|
||||
+ static const size_t SSS_MC_CACHE_GROUP_SIZE = 6;
|
||||
+ static const size_t SSS_MC_CACHE_INITGROUP_SIZE = 10;
|
||||
|
||||
int ret;
|
||||
int memcache_timeout;
|
||||
@@ -251,7 +253,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
ret = confdb_get_int(nctx->rctx->cdb,
|
||||
CONFDB_NSS_CONF_ENTRY,
|
||||
CONFDB_NSS_MEMCACHE_SIZE_PASSWD,
|
||||
- SSS_MC_CACHE_PASSWD_SLOTS,
|
||||
+ SSS_MC_CACHE_PASSWD_SIZE,
|
||||
&mc_size_passwd);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
@@ -263,7 +265,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
ret = confdb_get_int(nctx->rctx->cdb,
|
||||
CONFDB_NSS_CONF_ENTRY,
|
||||
CONFDB_NSS_MEMCACHE_SIZE_GROUP,
|
||||
- SSS_MC_CACHE_GROUP_SLOTS,
|
||||
+ SSS_MC_CACHE_GROUP_SIZE,
|
||||
&mc_size_group);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
@@ -275,7 +277,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
ret = confdb_get_int(nctx->rctx->cdb,
|
||||
CONFDB_NSS_CONF_ENTRY,
|
||||
CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS,
|
||||
- SSS_MC_CACHE_INITGROUP_SLOTS,
|
||||
+ SSS_MC_CACHE_INITGROUP_SIZE,
|
||||
&mc_size_initgroups);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
@@ -290,7 +292,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
ret = sss_mmap_cache_init(nctx, "passwd",
|
||||
nctx->mc_uid, nctx->mc_gid,
|
||||
SSS_MC_PASSWD,
|
||||
- mc_size_passwd,
|
||||
+ mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
(time_t)memcache_timeout,
|
||||
&nctx->pwd_mc_ctx);
|
||||
if (ret) {
|
||||
@@ -310,7 +312,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
ret = sss_mmap_cache_init(nctx, "group",
|
||||
nctx->mc_uid, nctx->mc_gid,
|
||||
SSS_MC_GROUP,
|
||||
- mc_size_group,
|
||||
+ mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
(time_t)memcache_timeout,
|
||||
&nctx->grp_mc_ctx);
|
||||
if (ret) {
|
||||
@@ -330,7 +332,7 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
ret = sss_mmap_cache_init(nctx, "initgroups",
|
||||
nctx->mc_uid, nctx->mc_gid,
|
||||
SSS_MC_INITGROUPS,
|
||||
- mc_size_initgroups,
|
||||
+ mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
(time_t)memcache_timeout,
|
||||
&nctx->initgr_mc_ctx);
|
||||
if (ret) {
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
From b96b05bc40757b26f177e4093d7f4f5b96a0f7d0 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 3 Jul 2020 18:45:11 +0200
|
||||
Subject: [PATCH 34/35] mem-cache: comment added
|
||||
|
||||
Added comment explaining usage of `mcc->next_slot`
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/responder/nss/nsssrv_mmap_cache.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
index 23df164da..71919e4ac 100644
|
||||
--- a/src/responder/nss/nsssrv_mmap_cache.c
|
||||
+++ b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
@@ -65,7 +65,7 @@ struct sss_mc_ctx {
|
||||
|
||||
uint8_t *free_table; /* free list bitmaps */
|
||||
uint32_t ft_size; /* size of free table */
|
||||
- uint32_t next_slot; /* the next slot after last allocation */
|
||||
+ uint32_t next_slot; /* the next slot after last allocation done via erasure */
|
||||
|
||||
uint8_t *data_table; /* data table address (in mmap) */
|
||||
uint32_t dt_size; /* size of data table */
|
||||
@@ -442,6 +442,9 @@ static errno_t sss_mc_find_free_slots(struct sss_mc_ctx *mcc,
|
||||
if (cur == t) {
|
||||
/* ok found num_slots consecutive free bits */
|
||||
*free_slot = cur - num_slots;
|
||||
+ /* `mcc->next_slot` is not updated here intentionally.
|
||||
+ * For details see discussion in https://github.com/SSSD/sssd/pull/999
|
||||
+ */
|
||||
return EOK;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,262 +0,0 @@
|
|||
From 484507bf20d27afd700d52c67651e6f08d1da1a3 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 11:34:12 +0200
|
||||
Subject: [PATCH 35/35] mem-cache: always cleanup old content
|
||||
|
||||
(Try to) cleanup old files even if currently mem-cache is disabled.
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/responder/nss/nsssrv.c | 98 ++++++++++-----------------
|
||||
src/responder/nss/nsssrv_mmap_cache.c | 74 ++++++++++++--------
|
||||
2 files changed, 79 insertions(+), 93 deletions(-)
|
||||
|
||||
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
|
||||
index 741e94aaa..ffb1ca29d 100644
|
||||
--- a/src/responder/nss/nsssrv.c
|
||||
+++ b/src/responder/nss/nsssrv.c
|
||||
@@ -242,12 +242,6 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
- if (memcache_timeout == 0) {
|
||||
- DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
- "Fast in-memory cache will not be initialized.");
|
||||
- return EOK;
|
||||
- }
|
||||
-
|
||||
/* Get all memcache sizes from confdb (pwd, grp, initgr) */
|
||||
|
||||
ret = confdb_get_int(nctx->rctx->cdb,
|
||||
@@ -288,64 +282,40 @@ static int setup_memcaches(struct nss_ctx *nctx)
|
||||
|
||||
/* Initialize the fast in-memory caches if they were not disabled */
|
||||
|
||||
- if (mc_size_passwd != 0) {
|
||||
- ret = sss_mmap_cache_init(nctx, "passwd",
|
||||
- nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_PASSWD,
|
||||
- mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
- (time_t)memcache_timeout,
|
||||
- &nctx->pwd_mc_ctx);
|
||||
- if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Failed to initialize passwd mmap cache: '%s'\n",
|
||||
- sss_strerror(ret));
|
||||
- } else {
|
||||
- DEBUG(SSSDBG_CONF_SETTINGS, "Passwd mmap cache size is %d\n",
|
||||
- mc_size_passwd);
|
||||
- }
|
||||
- } else {
|
||||
- DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
- "Passwd mmap cache is explicitly DISABLED\n");
|
||||
- }
|
||||
-
|
||||
- if (mc_size_group != 0) {
|
||||
- ret = sss_mmap_cache_init(nctx, "group",
|
||||
- nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_GROUP,
|
||||
- mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
- (time_t)memcache_timeout,
|
||||
- &nctx->grp_mc_ctx);
|
||||
- if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Failed to initialize group mmap cache: '%s'\n",
|
||||
- sss_strerror(ret));
|
||||
- } else {
|
||||
- DEBUG(SSSDBG_CONF_SETTINGS, "Group mmap cache size is %d\n",
|
||||
- mc_size_group);
|
||||
- }
|
||||
- } else {
|
||||
- DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
- "Group mmap cache is explicitly DISABLED\n");
|
||||
- }
|
||||
-
|
||||
- if (mc_size_initgroups != 0) {
|
||||
- ret = sss_mmap_cache_init(nctx, "initgroups",
|
||||
- nctx->mc_uid, nctx->mc_gid,
|
||||
- SSS_MC_INITGROUPS,
|
||||
- mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
- (time_t)memcache_timeout,
|
||||
- &nctx->initgr_mc_ctx);
|
||||
- if (ret) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Failed to initialize initgroups mmap cache: '%s'\n",
|
||||
- sss_strerror(ret));
|
||||
- } else {
|
||||
- DEBUG(SSSDBG_CONF_SETTINGS, "Initgroups mmap cache size is %d\n",
|
||||
- mc_size_initgroups);
|
||||
- }
|
||||
- } else {
|
||||
- DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
- "Initgroups mmap cache is explicitly DISABLED\n");
|
||||
+ ret = sss_mmap_cache_init(nctx, "passwd",
|
||||
+ nctx->mc_uid, nctx->mc_gid,
|
||||
+ SSS_MC_PASSWD,
|
||||
+ mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
+ (time_t)memcache_timeout,
|
||||
+ &nctx->pwd_mc_ctx);
|
||||
+ if (ret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize passwd mmap cache: '%s'\n",
|
||||
+ sss_strerror(ret));
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_mmap_cache_init(nctx, "group",
|
||||
+ nctx->mc_uid, nctx->mc_gid,
|
||||
+ SSS_MC_GROUP,
|
||||
+ mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
+ (time_t)memcache_timeout,
|
||||
+ &nctx->grp_mc_ctx);
|
||||
+ if (ret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize group mmap cache: '%s'\n",
|
||||
+ sss_strerror(ret));
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_mmap_cache_init(nctx, "initgroups",
|
||||
+ nctx->mc_uid, nctx->mc_gid,
|
||||
+ SSS_MC_INITGROUPS,
|
||||
+ mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB,
|
||||
+ (time_t)memcache_timeout,
|
||||
+ &nctx->initgr_mc_ctx);
|
||||
+ if (ret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize initgroups mmap cache: '%s'\n",
|
||||
+ sss_strerror(ret));
|
||||
}
|
||||
|
||||
return EOK;
|
||||
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
index 71919e4ac..f66e76ce4 100644
|
||||
--- a/src/responder/nss/nsssrv_mmap_cache.c
|
||||
+++ b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
@@ -1108,48 +1108,48 @@ static errno_t sss_mc_set_recycled(int fd)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * When we (re)create a new file we must mark the current file as recycled
|
||||
- * so active clients will abandon its use ASAP.
|
||||
- * We unlink the current file and make a new one.
