

4 Commits

Author SHA1 Message Date
17b71b09d7 Import from CS git 2024-08-14 08:33:24 +00:00
9c66bdd153 import CS sssd-2.9.4-3.el8 2024-05-22 13:48:55 +00:00
eabdullin
9a403b1a7e import CS sssd-2.9.1-2.el8 2023-11-15 08:26:28 +00:00
CentOS Sources
87cae3c020 import sssd-2.8.2-2.el8 2023-05-17 03:12:13 +00:00
32 changed files with 1159 additions and 2549 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/sssd-2.7.3.tar.gz
SOURCES/sssd-2.9.4.tar.gz


@ -1 +1 @@
0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz
574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz


@ -1,51 +0,0 @@
From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 21 Jul 2022 20:16:32 +0200
Subject: [PATCH] Makefile: remove unneeded dependency
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)
---
Makefile.am | 4 ----
1 file changed, 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 669a0fc56..92d046888 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \
$(KRB5_CFLAGS) \
$(UUID_CFLAGS) \
$(CURL_CFLAGS) \
- $(JANSSON_CFLAGS) \
$(NULL)
sssd_kcm_LDADD = \
$(LIBADD_DL) \
$(KRB5_LIBS) \
- $(JANSSON_LIBS) \
$(SSSD_LIBS) \
$(UUID_LIBS) \
$(SYSTEMD_DAEMON_LIBS) \
@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \
$(UUID_CFLAGS) \
$(NULL)
test_kcm_marshalling_LDADD = \
- $(JANSSON_LIBS) \
$(UUID_LIBS) \
$(KRB5_LIBS) \
$(CMOCKA_LIBS) \
@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \
test_kcm_renewals_LDADD = \
$(LIBADD_DL) \
$(UUID_LIBS) \
- $(JANSSON_LIBS) \
$(KRB5_LIBS) \
$(CARES_LIBS) \
$(CMOCKA_LIBS) \
--
2.37.1


@ -0,0 +1,144 @@
From dd0f63246aa75d5f53b44cbc185e88833e79976e Mon Sep 17 00:00:00 2001
From: Andre Boscatto <andreboscatto@gmail.com>
Date: Wed, 7 Feb 2024 12:28:28 +0100
Subject: [PATCH] sssd: adding mail as case insensitive
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7173
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51)
---
src/db/sysdb_init.c | 7 ++++++
src/db/sysdb_private.h | 5 +++-
src/db/sysdb_upgrade.c | 56 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 67 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index c2ea6c369..38a9cd64a 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
}
}
+ if (strcmp(version, SYSDB_VERSION_0_23) == 0) {
+ ret = sysdb_upgrade_23(sysdb, &version);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
ret = EOK;
done:
sysdb->ldb = save_ldb;
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
index 1f55007bc..63f7b5601 100644
--- a/src/db/sysdb_private.h
+++ b/src/db/sysdb_private.h
@@ -23,6 +23,7 @@
#ifndef __INT_SYS_DB_H__
#define __INT_SYS_DB_H__
+#define SYSDB_VERSION_0_24 "0.24"
#define SYSDB_VERSION_0_23 "0.23"
#define SYSDB_VERSION_0_22 "0.22"
#define SYSDB_VERSION_0_21 "0.21"
@@ -47,7 +48,7 @@
#define SYSDB_VERSION_0_2 "0.2"
#define SYSDB_VERSION_0_1 "0.1"
-#define SYSDB_VERSION SYSDB_VERSION_0_23
+#define SYSDB_VERSION SYSDB_VERSION_0_24
#define SYSDB_BASE_LDIF \
"dn: @ATTRIBUTES\n" \
@@ -60,6 +61,7 @@
"objectclass: CASE_INSENSITIVE\n" \
"ipHostNumber: CASE_INSENSITIVE\n" \
"ipNetworkNumber: CASE_INSENSITIVE\n" \
+ "mail: CASE_INSENSITIVE\n" \
"\n" \
"dn: @INDEXLIST\n" \
"@IDXATTR: cn\n" \
@@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
index 346a1cb0b..56083e6be 100644
--- a/src/db/sysdb_upgrade.c
+++ b/src/db/sysdb_upgrade.c
@@ -2718,6 +2718,62 @@ done:
return ret;
}
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver)
+{
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+ struct ldb_message *msg;
+ struct upgrade_ctx *ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx);
+ if (ret) {
+ return ret;
+ }
+
+ /* Add new indexes */
+ msg = ldb_msg_new(tmp_ctx);
+ if (!msg) {
+ ret = ENOMEM;
+ goto done;
+ }
+ msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES");
+ if (!msg->dn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Case insensitive search for mail */
+ ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE");
+ if (ret != LDB_SUCCESS) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_modify(sysdb->ldb, msg);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ /* conversion done, update version number */
+ ret = update_version(ctx);
+
+done:
+ ret = finish_upgrade(ret, &ctx, ver);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
{
struct upgrade_ctx *ctx;
--
2.41.0
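Review bot: The early return after a failed `commence_upgrade()` in `sysdb_upgrade_23()` (`if (ret) { return ret; }`) leaks `tmp_ctx`, which was allocated from NULL just above and is otherwise only released at `done:`. Either free it on that path, `if (ret) { talloc_free(tmp_ctx); return ret; }`, or allocate `tmp_ctx` only after `commence_upgrade()` has succeeded. The two `ldb_msg_add_*()` failure branches also collapse every ldb error into `ENOMEM`, whereas the `ldb_modify()` branch uses `sysdb_error_to_errno(ret)`; applying the same conversion in all three keeps the reported cause accurate when the upgrade fails.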


@ -1,155 +0,0 @@
From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 29 Jul 2022 14:57:20 +0200
Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it
should survive context destruction / re-initialization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911)
---
src/sss_client/nss_mc.h | 4 ++--
src/sss_client/nss_mc_common.c | 10 ++++++++--
src/sss_client/nss_mc_group.c | 5 +++++
src/sss_client/nss_mc_initgr.c | 5 +++++
src/sss_client/nss_mc_passwd.c | 5 +++++
src/sss_client/nss_mc_sid.c | 5 +++++
6 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
index b66e8f09f..de1496ccc 100644
--- a/src/sss_client/nss_mc.h
+++ b/src/sss_client/nss_mc.h
@@ -48,7 +48,7 @@ enum sss_mc_state {
struct sss_cli_mc_ctx {
enum sss_mc_state initialized;
#if HAVE_PTHREAD
- pthread_mutex_t mutex;
+ pthread_mutex_t *mutex;
#endif
int fd;
@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx {
};
#if HAVE_PTHREAD
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#else
#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#endif
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index c73a93a9a..f38a4a85a 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -58,14 +58,14 @@ do { \
static void sss_mt_lock(struct sss_cli_mc_ctx *ctx)
{
#if HAVE_PTHREAD
- pthread_mutex_lock(&ctx->mutex);
+ pthread_mutex_lock(ctx->mutex);
#endif
}
static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
{
#if HAVE_PTHREAD
- pthread_mutex_unlock(&ctx->mutex);
+ pthread_mutex_unlock(ctx->mutex);
#endif
}
@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
{
uint32_t active_threads = ctx->active_threads;
+#if HAVE_PTHREAD
+ pthread_mutex_t *mutex = ctx->mutex;
+#endif
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
munmap(ctx->mmap_base, ctx->mmap_size);
@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
/* restore count of active threads */
ctx->active_threads = active_threads;
+#if HAVE_PTHREAD
+ ctx->mutex = mutex;
+#endif
}
static errno_t sss_nss_mc_init_ctx(const char *name,
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index 2ea40c435..d4f2a82ab 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -29,7 +29,12 @@
#include "nss_mc.h"
#include "shared/safealign.h"
+#if HAVE_PTHREAD
+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex);
+#else
static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
+#endif
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
struct group *result,
diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
index b05946263..bd7282935 100644
--- a/src/sss_client/nss_mc_initgr.c
+++ b/src/sss_client/nss_mc_initgr.c
@@ -32,7 +32,12 @@
#include "nss_mc.h"
#include "shared/safealign.h"
+#if HAVE_PTHREAD
+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex);
+#else
static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
+#endif
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
long int *start, long int *size,
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index 01c6801da..256d48444 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -28,7 +28,12 @@
#include <time.h>
#include "nss_mc.h"
+#if HAVE_PTHREAD
+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex);
+#else
static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
+#endif
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
struct passwd *result,
diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c
index af7d7bbd5..52e684da5 100644
--- a/src/sss_client/nss_mc_sid.c
+++ b/src/sss_client/nss_mc_sid.c
@@ -30,7 +30,12 @@
#include "util/mmap_cache.h"
#include "idmap/sss_nss_idmap.h"
+#if HAVE_PTHREAD
+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex);
+#else
static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
+#endif
static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type,
char **sid, uint32_t *type,
--
2.37.1


@ -0,0 +1,154 @@
From a7621a5b464af7a3c8409dcbde038b35fee2c895 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 23 Jan 2024 13:47:53 +0100
Subject: [PATCH 2/3] sdap: add search_bases option to groups_by_user_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AD handles users and computer objects very similar and so does SSSD's
GPO code when lookup up the host's group-memberships. But users and
computers might be stored in different sub-tree of the AD LDAP tree and
if a dedicated user search base is given with the ldap_user_search_base
option in sssd.conf the host object might be in a different sub-tree. To
make sure the host can still be found this patch uses the base DN of
the LDAP tree when searching for hosts in the GPO code.
Resolves: https://github.com/SSSD/sssd/issues/5708
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196)
---
src/providers/ad/ad_gpo.c | 10 ++++++++++
src/providers/ldap/ldap_common.h | 1 +
src/providers/ldap/ldap_id.c | 6 +++++-
src/providers/ldap/sdap_async.h | 1 +
src/providers/ldap/sdap_async_initgroups.c | 4 +++-
5 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 94959c36b..b0ee3e616 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2091,6 +2091,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
char *server_uri;
LDAPURLDesc *lud;
struct sdap_domain *sdom;
+ struct sdap_search_base **search_bases;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_gpo_access_state);
@@ -2184,9 +2185,18 @@ ad_gpo_connect_done(struct tevent_req *subreq)
goto done;
}
+ ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
+ "AD_HOSTS", NULL, &search_bases);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to create dedicated search base for host lookups, "
+ "trying with user search base.");
+ }
+
subreq = groups_by_user_send(state, state->ev,
state->access_ctx->ad_id_ctx->sdap_id_ctx,
sdom, state->conn,
+ search_bases,
state->host_fqdn,
BE_FILTER_NAME,
NULL,
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 7159d6356..2c984ef50 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -304,6 +304,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
struct sdap_id_ctx *ctx,
struct sdap_domain *sdom,
struct sdap_id_conn_ctx *conn,
+ struct sdap_search_base **search_bases,
const char *filter_value,
int filter_type,
const char *extra_value,
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index da54816bd..b3ea2333f 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1139,6 +1139,7 @@ struct groups_by_user_state {
struct sdap_id_op *op;
struct sysdb_ctx *sysdb;
struct sss_domain_info *domain;
+ struct sdap_search_base **search_bases;
const char *filter_value;
int filter_type;
@@ -1160,6 +1161,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
struct sdap_id_ctx *ctx,
struct sdap_domain *sdom,
struct sdap_id_conn_ctx *conn,
+ struct sdap_search_base **search_bases,
const char *filter_value,
int filter_type,
const char *extra_value,
@@ -1192,6 +1194,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
state->extra_value = extra_value;
state->domain = sdom->dom;
state->sysdb = sdom->dom->sysdb;
+ state->search_bases = search_bases;
if (state->domain->type == DOM_TYPE_APPLICATION || set_non_posix) {
state->non_posix = true;
@@ -1254,6 +1257,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
sdap_id_op_handle(state->op),
state->ctx,
state->conn,
+ state->search_bases,
state->filter_value,
state->filter_type,
state->extra_value,
@@ -1449,7 +1453,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
}
subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
- sdom, conn,
+ sdom, conn, NULL,
ar->filter_value,
ar->filter_type,
ar->extra_value,
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 5458d21f1..89245f41f 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -158,6 +158,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
struct sdap_id_conn_ctx *conn,
+ struct sdap_search_base **search_bases,
const char *name,
int filter_type,
const char *extra_value,
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 97be594a3..fb3d8fe24 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2732,6 +2732,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
struct sdap_id_conn_ctx *conn,
+ struct sdap_search_base **search_bases,
const char *filter_value,
int filter_type,
const char *extra_value,
@@ -2764,7 +2765,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->orig_user = NULL;
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
state->user_base_iter = 0;
- state->user_search_bases = sdom->user_search_bases;
+ state->user_search_bases = (search_bases == NULL) ? sdom->user_search_bases
+ : search_bases;
if (!state->user_search_bases) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Initgroups lookup request without a user search base\n");
--
2.41.0
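Review bot: In `ad_gpo_connect_done()` the new `struct sdap_search_base **search_bases;` is declared without an initializer, and the failure branch of `common_parse_search_base()` only logs before `search_bases` is handed to `groups_by_user_send()`. The fallback to `sdom->user_search_bases` added in `sdap_get_initgr_send()` triggers only when that pointer is NULL, so unless `common_parse_search_base()` is guaranteed to clear its output on every error path (not visible here) an indeterminate pointer reaches the search. Initialise it at the declaration, `struct sdap_search_base **search_bases = NULL;`, so the behaviour the log message promises ("trying with user search base") actually holds. `ad_gpo_connect_done()` starts and ends outside these hunks.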


@ -1,36 +0,0 @@
From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 1 Aug 2022 09:54:51 -0400
Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
is NULL for certain NSS request types (e.g. Service by Name).
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)
---
src/responder/nss/nss_get_object.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
index 9762d6bfe..5a2e7e9bd 100644
--- a/src/responder/nss/nss_get_object.c
+++ b/src/responder/nss/nss_get_object.c
@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx,
input_name);
}
- cache_req_data_set_hybrid_lookup(hybrid_data, true);
+ if (hybrid_data != NULL) {
+ cache_req_data_set_hybrid_lookup(hybrid_data, true);
+ }
return hybrid_data;
}
--
2.37.1


@ -0,0 +1,194 @@
From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 24 Jan 2024 14:21:12 +0100
Subject: [PATCH 3/3] sdap: add naming_context as new member of struct
sdap_domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The naming_context could be a more reliable source than basedn for the
actual base DN because basedn is set very early from the domain name
given in sssd.conf. Although it is recommended to use the fully
qualified DNS domain name here it is not required. As a result basedn
might not reflect the actual based DN of the LDAP server. Also pure LDAP
server (i.e. not AD or FreeIPA) might use different schemes to set the
base DN which will not be based on the DNS domain of the LDAP server.
Resolves: https://github.com/SSSD/sssd/issues/5708
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
---
src/providers/ad/ad_gpo.c | 6 ++++--
src/providers/ldap/sdap.c | 36 +++++++++++++-----------------------
src/providers/ldap/sdap.h | 11 +++++++++++
3 files changed, 28 insertions(+), 25 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index b0ee3e616..3d1ad39c7 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
goto done;
}
- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
- "AD_HOSTS", NULL, &search_bases);
+ ret = common_parse_search_base(state,
+ sdom->naming_context == NULL ? sdom->basedn
+ : sdom->naming_context,
+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to create dedicated search base for host lookups, "
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index f5637c5fb..956eba93a 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
struct sdap_domain *sdom)
{
int ret;
- char *naming_context = NULL;
- if (!sdom->search_bases
- || !sdom->user_search_bases
- || !sdom->group_search_bases
- || !sdom->netgroup_search_bases
- || !sdom->host_search_bases
- || !sdom->sudo_search_bases
- || !sdom->iphost_search_bases
- || !sdom->ipnetwork_search_bases
- || !sdom->autofs_search_bases) {
- naming_context = get_naming_context(opts->basic, rootdse);
- if (naming_context == NULL) {
+ if (!sdom->naming_context) {
+ sdom->naming_context = get_naming_context(sdom, rootdse);
+ if (sdom->naming_context == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
/* This has to be non-fatal, since some servers offer
@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->user_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_USER_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->group_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_GROUP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->netgroup_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_NETGROUP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->host_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_HOST_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->sudo_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SUDO_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->service_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SERVICE_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->autofs_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_AUTOFS_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->iphost_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_IPHOST_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->ipnetwork_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_IPNETWORK_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
if (ret != EOK) goto done;
}
ret = EOK;
done:
- talloc_free(naming_context);
return ret;
}
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 161bc5c26..103d50ed4 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -454,6 +454,17 @@ struct sdap_domain {
char *basedn;
+ /* The naming_context could be a more reliable source than basedn for the
+ * actual base DN because basedn is set very early from the domain name
+ * given in sssd.conf. Although it is recommended to use the fully
+ * qualified DNS domain name here it is not required. As a result basedn
+ * might not reflect the actual based DN of the LDAP server. Also pure
+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
+ * the base DN which will not be based on the DNS domain of the LDAP
+ * server. naming_context might be NULL even after connection to an LDAP
+ * server. */
+ char *naming_context;
+
struct sdap_search_base **search_bases;
struct sdap_search_base **user_search_bases;
struct sdap_search_base **group_search_bases;
--
2.41.0
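Review bot: `sdap_set_config_options_with_rootdse()` now fills `sdom->naming_context` only when it is NULL and never refreshes it, so the value read from the first server's rootDSE is reused for the lifetime of `sdom`; if this function runs again after failover to a server with a different namingContexts entry (whether it does is not visible here), the stale value would be used both for the derived search bases and for the GPO host search base in `ad_gpo_connect_done()`. A comment at the `if (!sdom->naming_context)` check stating that the value is intentionally cached across reconnects, or a refresh whenever a new `rootdse` is processed, would make the intent explicit. Separately, the new `sdap.h` comment says "actual based DN" where "actual base DN" is meant.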


@ -1,30 +0,0 @@
From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Thu, 14 Jul 2022 11:21:04 -0400
Subject: [PATCH] Analyzer: Fix escaping raw fstring
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19)
---
src/tools/analyzer/modules/request.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
index b8dd9b25c..935e13adc 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -243,8 +243,8 @@ class RequestAnalyzer:
be_results = False
component = source.Component.NSS
resp = "nss"
- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]']
- pattern.append(rf"\[CID#{cid}\\]")
+ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
+ pattern.append(rf"\[CID#{cid}\]")
if args.pam:
component = source.Component.PAM
--
2.37.1


@ -0,0 +1,233 @@
From 50077c3255177fe1b01837fbe31a7f8fd47dee74 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Jan 2024 13:08:17 +0100
Subject: [PATCH] pam: fix SC auth with multiple certs and missing login name
While introducing the local_auth_policy option a quite specific use-case
was not covered correctly. If there are multiple matching certificates
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
mode was used for login, i.e. there is no user name given and the user
has to be derived from the certificate used for login, authentication
failed. The main reason for the failure is that in this case the
Smartcard interaction and the user mapping has to be done first to
determine the user before local_auth_policy is evaluated. As a result
when checking if the authentication can be finished the request was in
an unexpected state because the indicator for local Smartcard
authentication was not enabled.
Resolves: https://github.com/SSSD/sssd/issues/7109
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Scott Poore <spoore@redhat.com>
(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3)
---
src/responder/pam/pamsrv.h | 10 ++++
src/responder/pam/pamsrv_cmd.c | 17 +++++--
src/tests/intg/Makefile.am | 2 +
src/tests/intg/test_pam_responder.py | 74 +++++++++++++++++++++++++++-
4 files changed, 96 insertions(+), 7 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 7013a8edd..618836189 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -93,7 +93,17 @@ struct pam_auth_req {
struct ldb_message *user_obj;
struct cert_auth_info *cert_list;
struct cert_auth_info *current_cert;
+ /* Switched to 'true' if the backend indicates that it cannot handle
+ * Smartcard authentication, but Smartcard authentication is
+ * possible and local Smartcard authentication is allowed. */
bool cert_auth_local;
+ /* Switched to 'true' if authentication (not pre-authentication) was
+ * started without a login name and the name had to be lookup up with the
+ * certificate used for authentication. Since reading the certificate from
+ * the Smartcard already involves the PIN validation in this case there
+ * would be no need for an additional Smartcard interaction if only local
+ * Smartcard authentication is possible. */
+ bool initial_cert_auth_successful;
bool passkey_data_exists;
uint32_t client_id_num;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c23ea7ba4..a7c181733 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -2200,8 +2200,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
ret = ENOENT;
goto done;
}
-
- if (cert_count > 1) {
+ /* Multiple certificates are only expected during pre-auth */
+ if (cert_count > 1 && preq->pd->cmd == SSS_PAM_PREAUTH) {
for (preq->current_cert = preq->cert_list;
preq->current_cert != NULL;
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
@@ -2285,7 +2285,9 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
}
/* If logon_name was not given during authentication add a
- * SSS_PAM_CERT_INFO message to send the name to the caller. */
+ * SSS_PAM_CERT_INFO message to send the name to the caller.
+ * Additionally initial_cert_auth_successful is set to
+ * indicate that the user is already authenticated. */
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
&& preq->pd->logon_name == NULL) {
ret = add_pam_cert_response(preq->pd,
@@ -2297,6 +2299,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
goto done;
}
+
+ preq->initial_cert_auth_successful = true;
}
/* cert_user will be returned to the PAM client as user name, so
@@ -2851,12 +2855,15 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
if (found) {
if (local_policy != NULL && strcasecmp(local_policy, "only") == 0) {
talloc_free(tmp_ctx);
- DEBUG(SSSDBG_IMPORTANT_INFO, "Local auth only set, skipping online auth\n");
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Local auth only set and matching certificate was found, "
+ "skipping online auth\n");
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
preq->pd->pam_status = PAM_SUCCESS;
} else if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
&& IS_SC_AUTHTOK(preq->pd->authtok)
- && preq->cert_auth_local) {
+ && (preq->cert_auth_local
+ || preq->initial_cert_auth_successful)) {
preq->pd->pam_status = PAM_SUCCESS;
preq->callback = pam_reply;
}
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 3866d3ca6..0cfd268dc 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -199,6 +199,7 @@ clean-local:
PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
+SOFTHSM2_TWO_CONF="$(abs_builddir)/../test_CA/softhsm2_two.conf"
intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains sss_netgroup_thread_test
pipepath="$(DESTDIR)$(pipepath)"; \
@@ -233,6 +234,7 @@ intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
ABS_SRCDIR=$(abs_srcdir) \
SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
+ SOFTHSM2_TWO_CONF=$(SOFTHSM2_TWO_CONF) \
KCM_RENEW=$(KCM_RENEW) \
FILES_PROVIDER=$(FILES_PROVIDER) \
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index 1fc3937e6..0fbf8065e 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -168,7 +168,7 @@ def format_pam_cert_auth_conf(config, provider):
{provider.p}
[certmap/auth_only/user1]
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
""").format(**locals())
@@ -201,7 +201,7 @@ def format_pam_cert_auth_conf_name_format(config, provider):
{provider.p}
[certmap/auth_only/user1]
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
""").format(**locals())
@@ -380,6 +380,28 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
return None
+@pytest.fixture
+def simple_pam_cert_auth_two_certs(request, passwd_ops_setup):
+ """Setup SSSD with pam_cert_auth=True"""
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
+ softhsm2_two_conf = os.environ['SOFTHSM2_TWO_CONF']
+ os.environ['SOFTHSM2_CONF'] = softhsm2_two_conf
+
+ conf = format_pam_cert_auth_conf(config, provider_switch(request.param))
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
+
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+ sync_files_provider(USER2['name'])
+
+ return None
+
+
@pytest.fixture
def simple_pam_cert_auth_name_format(request, passwd_ops_setup):
"""Setup SSSD with pam_cert_auth=True and full_name_format"""
@@ -522,6 +544,54 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
assert err.find("pam_authenticate for user [user1]: Success") != -1
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
+def test_sc_auth_two(simple_pam_cert_auth_two_certs, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth", "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="2\n123456")
+ except Exception:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
+def test_sc_auth_two_missing_name(simple_pam_cert_auth_two_certs, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "",
+ "--action=auth", "--service=pam_sss_allow_missing_name"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="2\n123456")
+ except Exception:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
@pytest.mark.parametrize('simple_pam_cert_auth', ['proxy_password'], indirect=True)
def test_sc_proxy_password_fallback(simple_pam_cert_auth, env_for_sssctl):
"""
--
2.41.0


@ -1,34 +0,0 @@
From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 16 Aug 2022 21:48:43 +0200
Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f)
---
src/sss_client/nss_mc.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
index de1496ccc..0f88521e9 100644
--- a/src/sss_client/nss_mc.h
+++ b/src/sss_client/nss_mc.h
@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx {
};
#if HAVE_PTHREAD
-#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#else
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#endif
errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
--
2.37.1


@ -0,0 +1,218 @@
From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 8 Nov 2023 14:50:24 +0100
Subject: [PATCH] ad-gpo: use hash to store intermediate results
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision of access is granted or rejected.
If there are two or more access-control request running in parallel one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will do this decision based on intermediate data.
To avoid this the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
---
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
1 file changed, 102 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 3d1ad39c7..b879b0a08 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
return ret;
}
+static errno_t
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
+{
+ int hret;
+ hash_key_t k;
+ hash_value_t v;
+
+ if (hash == NULL || key == NULL || value == NULL) {
+ return EINVAL;
+ }
+
+ k.type = HASH_KEY_CONST_STRING;
+ k.c_str = key;
+
+ v.type = HASH_VALUE_PTR;
+ v.ptr = value;
+
+ hret = hash_enter(hash, &k, &v);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
+ key, value, hash_error_string(hret));
+ return EIO;
+ }
+
+ return EOK;
+}
+
/*
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
* and stores the allow_key and deny_key of all of the gpo_map_types present
@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
*/
static errno_t
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
const char *filename)
{
struct ini_cfgfile *file_ctx = NULL;
@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = allow_value ? allow_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- allow_key,
- value);
+ ret = add_result_to_hash(allow_maps, allow_key,
+ talloc_strdup(allow_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to allow maps "
+ "[%d][%s].\n",
+ allow_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = deny_value ? deny_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- deny_key,
- value);
+ ret = add_result_to_hash(deny_maps, deny_key,
+ talloc_strdup(deny_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to deny maps "
+ "[%d][%s].\n",
+ deny_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state {
int num_cse_filtered_gpos;
int cse_gpo_index;
const char *ad_domain;
+ hash_table_t *allow_maps;
+ hash_table_t *deny_maps;
};
static void ad_gpo_connect_done(struct tevent_req *subreq);
@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
+ ret = sss_hash_create(state, 0, &state->allow_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ ret = sss_hash_create(state, 0, &state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (subreq == NULL) {
@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req)
return EAGAIN;
}
+static errno_t
+store_hash_maps_in_cache(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
+{
+ int ret;
+ struct hash_iter_context_t *iter;
+ hash_entry_t *entry;
+ size_t c;
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
+
+
+ for (c = 0; hash_list[c] != NULL; c++) {
+ iter = new_hash_iter_context(hash_list[c]);
+ if (iter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
+ return EINVAL;
+ }
+
+ while ((entry = iter->next(iter)) != NULL) {
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
+ entry->key.c_str,
+ entry->value.ptr);
+ if (ret != EOK) {
+ free(iter);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+ talloc_free(iter);
+ }
+
+ return EOK;
+}
+
/*
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
* cse_gpo_index until the policy settings for all applicable GPOs have been
@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
* (as part of the GPO Result object in the sysdb cache).
*/
ret = ad_gpo_store_policy_settings(state->host_domain,
+ state->allow_maps, state->deny_maps,
cse_filtered_gpo->policy_filename);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
if (ret == EOK) {
/* ret is EOK only after all GPO policy files have been downloaded */
+ ret = store_hash_maps_in_cache(state->host_domain,
+ state->allow_maps, state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
+ "[%d][%s].\n", ret, sss_strerror(ret));
+ goto done;
+ }
ret = ad_gpo_perform_hbac_processing(state,
state->gpo_mode,
state->gpo_map_type,
--
2.44.0
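Review bot: `store_hash_maps_in_cache()` releases the iterator with `free(iter)` on the error path after a failed `sysdb_gpo_store_gpo_result_setting()` but with `talloc_free(iter)` after the loop, so the same pointer goes through two different deallocators depending on the path. Both tables are created with `sss_hash_create()` earlier in this patch, which as far as I recall installs talloc-backed allocators, so `new_hash_iter_context()` hands back talloc memory and the plain `free()` is the wrong one; change the error path to `talloc_free(iter);`. Separately, the comment kept above the `ad_gpo_store_policy_settings()` call in `ad_gpo_cse_done()` still says the settings are stored as part of the GPO Result object in the sysdb cache, which is no longer what that call does; reword it to `/* collected into state->allow_maps/deny_maps; written to the sysdb GPO Result object only after all GPOs were processed */`. `ad_gpo_cse_done()` starts and ends outside the visible hunks.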


@ -1,78 +0,0 @@
From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 16 Aug 2022 21:51:03 +0200
Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be
touched
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
was creating a possibility for a race.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757)
---
src/sss_client/nss_mc.h | 4 +++-
src/sss_client/nss_mc_common.c | 20 ++++++++++----------
2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
index 0f88521e9..9ab2736fa 100644
--- a/src/sss_client/nss_mc.h
+++ b/src/sss_client/nss_mc.h
@@ -44,7 +44,9 @@ enum sss_mc_state {
RECYCLED,
};
-/* common stuff */
+/* In the case this structure is extended, don't forget to update
+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`.
+ */
struct sss_cli_mc_ctx {
enum sss_mc_state initialized;
#if HAVE_PTHREAD
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index f38a4a85a..3128861bf 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
{
- uint32_t active_threads = ctx->active_threads;
-#if HAVE_PTHREAD
- pthread_mutex_t *mutex = ctx->mutex;
-#endif
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
munmap(ctx->mmap_base, ctx->mmap_size);
}
+ ctx->mmap_base = NULL;
+ ctx->mmap_size = 0;
+
if (ctx->fd != -1) {
close(ctx->fd);
}
- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
ctx->fd = -1;
- /* restore count of active threads */
- ctx->active_threads = active_threads;
-#if HAVE_PTHREAD
- ctx->mutex = mutex;
-#endif
+ ctx->seed = 0;
+ ctx->data_table = NULL;
+ ctx->dt_size = 0;
+ ctx->hash_table = NULL;
+ ctx->ht_size = 0;
+ ctx->initialized = UNINITIALIZED;
+ /* `mutex` and `active_threads` should be left intact */
}
static errno_t sss_nss_mc_init_ctx(const char *name,
--
2.37.1


@ -0,0 +1,81 @@
From db27a51f274640e1aa2f13476c80955a3ec9e91c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Mar 2024 10:50:07 +0100
Subject: [PATCH] ad: refresh root domain when read directly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the domain object of the forest root domain cannot be found in the
LDAP tree of the local AD domain SSSD tries to read the request data
from an LDAP server of the forest root domain directly. After reading
this data the information is stored in the cache but currently the
information about the domain store in memory is not updated with the
additional data. As a result e.g. the domain SID is missing in this data
and only becomes available after a restart where it is read from the
cache.
With this patch an unconditional refresh is triggered at the end of the
fallback code path.
Resolves: https://github.com/SSSD/sssd/issues/7250
Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53)
---
src/providers/ad/ad_subdomains.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index a8d1892cc..d8f3738ce 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state {
static void ad_get_root_domain_done(struct tevent_req *subreq);
static void ad_check_root_domain_done(struct tevent_req *subreq);
static errno_t
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
struct tevent_req *
ad_check_domain_send(TALLOC_CTX *mem_ctx,
@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
return;
}
- ret = ad_get_root_domain_refresh(state);
+ ret = ad_get_root_domain_refresh(state, false);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
}
@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
state->reply_count = 1;
- ret = ad_get_root_domain_refresh(state);
+ ret = ad_get_root_domain_refresh(state, true);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
}
@@ -1697,7 +1697,7 @@ done:
}
static errno_t
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
{
struct sss_domain_info *root_domain;
bool has_changes;
@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
goto done;
}
- if (has_changes) {
+ if (has_changes || refresh) {
ret = ad_subdom_reinit(state->sd_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
--
2.45.0
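Review bot: The new `refresh` parameter of `ad_get_root_domain_refresh()` is undocumented, and because the function is itself named "refresh" the flag's meaning (force `ad_subdom_reinit()` even when `has_changes` is false) is not obvious at the call sites `ad_get_root_domain_refresh(state, false)` and `ad_get_root_domain_refresh(state, true)`. A comment above the definition would help, e.g. `/* refresh: force ad_subdom_reinit() even if no changes were detected, so data read directly from a forest-root DC in ad_check_root_domain_done() replaces the in-memory domain */`; alternatively rename the parameter to `force_reinit`. The body of `ad_get_root_domain_refresh()` continues outside the hunk.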


@ -1,33 +0,0 @@
From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 15 Aug 2022 16:17:59 -0400
Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup
Fixes an issue when the sssctl analyzer option is
used on systems where SSSD is not running or configured. This is
an expected use case when using --logdir option to analyze external
log files.
Resolves: https://github.com/SSSD/sssd/issues/6298
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tools/sssctl/sssctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index 3816125ad..f18689f9f 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze),
+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
#ifdef HAVE_LIBINI_CONFIG_V1_3
SSS_TOOL_DELIMITER("Configuration files tools:"),
SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
--
2.37.1


@ -1,297 +0,0 @@
From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 19 Aug 2022 09:50:22 -0400
Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Client ID is not stored properly to match requests
when parallel requests are made to client SSSD
Resolves: https://github.com/SSSD/sssd/issues/6307
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 5 +++--
.../plugins/cache_req_autofs_entry_by_name.c | 3 ++-
.../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++-
.../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++-
.../plugins/cache_req_ssh_host_id_by_name.c | 3 ++-
src/responder/common/responder.h | 2 +-
src/responder/common/responder_common.c | 12 +++++++-----
src/responder/common/responder_dp.c | 5 +++--
src/responder/common/responder_get_domains.c | 3 ++-
src/responder/pam/pamsrv_cmd.c | 4 ++--
10 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 4dd45b038..bc65bae71 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -24,6 +24,7 @@
#include <errno.h>
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "responder/common/responder.h"
#include "responder/common/cache_req/cache_req_private.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
}
state->first_iteration = true;
- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n",
- rctx->client_id_num, cr->reqname);
+ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n",
+ sss_chain_id_get(), cr->reqname);
ret = cache_req_is_well_known_object(state, cr, &result);
if (ret == EOK) {
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index 788b6708c..b2b0a06eb 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -24,6 +24,7 @@
#include "db/sysdb.h"
#include "db/sysdb_autofs.h"
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "providers/data_provider.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
be_conn->bus_name, SSS_BUS_PATH,
0, data->name.name,
data->autofs_entry_name,
- cr->rctx->client_id_num);
+ sss_chain_id_get());
}
bool
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 5d82641cc..23b11b1cd 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -24,6 +24,7 @@
#include "db/sysdb.h"
#include "db/sysdb_autofs.h"
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "providers/data_provider.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
0, data->name.name,
- cr->rctx->client_id_num);
+ sss_chain_id_get());
}
bool
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index 29f289723..18c08ca39 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -24,6 +24,7 @@
#include "db/sysdb.h"
#include "db/sysdb_autofs.h"
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "providers/data_provider.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
0, data->name.name,
- cr->rctx->client_id_num);
+ sss_chain_id_get());
}
bool
diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
index a8b8f47a8..29f52f10d 100644
--- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
@@ -23,6 +23,7 @@
#include "db/sysdb_ssh.h"
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "providers/data_provider.h"
#include "responder/common/cache_req/cache_req_plugin.h"
@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH,
0, data->name.name, data->alias,
- cr->rctx->client_id_num);
+ sss_chain_id_get());
}
static bool
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 5cb79e3e6..259b3ff13 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -165,13 +165,13 @@ struct cli_ctx {
struct cli_creds *creds;
char *cmd_line;
- uint64_t old_chain_id;
void *protocol_ctx;
void *state_ctx;
struct tevent_timer *idle;
time_t last_request_time;
+ uint32_t client_id_num;
};
struct sss_cmd_table {
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 6e3b61ef0..a4ba8ea71 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev,
"Failed to close fd [%d]: [%s]\n",
ctx->cfd, strerror(ret));
}
- /* Restore the original chain id */
- sss_chain_id_set(ctx->old_chain_id);
DEBUG(SSSDBG_TRACE_INTERNAL,
"Terminated client [%p][%d]\n",
@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev,
int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd;
rctx->client_id_num++;
-
if (accept_ctx->is_private) {
ret = stat(rctx->priv_sock_name, &stat_buf);
if (ret == -1) {
@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev,
talloc_set_destructor(cctx, cli_ctx_destructor);
+ cctx->client_id_num = rctx->client_id_num;
+
len = sizeof(cctx->addr);
cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
if (cctx->cfd == -1) {
@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev,
DEBUG(SSSDBG_TRACE_FUNC,
"[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n",
- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
+ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
cctx, cctx->cfd, accept_ctx->is_private ? " to privileged pipe" : "");
return;
@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr,
uint16_t flags)
{
errno_t ret;
+ uint64_t old_chain_id;
struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx);
/* Always reset the responder idle timer on any activity */
@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr,
}
/* Set the chain id */
- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num);
+ old_chain_id = sss_chain_id_set(cctx->client_id_num);
if (flags & TEVENT_FD_READ) {
recv_fn(cctx);
@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr,
send_fn(cctx);
return;
}
+ /* Restore the original chain id */
+ sss_chain_id_set(old_chain_id);
}
int sss_connection_setup(struct cli_ctx *cctx)
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index d549e02d3..4b4770da1 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -23,6 +23,7 @@
#include <sys/time.h>
#include <time.h>
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "responder/common/responder_packet.h"
#include "responder/common/responder.h"
#include "providers/data_provider.h"
@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn,
be_conn->bus_name, SSS_BUS_PATH, dp_flags,
entry_type, filter, dom->name, extra,
- rctx->client_id_num);
+ sss_chain_id_get());
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
ret = ENOMEM;
@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx,
SSS_BUS_PATH,
dp_flags, entry_type,
filter_type, filter_value,
- rctx->client_id_num);
+ sss_chain_id_get());
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
ret = ENOMEM;
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
index 918124756..aeff28d73 100644
--- a/src/responder/common/responder_get_domains.c
+++ b/src/responder/common/responder_get_domains.c
@@ -19,6 +19,7 @@
*/
#include "util/util.h"
+#include "util/sss_chain_id.h"
#include "responder/common/responder.h"
#include "providers/data_provider.h"
#include "db/sysdb.h"
@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx,
be_conn->bus_name,
SSS_BUS_PATH, dp_flags,
entry_type, filter,
- rctx->client_id_num);
+ sss_chain_id_get());
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
ret = ENOMEM;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index cb0e1b82f..1695554fc 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
preq->cctx = cctx;
preq->cert_auth_local = false;
- preq->client_id_num = pctx->rctx->client_id_num;
+ preq->client_id_num = cctx->client_id_num;
preq->pd = create_pam_data(preq);
if (!preq->pd) {
@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
pd->cmd = pam_cmd;
pd->priv = cctx->priv;
- pd->client_id_num = pctx->rctx->client_id_num;
+ pd->client_id_num = cctx->client_id_num;
ret = pam_forwarder_parse_data(cctx, pd);
if (ret == EAGAIN) {
--
2.37.1


@ -1,185 +0,0 @@
From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 19 Aug 2022 14:44:11 -0400
Subject: [PATCH 9/9] Analyzer: support parallel requests parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Analyzer code(primarily the list verbose command) needs
changes to handle parsing the necessary lines from
NSS/PAM log files when multiple intermixed/parallel
client requests are sent to SSSD.
Resolves: https://github.com/SSSD/sssd/issues/6307
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/tools/analyzer/modules/request.py | 119 +++++++++++++++-----------
1 file changed, 67 insertions(+), 52 deletions(-)
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
index 935e13adc..b9fe3caf8 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -16,7 +16,6 @@ class RequestAnalyzer:
"""
module_parser = None
consumed_logs = []
- done = ""
list_opts = [
Option('--verbose', 'Verbose output', bool, '-v'),
Option('--pam', 'Filter only PAM requests', bool),
@@ -149,58 +148,74 @@ class RequestAnalyzer:
print(line)
return found_results
- def print_formatted(self, line, verbose):
+ def print_formatted_verbose(self, source, patterns):
+ """
+ Parse line and print formatted verbose list_requests output
+
+ Args:
+ source (Reader): source Reader object
+ patterns (list): List of regex patterns to use for
+ matching lines
+ """
+ # Get CID number, and print the basic line first
+ for line in self.matched_line(source, patterns):
+ cid = self.print_formatted(line)
+
+ # Loop through each line with this CID number to extract and
+ # print the verbose data needed
+ verbose_patterns = ["(cache_req_send|cache_req_process_input|"
+ "cache_req_search_send)"]
+ for cidline in self.matched_line(source, verbose_patterns):
+ plugin = ""
+ name = ""
+ id = ""
+
+ # skip any lines not pertaining to this CID
+ if f"CID#{cid}]" not in cidline:
+ continue
+ if "refreshed" in cidline:
+ continue
+ # CR Plugin name
+ if re.search("cache_req_send", cidline):
+ plugin = cidline.split('\'')[1]
+ # CR Input name
+ elif re.search("cache_req_process_input", cidline):
+ name = cidline.rsplit('[')[-1]
+ # CR Input id
+ elif re.search("cache_req_search_send", cidline):
+ id = cidline.rsplit()[-1]
+
+ if plugin:
+ print(" - " + plugin)
+ if name:
+ print(" - " + name[:-2])
+ if (id and ("UID" in cidline or "GID" in cidline)):
+ print(" - " + id)
+
+ def print_formatted(self, line):
"""
Parse line and print formatted list_requests output
Args:
line (str): line to parse
- verbose (bool): If true, enable verbose output
+ Returns:
+ Client ID from printed line, 0 otherwise
"""
- plugin = ""
- name = ""
- id = ""
-
# exclude backtrace logs
if line.startswith(' * '):
- return
- fields = line.split("[")
- cr_field = fields[3][7:]
- cr = cr_field.split(":")[0][4:]
+ return 0
if "refreshed" in line:
- return
- # CR Plugin name
- if re.search("cache_req_send", line):
- plugin = line.split('\'')[1]
- # CR Input name
- elif re.search("cache_req_process_input", line):
- name = line.rsplit('[')[-1]
- # CR Input id
- elif re.search("cache_req_search_send", line):
- id = line.rsplit()[-1]
- # CID and client process name
- else:
- ts = line.split(")")[0]
- ts = ts[1:]
- fields = line.split("[")
- cid = fields[3][4:-9]
- cmd = fields[4][4:-1]
- uid = fields[5][4:-1]
- if not uid.isnumeric():
- uid = fields[6][4:-1]
- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
-
- if verbose:
- if plugin:
- print(" - " + plugin)
- if name:
- if cr not in self.done:
- print(" - " + name[:-2])
- self.done = cr
- if id:
- if cr not in self.done:
- print(" - " + id)
- self.done = cr
+ return 0
+ ts = line.split(")")[0]
+ ts = ts[1:]
+ fields = line.split("[")
+ cid = fields[3][4:-9]
+ cmd = fields[4][4:-1]
+ uid = fields[5][4:-1]
+ if not uid.isnumeric():
+ uid = fields[6][4:-1]
+ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
+ return cid
def list_requests(self, args):
"""
@@ -215,20 +230,20 @@ class RequestAnalyzer:
# Log messages matching the following regex patterns contain
# the useful info we need to produce list output
patterns = [r'\[cmd']
- patterns.append("(cache_req_send|cache_req_process_input|"
- "cache_req_search_send)")
if args.pam:
component = source.Component.PAM
resp = "pam"
logger.info(f"******** Listing {resp} client requests ********")
source.set_component(component, False)
- self.done = ""
- for line in self.matched_line(source, patterns):
- if isinstance(source, Journald):
- print(line)
- else:
- self.print_formatted(line, args.verbose)
+ if args.verbose:
+ self.print_formatted_verbose(source, patterns)
+ else:
+ for line in self.matched_line(source, patterns):
+ if isinstance(source, Journald):
+ print(line)
+ else:
+ self.print_formatted(line)
def track_request(self, args):
"""
--
2.37.1


@ -1,295 +0,0 @@
From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 25 Aug 2022 18:10:46 +0200
Subject: [PATCH] CLIENT: fix client fd leak
- close client socket at thread exit
- only build lock-free client support if libc has required
functionality for a proper cleanup
- use proper mechanisms to init lock_mode only once
:relnote:Lock-free client support will be only built if libc
provides `pthread_key_create()` and `pthread_once()`. For glibc
this means version 2.34+
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb)
---
configure.ac | 29 +++++++++--
src/man/Makefile.am | 5 +-
src/man/sssd.8.xml | 2 +-
src/sss_client/common.c | 83 +++++++++++++++++++-------------
src/sss_client/idmap/common_ex.c | 4 ++
5 files changed, 84 insertions(+), 39 deletions(-)
diff --git a/configure.ac b/configure.ac
index 93bd93b85..5a05de41e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
m4_include([src/build_macros.m4])
BUILD_WITH_SHARED_BUILD_DIR
-AC_COMPILE_IFELSE(
+
+SAVE_LIBS=$LIBS
+LIBS=
+AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[#include <pthread.h>]],
[[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
- (void) m; /* unused */
+ pthread_mutex_lock(&m);
+ pthread_mutex_unlock(&m);
]])],
[AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.])
HAVE_PTHREAD=1
],
- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])])
+ [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])])
+LIBS=$SAVE_LIBS
+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
-AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
+SAVE_LIBS=$LIBS
+LIBS=
+AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[#include <pthread.h>]],
+ [[static pthread_key_t k;
+ static pthread_once_t f = PTHREAD_ONCE_INIT;
+ pthread_once(&f, NULL);
+ pthread_key_create(&k, NULL);
+ ]])],
+ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.])
+ HAVE_PTHREAD_EXT=1
+ ],
+ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])])
+LIBS=$SAVE_LIBS
+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"])
+
# Check library for the timer_create function
SAVE_LIBS=$LIBS
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 93dd14819..063ff1bf0 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -46,9 +46,12 @@ endif
if BUILD_KCM_RENEWAL
KCM_RENEWAL_CONDS = ;enable_kcm_renewal
endif
+if BUILD_LOCKFREE_CLIENT
+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support
+endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)
#Special Rules:
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
index df07b7f29..5f507c631 100644
--- a/src/man/sssd.8.xml
+++ b/src/man/sssd.8.xml
@@ -240,7 +240,7 @@
If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
client applications will not use the fast in-memory cache.
</para>
- <para>
+ <para condition="enable_lockfree_support">
If the environment variable SSS_LOCKFREE is set to "NO", requests
from multiple threads of a single application will be serialized.
</para>
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 29c751a50..d762dff49 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -35,7 +35,6 @@
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
-#include <stdatomic.h>
#include <string.h>
#include <fcntl.h>
#include <poll.h>
@@ -62,8 +61,15 @@
/* common functions */
+#ifdef HAVE_PTHREAD_EXT
+static pthread_key_t sss_sd_key;
+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
+#else
+static int sss_cli_sd = -1; /* the sss client socket descriptor */
+static struct stat sss_cli_sb; /* the sss client stat buffer */
+#endif
#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
__attribute__((destructor))
@@ -76,6 +82,18 @@ void sss_cli_close_socket(void)
}
}
+#ifdef HAVE_PTHREAD_EXT
+static void sss_at_thread_exit(void *v)
+{
+ sss_cli_close_socket();
+}
+
+static void init_sd_key(void)
+{
+ pthread_key_create(&sss_sd_key, sss_at_thread_exit);
+}
+#endif
+
/* Requests:
*
* byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
return -1;
}
+#ifdef HAVE_PTHREAD_EXT
+ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
+
+ /* It actually doesn't matter what value to set for a key.
+ * The only important thing: key must be non-NULL to ensure
+ * destructor is executed at thread exit.
+ */
+ pthread_setspecific(sss_sd_key, &sss_cli_sd);
+#endif
+
/* set as non-blocking, close on exec, and make sure standard
* descriptors are not used */
sd = make_safe_fd(sd);
@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len)
}
#if HAVE_PTHREAD
-bool sss_is_lockfree_mode(void)
+
+#ifdef HAVE_PTHREAD_EXT
+static bool sss_lock_free = true;
+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT;
+
+static void init_lock_mode(void)
{
- const char *env = NULL;
- enum {
- MODE_UNDEF,
- MODE_LOCKING,
- MODE_LOCKFREE
- };
- static atomic_int mode = MODE_UNDEF;
-
- if (mode == MODE_UNDEF) {
- env = getenv("SSS_LOCKFREE");
- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
- mode = MODE_LOCKING;
- } else {
- mode = MODE_LOCKFREE;
- }
+ const char *env = getenv("SSS_LOCKFREE");
+
+ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
+ sss_lock_free = false;
}
+}
- return (mode == MODE_LOCKFREE);
+bool sss_is_lockfree_mode(void)
+{
+ pthread_once(&sss_lock_mode_initialized, init_lock_mode);
+ return sss_lock_free;
}
+#endif
struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
-
static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
-
-static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
-
static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
static void sss_mt_lock(struct sss_mutex *m)
{
+#ifdef HAVE_PTHREAD_EXT
if (sss_is_lockfree_mode()) {
return;
}
+#endif
pthread_mutex_lock(&m->mtx);
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m)
static void sss_mt_unlock(struct sss_mutex *m)
{
+#ifdef HAVE_PTHREAD_EXT
if (sss_is_lockfree_mode()) {
return;
}
+#endif
pthread_setcancelstate(m->old_cancel_state, NULL);
pthread_mutex_unlock(&m->mtx);
@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void)
sss_mt_unlock(&sss_nss_mtx);
}
-/* NSS mutex wrappers */
+/* PAM mutex wrappers */
void sss_pam_lock(void)
{
sss_mt_lock(&sss_pam_mtx);
@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void)
sss_mt_unlock(&sss_pam_mtx);
}
-/* NSS mutex wrappers */
-void sss_nss_mc_lock(void)
-{
- sss_mt_lock(&sss_nss_mc_mtx);
-}
-void sss_nss_mc_unlock(void)
-{
- sss_mt_unlock(&sss_nss_mc_mtx);
-}
-
/* PAC mutex wrappers */
void sss_pac_lock(void)
{
diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c
index 4f454cd63..8c4894fd9 100644
--- a/src/sss_client/idmap/common_ex.c
+++ b/src/sss_client/idmap/common_ex.c
@@ -28,7 +28,9 @@
#include "common_private.h"
extern struct sss_mutex sss_nss_mtx;
+#ifdef HAVE_PTHREAD_EXT
bool sss_is_lockfree_mode(void);
+#endif
#define SEC_FROM_MSEC(ms) ((ms) / 1000)
#define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime)
{
int ret;
+#ifdef HAVE_PTHREAD_EXT
if (sss_is_lockfree_mode()) {
return 0;
}
+#endif
ret = pthread_mutex_timedlock(&m->mtx, endtime);
if (ret != 0) {
--
2.37.1


@ -1,124 +0,0 @@
From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 20 Sep 2022 15:37:01 +0200
Subject: [PATCH] krb5: respect krb5_validate for PAC checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The first step of checking the PAC is the same as during the Kerberos
ticket validation, requesting a service ticket for a service principal
from the local keytab. By default ticket validation is enable for the
IPA and AD provider where checking the PAC might become important. If
ticket validation is disabled manually it is most probably because there
are issues requesting the service ticket and fixing those is currently
not possible.
Currently when SSSD is configured to check the PAC it ignores the
krb5_validate setting and tries to request a service ticket which would
fail in the case ticket validation is disabled for a reason. To not
cause regressions with this patch SSSD will skip the PAC checks if
ticket validation is disabled.
Resolves: https://github.com/SSSD/sssd/issues/6355
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc)
---
src/man/include/krb5_options.xml | 11 ++++++++++-
src/man/sssd.conf.5.xml | 13 ++++++++++---
src/providers/krb5/krb5_child.c | 9 ++++-----
src/providers/krb5/krb5_init_shared.c | 10 ++++++++++
4 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml
index c3292d1bb..d82be7bfa 100644
--- a/src/man/include/krb5_options.xml
+++ b/src/man/include/krb5_options.xml
@@ -26,7 +26,16 @@
keytab entry as the last entry or the only entry in the keytab file.
</para>
<para>
- Default: false
+ Default: false (IPA and AD provider: true)
+ </para>
+ <para>
+ Please note that the ticket validation is the first step when
+ checking the PAC (see 'pac_check' in the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for details). If ticket
+ validation is disabled the PAC checks will be skipped as well.
</para>
</listitem>
</varlistentry>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 615b41550..7a9920815 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
<para>
Apply additional checks on the PAC of the Kerberos
ticket which is available in Active Directory and
- FreeIPA domains, if configured. The following
- options can be used alone or in a comma-separated
- list:
+ FreeIPA domains, if configured. Please note that
+ Kerberos ticket validation must be enabled to be
+ able to check the PAC, i.e. the krb5_validate option
+ must be set to 'True' which is the default for the
+ IPA and AD provider. If krb5_validate is set to
+ 'False' the PAC checks will be skipped.
+ </para>
+ <para>
+ The following options can be used alone or in a
+ comma-separated list:
<variablelist>
<varlistentry>
<term>no_check</term>
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 0a592da00..8727b4202 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[])
goto done;
}
- /* To be able to read the PAC we have to request a service ticket where we
- * have a key to decrypt it, this is the same step we use for validating
- * the ticket. */
- if (cli_opts.check_pac_flags != 0) {
- kr->validate = true;
+ if (cli_opts.check_pac_flags != 0 && !kr->validate) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "PAC check is requested but krb5_validate is set to false. "
+ "PAC checks will be skipped.\n");
}
kerr = privileged_krb5_setup(kr, offline);
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
index ee48f459b..3e6ebe2ed 100644
--- a/src/providers/krb5/krb5_init_shared.c
+++ b/src/providers/krb5/krb5_init_shared.c
@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
goto done;
}
+ if (krb5_auth_ctx->check_pac_flags != 0
+ && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "PAC check is requested but krb5_validate is set to false. "
+ "PAC checks will be skipped.\n");
+ sss_log(SSS_LOG_WARNING,
+ "PAC check is requested but krb5_validate is set to false. "
+ "PAC checks will be skipped.");
+ }
+
ret = parse_krb5_map_user(krb5_auth_ctx,
dp_opt_get_cstring(krb5_auth_ctx->opts,
KRB5_MAP_USER),
--
2.37.3


@ -1,141 +0,0 @@
From 70e254653edb21923d7565c80704e1ce6865d991 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Wed, 12 Oct 2022 08:48:45 -0400
Subject: [PATCH] Analyzer: Optimize list verbose output
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Modify the analyzer to parse the responder log file in one pass. This
avoids repeated parsing of a single log file. This operation will now
store log lines in a dictionary on a single pass then format and print
the output accordingly. Does not affect 'list' or 'show' output.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/tools/analyzer/modules/request.py | 71 ++++++++++++++++++---------
1 file changed, 48 insertions(+), 23 deletions(-)
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
index b9fe3caf8..15c8e6bfb 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -148,36 +148,57 @@ class RequestAnalyzer:
print(line)
return found_results
- def print_formatted_verbose(self, source, patterns):
+ def print_formatted_verbose(self, source):
"""
- Parse line and print formatted verbose list_requests output
+ Parse log file and print formatted verbose list_requests output
Args:
source (Reader): source Reader object
- patterns (list): List of regex patterns to use for
- matching lines
"""
- # Get CID number, and print the basic line first
- for line in self.matched_line(source, patterns):
- cid = self.print_formatted(line)
-
- # Loop through each line with this CID number to extract and
- # print the verbose data needed
- verbose_patterns = ["(cache_req_send|cache_req_process_input|"
- "cache_req_search_send)"]
- for cidline in self.matched_line(source, verbose_patterns):
+ data = {}
+ # collect cid log lines from single run through of parsing the log
+ # into dictionary # (cid, ts) -> logline_output
+ for line in source:
+ if "CID#" not in line:
+ continue
+
+ # parse CID and ts from line, key is a tuple of (cid,ts)
+ fields = line.split("[")
+ # timestamp to the minute, cut off seconds, ms
+ ts = fields[0][:17]
+ result = re.search('CID#[0-9]*', fields[3])
+ cid = result.group(0)
+
+ # if mapping exists, append line to output. Otherwise create new mapping
+ if (cid, ts) in data.keys():
+ data[(cid, ts)] += line
+ else:
+ data[(cid, ts)] = line
+
+ # pretty print the data
+ for k, v in data.items():
+ cr_done = []
+ id_done = []
+ for cidline in v.splitlines():
plugin = ""
name = ""
id = ""
- # skip any lines not pertaining to this CID
- if f"CID#{cid}]" not in cidline:
- continue
- if "refreshed" in cidline:
- continue
+ # CR number
+ fields = cidline.split("[")
+ cr_field = fields[3][7:]
+ cr = cr_field.split(":")[0][4:]
+ # Client connected, top-level info line
+ if re.search(r'\[cmd', cidline):
+ self.print_formatted(cidline)
# CR Plugin name
if re.search("cache_req_send", cidline):
plugin = cidline.split('\'')[1]
+ id_done.clear()
+ # Extract CR number
+ fields = cidline.split("[")
+ cr_field = fields[3][7:]
+ cr = cr_field.split(":")[0][4:]
# CR Input name
elif re.search("cache_req_process_input", cidline):
name = cidline.rsplit('[')[-1]
@@ -188,9 +209,14 @@ class RequestAnalyzer:
if plugin:
print(" - " + plugin)
if name:
- print(" - " + name[:-2])
+ # Avoid duplicate output with the same CR #
+ if cr not in cr_done:
+ print(" - " + name[:-1])
+ cr_done.append(cr)
if (id and ("UID" in cidline or "GID" in cidline)):
- print(" - " + id)
+ if id not in id_done:
+ print(" - " + id)
+ id_done.append(id)
def print_formatted(self, line):
"""
@@ -237,7 +263,7 @@ class RequestAnalyzer:
logger.info(f"******** Listing {resp} client requests ********")
source.set_component(component, False)
if args.verbose:
- self.print_formatted_verbose(source, patterns)
+ self.print_formatted_verbose(source)
else:
for line in self.matched_line(source, patterns):
if isinstance(source, Journald):
@@ -258,8 +284,7 @@ class RequestAnalyzer:
be_results = False
component = source.Component.NSS
resp = "nss"
- pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
- pattern.append(rf"\[CID#{cid}\]")
+ pattern = [rf"\[CID#{cid}\]"]
if args.pam:
component = source.Component.PAM
--
2.37.3


@ -1,43 +0,0 @@
From 89ea4a5feaf30f80a79ca3ba8166f304cc414e07 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Tue, 15 Nov 2022 12:47:51 -0500
Subject: [PATCH] Analyzer: Ensure parsed id contains digit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In analyzer list verbose output, we parse the last field of cache_req_search_send() lines.
Certain log messages need to be filtered out by ensuring the parsed field is
a digit, such as the last line below.
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@domain-zflo.com
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119@domain-zflo.com] from cache
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit bfa8d50c479cf8ef7b299eb5848309a3a9ea7f12)
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/tools/analyzer/modules/request.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
index 15c8e6bfb..bf279ea75 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -214,7 +214,7 @@ class RequestAnalyzer:
print(" - " + name[:-1])
cr_done.append(cr)
if (id and ("UID" in cidline or "GID" in cidline)):
- if id not in id_done:
+ if id not in id_done and bool(re.search(r'\d', id)):
print(" - " + id)
id_done.append(id)
--
2.37.3


@ -1,94 +0,0 @@
From 7e23e6394b518dd013c6b03a1a63715899180935 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Sun, 6 Nov 2022 11:22:22 +0100
Subject: [PATCH 14/16] TOOLS: don't export internal helpers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 6ef3aade0394e32540242f902c9f21bb8d6c41f2)
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/tools/common/sss_tools.c | 16 ++++++++--------
src/tools/common/sss_tools.h | 12 ------------
2 files changed, 8 insertions(+), 20 deletions(-)
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index c066ddc5c..47b85bdd2 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -178,9 +178,9 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
return ret;
}
-errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
- int *argc, const char **argv,
- struct sss_tool_ctx **_tool_ctx)
+static errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
+ int *argc, const char **argv,
+ struct sss_tool_ctx **_tool_ctx)
{
struct sss_tool_ctx *tool_ctx;
@@ -235,7 +235,7 @@ static size_t sss_tool_max_length(struct sss_route_cmd *commands)
return max;
}
-void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
+static void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
{
int min_len;
int i;
@@ -304,10 +304,10 @@ done:
return ret;
}
-errno_t sss_tool_route(int argc, const char **argv,
- struct sss_tool_ctx *tool_ctx,
- struct sss_route_cmd *commands,
- void *pvt)
+static errno_t sss_tool_route(int argc, const char **argv,
+ struct sss_tool_ctx *tool_ctx,
+ struct sss_route_cmd *commands,
+ void *pvt)
{
struct sss_cmdline cmdline;
const char *cmd;
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
index 0e4308ee6..578186633 100644
--- a/src/tools/common/sss_tools.h
+++ b/src/tools/common/sss_tools.h
@@ -35,10 +35,6 @@ struct sss_tool_ctx {
struct sss_domain_info *domains;
};
-errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
- int *argc, const char **argv,
- struct sss_tool_ctx **_tool_ctx);
-
struct sss_cmdline {
const char *exec; /* argv[0] */
const char *command; /* command name */
@@ -69,14 +65,6 @@ struct sss_route_cmd {
int flags;
};
-void sss_tool_usage(const char *tool_name,
- struct sss_route_cmd *commands);
-
-errno_t sss_tool_route(int argc, const char **argv,
- struct sss_tool_ctx *tool_ctx,
- struct sss_route_cmd *commands,
- void *pvt);
-
typedef errno_t (*sss_popt_fn)(poptContext pc, char option, void *pvt);
enum sss_tool_opt {
--
2.37.3


@ -1,71 +0,0 @@
From bd16242ef6780fd2808bf03f79eda5d940094bc5 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Sun, 6 Nov 2022 12:25:37 +0100
Subject: [PATCH 15/16] TOOLS: fixed handling of init error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Before execution of `tool_cmd_init()` `init_err` wasn't set,
so `sss_tools_handles_init_error()` check was a no-op.
Consequently, a proper check after `tool_cmd_init()` was missing.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 7af46ba0e925da61b7b4003c3fa6d51c05c1116e)
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/tools/common/sss_tools.c | 17 ++++-------------
src/tools/common/sss_tools.h | 1 -
2 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index 47b85bdd2..38ae88306 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -336,22 +336,13 @@ static errno_t sss_tool_route(int argc, const char **argv,
cmdline.argc = argc - 2;
cmdline.argv = argv + 2;
- if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Command %s does not handle initialization error [%d] %s\n",
- cmdline.command, tool_ctx->init_err,
- sss_strerror(tool_ctx->init_err));
- return tool_ctx->init_err;
- }
-
if (!tool_ctx->print_help) {
ret = tool_cmd_init(tool_ctx, &commands[i]);
- if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
- tool_ctx->init_err = ret;
- } else if (ret != EOK) {
+
+ if (!sss_tools_handles_init_error(&commands[i], ret)) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Command initialization failed [%d] %s\n",
- ret, sss_strerror(ret));
+ "Command %s does not handle initialization error [%d] %s\n",
+ cmdline.command, ret, sss_strerror(ret));
return ret;
}
}
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
index 578186633..75dc15391 100644
--- a/src/tools/common/sss_tools.h
+++ b/src/tools/common/sss_tools.h
@@ -30,7 +30,6 @@ struct sss_tool_ctx {
struct confdb_ctx *confdb;
bool print_help;
- errno_t init_err;
char *default_domain;
struct sss_domain_info *domains;
};
--
2.37.3


@ -1,89 +0,0 @@
From 66c318d212d56e26f303fc52d5fecbde4a6b9589 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 10 Nov 2022 22:18:06 +0100
Subject: [PATCH 16/16] SSSCTL: don't require 'root' for "analyze" cmd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
:relnote: `sssctl analyze` tool doesn't require anymore to be run under root.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 99791400bec1054cf0081884e013a3cbed75fe8a)
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/tools/common/sss_tools.c | 16 +++++++++-------
src/tools/common/sss_tools.h | 3 ++-
src/tools/sssctl/sssctl.c | 2 +-
3 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index 38ae88306..d16de7c4d 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -267,6 +267,15 @@ static int tool_cmd_init(struct sss_tool_ctx *tool_ctx,
struct sss_route_cmd *command)
{
int ret;
+ uid_t uid;
+
+ if (!(command->flags & SSS_TOOL_FLAG_SKIP_ROOT_CHECK)) {
+ uid = getuid();
+ if (uid != 0) {
+ ERROR("'%s' must be run as root\n", command->command);
+ return EXIT_FAILURE;
+ }
+ }
if (command->flags & SSS_TOOL_FLAG_SKIP_CMD_INIT) {
return EOK;
@@ -515,15 +524,8 @@ int sss_tool_main(int argc, const char **argv,
void *pvt)
{
struct sss_tool_ctx *tool_ctx;
- uid_t uid;
errno_t ret;
- uid = getuid();
- if (uid != 0) {
- ERROR("%1$s must be run as root\n", argv[0]);
- return EXIT_FAILURE;
- }
-
ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
index 75dc15391..24dd4b559 100644
--- a/src/tools/common/sss_tools.h
+++ b/src/tools/common/sss_tools.h
@@ -54,7 +54,8 @@ typedef errno_t
#define SSS_TOOL_DELIMITER(message) {"", _(message), 0, NULL, 0}
#define SSS_TOOL_LAST {NULL, NULL, 0, NULL, 0}
-#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01
+#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01
+#define SSS_TOOL_FLAG_SKIP_ROOT_CHECK 0x02
struct sss_route_cmd {
const char *command;
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index f18689f9f..b73d19ffe 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
- SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
#ifdef HAVE_LIBINI_CONFIG_V1_3
SSS_TOOL_DELIMITER("Configuration files tools:"),
SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
--
2.37.3


@ -1,49 +0,0 @@
From a86d1740167031bf6444ff821a201164c11ba09c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 16 Nov 2022 09:28:54 +0100
Subject: [PATCH 17/19] PAC: allow to disable UPN check
Currently it was not possible to skip the UPN check which checks if the
UPN in the PAC and the one stored in SSSD's cache are different.
Additionally the related debug message will show both principals if they
differ.
Resolves: https://github.com/SSSD/sssd/issues/6451
(cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ad/ad_pac_common.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
index 0ed817111..79f79b7a7 100644
--- a/src/providers/ad/ad_pac_common.c
+++ b/src/providers/ad/ad_pac_common.c
@@ -224,9 +224,19 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
if (user_data != NULL) {
if (strcasecmp(user_data, upn_dns_info->upn_name) != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "UPN of user entry and PAC do not match.\n");
- return ERR_CHECK_PAC_FAILED;
+ if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "UPN of user entry [%s] and "
+ "PAC [%s] do not match.\n",
+ user_data,
+ upn_dns_info->upn_name);
+ return ERR_CHECK_PAC_FAILED;
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO, "UPN of user entry [%s] and "
+ "PAC [%s] do not match, "
+ "ignored.\n", user_data,
+ upn_dns_info->upn_name);
+ return EOK;
+ }
}
}
--
2.37.3


@ -1,90 +0,0 @@
From 29aa434816ce6ae2aaf3b0bcf24b89f05f426d1b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 22 Nov 2022 13:39:26 +0100
Subject: [PATCH 18/19] ipa: do not add guessed principal to the cache
Currently on IPA clients a calculated principal based on the user name
and the Kerberos realm is added to the cached user object. This code is
quite old and might have been necessary at times when sub-domain support
was added to SSSD. But since quite some time SSSD is capable of
generating the principal on the fly during authentication if nothing is
stored in the cache.
Removing the code makes the cache more consistent with other use-cases,
e.g. with the IPA server where this attribute is empty, and allows to
properly detect a missing UPN, e.g. during the PAC validation.
Resolves: https://github.com/SSSD/sssd/issues/6451
(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 44 --------------------------------
1 file changed, 44 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index c68c1de26..81927a6b8 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2467,8 +2467,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
time_t now;
struct sss_nss_homedir_ctx homedir_ctx;
char *name = NULL;
- char *realm;
- char *short_name = NULL;
char *upn = NULL;
gid_t gid;
gid_t orig_gid = 0;
@@ -2607,48 +2605,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
goto done;
}
- if (upn == NULL) {
- /* We also have to store a fake UPN here, because otherwise the
- * krb5 child later won't be able to properly construct one as
- * the username is fully qualified but the child doesn't have
- * access to the regex to deconstruct it */
- /* FIXME: The real UPN is available from the PAC, we should get
- * it from there. */
- realm = get_uppercase_realm(tmp_ctx, dom->name);
- if (!realm) {
- DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n");
- ret = ENOMEM;
- goto done;
- }
-
- ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
- &short_name, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot parse internal name %s\n",
- attrs->a.user.pw_name);
- goto done;
- }
-
- upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
- if (!upn) {
- DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
- ret = ENOMEM;
- goto done;
- }
-
- /* We might already have the SID or the UPN from other sources
- * hence sysdb_attrs_add_string_safe is used to avoid double
- * entries. */
- ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN,
- upn);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sysdb_attrs_add_string failed.\n");
- goto done;
- }
- }
-
if (req_input->type == REQ_INP_SECID) {
ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
SYSDB_SID_STR,
--
2.37.3


@ -1,164 +0,0 @@
From 0e618c36ed74c240f7acd071ccb7bfd405b2d827 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 22 Nov 2022 14:43:21 +0100
Subject: [PATCH 19/19] pac: relax default check
To avoid issues with the UPN check during PAC validation when
'ldap_user_principal' is set to a not existing attribute to skip reading
user principals a new 'pac_check' option, 'check_upn_allow_missing' is
added to the default options. With this option only a log message is
shown but the check will not fail.
Resolves: https://github.com/SSSD/sssd/issues/6451
(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/confdb/confdb.h | 2 +-
src/man/sssd.conf.5.xml | 30 +++++++++++++++++++++++++++++-
src/providers/ad/ad_pac_common.c | 24 ++++++++++++++++++++----
src/util/pac_utils.c | 10 ++++++++++
src/util/util.h | 2 ++
5 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 83f6be7f9..5fda67585 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -181,7 +181,7 @@
#define CONFDB_PAC_LIFETIME "pac_lifetime"
#define CONFDB_PAC_CHECK "pac_check"
#define CONFDB_PAC_CHECK_DEFAULT "no_check"
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"
/* InfoPipe */
#define CONFDB_IFP_CONF_ENTRY "config/ifp"
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7a9920815..d9f4a7481 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2275,6 +2275,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
consistent.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>check_upn_allow_missing</term>
+ <listitem>
+ <para>This option should be used together
+ with 'check_upn' and handles the case where
+ a UPN is set on the server-side but is not
+ read by SSSD. The typical example is a
+ FreeIPA domain where 'ldap_user_principal'
+ is set to a not existing attribute name.
+ This was typically done to work-around
+ issues in the handling of enterprise
+ principals. But this is fixed since quite
+ some time and FreeIPA can handle enterprise
+ principals just fine and there is no need
+ anymore to set 'ldap_user_principal'.</para>
+ <para>Currently this option is set by
+ default to avoid regressions in such
+ environments. A log message will be added
+ to the system log and SSSD's debug log in
+ case a UPN is found in the PAC but not in
+ SSSD's cache. To avoid this log message it
+ would be best to evaluate if the
+ 'ldap_user_principal' option can be removed.
+ If this is not possible, removing
+ 'check_upn' will skip the test and avoid the
+ log message.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>upn_dns_info_present</term>
<listitem>
@@ -2305,7 +2333,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
</para>
<para>
Default: no_check (AD and IPA provider
- 'check_upn, check_upn_dns_info_ex')
+ 'check_upn, check_upn_allow_missing, check_upn_dns_info_ex')
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
index 79f79b7a7..fcb54cd2c 100644
--- a/src/providers/ad/ad_pac_common.c
+++ b/src/providers/ad/ad_pac_common.c
@@ -215,10 +215,26 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
DEBUG(SSSDBG_MINOR_FAILURE, "User object does not have a UPN but PAC "
"says otherwise, maybe ldap_user_principal option is set.\n");
if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "UPN is missing but PAC UPN check required, "
- "PAC validation failed.\n");
- return ERR_CHECK_PAC_FAILED;
+ if (pac_check_opts & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "UPN is missing but PAC UPN check required, "
+ "PAC validation failed. However, "
+ "'check_upn_allow_missing' is set and the error is "
+ "ignored. To make this message go away please check "
+ "why the UPN is not read from the server. In FreeIPA "
+ "environments 'ldap_user_principal' is most probably "
+ "set to a non-existing attribute name to avoid "
+ "issues with enterprise principals. This is not "
+ "needed anymore with recent versions of FreeIPA.\n");
+ sss_log(SSS_LOG_CRIT, "PAC validation issue, please check "
+ "sssd_pac.log for details");
+ return EOK;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "UPN is missing but PAC UPN check required, "
+ "PAC validation failed.\n");
+ return ERR_CHECK_PAC_FAILED;
+ }
}
}
diff --git a/src/util/pac_utils.c b/src/util/pac_utils.c
index c53b0c082..4499d8dfd 100644
--- a/src/util/pac_utils.c
+++ b/src/util/pac_utils.c
@@ -64,6 +64,8 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
flags |= CHECK_PAC_CHECK_UPN_DNS_INFO_EX;
flags |= CHECK_PAC_UPN_DNS_INFO_PRESENT;
flags |= CHECK_PAC_CHECK_UPN;
+ } else if (strcasecmp(list[c], CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR) == 0) {
+ flags |= CHECK_PAC_CHECK_UPN_ALLOW_MISSING;
} else {
DEBUG(SSSDBG_OP_FAILURE, "Unknown value [%s] for pac_check.\n",
list[c]);
@@ -72,6 +74,14 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
}
}
+ if ((flags & CHECK_PAC_CHECK_UPN_ALLOW_MISSING)
+ && !(flags & CHECK_PAC_CHECK_UPN)) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "pac_check option '%s' is set but '%s' is not set, this means "
+ "the UPN is not checked.\n",
+ CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR, CHECK_PAC_CHECK_UPN_STR);
+ }
+
ret = EOK;
done:
diff --git a/src/util/util.h b/src/util/util.h
index 6d9111874..4b2651c2c 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -818,6 +818,8 @@ uint64_t get_spend_time_us(uint64_t st);
#define CHECK_PAC_CHECK_UPN_DNS_INFO_EX (1 << 3)
#define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT_STR "upn_dns_info_ex_present"
#define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT (1 << 4)
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR "check_upn_allow_missing"
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING (1 << 5)
errno_t get_pac_check_config(struct confdb_ctx *cdb, uint32_t *pac_check_opts);
#endif /* __SSSD_UTIL_H__ */
--
2.37.3


@ -1,102 +0,0 @@
From ace43c8ce02d19cf536ce35749aa2ed734089189 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Aug 2022 13:55:21 +0200
Subject: [PATCH 20/23] oidc_child: escape scopes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Before using the user provided scopes in the HTTP request they should be
properly escaped according to RFC-3986.
Resolves: https://github.com/SSSD/sssd/issues/6146
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/oidc_child/oidc_child.c | 4 ++--
src/oidc_child/oidc_child_curl.c | 35 ++++++++++++++++++++++++++++++++
src/oidc_child/oidc_child_util.h | 2 ++
3 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
index e58afccd3..aeeac3595 100644
--- a/src/oidc_child/oidc_child.c
+++ b/src/oidc_child/oidc_child.c
@@ -119,9 +119,9 @@ static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
}
if (scope != NULL && *scope != '\0') {
- dc_ctx->scope = talloc_strdup(dc_ctx, scope);
+ dc_ctx->scope = url_encode_string(dc_ctx, scope);
if (dc_ctx->scope == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy scopes.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to encode and copy scopes.\n");
ret = ENOMEM;
goto done;
}
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
index 20e17a566..df438e007 100644
--- a/src/oidc_child/oidc_child_curl.c
+++ b/src/oidc_child/oidc_child_curl.c
@@ -26,6 +26,41 @@
#include <curl/curl.h>
#include "oidc_child/oidc_child_util.h"
+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp)
+{
+ CURL *curl_ctx = NULL;
+ char *tmp;
+ char *out = NULL;
+
+ if (inp == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Empty input.\n");
+ return NULL;
+ }
+
+ curl_ctx = curl_easy_init();
+ if (curl_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize curl.\n");
+ return NULL;
+ }
+
+ tmp = curl_easy_escape(curl_ctx, inp, 0);
+ if (tmp == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "curl_easy_escape failed for [%s].\n", inp);
+ goto done;
+ }
+
+ out = talloc_strdup(mem_ctx, tmp);
+ curl_free(tmp);
+ if (out == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "talloc_strdup failed.\n");
+ goto done;
+ }
+
+done:
+ curl_easy_cleanup(curl_ctx);
+ return (out);
+}
+
/* The curl write_callback will always append the received data. To start a
* new string call clean_http_data() before the curl request.*/
void clean_http_data(struct devicecode_ctx *dc_ctx)
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
index c781bf1b1..ae5a72bc2 100644
--- a/src/oidc_child/oidc_child_util.h
+++ b/src/oidc_child/oidc_child_util.h
@@ -61,6 +61,8 @@ struct devicecode_ctx {
};
/* oidc_child_curl.c */
+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp);
+
errno_t init_curl(void *p);
void clean_http_data(struct devicecode_ctx *dc_ctx);
--
2.37.3


@ -1,89 +0,0 @@
From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Aug 2022 14:01:34 +0200
Subject: [PATCH 21/23] oidc_child: use client secret if available to get
device code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some IdP have the concept of confidential client, i.e. clients where the
client's secret can be stored safely by the related application. For a
confidential client some IdPs expects that the client secret is used in
all requests together with the client ID although OAuth2 specs currently
only mention this explicitly for the token request. To make sure the
device code can be requested in this case the client secret is added to
the device code request if the secret is provided.
Resolves: https://github.com/SSSD/sssd/issues/6146
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/oidc_child/oidc_child.c | 2 +-
src/oidc_child/oidc_child_curl.c | 12 +++++++++++-
src/oidc_child/oidc_child_util.h | 2 +-
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
index aeeac3595..c8d35d5d8 100644
--- a/src/oidc_child/oidc_child.c
+++ b/src/oidc_child/oidc_child.c
@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])
}
if (opts.get_device_code) {
- ret = get_devicecode(dc_ctx, opts.client_id);
+ ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
goto done;
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
index df438e007..6e80c3abf 100644
--- a/src/oidc_child/oidc_child_curl.c
+++ b/src/oidc_child/oidc_child_curl.c
@@ -428,7 +428,7 @@ done:
#define DEFAULT_SCOPE "user"
errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
- const char *client_id)
+ const char *client_id, const char *client_secret)
{
int ret;
@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
return ENOMEM;
}
+ if (client_secret != NULL) {
+ post_data = talloc_asprintf_append(post_data, "&client_secret=%s",
+ client_secret);
+ if (post_data == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to add client secret to POST data.\n");
+ return ENOMEM;
+ }
+ }
+
clean_http_data(dc_ctx);
ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,
post_data, NULL);
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
index ae5a72bc2..8b106ae79 100644
--- a/src/oidc_child/oidc_child_util.h
+++ b/src/oidc_child/oidc_child_util.h
@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,
errno_t get_jwks(struct devicecode_ctx *dc_ctx);
errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
- const char *client_id);
+ const char *client_id, const char *client_secret);
errno_t get_token(TALLOC_CTX *mem_ctx,
struct devicecode_ctx *dc_ctx, const char *client_id,
--
2.37.3


@ -1,67 +0,0 @@
From 55bfa944ad0197ae294d85ac42abf98297fa3a5d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Aug 2022 14:19:59 +0200
Subject: [PATCH 22/23] oidc_child: increase wait interval by 5s if 'slow_down'
is returned
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While waiting for the user to authenticate with the IdP oidc_child
currently only handles the error code 'authorization_pending' and waits
for the given interval until a new request is send. But there is also
'slow_down' which should not be treated as fatal error but should just
increase the waiting time permanently for 5s.
Resolves: https://github.com/SSSD/sssd/issues/6146
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5ed7670766483040211713f8182510775c76b962)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/oidc_child/oidc_child_curl.c | 8 +++++++-
src/oidc_child/oidc_child_json.c | 6 ++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
index 6e80c3abf..cf0976021 100644
--- a/src/oidc_child/oidc_child_curl.c
+++ b/src/oidc_child/oidc_child_curl.c
@@ -378,8 +378,14 @@ errno_t get_token(TALLOC_CTX *mem_ctx,
break;
}
- sleep(dc_ctx->interval);
waiting_time += dc_ctx->interval;
+ if (waiting_time >= dc_ctx->expires_in) {
+ /* Next sleep will end after the request is expired on the
+ * server side, so we can just error out now. */
+ ret = ETIMEDOUT;
+ break;
+ }
+ sleep(dc_ctx->interval);
} while (waiting_time < dc_ctx->expires_in);
if (ret != EOK) {
diff --git a/src/oidc_child/oidc_child_json.c b/src/oidc_child/oidc_child_json.c
index efc1997aa..a89794c4c 100644
--- a/src/oidc_child/oidc_child_json.c
+++ b/src/oidc_child/oidc_child_json.c
@@ -413,6 +413,12 @@ errno_t parse_token_result(struct devicecode_ctx *dc_ctx,
if (strcmp(json_string_value(tmp), "authorization_pending") == 0) {
json_decref(result);
return EAGAIN;
+ } else if (strcmp(json_string_value(tmp), "slow_down") == 0) {
+ /* RFC 8628: "... the interval MUST be increased by 5 seconds for"
+ * "this and all subsequent requests." */
+ dc_ctx->interval += 5;
+ json_decref(result);
+ return EAGAIN;
} else {
*error_description = get_json_string(dc_ctx, result,
"error_description");
--
2.37.3


@ -1,194 +0,0 @@
From 2f3cd781879e7063fcd996389071458587623e1c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 22 Aug 2022 11:37:07 +0200
Subject: [PATCH 23/23] oidc_child: add --client-secret-stdin option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since there is the use-case of confidential client which requires that
the client secret must be sent to the IdP we should handle it
confidentially by not putting it on the command line but sending it via
stdin.
Resolves: https://github.com/SSSD/sssd/issues/6146
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 1a475e0c537c905c80406ceb88c7b34e6400bc40)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/oidc_child/oidc_child.c | 89 ++++++++++++++++++++++++++++++++++---
1 file changed, 82 insertions(+), 7 deletions(-)
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
index c8d35d5d8..7758cdc25 100644
--- a/src/oidc_child/oidc_child.c
+++ b/src/oidc_child/oidc_child.c
@@ -34,7 +34,7 @@
#include "util/atomic_io.h"
#define IN_BUF_SIZE 4096
-static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
+static errno_t read_from_stdin(TALLOC_CTX *mem_ctx, char **out)
{
uint8_t buf[IN_BUF_SIZE];
ssize_t len;
@@ -56,7 +56,7 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
return EINVAL;
}
- str = talloc_strndup(dc_ctx, (char *) buf, len);
+ str = talloc_strndup(mem_ctx, (char *) buf, len);
sss_erase_mem_securely(buf, IN_BUF_SIZE);
if (str == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
@@ -65,21 +65,72 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
talloc_set_destructor((void *) str, sss_erase_talloc_mem_securely);
if (strlen(str) != len) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Input contains additional data, "
- "only JSON encoded device code expected.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Input contains additional data.\n");
talloc_free(str);
return EINVAL;
}
+ *out = str;
+
+ return EOK;
+}
+
+static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx,
+ const char **out)
+{
+ char *str;
+ errno_t ret;
+ char *sep;
+
+ ret = read_from_stdin(dc_ctx, &str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
+ return ret;
+ }
+
+ if (out != NULL) {
+ /* expect the client secret in the first line */
+ sep = strchr(str, '\n');
+ if (sep == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Format error, expecting client secret and JSON data.\n");
+ talloc_free(str);
+ return EINVAL;
+ }
+ *sep = '\0';
+ *out = str;
+ sep++;
+ } else {
+ sep = str;
+ }
+
clean_http_data(dc_ctx);
- dc_ctx->http_data = str;
+ dc_ctx->http_data = talloc_strdup(dc_ctx, sep);
DEBUG(SSSDBG_TRACE_ALL, "JSON device code: [%s].\n", dc_ctx->http_data);
return EOK;
}
+static errno_t read_client_secret_from_stdin(struct devicecode_ctx *dc_ctx,
+ const char **out)
+{
+ char *str;
+ errno_t ret;
+
+ ret = read_from_stdin(dc_ctx, &str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
+ return ret;
+ }
+
+ *out = str;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Client secret: [%s].\n", *out);
+
+ return EOK;
+}
+
static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
const char *device_auth_endpoint,
const char *token_endpoint,
@@ -210,6 +261,7 @@ struct cli_opts {
const char *jwks_uri;
const char *scope;
const char *client_secret;
+ bool client_secret_stdin;
const char *ca_db;
const char *user_identifier_attr;
bool libcurl_debug;
@@ -253,6 +305,8 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
{"client-id", 0, POPT_ARG_STRING, &opts->client_id, 0, _("Client ID"), NULL},
{"client-secret", 0, POPT_ARG_STRING, &opts->client_secret, 0,
_("Client secret (if needed)"), NULL},
+ {"client-secret-stdin", 0, POPT_ARG_NONE, NULL, 's',
+ _("Read client secret from standard input"), NULL},
{"ca-db", 0, POPT_ARG_STRING, &opts->ca_db, 0,
_("Path to PEM file with CA certificates"), NULL},
{"libcurl-debug", 0, POPT_ARG_NONE, NULL, 'c',
@@ -280,6 +334,9 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
case 'c':
opts->libcurl_debug = true;
break;
+ case 's':
+ opts->client_secret_stdin = true;
+ break;
default:
fprintf(stderr, "\nInvalid option %s: %s\n\n",
poptBadOption(pc, 0), poptStrerror(opt));
@@ -324,6 +381,12 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
goto done;
}
+ if (opts->client_secret != NULL && opts->client_secret_stdin) {
+ fprintf(stderr, "\n--client-secret and --client-secret-stdin are "
+ "mutually exclusive.\n\n");
+ goto done;
+ }
+
poptFreeContext(pc);
print_usage = false;
@@ -454,6 +517,15 @@ int main(int argc, const char *argv[])
}
if (opts.get_device_code) {
+ if (opts.client_secret_stdin) {
+ ret = read_client_secret_from_stdin(dc_ctx, &opts.client_secret);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to read client secret from stdin.\n");
+ goto done;
+ }
+ }
+
ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
@@ -463,7 +535,10 @@ int main(int argc, const char *argv[])
if (opts.get_access_token) {
if (dc_ctx->device_code == NULL) {
- ret = read_device_code_from_stdin(dc_ctx);
+ ret = read_device_code_from_stdin(dc_ctx,
+ opts.client_secret_stdin
+ ? &opts.client_secret
+ : NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to read device code from stdin.\n");
--
2.37.3


@ -18,8 +18,8 @@
%global enable_systemtap_opt --enable-systemtap
Name: sssd
Version: 2.7.3
Release: 4%{?dist}.3
Version: 2.9.4
Release: 4%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -27,29 +27,12 @@ URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-Makefile-remove-unneeded-dependency.patch
Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch
Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
Patch0011: 0011-krb5-respect-krb5_validate-for-PAC-checks.patch
Patch0012: 0012-Analyzer-Optimize-list-verbose-output.patch
Patch0013: 0013-Analyzer-Ensure-parsed-id-contains-digit.patch
Patch0014: 0014-TOOLS-don-t-export-internal-helpers.patch
Patch0015: 0015-TOOLS-fixed-handling-of-init-error.patch
Patch0016: 0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch
Patch0017: 0017-PAC-allow-to-disable-UPN-check.patch
Patch0018: 0018-ipa-do-not-add-guessed-principal-to-the-cache.patch
Patch0019: 0019-pac-relax-default-check.patch
Patch0020: 0020-oidc_child-escape-scopes.patch
Patch0021: 0021-oidc_child-use-client-secret-if-available-to-get-dev.patch
Patch0022: 0022-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch
Patch0023: 0023-oidc_child-add-client-secret-stdin-option.patch
Patch0001: 0001-sssd-adding-mail-as-case-insensitive.patch
Patch0002: 0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
Patch0003: 0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
Patch0004: 0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
Patch0005: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch
Patch0006: 0006-ad-refresh-root-domain-when-read-directly.patch
### Downstream Patches ###
@ -127,6 +110,7 @@ BuildRequires: jansson-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: softhsm >= 2.1.0
BuildRequires: bc
BuildRequires: openssl
BuildRequires: openssh
BuildRequires: libnl3-devel
@ -232,7 +216,6 @@ Summary: Userspace tools for use with the SSSD
Group: Applications/System
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: libsss_simpleifp = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
@ -373,6 +356,7 @@ Group: Applications/System
License: GPLv3+
Conflicts: sssd < 1.10.0-8.beta2
Requires: sssd-common = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Requires(pre): shadow-utils
%description proxy
@ -612,8 +596,9 @@ autoreconf -ivf
--with-initscript=systemd \
--with-syslog=journald \
--with-subid \
--with-files-provider \
--with-libsifp \
--enable-sss-default-nss-plugin \
--enable-files-domain \
--without-python2-bindings \
--with-sssd-user=sssd \
%{?with_cifs_utils_plugin_option} \
@ -929,7 +914,7 @@ done
%{_mandir}/man5/sssd-ifp.5*
%{_unitdir}/sssd-ifp.service
# InfoPipe DBus plumbing
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
%files -n libsss_simpleifp
@ -1117,6 +1102,38 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%systemd_post sssd-ssh.socket
%systemd_post sssd-sudo.socket
function mod_nss() {
if [ -f "$1" ] ; then
# Change order 'sss <-> files' if default pattern is found
match_pattern="^[[:blank:]]*(passwd|group):(.*)sss[[:blank:]]+files(.*)"
if grep -E -r -q -s "$match_pattern" "$1"; then
sed -i.save_by_rpm -E -e "
s/$match_pattern/\1:\2files sss\3/
" "$1" &>/dev/null || :
# Remove obsolete comment
sed -i -E -e '/# .sssd. performs its own .files.-based caching, so it should generally/d' "$1" &>/dev/null || :
sed -i -E -e '/# come before .files.\./d' "$1" &>/dev/null || :
fi
fi
}
if grep -E -r -q -s "[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/ ||
grep -E -i -r -q -s "[[:blank:]]*enable_files_domain[[:blank:]]*=[[:blank:]]*true" /etc/sssd ; then
# "files provider" configured explicitly, leave nsswitch.conf intact
:
else
NSSFILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"
if [ "$NSSFILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then
mod_nss "/etc/authselect/user-nsswitch.conf"
authselect apply-changes &> /dev/null || :
else
mod_nss "$NSSFILE"
# also apply the same changes to user-nsswitch.conf to affect
# possible future authselect configuration
mod_nss "/etc/authselect/user-nsswitch.conf"
fi
fi
%preun common
%systemd_preun sssd.service
%systemd_preun sssd-autofs.socket
@ -1200,16 +1217,96 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Thu Dec 15 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.3
- Resolves: rhbz#2152883 - authenticating against external IdP services okta (native app) with OAuth client secret failed [rhel-8.7.0.z]
* Fri May 17 2024 Arun Bansal <arbansal@redhat.com> - 2.9.4-4
- Resolves: RHEL-33957 - ad: refresh root domain when read directly
* Fri Dec 9 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.2
- Resolves: rhbz#2139871 - Analyzer: Optimize and remove duplicate messages in verbose list [rhel-8.7.0.z]
- Resolves: rhbz#2142961 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged [rhel-8.7.0.z]
- Resolves: rhbz#2148989 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around [rhel-8.7.0.z]
* Thu Apr 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-3
- Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently
* Thu Oct 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.1
- Resolves: rhbz#2128544 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) [rhel-8.7.0.z]
* Mon Feb 12 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-2
- Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8]
- Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8]
- Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8]
* Sat Jan 13 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-1
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
- Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache
- Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP'
- Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider')
- Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest
- Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf
- Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8]
- Resolves: RHEL-10721 - very bad performance when requesting service tickets
- Resolves: RHEL-19011 - Invalid handling groups from child domain
- Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8]
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-2
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-1
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
- Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication
- Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user
* Mon Sep 11 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.2-1
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
- Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code
- Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7)
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
Rebuild against rebased Samba libs
* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
* Mon Dec 19 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization
- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list
- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required)
* Tue Nov 22 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
- Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr
- Resolves: rhbz#2144579 - sssd timezone issues sudonotafter
- Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the users password when option ldap_pwd_policy equals to shadow in sssd.conf file
- Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
- Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed
* Mon Oct 31 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-5
- Related: rhbz#2132051 - Rebase Samba to the the latest 4.17.x release
Rebuild against Samba rebase.
* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8