|
||||
- */
|
||||
-static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx)
|
||||
+static void sss_mc_destroy_file(const char *filename)
|
||||
{
|
||||
- mode_t old_mask;
|
||||
+ const useconds_t t = 50000;
|
||||
+ const int retries = 3;
|
||||
int ofd;
|
||||
- int ret, uret;
|
||||
- useconds_t t = 50000;
|
||||
- int retries = 3;
|
||||
+ int ret;
|
||||
|
||||
- ofd = open(mc_ctx->file, O_RDWR);
|
||||
+ ofd = open(filename, O_RDWR);
|
||||
if (ofd != -1) {
|
||||
ret = sss_br_lock_file(ofd, 0, 1, retries, t);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Failed to lock file %s.\n", mc_ctx->file);
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to lock file %s.\n", filename);
|
||||
}
|
||||
ret = sss_mc_set_recycled(ofd);
|
||||
if (ret) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to mark mmap file %s as"
|
||||
- " recycled: %d(%s)\n",
|
||||
- mc_ctx->file, ret, strerror(ret));
|
||||
+ " recycled: %d (%s)\n",
|
||||
+ filename, ret, strerror(ret));
|
||||
}
|
||||
-
|
||||
close(ofd);
|
||||
} else if (errno != ENOENT) {
|
||||
ret = errno;
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Failed to open old memory cache file %s: %d(%s).\n",
|
||||
- mc_ctx->file, ret, strerror(ret));
|
||||
+ "Failed to open old memory cache file %s: %d (%s)\n",
|
||||
+ filename, ret, strerror(ret));
|
||||
}
|
||||
|
||||
errno = 0;
|
||||
- ret = unlink(mc_ctx->file);
|
||||
+ ret = unlink(filename);
|
||||
if (ret == -1 && errno != ENOENT) {
|
||||
ret = errno;
|
||||
- DEBUG(SSSDBG_TRACE_FUNC, "Failed to rm mmap file %s: %d(%s)\n",
|
||||
- mc_ctx->file, ret, strerror(ret));
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Failed to delete mmap file %s: %d (%s)\n",
|
||||
+ filename, ret, strerror(ret));
|
||||
}
|
||||
+}
|
||||
+
|
||||
+static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx)
|
||||
+{
|
||||
+ const useconds_t t = 50000;
|
||||
+ const int retries = 3;
|
||||
+ mode_t old_mask;
|
||||
+ int ret, uret;
|
||||
|
||||
/* temporarily relax umask as we need the file to be readable
|
||||
* by everyone for now */
|
||||
@@ -1276,9 +1276,32 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
|
||||
|
||||
struct sss_mc_ctx *mc_ctx = NULL;
|
||||
int ret, dret;
|
||||
+ char *filename;
|
||||
+
|
||||
+ filename = talloc_asprintf(mem_ctx, "%s/%s", SSS_NSS_MCACHE_DIR, name);
|
||||
+ if (!filename) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ /*
|
||||
+ * First of all mark the current file as recycled
|
||||
+ * and unlink so active clients will abandon its use ASAP
|
||||
+ */
|
||||
+ sss_mc_destroy_file(filename);
|
||||
+
|
||||
+ if ((timeout == 0) || (n_elem == 0)) {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Fast '%s' mmap cache is explicitly DISABLED\n",
|
||||
+ mc_type_to_str(type));
|
||||
+ *mcc = NULL;
|
||||
+ return EOK;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "Fast '%s' mmap cache: timeout = %d, slots = %zu\n",
|
||||
+ mc_type_to_str(type), (int)timeout, n_elem);
|
||||
|
||||
mc_ctx = talloc_zero(mem_ctx, struct sss_mc_ctx);
|
||||
if (!mc_ctx) {
|
||||
+ talloc_free(filename);
|
||||
return ENOMEM;
|
||||
}
|
||||
mc_ctx->fd = -1;
|
||||
@@ -1297,12 +1320,7 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
|
||||
|
||||
mc_ctx->valid_time_slot = timeout;
|
||||
|
||||
- mc_ctx->file = talloc_asprintf(mc_ctx, "%s/%s",
|
||||
- SSS_NSS_MCACHE_DIR, name);
|
||||
- if (!mc_ctx->file) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
+ mc_ctx->file = talloc_steal(mc_ctx, filename);
|
||||
|
||||
/* elements must always be multiple of 8 to make things easier to handle,
|
||||
* so we increase by the necessary amount if they are not a multiple */
|
||||
@@ -1320,8 +1338,6 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
|
||||
MC_ALIGN64(mc_ctx->ht_size);
|
||||
|
||||
|
||||
- /* for now ALWAYS create a new file on restart */
|
||||
-
|
||||
ret = sss_mc_create_file(mc_ctx);
|
||||
if (ret) {
|
||||
goto done;
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
From 72b8e02c77f0b0b7e36663fa3bd3fd6987ea1b80 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Mon, 13 Jul 2020 18:11:40 +0200
|
||||
Subject: [PATCH] sssctl: sssctl config-check alternative snippet dir
|
||||
|
||||
The sssctl config-check now allows to specify not only alternative
|
||||
config file but also snippet dir.
|
||||
|
||||
sssctl config-check -c ./sssd.conf -s /etc/sssd/conf.d
|
||||
|
||||
Configuration snippets are still looked up in the same place under
|
||||
conf.d directory by default. It would be in ./conf.d/ for the example
|
||||
above.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5142
|
||||
|
||||
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||
---
|
||||
src/tools/sssctl/sssctl_config.c | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
|
||||
index de9f3de6e..db4aeeae4 100644
|
||||
--- a/src/tools/sssctl/sssctl_config.c
|
||||
+++ b/src/tools/sssctl/sssctl_config.c
|
||||
@@ -75,6 +75,11 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||
struct poptOption long_options[] = {
|
||||
{"config", 'c', POPT_ARG_STRING, &config_path,
|
||||
0, _("Specify a non-default config file"), NULL},
|
||||
+ {"snippet", 's', POPT_ARG_STRING, &config_snippet_path,
|
||||
+ 0, _("Specify a non-default snippet dir (The default is to look in "
|
||||
+ "the same place where the main config file is located. For "
|
||||
+ "example if the config is set to \"/my/path/sssd.conf\", "
|
||||
+ "the snippet dir \"/my/path/conf.d\" is used)"), NULL},
|
||||
POPT_TABLEEND
|
||||
};
|
||||
|
||||
@@ -92,16 +97,17 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (config_path != NULL) {
|
||||
+ if (config_path == NULL) {
|
||||
+ config_path = SSSD_CONFIG_FILE;
|
||||
+ }
|
||||
+
|
||||
+ if (config_snippet_path == NULL) {
|
||||
config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path);
|
||||
if (config_snippet_path == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n");
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
- } else {
|
||||
- config_path = SSSD_CONFIG_FILE;
|
||||
- config_snippet_path = CONFDB_DEFAULT_CONFIG_DIR;
|
||||
}
|
||||
|
||||
ret = sss_ini_read_sssd_conf(init_data,
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,651 +0,0 @@
|
|||
From a2b9a84460429181f2a4fa7e2bb5ab49fd561274 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 9 Dec 2019 11:31:14 +0100
|
||||
Subject: [PATCH] certmap: sanitize LDAP search filter
|
||||
|
||||
The sss_certmap_get_search_filter() will now sanitize the values read
|
||||
from the certificates before adding them to a search filter. To be able
|
||||
to get the plain values as well sss_certmap_expand_mapping_rule() is
|
||||
added.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5135
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
src/lib/certmap/sss_certmap.c | 42 ++++++++++--
|
||||
src/lib/certmap/sss_certmap.exports | 5 ++
|
||||
src/lib/certmap/sss_certmap.h | 35 ++++++++--
|
||||
src/responder/pam/pamsrv_p11.c | 5 +-
|
||||
src/tests/cmocka/test_certmap.c | 98 +++++++++++++++++++++++++++-
|
||||
src/util/util.c | 94 ---------------------------
|
||||
src/util/util_ext.c | 99 +++++++++++++++++++++++++++++
|
||||
8 files changed, 272 insertions(+), 108 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 059e1eaf6..4bacabdda 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -2163,7 +2163,7 @@ libsss_certmap_la_LIBADD = \
|
||||
$(NULL)
|
||||
libsss_certmap_la_LDFLAGS = \
|
||||
-Wl,--version-script,$(srcdir)/src/lib/certmap/sss_certmap.exports \
|
||||
- -version-info 1:0:1
|
||||
+ -version-info 2:0:2
|
||||
|
||||
if HAVE_NSS
|
||||
libsss_certmap_la_SOURCES += \
|
||||
diff --git a/src/lib/certmap/sss_certmap.c b/src/lib/certmap/sss_certmap.c
|
||||
index 703782b53..f19e57732 100644
|
||||
--- a/src/lib/certmap/sss_certmap.c
|
||||
+++ b/src/lib/certmap/sss_certmap.c
|
||||
@@ -441,10 +441,12 @@ static int expand_san(struct sss_certmap_ctx *ctx,
|
||||
static int expand_template(struct sss_certmap_ctx *ctx,
|
||||
struct parsed_template *parsed_template,
|
||||
struct sss_cert_content *cert_content,
|
||||
+ bool sanitize,
|
||||
char **expanded)
|
||||
{
|
||||
int ret;
|
||||
char *exp = NULL;
|
||||
+ char *exp_sanitized = NULL;
|
||||
|
||||
if (strcmp("issuer_dn", parsed_template->name) == 0) {
|
||||
ret = rdn_list_2_dn_str(ctx, parsed_template->conversion,
|
||||
@@ -455,6 +457,8 @@ static int expand_template(struct sss_certmap_ctx *ctx,
|
||||
} else if (strncmp("subject_", parsed_template->name, 8) == 0) {
|
||||
ret = expand_san(ctx, parsed_template, cert_content->san_list, &exp);
|
||||
} else if (strcmp("cert", parsed_template->name) == 0) {
|
||||
+ /* cert blob is already sanitized */
|
||||
+ sanitize = false;
|
||||
ret = expand_cert(ctx, parsed_template, cert_content, &exp);
|
||||
} else {
|
||||
CM_DEBUG(ctx, "Unsupported template name.");
|
||||
@@ -471,6 +475,16 @@ static int expand_template(struct sss_certmap_ctx *ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (sanitize) {
|
||||
+ ret = sss_filter_sanitize(ctx, exp, &exp_sanitized);
|
||||
+ if (ret != EOK) {
|
||||
+ CM_DEBUG(ctx, "Failed to sanitize expanded template.");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ talloc_free(exp);
|
||||
+ exp = exp_sanitized;
|
||||
+ }
|
||||
+
|
||||
ret = 0;
|
||||
|
||||
done:
|
||||
@@ -485,7 +499,7 @@ done:
|
||||
|
||||
static int get_filter(struct sss_certmap_ctx *ctx,
|
||||
struct ldap_mapping_rule *parsed_mapping_rule,
|
||||
- struct sss_cert_content *cert_content,
|
||||
+ struct sss_cert_content *cert_content, bool sanitize,
|
||||
char **filter)
|
||||
{
|
||||
struct ldap_mapping_rule_comp *comp;
|
||||
@@ -503,7 +517,7 @@ static int get_filter(struct sss_certmap_ctx *ctx,
|
||||
result = talloc_strdup_append(result, comp->val);
|
||||
} else if (comp->type == comp_template) {
|
||||
ret = expand_template(ctx, comp->parsed_template, cert_content,
|
||||
- &expanded);
|
||||
+ sanitize, &expanded);
|
||||
if (ret != 0) {
|
||||
CM_DEBUG(ctx, "Failed to expanded template.");
|
||||
goto done;
|
||||
@@ -791,8 +805,9 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
|
||||
+static int expand_mapping_rule_ex(struct sss_certmap_ctx *ctx,
|
||||
const uint8_t *der_cert, size_t der_size,
|
||||
+ bool sanitize,
|
||||
char **_filter, char ***_domains)
|
||||
{
|
||||
int ret;
|
||||
@@ -819,7 +834,8 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, &filter);
|
||||
+ ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, sanitize,
|
||||
+ &filter);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -829,7 +845,7 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
|
||||
if (ret == 0) {
|
||||
/* match */
|
||||
ret = get_filter(ctx, r->parsed_mapping_rule, cert_content,
|
||||
- &filter);
|
||||
+ sanitize, &filter);
|
||||
if (ret != 0) {
|
||||
CM_DEBUG(ctx, "Failed to get filter");
|
||||
goto done;
|
||||
@@ -873,6 +889,22 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
|
||||
+ const uint8_t *der_cert, size_t der_size,
|
||||
+ char **_filter, char ***_domains)
|
||||
+{
|
||||
+ return expand_mapping_rule_ex(ctx, der_cert, der_size, true,
|
||||
+ _filter, _domains);
|
||||
+}
|
||||
+
|
||||
+int sss_certmap_expand_mapping_rule(struct sss_certmap_ctx *ctx,
|
||||
+ const uint8_t *der_cert, size_t der_size,
|
||||
+ char **_expanded, char ***_domains)
|
||||
+{
|
||||
+ return expand_mapping_rule_ex(ctx, der_cert, der_size, false,
|
||||
+ _expanded, _domains);
|
||||
+}
|
||||
+
|
||||
int sss_certmap_init(TALLOC_CTX *mem_ctx,
|
||||
sss_certmap_ext_debug *debug, void *debug_priv,
|
||||
struct sss_certmap_ctx **ctx)
|
||||
diff --git a/src/lib/certmap/sss_certmap.exports b/src/lib/certmap/sss_certmap.exports
|
||||
index a9e48d6d0..7d7667738 100644
|
||||
--- a/src/lib/certmap/sss_certmap.exports
|
||||
+++ b/src/lib/certmap/sss_certmap.exports
|
||||
@@ -16,3 +16,8 @@ SSS_CERTMAP_0.1 {
|
||||
global:
|
||||
sss_certmap_display_cert_content;
|
||||
} SSS_CERTMAP_0.0;
|
||||
+
|
||||
+SSS_CERTMAP_0.2 {
|
||||
+ global:
|
||||
+ sss_certmap_expand_mapping_rule;
|
||||
+} SSS_CERTMAP_0.1;
|
||||
diff --git a/src/lib/certmap/sss_certmap.h b/src/lib/certmap/sss_certmap.h
|
||||
index 7da2d1c58..058d4f9e4 100644
|
||||
--- a/src/lib/certmap/sss_certmap.h
|
||||
+++ b/src/lib/certmap/sss_certmap.h
|
||||
@@ -103,7 +103,7 @@ int sss_certmap_add_rule(struct sss_certmap_ctx *ctx,
|
||||
*
|
||||
* @param[in] ctx certmap context previously initialized with
|
||||
* @ref sss_certmap_init
|
||||
- * @param[in] der_cert binary blog with the DER encoded certificate
|
||||
+ * @param[in] der_cert binary blob with the DER encoded certificate
|
||||
* @param[in] der_size size of the certificate blob
|
||||
*
|
||||
* @return
|
||||
@@ -119,10 +119,11 @@ int sss_certmap_match_cert(struct sss_certmap_ctx *ctx,
|
||||
*
|
||||
* @param[in] ctx certmap context previously initialized with
|
||||
* @ref sss_certmap_init
|
||||
- * @param[in] der_cert binary blog with the DER encoded certificate
|
||||
+ * @param[in] der_cert binary blob with the DER encoded certificate
|
||||
* @param[in] der_size size of the certificate blob
|
||||
- * @param[out] filter LDAP filter string, caller should free the data by
|
||||
- * calling sss_certmap_free_filter_and_domains
|
||||
+ * @param[out] filter LDAP filter string, expanded templates are sanitized,
|
||||
+ * caller should free the data by calling
|
||||
+ * sss_certmap_free_filter_and_domains
|
||||
* @param[out] domains NULL-terminated array of strings with the domains the
|
||||
* rule applies, caller should free the data by calling
|
||||
* sss_certmap_free_filter_and_domains
|
||||
@@ -136,8 +137,32 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
|
||||
const uint8_t *der_cert, size_t der_size,
|
||||
char **filter, char ***domains);
|
||||
|
||||
+/**
|
||||
+ * @brief Expand the mapping rule by replacing the templates
|
||||
+ *
|
||||
+ * @param[in] ctx certmap context previously initialized with
|
||||
+ * @ref sss_certmap_init
|
||||
+ * @param[in] der_cert binary blob with the DER encoded certificate
|
||||
+ * @param[in] der_size size of the certificate blob
|
||||
+ * @param[out] expanded expanded mapping rule, templates are filled in
|
||||
+ * verbatim in contrast to sss_certmap_get_search_filter,
|
||||
+ * caller should free the data by
|
||||
+ * calling sss_certmap_free_filter_and_domains
|
||||
+ * @param[out] domains NULL-terminated array of strings with the domains the
|
||||
+ * rule applies, caller should free the data by calling
|
||||
+ * sss_certmap_free_filter_and_domains
|
||||
+ *
|
||||
+ * @return
|
||||
+ * - 0: certificate matches a rule
|
||||
+ * - ENOENT: certificate does not match
|
||||
+ * - EINVAL: internal error
|
||||
+ */
|
||||
+int sss_certmap_expand_mapping_rule(struct sss_certmap_ctx *ctx,
|
||||
+ const uint8_t *der_cert, size_t der_size,
|
||||
+ char **_expanded, char ***_domains);
|
||||
/**
|
||||
* @brief Free data returned by @ref sss_certmap_get_search_filter
|
||||
+ * and @ref sss_certmap_expand_mapping_rule
|
||||
*
|
||||
* @param[in] filter LDAP filter strings returned by
|
||||
* sss_certmap_get_search_filter
|
||||
@@ -150,7 +175,7 @@ void sss_certmap_free_filter_and_domains(char *filter, char **domains);
|
||||
* @brief Get a string with the content of the certificate used by the library
|
||||
*
|
||||
* @param[in] mem_ctx Talloc memory context, may be NULL
|
||||
- * @param[in] der_cert binary blog with the DER encoded certificate
|
||||
+ * @param[in] der_cert binary blob with the DER encoded certificate
|
||||
* @param[in] der_size size of the certificate blob
|
||||
* @param[out] desc Multiline string showing the certificate content
|
||||
* which is used by libsss_certmap
|
||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
||||
index 3f0afaeff..cdf239e07 100644
|
||||
--- a/src/responder/pam/pamsrv_p11.c
|
||||
+++ b/src/responder/pam/pamsrv_p11.c
|
||||
@@ -1049,9 +1049,10 @@ static char *get_cert_prompt(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sss_certmap_get_search_filter(ctx, der, der_size, &filter, &domains);
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, der, der_size,
|
||||
+ &filter, &domains);
|
||||
if (ret != 0) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_get_search_filter failed.\n");
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_expand_mapping_rule failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
|
||||
index c882202a0..232ff7878 100644
|
||||
--- a/src/tests/cmocka/test_certmap.c
|
||||
+++ b/src/tests/cmocka/test_certmap.c
|
||||
@@ -1431,6 +1431,15 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
&filter, &domains);
|
||||
assert_int_equal(ret, 0);
|
||||
assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "rule100=<I>CN=Certificate\\20Authority,O=IPA.DEVEL"
|
||||
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
|
||||
+ assert_null(domains);
|
||||
+
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
|
||||
+ sizeof(test_cert_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
assert_string_equal(filter, "rule100=<I>CN=Certificate Authority,O=IPA.DEVEL"
|
||||
"<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
|
||||
assert_null(domains);
|
||||
@@ -1445,6 +1454,17 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
&filter, &domains);
|
||||
assert_int_equal(ret, 0);
|
||||
assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "rule99=<I>CN=Certificate\\20Authority,O=IPA.DEVEL"
|
||||
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
|
||||
+ assert_non_null(domains);
|
||||
+ assert_string_equal(domains[0], "test.dom");
|
||||
+ assert_null(domains[1]);
|
||||
+
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
|
||||
+ sizeof(test_cert_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
assert_string_equal(filter, "rule99=<I>CN=Certificate Authority,O=IPA.DEVEL"
|
||||
"<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
|
||||
assert_non_null(domains);
|
||||
@@ -1466,6 +1486,16 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
assert_string_equal(domains[0], "test.dom");
|
||||
assert_null(domains[1]);
|
||||
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
|
||||
+ sizeof(test_cert_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "rule98=userCertificate;binary=" TEST_CERT_BIN);
|
||||
+ assert_non_null(domains);
|
||||
+ assert_string_equal(domains[0], "test.dom");
|
||||
+ assert_null(domains[1]);
|
||||
+
|
||||
ret = sss_certmap_add_rule(ctx, 97,
|
||||
"KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
|
||||
"LDAP:rule97=<I>{issuer_dn!nss_x500}<S>{subject_dn}",
|
||||
@@ -1476,6 +1506,17 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
&filter, &domains);
|
||||
assert_int_equal(ret, 0);
|
||||
assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "rule97=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
|
||||
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
|
||||
+ assert_non_null(domains);
|
||||
+ assert_string_equal(domains[0], "test.dom");
|
||||
+ assert_null(domains[1]);
|
||||
+
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
|
||||
+ sizeof(test_cert_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
assert_string_equal(filter, "rule97=<I>O=IPA.DEVEL,CN=Certificate Authority"
|
||||
"<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
|
||||
assert_non_null(domains);
|
||||
@@ -1492,6 +1533,17 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
&filter, &domains);
|
||||
assert_int_equal(ret, 0);
|
||||
assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "rule96=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
|
||||
+ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
|
||||
+ assert_non_null(domains);
|
||||
+ assert_string_equal(domains[0], "test.dom");
|
||||
+ assert_null(domains[1]);
|
||||
+
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
|
||||
+ sizeof(test_cert_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
assert_string_equal(filter, "rule96=<I>O=IPA.DEVEL,CN=Certificate Authority"
|
||||
"<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
|
||||
assert_non_null(domains);
|
||||
@@ -1510,6 +1562,14 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")");
|
||||
assert_null(domains);
|
||||
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
|
||||
+ sizeof(test_cert_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")");
|
||||
+ assert_null(domains);
|
||||
+
|
||||
ret = sss_certmap_add_rule(ctx, 94,
|
||||
"KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
|
||||
"LDAP:rule94=<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}",
|
||||
@@ -1520,12 +1580,22 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
&filter, &domains);
|
||||
assert_int_equal(ret, 0);
|
||||
assert_non_null(filter);
|
||||
- assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate Authority"
|
||||
+ assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
|
||||
"<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
|
||||
assert_non_null(domains);
|
||||
assert_string_equal(domains[0], "test.dom");
|
||||
assert_null(domains[1]);
|
||||
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
|
||||
+ sizeof(test_cert_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate Authority"
|
||||
+ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
|
||||
+ assert_non_null(domains);
|
||||
+ assert_string_equal(domains[0], "test.dom");
|
||||
+ assert_null(domains[1]);
|
||||
|
||||
ret = sss_certmap_add_rule(ctx, 89, NULL,
|
||||
"(rule89={subject_nt_principal})",
|
||||
@@ -1539,6 +1609,14 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
assert_string_equal(filter, "(rule89=tu1@ad.devel)");
|
||||
assert_null(domains);
|
||||
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
|
||||
+ sizeof(test_cert2_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "(rule89=tu1@ad.devel)");
|
||||
+ assert_null(domains);
|
||||
+
|
||||
ret = sss_certmap_add_rule(ctx, 88, NULL,
|
||||
"(rule88={subject_nt_principal.short_name})",
|
||||
NULL);
|
||||
@@ -1560,6 +1638,15 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
&filter, &domains);
|
||||
assert_int_equal(ret, 0);
|
||||
assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "rule87=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
|
||||
+ "<S>DC=devel,DC=ad,CN=Users,CN=t\\20u,E=test.user@email.domain");
|
||||
+ assert_null(domains);
|
||||
+
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
|
||||
+ sizeof(test_cert2_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
assert_string_equal(filter, "rule87=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
|
||||
"<S>DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain");
|
||||
assert_null(domains);
|
||||
@@ -1573,6 +1660,15 @@ static void test_sss_certmap_get_search_filter(void **state)
|
||||
&filter, &domains);
|
||||
assert_int_equal(ret, 0);
|
||||
assert_non_null(filter);
|
||||
+ assert_string_equal(filter, "rule86=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
|
||||
+ "<S>DC=devel,DC=ad,CN=Users,CN=t\\20u,E=test.user@email.domain");
|
||||
+ assert_null(domains);
|
||||
+
|
||||
+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
|
||||
+ sizeof(test_cert2_der),
|
||||
+ &filter, &domains);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_non_null(filter);
|
||||
assert_string_equal(filter, "rule86=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
|
||||
"<S>DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain");
|
||||
assert_null(domains);
|
||||
diff --git a/src/util/util.c b/src/util/util.c
|
||||
index d9bd3cb59..19d447328 100644
|
||||
--- a/src/util/util.c
|
||||
+++ b/src/util/util.c
|
||||
@@ -436,100 +436,6 @@ errno_t sss_hash_create(TALLOC_CTX *mem_ctx, unsigned long count,
|
||||
return sss_hash_create_ex(mem_ctx, count, tbl, 0, 0, 0, 0, NULL, NULL);
|
||||
}
|
||||
|
||||
-errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx,
|
||||
- const char *input,
|
||||
- char **sanitized,
|
||||
- const char *ignore)
|
||||
-{
|
||||
- char *output;
|
||||
- size_t i = 0;
|
||||
- size_t j = 0;
|
||||
- char *allowed;
|
||||
-
|
||||
- /* Assume the worst-case. We'll resize it later, once */
|
||||
- output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1);
|
||||
- if (!output) {
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- while (input[i]) {
|
||||
- /* Even though this character might have a special meaning, if it's
|
||||
- * explicitly allowed, just copy it and move on
|
||||
- */
|
||||
- if (ignore == NULL) {
|
||||
- allowed = NULL;
|
||||
- } else {
|
||||
- allowed = strchr(ignore, input[i]);
|
||||
- }
|
||||
- if (allowed) {
|
||||
- output[j++] = input[i++];
|
||||
- continue;
|
||||
- }
|
||||
-
|
||||
- switch(input[i]) {
|
||||
- case '\t':
|
||||
- output[j++] = '\\';
|
||||
- output[j++] = '0';
|
||||
- output[j++] = '9';
|
||||
- break;
|
||||
- case ' ':
|
||||
- output[j++] = '\\';
|
||||
- output[j++] = '2';
|
||||
- output[j++] = '0';
|
||||
- break;
|
||||
- case '*':
|
||||
- output[j++] = '\\';
|
||||
- output[j++] = '2';
|
||||
- output[j++] = 'a';
|
||||
- break;
|
||||
- case '(':
|
||||
- output[j++] = '\\';
|
||||
- output[j++] = '2';
|
||||
- output[j++] = '8';
|
||||
- break;
|
||||
- case ')':
|
||||
- output[j++] = '\\';
|
||||
- output[j++] = '2';
|
||||
- output[j++] = '9';
|
||||
- break;
|
||||
- case '\\':
|
||||
- output[j++] = '\\';
|
||||
- output[j++] = '5';
|
||||
- output[j++] = 'c';
|
||||
- break;
|
||||
- case '\r':
|
||||
- output[j++] = '\\';
|
||||
- output[j++] = '0';
|
||||
- output[j++] = 'd';
|
||||
- break;
|
||||
- case '\n':
|
||||
- output[j++] = '\\';
|
||||
- output[j++] = '0';
|
||||
- output[j++] = 'a';
|
||||
- break;
|
||||
- default:
|
||||
- output[j++] = input[i];
|
||||
- }
|
||||
-
|
||||
- i++;
|
||||
- }
|
||||
- output[j] = '\0';
|
||||
- *sanitized = talloc_realloc(mem_ctx, output, char, j+1);
|
||||
- if (!*sanitized) {
|
||||
- talloc_free(output);
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- return EOK;
|
||||
-}
|
||||
-
|
||||
-errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
|
||||
- const char *input,
|
||||
- char **sanitized)
|
||||
-{
|
||||
- return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
|
||||
-}
|
||||
-
|
||||
char *
|
||||
sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr)
|
||||
{
|
||||
diff --git a/src/util/util_ext.c b/src/util/util_ext.c
|
||||
index 04dc02a8a..a89b60f76 100644
|
||||
--- a/src/util/util_ext.c
|
||||
+++ b/src/util/util_ext.c
|
||||
@@ -29,6 +29,11 @@
|
||||
|
||||
#define EOK 0
|
||||
|
||||
+#ifndef HAVE_ERRNO_T
|
||||
+#define HAVE_ERRNO_T
|
||||
+typedef int errno_t;
|
||||
+#endif
|
||||
+
|
||||
int split_on_separator(TALLOC_CTX *mem_ctx, const char *str,
|
||||
const char sep, bool trim, bool skip_empty,
|
||||
char ***_list, int *size)
|
||||
@@ -141,3 +146,97 @@ bool string_in_list(const char *string, char **list, bool case_sensitive)
|
||||
|
||||
return false;
|
||||
}
|
||||
+
|
||||
+errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx,
|
||||
+ const char *input,
|
||||
+ char **sanitized,
|
||||
+ const char *ignore)
|
||||
+{
|
||||
+ char *output;
|
||||
+ size_t i = 0;
|
||||
+ size_t j = 0;
|
||||
+ char *allowed;
|
||||
+
|
||||
+ /* Assume the worst-case. We'll resize it later, once */
|
||||
+ output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1);
|
||||
+ if (!output) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ while (input[i]) {
|
||||
+ /* Even though this character might have a special meaning, if it's
|
||||
+ * explicitly allowed, just copy it and move on
|
||||
+ */
|
||||
+ if (ignore == NULL) {
|
||||
+ allowed = NULL;
|
||||
+ } else {
|
||||
+ allowed = strchr(ignore, input[i]);
|
||||
+ }
|
||||
+ if (allowed) {
|
||||
+ output[j++] = input[i++];
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ switch(input[i]) {
|
||||
+ case '\t':
|
||||
+ output[j++] = '\\';
|
||||
+ output[j++] = '0';
|
||||
+ output[j++] = '9';
|
||||
+ break;
|
||||
+ case ' ':
|
||||
+ output[j++] = '\\';
|
||||
+ output[j++] = '2';
|
||||
+ output[j++] = '0';
|
||||
+ break;
|
||||
+ case '*':
|
||||
+ output[j++] = '\\';
|
||||
+ output[j++] = '2';
|
||||
+ output[j++] = 'a';
|
||||
+ break;
|
||||
+ case '(':
|
||||
+ output[j++] = '\\';
|
||||
+ output[j++] = '2';
|
||||
+ output[j++] = '8';
|
||||
+ break;
|
||||
+ case ')':
|
||||
+ output[j++] = '\\';
|
||||
+ output[j++] = '2';
|
||||
+ output[j++] = '9';
|
||||
+ break;
|
||||
+ case '\\':
|
||||
+ output[j++] = '\\';
|
||||
+ output[j++] = '5';
|
||||
+ output[j++] = 'c';
|
||||
+ break;
|
||||
+ case '\r':
|
||||
+ output[j++] = '\\';
|
||||
+ output[j++] = '0';
|
||||
+ output[j++] = 'd';
|
||||
+ break;
|
||||
+ case '\n':
|
||||
+ output[j++] = '\\';
|
||||
+ output[j++] = '0';
|
||||
+ output[j++] = 'a';
|
||||
+ break;
|
||||
+ default:
|
||||
+ output[j++] = input[i];
|
||||
+ }
|
||||
+
|
||||
+ i++;
|
||||
+ }
|
||||
+ output[j] = '\0';
|
||||
+ *sanitized = talloc_realloc(mem_ctx, output, char, j+1);
|
||||
+ if (!*sanitized) {
|
||||
+ talloc_free(output);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
|
||||
+ const char *input,
|
||||
+ char **sanitized)
|
||||
+{
|
||||
+ return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
|
||||
+}
|
||||
--
|
||||
2.21.3
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
|
||||
Date: Thu, 28 May 2020 12:12:58 +0200
|
||||
Subject: [PATCH] AD: Enforcing GPO rule restriction on user
|
||||
|
||||
This fixes bug related to ad_gpo_implicit_deny option set to True.
|
||||
gpo_implict_denay was checked only for dacl_filtered_gpos,
|
||||
but not for cse_filtered_gpos.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5181
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 53560a754..2c6aa7fa6 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
|
||||
/* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
"no applicable gpos found after cse_guid filtering\n");
|
||||
- ret = EOK;
|
||||
+
|
||||
+ if (state->gpo_implicit_deny == true) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
|
||||
+ " is set to 'true'. The user will be denied access.\n");
|
||||
+ ret = ERR_ACCESS_DENIED;
|
||||
+ } else {
|
||||
+ ret = EOK;
|
||||
+ }
|
||||
+
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.21.3
@ -1,33 +0,0 @@
|
|||
From 3bb910503bb7cbc20105f0a302db400f04436d2a Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Tue, 18 Aug 2020 11:45:18 +0200
|
||||
Subject: [PATCH] man: clarify AD certificate rule
|
||||
|
||||
Clarify AD specific certificate rule example by changing userPrincipal to
|
||||
userPrincipalName. Moreover, match the subject principal name in the
|
||||
example with the rule name.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5278
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/man/sss-certmap.5.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
|
||||
index 10343625e..09aec997c 100644
|
||||
--- a/src/man/sss-certmap.5.xml
|
||||
+++ b/src/man/sss-certmap.5.xml
|
||||
@@ -487,7 +487,7 @@
|
||||
sign.
|
||||
</para>
|
||||
<para>
|
||||
- Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
|
||||
+ Example: (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
--
|
||||
2.21.3
@ -1,72 +0,0 @@
|
|||
From 4526858adb58736066a0b2cf2dc793ddfe671b2b Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Tue, 4 Aug 2020 15:39:51 +0200
|
||||
Subject: [PATCH] config: allow prompting options in configuration
|
||||
|
||||
False warnings were logged after enabling prompting options in
|
||||
configuration file. This change modifies the configuration rules to
|
||||
allow prompting options.
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5259
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/config/cfg_rules.ini | 34 ++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 34 insertions(+)
|
||||
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 2874ea048..2d4e7b51d 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -14,6 +14,10 @@ section = session_recording
|
||||
section_re = ^secrets/users/[0-9]\+$
|
||||
section_re = ^secrets/secrets$
|
||||
section_re = ^secrets/kcm$
|
||||
+section_re = ^prompting/password$
|
||||
+section_re = ^prompting/password/[^/\@]\+$
|
||||
+section_re = ^prompting/2fa$
|
||||
+section_re = ^prompting/2fa/[^/\@]\+$
|
||||
section_re = ^domain/[^/\@]\+$
|
||||
section_re = ^domain/[^/\@]\+/[^/\@]\+$
|
||||
section_re = ^application/[^/\@]\+$
|
||||
@@ -332,6 +336,36 @@ option = scope
|
||||
option = users
|
||||
option = groups
|
||||
|
||||
+# Prompting during authentication
|
||||
+[rule/allowed_prompting_password_options]
|
||||
+validator = ini_allowed_options
|
||||
+section_re = ^prompting/password$
|
||||
+
|
||||
+option = password_prompt
|
||||
+
|
||||
+[rule/allowed_prompting_2fa_options]
|
||||
+validator = ini_allowed_options
|
||||
+section_re = ^prompting/2fa$
|
||||
+
|
||||
+option = single_prompt
|
||||
+option = first_prompt
|
||||
+option = second_prompt
|
||||
+
|
||||
+[rule/allowed_prompting_password_subsec_options]
|
||||
+validator = ini_allowed_options
|
||||
+section_re = ^prompting/password/[^/\@]\+$
|
||||
+
|
||||
+option = password_prompt
|
||||
+
|
||||
+[rule/allowed_prompting_2fa_subsec_options]
|
||||
+validator = ini_allowed_options
|
||||
+section_re = ^prompting/2fa/[^/\@]\+$
|
||||
+
|
||||
+option = single_prompt
|
||||
+option = first_prompt
|
||||
+option = second_prompt
|
||||
+
|
||||
+
|
||||
[rule/allowed_domain_options]
|
||||
validator = ini_allowed_options
|
||||
section_re = ^\(domain\|application\)/[^/]\+$
|
||||
--
|
||||
2.21.3
@ -1,77 +0,0 @@
|
|||
From 10366b4ee8c01ea20d908102e92d52fdeda168c3 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 18 Aug 2020 14:37:04 +0200
|
||||
Subject: [PATCH] p11_child: switch default ocsp_dgst to sha1
|
||||
|
||||
For details please see discussion at
|
||||
https://github.com/SSSD/sssd/pull/837#issuecomment-672831519
|
||||
|
||||
:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1
|
||||
|
||||
Resolves:
|
||||
https://github.com/SSSD/sssd/issues/5002
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/man/sssd.conf.5.xml | 3 ++-
|
||||
src/p11_child/p11_child_common_utils.c | 6 +++---
|
||||
src/p11_child/p11_child_openssl.c | 4 ++--
|
||||
3 files changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 874a09c49..50692dfdd 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -507,7 +507,8 @@
|
||||
<listitem><para>sha512</para></listitem>
|
||||
</itemizedlist></para>
|
||||
<para>
|
||||
- Default: sha256
|
||||
+ Default: sha1 (to allow compatibility with
|
||||
+ RFC5019-compliant responder)
|
||||
</para>
|
||||
<para>(NSS Version) This option is
|
||||
ignored, because NSS uses sha1
|
||||
diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
|
||||
index 6798752c7..95791b1f0 100644
|
||||
--- a/src/p11_child/p11_child_common_utils.c
|
||||
+++ b/src/p11_child/p11_child_common_utils.c
|
||||
@@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
|
||||
cert_verify_opts->ocsp_default_responder = NULL;
|
||||
cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
|
||||
cert_verify_opts->crl_file = NULL;
|
||||
- cert_verify_opts->ocsp_dgst = CKM_SHA256;
|
||||
+ cert_verify_opts->ocsp_dgst = CKM_SHA_1;
|
||||
cert_verify_opts->soft_ocsp = false;
|
||||
cert_verify_opts->soft_crl = false;
|
||||
|
||||
@@ -174,8 +174,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
||||
} else {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Unsupported digest for OCSP [%s], "
|
||||
- "using default sha256.\n", &opts[c][OCSP_DGST_LEN]);
|
||||
- cert_verify_opts->ocsp_dgst = CKM_SHA256;
|
||||
+ "using default sha1.\n", &opts[c][OCSP_DGST_LEN]);
|
||||
+ cert_verify_opts->ocsp_dgst = CKM_SHA_1;
|
||||
}
|
||||
#endif
|
||||
} else if (strcasecmp(opts[c], "soft_ocsp") == 0) {
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index 321cf162e..04b3e1467 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -372,8 +372,8 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
|
||||
ocsp_dgst = get_dgst(p11_ctx->cert_verify_opts->ocsp_dgst);
|
||||
if (ocsp_dgst == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Cannot determine configured digest function "
|
||||
- "for OCSP, using default sha256.\n");
|
||||
- ocsp_dgst = EVP_sha256();
|
||||
+ "for OCSP, using default sha1.\n");
|
||||
+ ocsp_dgst = EVP_sha1();
|
||||
}
|
||||
cid = OCSP_cert_to_id(ocsp_dgst, cert, issuer);
|
||||
if (cid == NULL) {
|
||||
--
|
||||
2.21.3
@ -1,181 +0,0 @@
|
|||
From 69e1f5fe79806a530e90c8af09bedd3b9e6b4dac Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 15:30:29 +0200
|
||||
Subject: [PATCH] GPO: respect ad_gpo_implicit_deny when evaluation rules
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently if setting ad_gpo_implicit_deny to 'True' is rejected access
|
||||
if no GPOs applied to the host since in this case there are obvious not
|
||||
allow rules available.
|
||||
|
||||
But according to the man page we have to be more strict "When this
|
||||
option is set to True users will be allowed access only when explicitly
|
||||
allowed by a GPO rule". So if GPOs apply and no allow rules are present
|
||||
we have to reject access as well.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5061
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/man/sssd-ad.5.xml | 59 +++++++++++++++++++++++++++++++++++++++
|
||||
src/providers/ad/ad_gpo.c | 13 +++++++--
|
||||
2 files changed, 69 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
||||
index 5c2f46546..fbd4985d7 100644
|
||||
--- a/src/man/sssd-ad.5.xml
|
||||
+++ b/src/man/sssd-ad.5.xml
|
||||
@@ -477,9 +477,68 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
|
||||
built-in Administrators group if no GPO rules
|
||||
apply to them.
|
||||
</para>
|
||||
+
|
||||
<para>
|
||||
Default: False
|
||||
</para>
|
||||
+
|
||||
+ <para>
|
||||
+ The following 2 tables should illustrate when a user
|
||||
+ is allowed or rejected based on the allow and deny
|
||||
+ login rights defined on the server-side and the
|
||||
+ setting of ad_gpo_implicit_deny.
|
||||
+ </para>
|
||||
+ <informaltable frame='all'>
|
||||
+ <tgroup cols='3'>
|
||||
+ <colspec colname='c1' align='center'/>
|
||||
+ <colspec colname='c2' align='center'/>
|
||||
+ <colspec colname='c3' align='center'/>
|
||||
+ <thead>
|
||||
+ <row><entry namest='c1' nameend='c3' align='center'>
|
||||
+ ad_gpo_implicit_deny = False (default)</entry></row>
|
||||
+ <row><entry>allow-rules</entry><entry>deny-rules</entry>
|
||||
+ <entry>results</entry></row>
|
||||
+ </thead>
|
||||
+ <tbody>
|
||||
+ <row><entry>missing</entry><entry>missing</entry>
|
||||
+ <entry><para>all users are allowed</para>
|
||||
+ </entry></row>
|
||||
+ <row><entry>missing</entry><entry>present</entry>
|
||||
+ <entry><para>only users not in deny-rules are
|
||||
+ allowed</para></entry></row>
|
||||
+ <row><entry>present</entry><entry>missing</entry>
|
||||
+ <entry><para>only users in allow-rules are
|
||||
+ allowed</para></entry></row>
|
||||
+ <row><entry>present</entry><entry>present</entry>
|
||||
+ <entry><para>only users in allow-rules and not in
|
||||
+ deny-rules are allowed</para></entry></row>
|
||||
+ </tbody></tgroup></informaltable>
|
||||
+
|
||||
+ <informaltable frame='all'>
|
||||
+ <tgroup cols='3'>
|
||||
+ <colspec colname='c1' align='center'/>
|
||||
+ <colspec colname='c2' align='center'/>
|
||||
+ <colspec colname='c3' align='center'/>
|
||||
+ <thead>
|
||||
+ <row><entry namest='c1' nameend='c3' align='center'>
|
||||
+ ad_gpo_implicit_deny = True</entry></row>
|
||||
+ <row><entry>allow-rules</entry><entry>deny-rules</entry>
|
||||
+ <entry>results</entry></row>
|
||||
+ </thead>
|
||||
+ <tbody>
|
||||
+ <row><entry>missing</entry><entry>missing</entry>
|
||||
+ <entry><para>no users are allowed</para>
|
||||
+ </entry></row>
|
||||
+ <row><entry>missing</entry><entry>present</entry>
|
||||
+ <entry><para>no users are allowed</para>
|
||||
+ </entry></row>
|
||||
+ <row><entry>present</entry><entry>missing</entry>
|
||||
+ <entry><para>only users in allow-rules are
|
||||
+ allowed</para></entry></row>
|
||||
+ <row><entry>present</entry><entry>present</entry>
|
||||
+ <entry><para>only users in allow-rules and not in
|
||||
+ deny-rules are allowed</para></entry></row>
|
||||
+ </tbody></tgroup></informaltable>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 2c6aa7fa6..0cf5da2a1 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -1531,6 +1531,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
|
||||
enum gpo_access_control_mode gpo_mode,
|
||||
enum gpo_map_type gpo_map_type,
|
||||
const char *user,
|
||||
+ bool gpo_implicit_deny,
|
||||
struct sss_domain_info *domain,
|
||||
char **allowed_sids,
|
||||
int allowed_size,
|
||||
@@ -1575,7 +1576,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
|
||||
group_sids[j]);
|
||||
}
|
||||
|
||||
- if (allowed_size == 0) {
|
||||
+ if (allowed_size == 0 && !gpo_implicit_deny) {
|
||||
access_granted = true;
|
||||
} else {
|
||||
access_granted = check_rights(allowed_sids, allowed_size, user_sid,
|
||||
@@ -1694,6 +1695,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
|
||||
enum gpo_access_control_mode gpo_mode,
|
||||
enum gpo_map_type gpo_map_type,
|
||||
const char *user,
|
||||
+ bool gpo_implicit_deny,
|
||||
struct sss_domain_info *user_domain,
|
||||
struct sss_domain_info *host_domain)
|
||||
{
|
||||
@@ -1732,8 +1734,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
|
||||
|
||||
/* perform access check with the final resultant allow_sids and deny_sids */
|
||||
ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user,
|
||||
- user_domain, allow_sids, allow_size, deny_sids,
|
||||
- deny_size);
|
||||
+ gpo_implicit_deny, user_domain,
|
||||
+ allow_sids, allow_size, deny_sids, deny_size);
|
||||
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
@@ -1918,6 +1920,7 @@ immediately:
|
||||
static errno_t
|
||||
process_offline_gpos(TALLOC_CTX *mem_ctx,
|
||||
const char *user,
|
||||
+ bool gpo_implicit_deny,
|
||||
enum gpo_access_control_mode gpo_mode,
|
||||
struct sss_domain_info *user_domain,
|
||||
struct sss_domain_info *host_domain,
|
||||
@@ -1930,6 +1933,7 @@ process_offline_gpos(TALLOC_CTX *mem_ctx,
|
||||
gpo_mode,
|
||||
gpo_map_type,
|
||||
user,
|
||||
+ gpo_implicit_deny,
|
||||
user_domain,
|
||||
host_domain);
|
||||
if (ret != EOK) {
|
||||
@@ -1976,6 +1980,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n");
|
||||
ret = process_offline_gpos(state,
|
||||
state->user,
|
||||
+ state->gpo_implicit_deny,
|
||||
state->gpo_mode,
|
||||
state->user_domain,
|
||||
state->host_domain,
|
||||
@@ -2102,6 +2107,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n");
|
||||
ret = process_offline_gpos(state,
|
||||
state->user,
|
||||
+ state->gpo_implicit_deny,
|
||||
state->gpo_mode,
|
||||
state->user_domain,
|
||||
state->host_domain,
|
||||
@@ -2766,6 +2772,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
||||
state->gpo_mode,
|
||||
state->gpo_map_type,
|
||||
state->user,
|
||||
+ state->gpo_implicit_deny,
|
||||
state->user_domain,
|
||||
state->host_domain);
|
||||
if (ret != EOK) {
|
||||
--
|
||||
2.21.3
@ -1,26 +0,0 @@
|
|||
From 8d38a4b28ab7af15406b244910f369ba1aff02db Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 30 Oct 2014 15:59:17 +0100
|
||||
Subject: [PATCH 93/93] NOUPSTREAM: Default to root if sssd user is not
|
||||
specified
|
||||
|
||||
---
|
||||
src/monitor/monitor.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index 0dea327213a1ad04b6f69c0ffb0fb87254420796..20b4aef4ee94fd42de1585d7d7c2e01ea01845ac 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -925,7 +925,7 @@ static int get_service_user(struct mt_ctx *ctx)
|
||||
|
||||
ret = confdb_get_string(ctx->cdb, ctx, CONFDB_MONITOR_CONF_ENTRY,
|
||||
CONFDB_MONITOR_USER_RUNAS,
|
||||
- SSSD_USER, &user_str);
|
||||
+ "root", &user_str);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get the user to run as\n");
|
||||
return ret;
|
||||
--
|
||||
1.9.3
551
SPECS/sssd.spec
551
SPECS/sssd.spec
@ -1,5 +1,5 @@
|
|||
# we don't want to provide private python extension libs
|
||||
%define __provides_exclude_from %{python3_sitearch}/.*\.so$|%{_libdir}/%{name}/modules/libwbclient.so.*$
|
||||
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
|
||||
|
||||
# SSSD fails to build with -Wl,-z,defs
|
||||
%undefine _strict_symbol_defs_build
|
||||
|
@ -17,73 +17,24 @@
|
|||
%global enable_systemtap 1
|
||||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
%global libwbc_alternatives_version 0.14
|
||||
%global libwbc_lib_version %{libwbc_alternatives_version}.0
|
||||
%global libwbc_alternatives_suffix %nil
|
||||
%if 0%{?__isa_bits} == 64
|
||||
%global libwbc_alternatives_suffix -64
|
||||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 2.3.0
|
||||
Release: 9%{?dist}
|
||||
Version: 2.9.4
|
||||
Release: 3%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://pagure.io/SSSD/sssd/
|
||||
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
||||
URL: https://github.com/SSSD/sssd
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-ad_gpo_ndr.c-more-ndr-updates.patch
|
||||
Patch0002: 0002-test-avoid-endian-issues-in-network-tests.patch
|
||||
Patch0003: 0003-sssctl-sssctl-config-check-alternative-config-file.patch
|
||||
Patch0004: 0004-DEBUG-only-open-child-process-log-files-when-require.patch
|
||||
Patch0005: 0005-DEBUG-use-new-exec_child-_ex-interface-in-tests.patch
|
||||
Patch0006: 0006-NEGCACHE-skip-permanent-entries-in-users-groups-rese.patch
|
||||
Patch0007: 0007-util-inotify-fixed-CLANG_WARNING.patch
|
||||
Patch0008: 0008-util-inotify-fixed-bug-in-inotify-event-processing.patch
|
||||
Patch0009: 0009-Replaced-enter-with-insert.patch
|
||||
Patch0010: 0010-NSS-client-preserve-errno-during-_nss_sss_end-calls.patch
|
||||
Patch0011: 0011-ipa-add-failover-to-subdomain-override-lookups.patch
|
||||
Patch0012: 0012-GPO-fix-link-order-in-a-SOM.patch
|
||||
Patch0013: 0013-sysdb-make-sysdb_update_subdomains-more-robust.patch
|
||||
Patch0014: 0014-ad-rename-ad_master_domain_-to-ad_domain_info_.patch
|
||||
Patch0015: 0015-sysdb-make-new_subdomain-public.patch
|
||||
Patch0016: 0016-ad-rename-ads_get_root_id_ctx-to-ads_get_dom_id_ctx.patch
|
||||
Patch0017: 0017-ad-remove-unused-trust_type-from-ad_subdom_store.patch
|
||||
Patch0018: 0018-ad-add-ad_check_domain_-send-recv.patch
|
||||
Patch0019: 0019-ad-check-forest-root-directly-if-not-present-on-loca.patch
|
||||
Patch0020: 0020-man-Document-invalid-selinux-context-for-homedirs.patch
|
||||
Patch0021: 0021-pam_sss-add-SERVICE_IS_GDM_SMARTCARD.patch
|
||||
Patch0022: 0022-pam_sss-special-handling-for-gdm-smartcard.patch
|
||||
Patch0023: 0023-pam_sss-make-sure-old-certificate-data-is-removed-be.patch
|
||||
Patch0024: 0024-systemtap-Missing-a-comma.patch
|
||||
Patch0025: 0025-proxy-use-x-as-default-pwfield-only-for-sssd-shadowu.patch
|
||||
Patch0026: 0026-files-allow-root-membership.patch
|
||||
Patch0027: 0027-PAM-do-not-treat-error-for-cache-only-lookups-as-fat.patch
|
||||
Patch0028: 0028-mem-cache-sizes-of-free-and-data-tables-were-made-co.patch
|
||||
Patch0029: 0029-NSS-make-memcache-size-configurable.patch
|
||||
Patch0030: 0030-NSS-avoid-excessive-log-messages.patch
|
||||
Patch0031: 0031-NSS-enhanced-debug-during-mem-cache-initialization.patch
|
||||
Patch0032: 0032-mem-cache-added-log-message-in-case-cache-is-full.patch
|
||||
Patch0033: 0033-NSS-make-memcache-size-configurable-in-megabytes.patch
|
||||
Patch0034: 0034-mem-cache-comment-added.patch
|
||||
Patch0035: 0035-mem-cache-always-cleanup-old-content.patch
|
||||
Patch0036: 0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch
|
||||
Patch0037: 0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch
|
||||
Patch0038: 0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch
|
||||
Patch0039: 0039-certmap-sanitize-LDAP-search-filter.patch
|
||||
Patch0040: 0040-AD-Enforcing-GPO-rule-restriction-on-user.patch
|
||||
Patch0041: 0041-man-clarify-AD-certificate-rule.patch
|
||||
Patch0042: 0042-config-allow-prompting-options-in-configuration.patch
|
||||
Patch0043: 0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch
|
||||
Patch0044: 0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch
|
||||
Patch0001: 0001-sssd-adding-mail-as-case-insensitive.patch
|
||||
Patch0002: 0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
|
||||
Patch0003: 0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
|
||||
Patch0004: 0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
|
||||
Patch0005: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch
|
||||
|
||||
### Downstream Patches ###
|
||||
|
||||
#This patch should not be removed in RHEL-8
|
||||
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
@ -128,11 +79,12 @@ BuildRequires: openldap-devel
|
|||
BuildRequires: pam-devel
|
||||
BuildRequires: nss-devel
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: pcre2-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: libxml2
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: krb5-libs >= 1.18.2-11
|
||||
BuildRequires: c-ares-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: check-devel
|
||||
|
@ -145,7 +97,6 @@ BuildRequires: gettext-devel
|
|||
BuildRequires: pkgconfig
|
||||
BuildRequires: diffstat
|
||||
BuildRequires: findutils
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: selinux-policy-targeted
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: uid_wrapper
|
||||
|
@ -154,7 +105,11 @@ BuildRequires: pam_wrapper
|
|||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: libjose-devel
|
||||
BuildRequires: softhsm >= 2.1.0
|
||||
BuildRequires: bc
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssh
|
||||
BuildRequires: libnl3-devel
|
||||
|
@ -167,8 +122,10 @@ BuildRequires: libsmbclient-devel
|
|||
BuildRequires: samba-winbind
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: gdm-pam-extensions-devel
|
||||
BuildRequires: libunistring-devel
|
||||
BuildRequires: shadow-utils-subid-devel
|
||||
BuildRequires: po4a
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
|
@ -187,6 +144,9 @@ License: GPLv3+
|
|||
# Conflicts
|
||||
Conflicts: selinux-policy < 3.10.0-46
|
||||
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
|
||||
# sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5
|
||||
Obsoletes: sssd-libwbclient < 2.5.0
|
||||
Obsoletes: sssd-libwbclient-debuginfo < 2.5.0
|
||||
# Requires
|
||||
# Explicitly require RHEL-8.0 versions of the Samba libraries
|
||||
# in order to prevent untested combinations of a new SSSD and
|
||||
|
@ -202,6 +162,7 @@ Recommends: libsss_sudo = %{version}-%{release}
|
|||
Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
|
||||
Recommends: sssd-nfs-idmap = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Requires(pre): shadow-utils
|
||||
%{?systemd_requires}
|
||||
|
||||
|
@ -254,17 +215,16 @@ Summary: Userspace tools for use with the SSSD
|
|||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: libsss_simpleifp = %{version}-%{release}
|
||||
# required by sss_obfuscate
|
||||
Requires: python3-sss = %{version}-%{release}
|
||||
Requires: python3-sssdconfig = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
# for logger=journald support with sss_analyze
|
||||
Requires: python3-systemd
|
||||
Recommends: sssd-dbus
|
||||
|
||||
%description tools
|
||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
|
||||
Also provides several other administrative tools:
|
||||
Provides several administrative tools:
|
||||
* sss_debuglevel to change the debug level on the fly
|
||||
* sss_seed which pre-creates a user entry for use in kickstarts
|
||||
* sss_obfuscate for generating an obfuscated LDAP password
|
||||
|
@ -288,11 +248,8 @@ Requires: sssd-common = %{version}-%{release}
|
|||
%{?python_provide:%python_provide python3-sss}
|
||||
|
||||
%description -n python3-sss
|
||||
Provides python3 module for manipulating users, groups, and nested groups in
|
||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
|
||||
Also provides several other useful python3 bindings:
|
||||
* function for retrieving list of groups user belongs to.
|
||||
Provides python3 bindings:
|
||||
* function for retrieving list of groups user belongs to
|
||||
* class for obfuscation of passwords
|
||||
|
||||
%package -n python3-sss-murmur
|
||||
|
@ -312,6 +269,7 @@ Conflicts: sssd < 1.10.0-8.beta2
|
|||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-krb5-common = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
|
||||
%description ldap
|
||||
Provides the LDAP back end that the SSSD can utilize to fetch identity data
|
||||
|
@ -362,6 +320,7 @@ Requires: samba-client-libs >= %{samba_package_version}
|
|||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-krb5-common = %{version}-%{release}
|
||||
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Recommends: bind-utils
|
||||
Requires: sssd-common-pac = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
|
@ -381,9 +340,9 @@ Requires: sssd-common = %{version}-%{release}
|
|||
Requires: sssd-krb5-common = %{version}-%{release}
|
||||
Requires: sssd-common-pac = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Recommends: bind-utils
|
||||
Recommends: adcli
|
||||
Suggests: sssd-libwbclient = %{version}-%{release}
|
||||
Suggests: sssd-winbind-idmap = %{version}-%{release}
|
||||
|
||||
%description ad
|
||||
|
@ -396,6 +355,7 @@ Group: Applications/System
|
|||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Requires(pre): shadow-utils
|
||||
|
||||
%description proxy
|
||||
|
@ -526,27 +486,6 @@ Requires: libsss_simpleifp = %{version}-%{release}
|
|||
%description -n libsss_simpleifp-devel
|
||||
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
|
||||
|
||||
%package libwbclient
|
||||
Summary: The SSSD libwbclient implementation
|
||||
Group: Applications/System
|
||||
License: GPLv3+ and LGPLv3+
|
||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
Conflicts: libwbclient < 4.2.0-0.2.rc2
|
||||
Conflicts: sssd-common < %{version}-%{release}
|
||||
|
||||
%description libwbclient
|
||||
The SSSD libwbclient implementation.
|
||||
|
||||
%package libwbclient-devel
|
||||
Summary: Development libraries for the SSSD libwbclient implementation
|
||||
Group: Development/Libraries
|
||||
License: GPLv3+ and LGPLv3+
|
||||
Requires: sssd-libwbclient = %{version}-%{release}
|
||||
Conflicts: libwbclient-devel < 4.2.0-0.2.rc2
|
||||
|
||||
%description libwbclient-devel
|
||||
Development libraries for the SSSD libwbclient implementation.
|
||||
|
||||
%package winbind-idmap
|
||||
Summary: SSSD's idmap_sss Backend for Winbind
|
||||
Group: Applications/System
|
||||
|
@ -595,12 +534,23 @@ Summary: An implementation of a Kerberos KCM server
|
|||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: krb5-libs >= 1.18.2-11
|
||||
%{?systemd_requires}
|
||||
|
||||
%description kcm
|
||||
An implementation of a Kerberos KCM server. Use this package if you want to
|
||||
use the KCM: Kerberos credentials cache.
|
||||
|
||||
%package idp
|
||||
Summary: Kerberos plugins and OIDC helper for external identity providers.
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
%description idp
|
||||
This package provides Kerberos plugins that are required to enable
|
||||
authentication against external identity providers. Additionally a helper
|
||||
program to handle the OAuth 2.0 Device Authorization Grant is provided.
|
||||
|
||||
%prep
|
||||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||||
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
||||
|
@ -644,8 +594,10 @@ autoreconf -ivf
|
|||
--disable-rpath \
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
--with-subid \
|
||||
--with-files-provider \
|
||||
--with-libsifp \
|
||||
--enable-sss-default-nss-plugin \
|
||||
--enable-files-domain \
|
||||
--without-python2-bindings \
|
||||
--with-sssd-user=sssd \
|
||||
%{?with_cifs_utils_plugin_option} \
|
||||
|
@ -664,16 +616,11 @@ unset CK_TIMEOUT_MULTIPLIER
|
|||
|
||||
%install
|
||||
|
||||
%py3_shebang_fix src/tools/analyzer/sss_analyze
|
||||
sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate
|
||||
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
|
||||
if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ]
|
||||
then
|
||||
echo "Expected libwbclient version not found, please check if version has changed."
|
||||
exit -1
|
||||
fi
|
||||
|
||||
# Prepare language files
|
||||
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
|
||||
|
||||
|
@ -690,6 +637,14 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
|
|||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||
|
||||
# Enable krb5 idp plugins by default (when sssd-idp package is installed)
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||
|
||||
# krb5 configuration snippet
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
|
||||
# Create directory for cifs-idmap alternative
|
||||
# Otherwise this directory could not be owned by sssd-client
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
|
||||
|
@ -872,7 +827,7 @@ done
|
|||
%dir %{_sysconfdir}/rwtab.d
|
||||
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
||||
%dir %{_datadir}/sssd
|
||||
%{_sysconfdir}/pam.d/sssd-shadowutils
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
|
||||
%dir %{_libdir}/%{name}/conf
|
||||
%{_libdir}/%{name}/conf/sssd.conf
|
||||
|
||||
|
@ -921,6 +876,9 @@ done
|
|||
%license COPYING
|
||||
%{_libdir}/%{name}/libsss_krb5.so
|
||||
%{_mandir}/man5/sssd-krb5.5*
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
%dir %{_datadir}/sssd/krb5-snippets
|
||||
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
|
||||
|
||||
%files common-pac
|
||||
%defattr(-,root,root,-)
|
||||
|
@ -955,7 +913,7 @@ done
|
|||
%{_mandir}/man5/sssd-ifp.5*
|
||||
%{_unitdir}/sssd-ifp.service
|
||||
# InfoPipe DBus plumbing
|
||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
|
||||
|
||||
%files -n libsss_simpleifp
|
||||
|
@ -974,7 +932,9 @@ done
|
|||
%defattr(-,root,root,-)
|
||||
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
%{_libdir}/libnss_sss.so.2
|
||||
%{_libdir}/libsubid_sss.so
|
||||
%{_libdir}/security/pam_sss.so
|
||||
%{_libdir}/security/pam_sss_gss.so
|
||||
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
||||
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
|
||||
%dir %{_libdir}/cifs-utils
|
||||
|
@ -985,7 +945,9 @@ done
|
|||
%dir %{_libdir}/%{name}/modules
|
||||
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
|
||||
%{_mandir}/man8/pam_sss.8*
|
||||
%{_mandir}/man8/pam_sss_gss.8*
|
||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||
%{_mandir}/man8/sssd_krb5_localauth_plugin.8*
|
||||
|
||||
%files -n libsss_sudo
|
||||
%defattr(-,root,root,-)
|
||||
|
@ -1006,6 +968,8 @@ done
|
|||
%{_sbindir}/sss_debuglevel
|
||||
%{_sbindir}/sss_seed
|
||||
%{_sbindir}/sssctl
|
||||
%{_libexecdir}/%{servicename}/sss_analyze
|
||||
%{python3_sitelib}/sssd/
|
||||
%{_mandir}/man8/sss_obfuscate.8*
|
||||
%{_mandir}/man8/sss_override.8*
|
||||
%{_mandir}/man8/sss_debuglevel.8*
|
||||
|
@ -1074,18 +1038,6 @@ done
|
|||
%defattr(-,root,root,-)
|
||||
%{python3_sitearch}/pyhbac.so
|
||||
|
||||
%files libwbclient
|
||||
%defattr(-,root,root,-)
|
||||
%dir %{_libdir}/%{name}
|
||||
%dir %{_libdir}/%{name}/modules
|
||||
%{_libdir}/%{name}/modules/libwbclient.so.*
|
||||
|
||||
%files libwbclient-devel
|
||||
%defattr(-,root,root,-)
|
||||
%{_includedir}/wbclient_sssd.h
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
%{_libdir}/pkgconfig/wbclient_sssd.pc
|
||||
|
||||
%files winbind-idmap -f sssd_winbind_idmap.lang
|
||||
%dir %{_libdir}/samba/idmap
|
||||
%{_libdir}/samba/idmap/sss.so
|
||||
|
@ -1116,7 +1068,12 @@ done
|
|||
%{_unitdir}/sssd-kcm.socket
|
||||
%{_unitdir}/sssd-kcm.service
|
||||
%{_mandir}/man8/sssd-kcm.8*
|
||||
%{_libdir}/%{name}/libsss_secrets.so
|
||||
|
||||
%files idp
|
||||
%{_libexecdir}/%{servicename}/oidc_child
|
||||
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
|
||||
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||
|
||||
%pre ipa
|
||||
getent group sssd >/dev/null || groupadd -r sssd
|
||||
|
@ -1144,6 +1101,38 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
|
|||
%systemd_post sssd-ssh.socket
|
||||
%systemd_post sssd-sudo.socket
|
||||
|
||||
function mod_nss() {
|
||||
if [ -f "$1" ] ; then
|
||||
# Change order 'sss <-> files' if default pattern is found
|
||||
match_pattern="^[[:blank:]]*(passwd|group):(.*)sss[[:blank:]]+files(.*)"
|
||||
if grep -E -r -q -s "$match_pattern" "$1"; then
|
||||
sed -i.save_by_rpm -E -e "
|
||||
s/$match_pattern/\1:\2files sss\3/
|
||||
" "$1" &>/dev/null || :
|
||||
# Remove obsolete comment
|
||||
sed -i -E -e '/# .sssd. performs its own .files.-based caching, so it should generally/d' "$1" &>/dev/null || :
|
||||
sed -i -E -e '/# come before .files.\./d' "$1" &>/dev/null || :
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if grep -E -r -q -s "[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/ ||
|
||||
grep -E -i -r -q -s "[[:blank:]]*enable_files_domain[[:blank:]]*=[[:blank:]]*true" /etc/sssd ; then
|
||||
# "files provider" configured explicitly, leave nsswitch.conf intact
|
||||
:
|
||||
else
|
||||
NSSFILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"
|
||||
if [ "$NSSFILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then
|
||||
mod_nss "/etc/authselect/user-nsswitch.conf"
|
||||
authselect apply-changes &> /dev/null || :
|
||||
else
|
||||
mod_nss "$NSSFILE"
|
||||
# also apply the same changes to user-nsswitch.conf to affect
|
||||
# possible future authselect configuration
|
||||
mod_nss "/etc/authselect/user-nsswitch.conf"
|
||||
fi
|
||||
fi
|
||||
|
||||
%preun common
|
||||
%systemd_preun sssd.service
|
||||
%systemd_preun sssd-autofs.socket
|
||||
|
@ -1226,30 +1215,300 @@ fi
|
|||
%posttrans common
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%posttrans libwbclient
|
||||
%{_sbindir}/update-alternatives \
|
||||
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
|
||||
libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
|
||||
%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} 5
|
||||
/sbin/ldconfig
|
||||
|
||||
%preun libwbclient
|
||||
%{_sbindir}/update-alternatives \
|
||||
--remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
|
||||
%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version}
|
||||
/sbin/ldconfig
|
||||
|
||||
%posttrans libwbclient-devel
|
||||
%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
|
||||
libwbclient.so%{libwbc_alternatives_suffix} \
|
||||
%{_libdir}/%{name}/modules/libwbclient.so 5
|
||||
|
||||
%preun libwbclient-devel
|
||||
%{_sbindir}/update-alternatives --remove \
|
||||
libwbclient.so%{libwbc_alternatives_suffix} \
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Thu Apr 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-3
|
||||
- Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently
|
||||
|
||||
* Mon Feb 12 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-2
|
||||
- Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8]
|
||||
- Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8]
|
||||
- Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8]
|
||||
|
||||
* Sat Jan 13 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache
|
||||
- Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP'
|
||||
- Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider')
|
||||
- Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest
|
||||
- Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf
|
||||
- Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8]
|
||||
- Resolves: RHEL-10721 - very bad performance when requesting service tickets
|
||||
- Resolves: RHEL-19011 - Invalid handling groups from child domain
|
||||
- Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8]
|
||||
|
||||
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-2
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
|
||||
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication
|
||||
- Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user
|
||||
|
||||
* Mon Sep 11 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.2-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code
|
||||
- Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7)
|
||||
|
||||
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
|
||||
- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
|
||||
|
||||
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
|
||||
- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
|
||||
- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
|
||||
- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
|
||||
- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
|
||||
- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
|
||||
- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
|
||||
- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
|
||||
- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
|
||||
|
||||
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
|
||||
- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
|
||||
Rebuild against rebased Samba libs
|
||||
|
||||
* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
|
||||
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
|
||||
- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
|
||||
- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
|
||||
- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
|
||||
- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
|
||||
- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
|
||||
|
||||
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
|
||||
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
|
||||
|
||||
* Mon Dec 19 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
|
||||
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
|
||||
- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
|
||||
- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization
|
||||
- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list
|
||||
- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
|
||||
- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
|
||||
- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required)
|
||||
|
||||
* Tue Nov 22 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
|
||||
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
|
||||
- Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr
|
||||
- Resolves: rhbz#2144579 - sssd timezone issues sudonotafter
|
||||
- Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
|
||||
- Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
|
||||
- Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed
|
||||
|
||||
* Mon Oct 31 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-5
|
||||
- Related: rhbz#2132051 - Rebase Samba to the the latest 4.17.x release
|
||||
Rebuild against Samba rebase.
|
||||
|
||||
* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
|
||||
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
|
||||
|
||||
* Tue Aug 23 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-3
|
||||
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
|
||||
- Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured
|
||||
- Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend
|
||||
|
||||
* Wed Aug 10 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-2
|
||||
- Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases
|
||||
- Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs
|
||||
- Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL
|
||||
|
||||
* Wed Jul 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-1
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization
|
||||
|
||||
* Mon Jun 20 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.2-1
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets
|
||||
- Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file
|
||||
- Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6
|
||||
- Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf
|
||||
- Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP
|
||||
- Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect
|
||||
- Resolves: rhbz#2098617 - Harden kerberos ticket validation
|
||||
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
|
||||
|
||||
* Wed May 18 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-2
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
|
||||
- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
|
||||
- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
|
||||
- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname()
|
||||
- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd
|
||||
- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
|
||||
- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send
|
||||
- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker
|
||||
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
|
||||
- Resolves: rhbz#2087745 - 2FA prompting setting ineffective
|
||||
- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language
|
||||
|
||||
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
|
||||
- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
|
||||
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
|
||||
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
|
||||
- Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
|
||||
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
|
||||
|
||||
* Tue Jan 04 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
|
||||
- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)
|
||||
|
||||
* Mon Dec 27 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
|
||||
- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
|
||||
- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
|
||||
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
|
||||
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
|
||||
- Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
|
||||
- Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
|
||||
- Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
|
||||
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
|
||||
- Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
|
||||
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
|
||||
- Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
|
||||
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
|
||||
|
||||
* Fri Nov 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-2
|
||||
- Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
|
||||
|
||||
* Mon Nov 15 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-1
|
||||
- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
|
||||
- Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
|
||||
- Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator
|
||||
- Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed
|
||||
- Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb
|
||||
- Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces)
|
||||
- Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
|
||||
- Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD
|
||||
- Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline
|
||||
- Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True'
|
||||
- Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s
|
||||
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
|
||||
- Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication.
|
||||
- Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA
|
||||
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
|
||||
- Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing
|
||||
|
||||
* Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
|
||||
- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
|
||||
- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization
|
||||
|
||||
* Mon Jul 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-1
|
||||
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
|
||||
- Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU
|
||||
- Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber`
|
||||
- Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling
|
||||
- Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address
|
||||
- Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group
|
||||
- Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade
|
||||
|
||||
* Mon Jun 21 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.1-2
|
||||
- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken
|
||||
- Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument
|
||||
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)
|
||||
|
||||
* Tue Jun 08 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.1-1
|
||||
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
|
||||
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
|
||||
- Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory
|
||||
- Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file
|
||||
- Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout
|
||||
- Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests
|
||||
- Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust
|
||||
- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
|
||||
- Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found
|
||||
- Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group
|
||||
- Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable
|
||||
- Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory.
|
||||
- Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf
|
||||
|
||||
* Mon May 10 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.0-1
|
||||
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
|
||||
- Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11
|
||||
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
|
||||
- Resolves: rhbz#1945888 - Inconsistant debug level for connection logging
|
||||
- Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets
|
||||
- Resolves: rhbz#1949149 - [RFE] Poor man's backtrace
|
||||
- Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR
|
||||
- Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail.
|
||||
- Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs
|
||||
- Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path
|
||||
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm
|
||||
- Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries
|
||||
- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
|
||||
- Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries
|
||||
- Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries
|
||||
- Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains.
|
||||
- Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable
|
||||
- Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used
|
||||
- Resolves: rhbz#1703436 - sssd not thread-safe in innetgr()
|
||||
- Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen
|
||||
- Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page
|
||||
- Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page
|
||||
- Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp
|
||||
- Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3)
|
||||
- Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7
|
||||
- Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login
|
||||
- Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive
|
||||
|
||||
* Fri Feb 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-8
|
||||
- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss
|
||||
- Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0.
|
||||
- Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch)
|
||||
|
||||
* Tue Jan 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-7
|
||||
- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules
|
||||
- Resolves: rhbz#1918433 - sssd unable to lookup certmap rules
|
||||
- Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11
|
||||
|
||||
* Mon Jan 18 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-6
|
||||
- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched
|
||||
- Resolves: rhbz#1915395 - Memory leak in the simple access provider
|
||||
- Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup
|
||||
- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches)
|
||||
|
||||
* Mon Dec 28 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-5
|
||||
- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value
|
||||
- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches)
|
||||
- Resolves: rhbz#1893159 - Default debug level should report all errors / failures
|
||||
- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication
|
||||
|
||||
* Mon Dec 21 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-4
|
||||
- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process
|
||||
- Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8]
|
||||
- Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently
|
||||
|
||||
* Mon Dec 07 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-3
|
||||
- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr()
|
||||
- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process
|
||||
- Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal
|
||||
- Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior
|
||||
|
||||
* Thu Nov 12 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-2
|
||||
- This is to bump version to allow rebuild against rebased libldb.
|
||||
|
||||
* Fri Oct 23 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-1
|
||||
- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4
|
||||
- Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI
|
||||
- Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search()
|
||||
- Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording
|
||||
- Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x
|
||||
- Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD.
|
||||
- Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process
|
||||
- Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL
|
||||
- Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase)
|
||||
- Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page
|
||||
- Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals"
|
||||
- Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains
|
||||
- Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file
|
||||
- Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes
|
||||
- Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level
|
||||
- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff
|
||||
- Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command
|
||||
- Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate
|
||||
|
||||
* Mon Sep 14 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.3.0-9
|
||||
- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied
|
||||
|
||||
|
@ -1352,10 +1611,10 @@ fi
|
|||
|
||||
|
||||
* Thu Dec 19 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-8
|
||||
* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect
|
||||
* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect
|
||||
|
||||
* Thu Dec 19 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-7
|
||||
* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect
|
||||
* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect
|
||||
|
||||
* Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-6
|
||||
* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
|
||||
|
@ -1411,7 +1670,7 @@ fi
|
|||
|
||||
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-13
|
||||
- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the
|
||||
systemd-user service in the account phase in RHEL-8
|
||||
systemd-user service in the account phase in RHEL-8
|
||||
|
||||
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-12
|
||||
- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets
|
||||
|
@ -1459,11 +1718,11 @@ fi
|
|||
|
||||
* Fri Jun 14 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
|
||||
- Resolves: rhbz#1687281
|
||||
Rebase sssd in RHEL-8.1 to the latest upstream release
|
||||
Rebase sssd in RHEL-8.1 to the latest upstream release
|
||||
|
||||
* Wed Jun 12 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-1
|
||||
- Resolves: rhbz#1687281
|
||||
Rebase sssd in RHEL-8.1 to the latest upstream release
|
||||
Rebase sssd in RHEL-8.1 to the latest upstream release
|
||||
|
||||
* Thu May 30 2019 Michal Židek <mzidek@redhat.com> - 2.0.0-45
|
||||
- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is
|
||||
|
@ -1514,14 +1773,14 @@ fi
|
|||
|
||||
* Mon Dec 17 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-32
|
||||
- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc
|
||||
and libtevent to avoid an issue in GPO processing
|
||||
and libtevent to avoid an issue in GPO processing
|
||||
|
||||
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-31
|
||||
- Resolves: 1658813 - PKINIT with KCM does not work
|
||||
|
||||
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-30
|
||||
- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to
|
||||
retrieve AD users through IPA Trust
|
||||
retrieve AD users through IPA Trust
|
||||
|
||||
* Sun Dec 16 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-29
|
||||
- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise():
|
||||