Author | SHA1 | Date | |
---|---|---|---|
17b71b09d7 | |||
9c66bdd153 | |||
|
9a403b1a7e | ||
|
87cae3c020 |
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/sssd-2.7.3.tar.gz
|
||||
SOURCES/sssd-2.9.4.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz
|
||||
574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz
|
||||
|
@ -1,51 +0,0 @@
|
||||
From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 20:16:32 +0200
|
||||
Subject: [PATCH] Makefile: remove unneeded dependency
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)
|
||||
---
|
||||
Makefile.am | 4 ----
|
||||
1 file changed, 4 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 669a0fc56..92d046888 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \
|
||||
$(KRB5_CFLAGS) \
|
||||
$(UUID_CFLAGS) \
|
||||
$(CURL_CFLAGS) \
|
||||
- $(JANSSON_CFLAGS) \
|
||||
$(NULL)
|
||||
sssd_kcm_LDADD = \
|
||||
$(LIBADD_DL) \
|
||||
$(KRB5_LIBS) \
|
||||
- $(JANSSON_LIBS) \
|
||||
$(SSSD_LIBS) \
|
||||
$(UUID_LIBS) \
|
||||
$(SYSTEMD_DAEMON_LIBS) \
|
||||
@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \
|
||||
$(UUID_CFLAGS) \
|
||||
$(NULL)
|
||||
test_kcm_marshalling_LDADD = \
|
||||
- $(JANSSON_LIBS) \
|
||||
$(UUID_LIBS) \
|
||||
$(KRB5_LIBS) \
|
||||
$(CMOCKA_LIBS) \
|
||||
@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \
|
||||
test_kcm_renewals_LDADD = \
|
||||
$(LIBADD_DL) \
|
||||
$(UUID_LIBS) \
|
||||
- $(JANSSON_LIBS) \
|
||||
$(KRB5_LIBS) \
|
||||
$(CARES_LIBS) \
|
||||
$(CMOCKA_LIBS) \
|
||||
--
|
||||
2.37.1
|
||||
|
144
SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
Normal file
144
SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
Normal file
@ -0,0 +1,144 @@
|
||||
From dd0f63246aa75d5f53b44cbc185e88833e79976e Mon Sep 17 00:00:00 2001
|
||||
From: Andre Boscatto <andreboscatto@gmail.com>
|
||||
Date: Wed, 7 Feb 2024 12:28:28 +0100
|
||||
Subject: [PATCH] sssd: adding mail as case insensitive
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7173
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51)
|
||||
---
|
||||
src/db/sysdb_init.c | 7 ++++++
|
||||
src/db/sysdb_private.h | 5 +++-
|
||||
src/db/sysdb_upgrade.c | 56 ++++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 67 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
||||
index c2ea6c369..38a9cd64a 100644
|
||||
--- a/src/db/sysdb_init.c
|
||||
+++ b/src/db/sysdb_init.c
|
||||
@@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (strcmp(version, SYSDB_VERSION_0_23) == 0) {
|
||||
+ ret = sysdb_upgrade_23(sysdb, &version);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = EOK;
|
||||
done:
|
||||
sysdb->ldb = save_ldb;
|
||||
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
||||
index 1f55007bc..63f7b5601 100644
|
||||
--- a/src/db/sysdb_private.h
|
||||
+++ b/src/db/sysdb_private.h
|
||||
@@ -23,6 +23,7 @@
|
||||
#ifndef __INT_SYS_DB_H__
|
||||
#define __INT_SYS_DB_H__
|
||||
|
||||
+#define SYSDB_VERSION_0_24 "0.24"
|
||||
#define SYSDB_VERSION_0_23 "0.23"
|
||||
#define SYSDB_VERSION_0_22 "0.22"
|
||||
#define SYSDB_VERSION_0_21 "0.21"
|
||||
@@ -47,7 +48,7 @@
|
||||
#define SYSDB_VERSION_0_2 "0.2"
|
||||
#define SYSDB_VERSION_0_1 "0.1"
|
||||
|
||||
-#define SYSDB_VERSION SYSDB_VERSION_0_23
|
||||
+#define SYSDB_VERSION SYSDB_VERSION_0_24
|
||||
|
||||
#define SYSDB_BASE_LDIF \
|
||||
"dn: @ATTRIBUTES\n" \
|
||||
@@ -60,6 +61,7 @@
|
||||
"objectclass: CASE_INSENSITIVE\n" \
|
||||
"ipHostNumber: CASE_INSENSITIVE\n" \
|
||||
"ipNetworkNumber: CASE_INSENSITIVE\n" \
|
||||
+ "mail: CASE_INSENSITIVE\n" \
|
||||
"\n" \
|
||||
"dn: @INDEXLIST\n" \
|
||||
"@IDXATTR: cn\n" \
|
||||
@@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
|
||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
|
||||
|
||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
|
||||
|
||||
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
|
||||
index 346a1cb0b..56083e6be 100644
|
||||
--- a/src/db/sysdb_upgrade.c
|
||||
+++ b/src/db/sysdb_upgrade.c
|
||||
@@ -2718,6 +2718,62 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ int ret;
|
||||
+ struct ldb_message *msg;
|
||||
+ struct upgrade_ctx *ctx;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (!tmp_ctx) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx);
|
||||
+ if (ret) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ /* Add new indexes */
|
||||
+ msg = ldb_msg_new(tmp_ctx);
|
||||
+ if (!msg) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES");
|
||||
+ if (!msg->dn) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Case insensitive search for mail */
|
||||
+ ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE");
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_modify(sysdb->ldb, msg);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* conversion done, update version number */
|
||||
+ ret = update_version(ctx);
|
||||
+
|
||||
+done:
|
||||
+ ret = finish_upgrade(ret, &ctx, ver);
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
|
||||
{
|
||||
struct upgrade_ctx *ctx;
|
||||
--
|
||||
2.41.0
|
||||
|
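Review bot: In `sysdb_upgrade_23`, the `commence_upgrade` failure path returns before `done:` and so never frees `tmp_ctx`, which was allocated with `talloc_new(NULL)` a few lines earlier and has no parent to reclaim it; the early return should be `if (ret) { talloc_free(tmp_ctx); return ret; }`. The two `ldb_msg_add_*` failures are reported as `ENOMEM` regardless of the ldb error, while the `ldb_modify` failure right below goes through `sysdb_error_to_errno(ret)`; using the same mapping for all three would keep the returned errno meaningful. Since this file is a cherry-picked upstream patch carried in the package, the fix belongs upstream rather than in the packaging repo; the same return-before-cleanup shape may be shared with the neighbouring `sysdb_upgrade_*` functions, which are outside this hunk.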
@ -1,155 +0,0 @@
|
||||
From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 29 Jul 2022 14:57:20 +0200
|
||||
Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it
|
||||
should survive context destruction / re-initialization
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911)
|
||||
---
|
||||
src/sss_client/nss_mc.h | 4 ++--
|
||||
src/sss_client/nss_mc_common.c | 10 ++++++++--
|
||||
src/sss_client/nss_mc_group.c | 5 +++++
|
||||
src/sss_client/nss_mc_initgr.c | 5 +++++
|
||||
src/sss_client/nss_mc_passwd.c | 5 +++++
|
||||
src/sss_client/nss_mc_sid.c | 5 +++++
|
||||
6 files changed, 30 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
|
||||
index b66e8f09f..de1496ccc 100644
|
||||
--- a/src/sss_client/nss_mc.h
|
||||
+++ b/src/sss_client/nss_mc.h
|
||||
@@ -48,7 +48,7 @@ enum sss_mc_state {
|
||||
struct sss_cli_mc_ctx {
|
||||
enum sss_mc_state initialized;
|
||||
#if HAVE_PTHREAD
|
||||
- pthread_mutex_t mutex;
|
||||
+ pthread_mutex_t *mutex;
|
||||
#endif
|
||||
int fd;
|
||||
|
||||
@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx {
|
||||
};
|
||||
|
||||
#if HAVE_PTHREAD
|
||||
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
#else
|
||||
#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
#endif
|
||||
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
|
||||
index c73a93a9a..f38a4a85a 100644
|
||||
--- a/src/sss_client/nss_mc_common.c
|
||||
+++ b/src/sss_client/nss_mc_common.c
|
||||
@@ -58,14 +58,14 @@ do { \
|
||||
static void sss_mt_lock(struct sss_cli_mc_ctx *ctx)
|
||||
{
|
||||
#if HAVE_PTHREAD
|
||||
- pthread_mutex_lock(&ctx->mutex);
|
||||
+ pthread_mutex_lock(ctx->mutex);
|
||||
#endif
|
||||
}
|
||||
|
||||
static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
|
||||
{
|
||||
#if HAVE_PTHREAD
|
||||
- pthread_mutex_unlock(&ctx->mutex);
|
||||
+ pthread_mutex_unlock(ctx->mutex);
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
|
||||
{
|
||||
uint32_t active_threads = ctx->active_threads;
|
||||
+#if HAVE_PTHREAD
|
||||
+ pthread_mutex_t *mutex = ctx->mutex;
|
||||
+#endif
|
||||
|
||||
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
|
||||
munmap(ctx->mmap_base, ctx->mmap_size);
|
||||
@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
|
||||
|
||||
/* restore count of active threads */
|
||||
ctx->active_threads = active_threads;
|
||||
+#if HAVE_PTHREAD
|
||||
+ ctx->mutex = mutex;
|
||||
+#endif
|
||||
}
|
||||
|
||||
static errno_t sss_nss_mc_init_ctx(const char *name,
|
||||
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
|
||||
index 2ea40c435..d4f2a82ab 100644
|
||||
--- a/src/sss_client/nss_mc_group.c
|
||||
+++ b/src/sss_client/nss_mc_group.c
|
||||
@@ -29,7 +29,12 @@
|
||||
#include "nss_mc.h"
|
||||
#include "shared/safealign.h"
|
||||
|
||||
+#if HAVE_PTHREAD
|
||||
+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex);
|
||||
+#else
|
||||
static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
|
||||
+#endif
|
||||
|
||||
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
|
||||
struct group *result,
|
||||
diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
|
||||
index b05946263..bd7282935 100644
|
||||
--- a/src/sss_client/nss_mc_initgr.c
|
||||
+++ b/src/sss_client/nss_mc_initgr.c
|
||||
@@ -32,7 +32,12 @@
|
||||
#include "nss_mc.h"
|
||||
#include "shared/safealign.h"
|
||||
|
||||
+#if HAVE_PTHREAD
|
||||
+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex);
|
||||
+#else
|
||||
static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
|
||||
+#endif
|
||||
|
||||
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
|
||||
long int *start, long int *size,
|
||||
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
|
||||
index 01c6801da..256d48444 100644
|
||||
--- a/src/sss_client/nss_mc_passwd.c
|
||||
+++ b/src/sss_client/nss_mc_passwd.c
|
||||
@@ -28,7 +28,12 @@
|
||||
#include <time.h>
|
||||
#include "nss_mc.h"
|
||||
|
||||
+#if HAVE_PTHREAD
|
||||
+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex);
|
||||
+#else
|
||||
static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
|
||||
+#endif
|
||||
|
||||
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
|
||||
struct passwd *result,
|
||||
diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c
|
||||
index af7d7bbd5..52e684da5 100644
|
||||
--- a/src/sss_client/nss_mc_sid.c
|
||||
+++ b/src/sss_client/nss_mc_sid.c
|
||||
@@ -30,7 +30,12 @@
|
||||
#include "util/mmap_cache.h"
|
||||
#include "idmap/sss_nss_idmap.h"
|
||||
|
||||
+#if HAVE_PTHREAD
|
||||
+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex);
|
||||
+#else
|
||||
static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
|
||||
+#endif
|
||||
|
||||
static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type,
|
||||
char **sid, uint32_t *type,
|
||||
--
|
||||
2.37.1
|
||||
|
@ -0,0 +1,154 @@
|
||||
From a7621a5b464af7a3c8409dcbde038b35fee2c895 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 23 Jan 2024 13:47:53 +0100
|
||||
Subject: [PATCH 2/3] sdap: add search_bases option to groups_by_user_send()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD handles users and computer objects very similar and so does SSSD's
|
||||
GPO code when lookup up the host's group-memberships. But users and
|
||||
computers might be stored in different sub-tree of the AD LDAP tree and
|
||||
if a dedicated user search base is given with the ldap_user_search_base
|
||||
option in sssd.conf the host object might be in a different sub-tree. To
|
||||
make sure the host can still be found this patch uses the base DN of
|
||||
the LDAP tree when searching for hosts in the GPO code.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 10 ++++++++++
|
||||
src/providers/ldap/ldap_common.h | 1 +
|
||||
src/providers/ldap/ldap_id.c | 6 +++++-
|
||||
src/providers/ldap/sdap_async.h | 1 +
|
||||
src/providers/ldap/sdap_async_initgroups.c | 4 +++-
|
||||
5 files changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 94959c36b..b0ee3e616 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2091,6 +2091,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
char *server_uri;
|
||||
LDAPURLDesc *lud;
|
||||
struct sdap_domain *sdom;
|
||||
+ struct sdap_search_base **search_bases;
|
||||
|
||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
state = tevent_req_data(req, struct ad_gpo_access_state);
|
||||
@@ -2184,9 +2185,18 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
||||
+ "AD_HOSTS", NULL, &search_bases);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to create dedicated search base for host lookups, "
|
||||
+ "trying with user search base.");
|
||||
+ }
|
||||
+
|
||||
subreq = groups_by_user_send(state, state->ev,
|
||||
state->access_ctx->ad_id_ctx->sdap_id_ctx,
|
||||
sdom, state->conn,
|
||||
+ search_bases,
|
||||
state->host_fqdn,
|
||||
BE_FILTER_NAME,
|
||||
NULL,
|
||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||
index 7159d6356..2c984ef50 100644
|
||||
--- a/src/providers/ldap/ldap_common.h
|
||||
+++ b/src/providers/ldap/ldap_common.h
|
||||
@@ -304,6 +304,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
struct sdap_id_ctx *ctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
||||
index da54816bd..b3ea2333f 100644
|
||||
--- a/src/providers/ldap/ldap_id.c
|
||||
+++ b/src/providers/ldap/ldap_id.c
|
||||
@@ -1139,6 +1139,7 @@ struct groups_by_user_state {
|
||||
struct sdap_id_op *op;
|
||||
struct sysdb_ctx *sysdb;
|
||||
struct sss_domain_info *domain;
|
||||
+ struct sdap_search_base **search_bases;
|
||||
|
||||
const char *filter_value;
|
||||
int filter_type;
|
||||
@@ -1160,6 +1161,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
struct sdap_id_ctx *ctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
@@ -1192,6 +1194,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
state->extra_value = extra_value;
|
||||
state->domain = sdom->dom;
|
||||
state->sysdb = sdom->dom->sysdb;
|
||||
+ state->search_bases = search_bases;
|
||||
|
||||
if (state->domain->type == DOM_TYPE_APPLICATION || set_non_posix) {
|
||||
state->non_posix = true;
|
||||
@@ -1254,6 +1257,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
|
||||
sdap_id_op_handle(state->op),
|
||||
state->ctx,
|
||||
state->conn,
|
||||
+ state->search_bases,
|
||||
state->filter_value,
|
||||
state->filter_type,
|
||||
state->extra_value,
|
||||
@@ -1449,7 +1453,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
|
||||
- sdom, conn,
|
||||
+ sdom, conn, NULL,
|
||||
ar->filter_value,
|
||||
ar->filter_type,
|
||||
ar->extra_value,
|
||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
||||
index 5458d21f1..89245f41f 100644
|
||||
--- a/src/providers/ldap/sdap_async.h
|
||||
+++ b/src/providers/ldap/sdap_async.h
|
||||
@@ -158,6 +158,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *name,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
||||
index 97be594a3..fb3d8fe24 100644
|
||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
||||
@@ -2732,6 +2732,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
@@ -2764,7 +2765,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
state->orig_user = NULL;
|
||||
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
||||
state->user_base_iter = 0;
|
||||
- state->user_search_bases = sdom->user_search_bases;
|
||||
+ state->user_search_bases = (search_bases == NULL) ? sdom->user_search_bases
|
||||
+ : search_bases;
|
||||
if (!state->user_search_bases) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Initgroups lookup request without a user search base\n");
|
||||
--
|
||||
2.41.0
|
||||
|
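Review bot: In `ad_gpo_connect_done`, `search_bases` is declared without an initializer and, when `common_parse_search_base` fails, the code only logs and then still passes `search_bases` to `groups_by_user_send`; the fallback to `sdom->user_search_bases` in `sdap_get_initgr_send` only triggers when the pointer is NULL, so unless `common_parse_search_base` is guaranteed to NULL its output on failure (not visible here) an indeterminate pointer reaches the search. Declaring it as `struct sdap_search_base **search_bases = NULL;` and adding `search_bases = NULL;` inside the `ret != EOK` branch makes the fallback the log message promises explicit. The new `DEBUG` message also lacks the trailing `\n` that the other messages in this patch carry (e.g. the one in sdap_async_initgroups.c). `ad_gpo_connect_done` begins and ends outside the hunk.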
@ -1,36 +0,0 @@
|
||||
From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 1 Aug 2022 09:54:51 -0400
|
||||
Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
|
||||
is NULL for certain NSS request types (e.g. Service by Name).
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)
|
||||
---
|
||||
src/responder/nss/nss_get_object.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
|
||||
index 9762d6bfe..5a2e7e9bd 100644
|
||||
--- a/src/responder/nss/nss_get_object.c
|
||||
+++ b/src/responder/nss/nss_get_object.c
|
||||
@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx,
|
||||
input_name);
|
||||
}
|
||||
|
||||
- cache_req_data_set_hybrid_lookup(hybrid_data, true);
|
||||
+ if (hybrid_data != NULL) {
|
||||
+ cache_req_data_set_hybrid_lookup(hybrid_data, true);
|
||||
+ }
|
||||
|
||||
return hybrid_data;
|
||||
}
|
||||
--
|
||||
2.37.1
|
||||
|
@ -0,0 +1,194 @@
|
||||
From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 24 Jan 2024 14:21:12 +0100
|
||||
Subject: [PATCH 3/3] sdap: add naming_context as new member of struct
|
||||
sdap_domain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The naming_context could be a more reliable source than basedn for the
|
||||
actual base DN because basedn is set very early from the domain name
|
||||
given in sssd.conf. Although it is recommended to use the fully
|
||||
qualified DNS domain name here it is not required. As a result basedn
|
||||
might not reflect the actual based DN of the LDAP server. Also pure LDAP
|
||||
server (i.e. not AD or FreeIPA) might use different schemes to set the
|
||||
base DN which will not be based on the DNS domain of the LDAP server.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 6 ++++--
|
||||
src/providers/ldap/sdap.c | 36 +++++++++++++-----------------------
|
||||
src/providers/ldap/sdap.h | 11 +++++++++++
|
||||
3 files changed, 28 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index b0ee3e616..3d1ad39c7 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
||||
- "AD_HOSTS", NULL, &search_bases);
|
||||
+ ret = common_parse_search_base(state,
|
||||
+ sdom->naming_context == NULL ? sdom->basedn
|
||||
+ : sdom->naming_context,
|
||||
+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to create dedicated search base for host lookups, "
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index f5637c5fb..956eba93a 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
struct sdap_domain *sdom)
|
||||
{
|
||||
int ret;
|
||||
- char *naming_context = NULL;
|
||||
|
||||
- if (!sdom->search_bases
|
||||
- || !sdom->user_search_bases
|
||||
- || !sdom->group_search_bases
|
||||
- || !sdom->netgroup_search_bases
|
||||
- || !sdom->host_search_bases
|
||||
- || !sdom->sudo_search_bases
|
||||
- || !sdom->iphost_search_bases
|
||||
- || !sdom->ipnetwork_search_bases
|
||||
- || !sdom->autofs_search_bases) {
|
||||
- naming_context = get_naming_context(opts->basic, rootdse);
|
||||
- if (naming_context == NULL) {
|
||||
+ if (!sdom->naming_context) {
|
||||
+ sdom->naming_context = get_naming_context(sdom, rootdse);
|
||||
+ if (sdom->naming_context == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
|
||||
|
||||
/* This has to be non-fatal, since some servers offer
|
||||
@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->user_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_USER_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->group_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_GROUP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->netgroup_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_NETGROUP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->host_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_HOST_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->sudo_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SUDO_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->service_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SERVICE_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->autofs_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_AUTOFS_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->iphost_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_IPHOST_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->ipnetwork_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_IPNETWORK_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
- talloc_free(naming_context);
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index 161bc5c26..103d50ed4 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -454,6 +454,17 @@ struct sdap_domain {
|
||||
|
||||
char *basedn;
|
||||
|
||||
+ /* The naming_context could be a more reliable source than basedn for the
|
||||
+ * actual base DN because basedn is set very early from the domain name
|
||||
+ * given in sssd.conf. Although it is recommended to use the fully
|
||||
+ * qualified DNS domain name here it is not required. As a result basedn
|
||||
+ * might not reflect the actual based DN of the LDAP server. Also pure
|
||||
+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
|
||||
+ * the base DN which will not be based on the DNS domain of the LDAP
|
||||
+ * server. naming_context might be NULL even after connection to an LDAP
|
||||
+ * server. */
|
||||
+ char *naming_context;
|
||||
+
|
||||
struct sdap_search_base **search_bases;
|
||||
struct sdap_search_base **user_search_bases;
|
||||
struct sdap_search_base **group_search_bases;
|
||||
--
|
||||
2.41.0
|
||||
|
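Review bot: The new `naming_context` member is assigned from `get_naming_context(sdom, rootdse)` and the old `talloc_free(naming_context)` in `done:` is dropped, but nothing in the patch states who owns the string; the struct comment should say so, e.g. `/* Owned by this struct: allocated on sdom by get_naming_context(), freed with it. */` — confirm that the first argument of `get_naming_context()` is indeed the talloc parent, since that call site changed from `opts->basic` to `sdom`. Because `sdap_set_config_options_with_rootdse` now skips the lookup whenever `sdom->naming_context` is already set, a value obtained from one server is reused for later connections; whether that is intended deserves a sentence in the same comment. The comment also has a typo: `actual based DN` should read `actual base DN`.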
@ -1,30 +0,0 @@
|
||||
From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Thu, 14 Jul 2022 11:21:04 -0400
|
||||
Subject: [PATCH] Analyzer: Fix escaping raw fstring
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19)
|
||||
---
|
||||
src/tools/analyzer/modules/request.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
|
||||
index b8dd9b25c..935e13adc 100644
|
||||
--- a/src/tools/analyzer/modules/request.py
|
||||
+++ b/src/tools/analyzer/modules/request.py
|
||||
@@ -243,8 +243,8 @@ class RequestAnalyzer:
|
||||
be_results = False
|
||||
component = source.Component.NSS
|
||||
resp = "nss"
|
||||
- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]']
|
||||
- pattern.append(rf"\[CID#{cid}\\]")
|
||||
+ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
|
||||
+ pattern.append(rf"\[CID#{cid}\]")
|
||||
|
||||
if args.pam:
|
||||
component = source.Component.PAM
|
||||
--
|
||||
2.37.1
|
||||
|
@ -0,0 +1,233 @@
|
||||
From 50077c3255177fe1b01837fbe31a7f8fd47dee74 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Jan 2024 13:08:17 +0100
|
||||
Subject: [PATCH] pam: fix SC auth with multiple certs and missing login name
|
||||
|
||||
While introducing the local_auth_policy option a quite specific use-case
|
||||
was not covered correctly. If there are multiple matching certificates
|
||||
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
|
||||
mode was used for login, i.e. there is no user name given and the user
|
||||
has to be derived from the certificate used for login, authentication
|
||||
failed. The main reason for the failure is that in this case the
|
||||
Smartcard interaction and the user mapping has to be done first to
|
||||
determine the user before local_auth_policy is evaluated. As a result
|
||||
when checking if the authentication can be finished the request was in
|
||||
an unexpected state because the indicator for local Smartcard
|
||||
authentication was not enabled.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7109
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Scott Poore <spoore@redhat.com>
|
||||
(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3)
|
||||
---
|
||||
src/responder/pam/pamsrv.h | 10 ++++
|
||||
src/responder/pam/pamsrv_cmd.c | 17 +++++--
|
||||
src/tests/intg/Makefile.am | 2 +
|
||||
src/tests/intg/test_pam_responder.py | 74 +++++++++++++++++++++++++++-
|
||||
4 files changed, 96 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 7013a8edd..618836189 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -93,7 +93,17 @@ struct pam_auth_req {
|
||||
struct ldb_message *user_obj;
|
||||
struct cert_auth_info *cert_list;
|
||||
struct cert_auth_info *current_cert;
|
||||
+ /* Switched to 'true' if the backend indicates that it cannot handle
|
||||
+ * Smartcard authentication, but Smartcard authentication is
|
||||
+ * possible and local Smartcard authentication is allowed. */
|
||||
bool cert_auth_local;
|
||||
+ /* Switched to 'true' if authentication (not pre-authentication) was
|
||||
+ * started without a login name and the name had to be lookup up with the
|
||||
+ * certificate used for authentication. Since reading the certificate from
|
||||
+ * the Smartcard already involves the PIN validation in this case there
|
||||
+ * would be no need for an additional Smartcard interaction if only local
|
||||
+ * Smartcard authentication is possible. */
|
||||
+ bool initial_cert_auth_successful;
|
||||
|
||||
bool passkey_data_exists;
|
||||
uint32_t client_id_num;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index c23ea7ba4..a7c181733 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -2200,8 +2200,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
ret = ENOENT;
|
||||
goto done;
|
||||
}
|
||||
-
|
||||
- if (cert_count > 1) {
|
||||
+ /* Multiple certificates are only expected during pre-auth */
|
||||
+ if (cert_count > 1 && preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
for (preq->current_cert = preq->cert_list;
|
||||
preq->current_cert != NULL;
|
||||
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
|
||||
@@ -2285,7 +2285,9 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
}
|
||||
|
||||
/* If logon_name was not given during authentication add a
|
||||
- * SSS_PAM_CERT_INFO message to send the name to the caller. */
|
||||
+ * SSS_PAM_CERT_INFO message to send the name to the caller.
|
||||
+ * Additionally initial_cert_auth_successful is set to
|
||||
+ * indicate that the user is already authenticated. */
|
||||
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& preq->pd->logon_name == NULL) {
|
||||
ret = add_pam_cert_response(preq->pd,
|
||||
@@ -2297,6 +2299,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
+ preq->initial_cert_auth_successful = true;
|
||||
}
|
||||
|
||||
/* cert_user will be returned to the PAM client as user name, so
|
||||
@@ -2851,12 +2855,15 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
if (found) {
|
||||
if (local_policy != NULL && strcasecmp(local_policy, "only") == 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
- DEBUG(SSSDBG_IMPORTANT_INFO, "Local auth only set, skipping online auth\n");
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Local auth only set and matching certificate was found, "
|
||||
+ "skipping online auth\n");
|
||||
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
} else if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& IS_SC_AUTHTOK(preq->pd->authtok)
|
||||
- && preq->cert_auth_local) {
|
||||
+ && (preq->cert_auth_local
|
||||
+ || preq->initial_cert_auth_successful)) {
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
preq->callback = pam_reply;
|
||||
}
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 3866d3ca6..0cfd268dc 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -199,6 +199,7 @@ clean-local:
|
||||
|
||||
PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
||||
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
||||
+SOFTHSM2_TWO_CONF="$(abs_builddir)/../test_CA/softhsm2_two.conf"
|
||||
|
||||
intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains sss_netgroup_thread_test
|
||||
pipepath="$(DESTDIR)$(pipepath)"; \
|
||||
@@ -233,6 +234,7 @@ intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
|
||||
PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
|
||||
ABS_SRCDIR=$(abs_srcdir) \
|
||||
SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
|
||||
+ SOFTHSM2_TWO_CONF=$(SOFTHSM2_TWO_CONF) \
|
||||
KCM_RENEW=$(KCM_RENEW) \
|
||||
FILES_PROVIDER=$(FILES_PROVIDER) \
|
||||
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
|
||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
||||
index 1fc3937e6..0fbf8065e 100644
|
||||
--- a/src/tests/intg/test_pam_responder.py
|
||||
+++ b/src/tests/intg/test_pam_responder.py
|
||||
@@ -168,7 +168,7 @@ def format_pam_cert_auth_conf(config, provider):
|
||||
{provider.p}
|
||||
|
||||
[certmap/auth_only/user1]
|
||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -201,7 +201,7 @@ def format_pam_cert_auth_conf_name_format(config, provider):
|
||||
{provider.p}
|
||||
|
||||
[certmap/auth_only/user1]
|
||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -380,6 +380,28 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
|
||||
return None
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def simple_pam_cert_auth_two_certs(request, passwd_ops_setup):
|
||||
+ """Setup SSSD with pam_cert_auth=True"""
|
||||
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
||||
+
|
||||
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
|
||||
+ softhsm2_two_conf = os.environ['SOFTHSM2_TWO_CONF']
|
||||
+ os.environ['SOFTHSM2_CONF'] = softhsm2_two_conf
|
||||
+
|
||||
+ conf = format_pam_cert_auth_conf(config, provider_switch(request.param))
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+
|
||||
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
|
||||
+
|
||||
+ passwd_ops_setup.useradd(**USER1)
|
||||
+ passwd_ops_setup.useradd(**USER2)
|
||||
+ sync_files_provider(USER2['name'])
|
||||
+
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def simple_pam_cert_auth_name_format(request, passwd_ops_setup):
|
||||
"""Setup SSSD with pam_cert_auth=True and full_name_format"""
|
||||
@@ -522,6 +544,54 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
|
||||
assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
|
||||
|
||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
||||
+def test_sc_auth_two(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth", "--service=pam_sss_service"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="2\n123456")
|
||||
+ except Exception:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
||||
+def test_sc_auth_two_missing_name(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "",
|
||||
+ "--action=auth", "--service=pam_sss_allow_missing_name"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="2\n123456")
|
||||
+ except Exception:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
@pytest.mark.parametrize('simple_pam_cert_auth', ['proxy_password'], indirect=True)
|
||||
def test_sc_proxy_password_fallback(simple_pam_cert_auth, env_for_sssctl):
|
||||
"""
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,34 +0,0 @@
|
||||
From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 16 Aug 2022 21:48:43 +0200
|
||||
Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f)
|
||||
---
|
||||
src/sss_client/nss_mc.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
|
||||
index de1496ccc..0f88521e9 100644
|
||||
--- a/src/sss_client/nss_mc.h
|
||||
+++ b/src/sss_client/nss_mc.h
|
||||
@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx {
|
||||
};
|
||||
|
||||
#if HAVE_PTHREAD
|
||||
-#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
#else
|
||||
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
|
||||
#endif
|
||||
|
||||
errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
|
||||
--
|
||||
2.37.1
|
||||
|
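--- a/SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch
+++ b/SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch
@@ -0,0 +1,218 @@
+From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 8 Nov 2023 14:50:24 +0100
+Subject: [PATCH] ad-gpo: use hash to store intermediate results
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently after the evaluation of a single GPO file the intermediate
+results are stored in the cache and this cache entry is updated until
+all applicable GPO files are evaluated. Finally the data in the cache is
+used to make the decision of access is granted or rejected.
+
+If there are two or more access-control request running in parallel one
+request might overwrite the cache object with intermediate data while
+another request reads the cached data for the access decision and as a
+result will do this decision based on intermediate data.
+
+To avoid this the intermediate results are not stored in the cache
+anymore but in hash tables which are specific to the request. Only the
+final result is written to the cache to have it available for offline
+authentication.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
+---
+ src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
+ 1 file changed, 102 insertions(+), 14 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 3d1ad39c7..b879b0a08 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+     return ret;
+ }
+ 
++static errno_t
++add_result_to_hash(hash_table_t *hash, const char *key, char *value)
++{
++    int hret;
++    hash_key_t k;
++    hash_value_t v;
++
++    if (hash == NULL || key == NULL || value == NULL) {
++        return EINVAL;
++    }
++
++    k.type = HASH_KEY_CONST_STRING;
++    k.c_str = key;
++
++    v.type = HASH_VALUE_PTR;
++    v.ptr = value;
++
++    hret = hash_enter(hash, &k, &v);
++    if (hret != HASH_SUCCESS) {
++        DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
++              key, value, hash_error_string(hret));
++        return EIO;
++    }
++
++    return EOK;
++}
++
+ /*
+  * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
+  * and stores the allow_key and deny_key of all of the gpo_map_types present
+@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+  */
+ static errno_t
+ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
++                             hash_table_t *allow_maps, hash_table_t *deny_maps,
+                              const char *filename)
+ {
+     struct ini_cfgfile *file_ctx = NULL;
+@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+             goto done;
+         } else if (ret != ENOENT) {
+             const char *value = allow_value ? allow_value : empty_val;
+-            ret = sysdb_gpo_store_gpo_result_setting(domain,
+-                                                     allow_key,
+-                                                     value);
++            ret = add_result_to_hash(allow_maps, allow_key,
++                                     talloc_strdup(allow_maps, value));
+             if (ret != EOK) {
+-                DEBUG(SSSDBG_CRIT_FAILURE,
+-                      "sysdb_gpo_store_gpo_result_setting failed for key:"
+-                      "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
+-                      ret, sss_strerror(ret));
++                DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
++                                           "value: [%s] to allow maps "
++                                           "[%d][%s].\n",
++                                           allow_key, value, ret,
++                                           sss_strerror(ret));
+                 goto done;
+             }
+         }
+@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+             goto done;
+         } else if (ret != ENOENT) {
+             const char *value = deny_value ? deny_value : empty_val;
+-            ret = sysdb_gpo_store_gpo_result_setting(domain,
+-                                                     deny_key,
+-                                                     value);
++            ret = add_result_to_hash(deny_maps, deny_key,
++                                     talloc_strdup(deny_maps, value));
+             if (ret != EOK) {
+-                DEBUG(SSSDBG_CRIT_FAILURE,
+-                      "sysdb_gpo_store_gpo_result_setting failed for key:"
+-                      "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
+-                      ret, sss_strerror(ret));
++                DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
++                                           "value: [%s] to deny maps "
++                                           "[%d][%s].\n",
++                                           deny_key, value, ret,
++                                           sss_strerror(ret));
+                 goto done;
+             }
+         }
+@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state {
+     int num_cse_filtered_gpos;
+     int cse_gpo_index;
+     const char *ad_domain;
++    hash_table_t *allow_maps;
++    hash_table_t *deny_maps;
+ };
+ 
+ static void ad_gpo_connect_done(struct tevent_req *subreq);
+@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
++    ret = sss_hash_create(state, 0, &state->allow_maps);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
++                                    "hash table [%d]: %s\n", ret, sss_strerror(ret));
++        goto immediately;
++    }
++
++    ret = sss_hash_create(state, 0, &state->deny_maps);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
++                                    "hash table [%d]: %s\n", ret, sss_strerror(ret));
++        goto immediately;
++    }
+ 
+     subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+     if (subreq == NULL) {
+@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req)
+     return EAGAIN;
+ }
+ 
++static errno_t
++store_hash_maps_in_cache(struct sss_domain_info *domain,
++                         hash_table_t *allow_maps, hash_table_t *deny_maps)
++{
++    int ret;
++    struct hash_iter_context_t *iter;
++    hash_entry_t *entry;
++    size_t c;
++    hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
++
++
++    for (c = 0; hash_list[c] != NULL; c++) {
++        iter = new_hash_iter_context(hash_list[c]);
++        if (iter == NULL) {
++            DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
++            return EINVAL;
++        }
++
++        while ((entry = iter->next(iter)) != NULL) {
++            ret = sysdb_gpo_store_gpo_result_setting(domain,
++                                                     entry->key.c_str,
++                                                     entry->value.ptr);
++            if (ret != EOK) {
++                free(iter);
++                DEBUG(SSSDBG_OP_FAILURE,
++                      "sysdb_gpo_store_gpo_result_setting failed for key:"
++                      "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
++                      (char *) entry->value.ptr, ret, sss_strerror(ret));
++                return ret;
++            }
++        }
++        talloc_free(iter);
++    }
++
++    return EOK;
++}
++
+ /*
+  * This cse-specific function (GP_EXT_GUID_SECURITY) increments the
+  * cse_gpo_index until the policy settings for all applicable GPOs have been
+@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+      * (as part of the GPO Result object in the sysdb cache).
+      */
+     ret = ad_gpo_store_policy_settings(state->host_domain,
++                                       state->allow_maps, state->deny_maps,
+                                        cse_filtered_gpo->policy_filename);
+     if (ret != EOK && ret != ENOENT) {
+         DEBUG(SSSDBG_OP_FAILURE,
+@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+ 
+     if (ret == EOK) {
+         /* ret is EOK only after all GPO policy files have been downloaded */
++        ret = store_hash_maps_in_cache(state->host_domain,
++                                       state->allow_maps, state->deny_maps);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
++                                     "[%d][%s].\n", ret, sss_strerror(ret));
++            goto done;
++        }
+         ret = ad_gpo_perform_hbac_processing(state,
+                                              state->gpo_mode,
+                                              state->gpo_map_type,
+-- 
+2.44.0
+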
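Review bot: store_hash_maps_in_cache() releases the iterator with `free(iter)` on the sysdb_gpo_store_gpo_result_setting() failure path but with `talloc_free(iter)` after the loop, and both cannot be correct for the same allocation. If sss_hash_create() installs talloc-backed allocator callbacks, as SSSD's hash helpers usually do, the iterator returned by new_hash_iter_context() is talloc memory and the plain free() corrupts the heap exactly when a cache write fails, so the error path should read `talloc_free(iter);` as well — please confirm against the table's allocator. Because cache writes now happen only in this loop, a failure part-way through leaves the GPO Result object with a mix of old and freshly evaluated keys for later offline decisions; wrapping the loop in a sysdb transaction, or at least a comment stating that the caller fails the request on error, would make that explicit. The comment above the ad_gpo_store_policy_settings() call in ad_gpo_cse_done() still says the settings are stored 'as part of the GPO Result object in the sysdb cache' and should now mention the request-local allow_maps/deny_maps; that function's body starts and ends outside the hunk.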
@ -1,78 +0,0 @@
|
||||
From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 16 Aug 2022 21:51:03 +0200
|
||||
Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be
|
||||
touched
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
|
||||
was creating a possibility for a race.
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757)
|
||||
---
|
||||
src/sss_client/nss_mc.h | 4 +++-
|
||||
src/sss_client/nss_mc_common.c | 20 ++++++++++----------
|
||||
2 files changed, 13 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
|
||||
index 0f88521e9..9ab2736fa 100644
|
||||
--- a/src/sss_client/nss_mc.h
|
||||
+++ b/src/sss_client/nss_mc.h
|
||||
@@ -44,7 +44,9 @@ enum sss_mc_state {
|
||||
RECYCLED,
|
||||
};
|
||||
|
||||
-/* common stuff */
|
||||
+/* In the case this structure is extended, don't forget to update
|
||||
+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`.
|
||||
+ */
|
||||
struct sss_cli_mc_ctx {
|
||||
enum sss_mc_state initialized;
|
||||
#if HAVE_PTHREAD
|
||||
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
|
||||
index f38a4a85a..3128861bf 100644
|
||||
--- a/src/sss_client/nss_mc_common.c
|
||||
+++ b/src/sss_client/nss_mc_common.c
|
||||
@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||
|
||||
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
|
||||
{
|
||||
- uint32_t active_threads = ctx->active_threads;
|
||||
-#if HAVE_PTHREAD
|
||||
- pthread_mutex_t *mutex = ctx->mutex;
|
||||
-#endif
|
||||
|
||||
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
|
||||
munmap(ctx->mmap_base, ctx->mmap_size);
|
||||
}
|
||||
+ ctx->mmap_base = NULL;
|
||||
+ ctx->mmap_size = 0;
|
||||
+
|
||||
if (ctx->fd != -1) {
|
||||
close(ctx->fd);
|
||||
}
|
||||
- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
|
||||
ctx->fd = -1;
|
||||
|
||||
- /* restore count of active threads */
|
||||
- ctx->active_threads = active_threads;
|
||||
-#if HAVE_PTHREAD
|
||||
- ctx->mutex = mutex;
|
||||
-#endif
|
||||
+ ctx->seed = 0;
|
||||
+ ctx->data_table = NULL;
|
||||
+ ctx->dt_size = 0;
|
||||
+ ctx->hash_table = NULL;
|
||||
+ ctx->ht_size = 0;
|
||||
+ ctx->initialized = UNINITIALIZED;
|
||||
+ /* `mutex` and `active_threads` should be left intact */
|
||||
}
|
||||
|
||||
static errno_t sss_nss_mc_init_ctx(const char *name,
|
||||
--
|
||||
2.37.1
|
||||
|
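--- a/SOURCES/0006-ad-refresh-root-domain-when-read-directly.patch
+++ b/SOURCES/0006-ad-refresh-root-domain-when-read-directly.patch
@@ -0,0 +1,81 @@
+From db27a51f274640e1aa2f13476c80955a3ec9e91c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 1 Mar 2024 10:50:07 +0100
+Subject: [PATCH] ad: refresh root domain when read directly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the domain object of the forest root domain cannot be found in the
+LDAP tree of the local AD domain SSSD tries to read the request data
+from an LDAP server of the forest root domain directly. After reading
+this data the information is stored in the cache but currently the
+information about the domain store in memory is not updated with the
+additional data. As a result e.g. the domain SID is missing in this data
+and only becomes available after a restart where it is read from the
+cache.
+
+With this patch an unconditional refresh is triggered at the end of the
+fallback code path.
+
+Resolves: https://github.com/SSSD/sssd/issues/7250
+
+Reviewed-by: Dan Lavu <dlavu@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53)
+---
+ src/providers/ad/ad_subdomains.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index a8d1892cc..d8f3738ce 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state {
+ static void ad_get_root_domain_done(struct tevent_req *subreq);
+ static void ad_check_root_domain_done(struct tevent_req *subreq);
+ static errno_t
+-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
+ 
+ struct tevent_req *
+ ad_check_domain_send(TALLOC_CTX *mem_ctx,
+@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
+         return;
+     }
+ 
+-    ret = ad_get_root_domain_refresh(state);
++    ret = ad_get_root_domain_refresh(state, false);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
+     }
+@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
+ 
+     state->reply_count = 1;
+ 
+-    ret = ad_get_root_domain_refresh(state);
++    ret = ad_get_root_domain_refresh(state, true);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
+     }
+@@ -1697,7 +1697,7 @@ done:
+ }
+ 
+ static errno_t
+-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
+ {
+     struct sss_domain_info *root_domain;
+     bool has_changes;
+@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+         goto done;
+     }
+ 
+-    if (has_changes) {
++    if (has_changes || refresh) {
+         ret = ad_subdom_reinit(state->sd_ctx);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
+-- 
+2.45.0
+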
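Review bot: The new `bool refresh` parameter of ad_get_root_domain_refresh() is undocumented and shares its name with the function, so `ad_get_root_domain_refresh(state, true)` reads as a tautology; `force_reinit` would say what the flag actually does at the `if (has_changes || refresh)` check. Suggested comment above the definition: `/* force_reinit: run ad_subdom_reinit() even if the cached root domain shows no changes, because data read directly from a forest-root DC is not yet reflected in the in-memory domain (e.g. the domain SID). */`. Both call sites only log when the refresh fails, so a failed forced reinit in ad_check_root_domain_done() leaves the in-memory domain in exactly the stale state the patch is meant to fix; whether that should propagate an error deserves a short comment at the `true` call site. The bodies of ad_get_root_domain_refresh() and its two callers extend outside the hunks.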
@ -1,33 +0,0 @@
|
||||
From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 16:17:59 -0400
|
||||
Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup
|
||||
|
||||
Fixes an issue when the sssctl analyzer option is
|
||||
used on systems where SSSD is not running or configured. This is
|
||||
an expected use case when using --logdir option to analyze external
|
||||
log files.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6298
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/tools/sssctl/sssctl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
|
||||
index 3816125ad..f18689f9f 100644
|
||||
--- a/src/tools/sssctl/sssctl.c
|
||||
+++ b/src/tools/sssctl/sssctl.c
|
||||
@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
|
||||
SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
|
||||
SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
|
||||
SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
|
||||
- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze),
|
||||
+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
|
||||
#ifdef HAVE_LIBINI_CONFIG_V1_3
|
||||
SSS_TOOL_DELIMITER("Configuration files tools:"),
|
||||
SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,297 +0,0 @@
|
||||
From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Fri, 19 Aug 2022 09:50:22 -0400
|
||||
Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Client ID is not stored properly to match requests
|
||||
when parallel requests are made to client SSSD
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6307
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 5 +++--
|
||||
.../plugins/cache_req_autofs_entry_by_name.c | 3 ++-
|
||||
.../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++-
|
||||
.../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++-
|
||||
.../plugins/cache_req_ssh_host_id_by_name.c | 3 ++-
|
||||
src/responder/common/responder.h | 2 +-
|
||||
src/responder/common/responder_common.c | 12 +++++++-----
|
||||
src/responder/common/responder_dp.c | 5 +++--
|
||||
src/responder/common/responder_get_domains.c | 3 ++-
|
||||
src/responder/pam/pamsrv_cmd.c | 4 ++--
|
||||
10 files changed, 26 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index 4dd45b038..bc65bae71 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <errno.h>
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "responder/common/cache_req/cache_req_private.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
state->first_iteration = true;
|
||||
|
||||
- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n",
|
||||
- rctx->client_id_num, cr->reqname);
|
||||
+ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n",
|
||||
+ sss_chain_id_get(), cr->reqname);
|
||||
|
||||
ret = cache_req_is_well_known_object(state, cr, &result);
|
||||
if (ret == EOK) {
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
index 788b6708c..b2b0a06eb 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include "db/sysdb.h"
|
||||
#include "db/sysdb_autofs.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
|
||||
@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
||||
be_conn->bus_name, SSS_BUS_PATH,
|
||||
0, data->name.name,
|
||||
data->autofs_entry_name,
|
||||
- cr->rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
}
|
||||
|
||||
bool
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
index 5d82641cc..23b11b1cd 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include "db/sysdb.h"
|
||||
#include "db/sysdb_autofs.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
|
||||
@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
||||
return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
|
||||
be_conn->bus_name, SSS_BUS_PATH,
|
||||
0, data->name.name,
|
||||
- cr->rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
}
|
||||
|
||||
bool
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
index 29f289723..18c08ca39 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include "db/sysdb.h"
|
||||
#include "db/sysdb_autofs.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
|
||||
@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
|
||||
return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
|
||||
be_conn->bus_name, SSS_BUS_PATH,
|
||||
0, data->name.name,
|
||||
- cr->rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
}
|
||||
|
||||
bool
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
|
||||
index a8b8f47a8..29f52f10d 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
|
||||
@@ -23,6 +23,7 @@
|
||||
|
||||
#include "db/sysdb_ssh.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
|
||||
@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
||||
return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn,
|
||||
be_conn->bus_name, SSS_BUS_PATH,
|
||||
0, data->name.name, data->alias,
|
||||
- cr->rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
}
|
||||
|
||||
static bool
|
||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
||||
index 5cb79e3e6..259b3ff13 100644
|
||||
--- a/src/responder/common/responder.h
|
||||
+++ b/src/responder/common/responder.h
|
||||
@@ -165,13 +165,13 @@ struct cli_ctx {
|
||||
|
||||
struct cli_creds *creds;
|
||||
char *cmd_line;
|
||||
- uint64_t old_chain_id;
|
||||
|
||||
void *protocol_ctx;
|
||||
void *state_ctx;
|
||||
|
||||
struct tevent_timer *idle;
|
||||
time_t last_request_time;
|
||||
+ uint32_t client_id_num;
|
||||
};
|
||||
|
||||
struct sss_cmd_table {
|
||||
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
|
||||
index 6e3b61ef0..a4ba8ea71 100644
|
||||
--- a/src/responder/common/responder_common.c
|
||||
+++ b/src/responder/common/responder_common.c
|
||||
@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev,
|
||||
"Failed to close fd [%d]: [%s]\n",
|
||||
ctx->cfd, strerror(ret));
|
||||
}
|
||||
- /* Restore the original chain id */
|
||||
- sss_chain_id_set(ctx->old_chain_id);
|
||||
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
"Terminated client [%p][%d]\n",
|
||||
@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev,
|
||||
int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd;
|
||||
|
||||
rctx->client_id_num++;
|
||||
-
|
||||
if (accept_ctx->is_private) {
|
||||
ret = stat(rctx->priv_sock_name, &stat_buf);
|
||||
if (ret == -1) {
|
||||
@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev,
|
||||
|
||||
talloc_set_destructor(cctx, cli_ctx_destructor);
|
||||
|
||||
+ cctx->client_id_num = rctx->client_id_num;
|
||||
+
|
||||
len = sizeof(cctx->addr);
|
||||
cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
|
||||
if (cctx->cfd == -1) {
|
||||
@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev,
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
"[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n",
|
||||
- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
|
||||
+ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
|
||||
cctx, cctx->cfd, accept_ctx->is_private ? " to privileged pipe" : "");
|
||||
|
||||
return;
|
||||
@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr,
|
||||
uint16_t flags)
|
||||
{
|
||||
errno_t ret;
|
||||
+ uint64_t old_chain_id;
|
||||
struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx);
|
||||
|
||||
/* Always reset the responder idle timer on any activity */
|
||||
@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr,
|
||||
}
|
||||
|
||||
/* Set the chain id */
|
||||
- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num);
|
||||
+ old_chain_id = sss_chain_id_set(cctx->client_id_num);
|
||||
|
||||
if (flags & TEVENT_FD_READ) {
|
||||
recv_fn(cctx);
|
||||
@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr,
|
||||
send_fn(cctx);
|
||||
return;
|
||||
}
|
||||
+ /* Restore the original chain id */
|
||||
+ sss_chain_id_set(old_chain_id);
|
||||
}
|
||||
|
||||
int sss_connection_setup(struct cli_ctx *cctx)
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index d549e02d3..4b4770da1 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <sys/time.h>
|
||||
#include <time.h>
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "responder/common/responder_packet.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "providers/data_provider.h"
|
||||
@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn,
|
||||
be_conn->bus_name, SSS_BUS_PATH, dp_flags,
|
||||
entry_type, filter, dom->name, extra,
|
||||
- rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
|
||||
ret = ENOMEM;
|
||||
@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx,
|
||||
SSS_BUS_PATH,
|
||||
dp_flags, entry_type,
|
||||
filter_type, filter_value,
|
||||
- rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
|
||||
ret = ENOMEM;
|
||||
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
|
||||
index 918124756..aeff28d73 100644
|
||||
--- a/src/responder/common/responder_get_domains.c
|
||||
+++ b/src/responder/common/responder_get_domains.c
|
||||
@@ -19,6 +19,7 @@
|
||||
*/
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_chain_id.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "db/sysdb.h"
|
||||
@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx,
|
||||
be_conn->bus_name,
|
||||
SSS_BUS_PATH, dp_flags,
|
||||
entry_type, filter,
|
||||
- rctx->client_id_num);
|
||||
+ sss_chain_id_get());
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
|
||||
ret = ENOMEM;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index cb0e1b82f..1695554fc 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
||||
}
|
||||
preq->cctx = cctx;
|
||||
preq->cert_auth_local = false;
|
||||
- preq->client_id_num = pctx->rctx->client_id_num;
|
||||
+ preq->client_id_num = cctx->client_id_num;
|
||||
|
||||
preq->pd = create_pam_data(preq);
|
||||
if (!preq->pd) {
|
||||
@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
||||
|
||||
pd->cmd = pam_cmd;
|
||||
pd->priv = cctx->priv;
|
||||
- pd->client_id_num = pctx->rctx->client_id_num;
|
||||
+ pd->client_id_num = cctx->client_id_num;
|
||||
|
||||
ret = pam_forwarder_parse_data(cctx, pd);
|
||||
if (ret == EAGAIN) {
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,185 +0,0 @@
|
||||
From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Fri, 19 Aug 2022 14:44:11 -0400
|
||||
Subject: [PATCH 9/9] Analyzer: support parallel requests parsing
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Analyzer code(primarily the list verbose command) needs
|
||||
changes to handle parsing the necessary lines from
|
||||
NSS/PAM log files when multiple intermixed/parallel
|
||||
client requests are sent to SSSD.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6307
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/tools/analyzer/modules/request.py | 119 +++++++++++++++-----------
|
||||
1 file changed, 67 insertions(+), 52 deletions(-)
|
||||
|
||||
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
|
||||
index 935e13adc..b9fe3caf8 100644
|
||||
--- a/src/tools/analyzer/modules/request.py
|
||||
+++ b/src/tools/analyzer/modules/request.py
|
||||
@@ -16,7 +16,6 @@ class RequestAnalyzer:
|
||||
"""
|
||||
module_parser = None
|
||||
consumed_logs = []
|
||||
- done = ""
|
||||
list_opts = [
|
||||
Option('--verbose', 'Verbose output', bool, '-v'),
|
||||
Option('--pam', 'Filter only PAM requests', bool),
|
||||
@@ -149,58 +148,74 @@ class RequestAnalyzer:
|
||||
print(line)
|
||||
return found_results
|
||||
|
||||
- def print_formatted(self, line, verbose):
|
||||
+ def print_formatted_verbose(self, source, patterns):
|
||||
+ """
|
||||
+ Parse line and print formatted verbose list_requests output
|
||||
+
|
||||
+ Args:
|
||||
+ source (Reader): source Reader object
|
||||
+ patterns (list): List of regex patterns to use for
|
||||
+ matching lines
|
||||
+ """
|
||||
+ # Get CID number, and print the basic line first
|
||||
+ for line in self.matched_line(source, patterns):
|
||||
+ cid = self.print_formatted(line)
|
||||
+
|
||||
+ # Loop through each line with this CID number to extract and
|
||||
+ # print the verbose data needed
|
||||
+ verbose_patterns = ["(cache_req_send|cache_req_process_input|"
|
||||
+ "cache_req_search_send)"]
|
||||
+ for cidline in self.matched_line(source, verbose_patterns):
|
||||
+ plugin = ""
|
||||
+ name = ""
|
||||
+ id = ""
|
||||
+
|
||||
+ # skip any lines not pertaining to this CID
|
||||
+ if f"CID#{cid}]" not in cidline:
|
||||
+ continue
|
||||
+ if "refreshed" in cidline:
|
||||
+ continue
|
||||
+ # CR Plugin name
|
||||
+ if re.search("cache_req_send", cidline):
|
||||
+ plugin = cidline.split('\'')[1]
|
||||
+ # CR Input name
|
||||
+ elif re.search("cache_req_process_input", cidline):
|
||||
+ name = cidline.rsplit('[')[-1]
|
||||
+ # CR Input id
|
||||
+ elif re.search("cache_req_search_send", cidline):
|
||||
+ id = cidline.rsplit()[-1]
|
||||
+
|
||||
+ if plugin:
|
||||
+ print(" - " + plugin)
|
||||
+ if name:
|
||||
+ print(" - " + name[:-2])
|
||||
+ if (id and ("UID" in cidline or "GID" in cidline)):
|
||||
+ print(" - " + id)
|
||||
+
|
||||
+ def print_formatted(self, line):
|
||||
"""
|
||||
Parse line and print formatted list_requests output
|
||||
|
||||
Args:
|
||||
line (str): line to parse
|
||||
- verbose (bool): If true, enable verbose output
|
||||
+ Returns:
|
||||
+ Client ID from printed line, 0 otherwise
|
||||
"""
|
||||
- plugin = ""
|
||||
- name = ""
|
||||
- id = ""
|
||||
-
|
||||
# exclude backtrace logs
|
||||
if line.startswith(' * '):
|
||||
- return
|
||||
- fields = line.split("[")
|
||||
- cr_field = fields[3][7:]
|
||||
- cr = cr_field.split(":")[0][4:]
|
||||
+ return 0
|
||||
if "refreshed" in line:
|
||||
- return
|
||||
- # CR Plugin name
|
||||
- if re.search("cache_req_send", line):
|
||||
- plugin = line.split('\'')[1]
|
||||
- # CR Input name
|
||||
- elif re.search("cache_req_process_input", line):
|
||||
- name = line.rsplit('[')[-1]
|
||||
- # CR Input id
|
||||
- elif re.search("cache_req_search_send", line):
|
||||
- id = line.rsplit()[-1]
|
||||
- # CID and client process name
|
||||
- else:
|
||||
- ts = line.split(")")[0]
|
||||
- ts = ts[1:]
|
||||
- fields = line.split("[")
|
||||
- cid = fields[3][4:-9]
|
||||
- cmd = fields[4][4:-1]
|
||||
- uid = fields[5][4:-1]
|
||||
- if not uid.isnumeric():
|
||||
- uid = fields[6][4:-1]
|
||||
- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
|
||||
-
|
||||
- if verbose:
|
||||
- if plugin:
|
||||
- print(" - " + plugin)
|
||||
- if name:
|
||||
- if cr not in self.done:
|
||||
- print(" - " + name[:-2])
|
||||
- self.done = cr
|
||||
- if id:
|
||||
- if cr not in self.done:
|
||||
- print(" - " + id)
|
||||
- self.done = cr
|
||||
+ return 0
|
||||
+ ts = line.split(")")[0]
|
||||
+ ts = ts[1:]
|
||||
+ fields = line.split("[")
|
||||
+ cid = fields[3][4:-9]
|
||||
+ cmd = fields[4][4:-1]
|
||||
+ uid = fields[5][4:-1]
|
||||
+ if not uid.isnumeric():
|
||||
+ uid = fields[6][4:-1]
|
||||
+ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
|
||||
+ return cid
|
||||
|
||||
def list_requests(self, args):
|
||||
"""
|
||||
@@ -215,20 +230,20 @@ class RequestAnalyzer:
|
||||
# Log messages matching the following regex patterns contain
|
||||
# the useful info we need to produce list output
|
||||
patterns = [r'\[cmd']
|
||||
- patterns.append("(cache_req_send|cache_req_process_input|"
|
||||
- "cache_req_search_send)")
|
||||
if args.pam:
|
||||
component = source.Component.PAM
|
||||
resp = "pam"
|
||||
|
||||
logger.info(f"******** Listing {resp} client requests ********")
|
||||
source.set_component(component, False)
|
||||
- self.done = ""
|
||||
- for line in self.matched_line(source, patterns):
|
||||
- if isinstance(source, Journald):
|
||||
- print(line)
|
||||
- else:
|
||||
- self.print_formatted(line, args.verbose)
|
||||
+ if args.verbose:
|
||||
+ self.print_formatted_verbose(source, patterns)
|
||||
+ else:
|
||||
+ for line in self.matched_line(source, patterns):
|
||||
+ if isinstance(source, Journald):
|
||||
+ print(line)
|
||||
+ else:
|
||||
+ self.print_formatted(line)
|
||||
|
||||
def track_request(self, args):
|
||||
"""
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,295 +0,0 @@
|
||||
From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 18:10:46 +0200
|
||||
Subject: [PATCH] CLIENT: fix client fd leak
|
||||
|
||||
- close client socket at thread exit
|
||||
- only build lock-free client support if libc has required
|
||||
functionality for a proper cleanup
|
||||
- use proper mechanisms to init lock_mode only once
|
||||
|
||||
:relnote:Lock-free client support will be only built if libc
|
||||
provides `pthread_key_create()` and `pthread_once()`. For glibc
|
||||
this means version 2.34+
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb)
|
||||
---
|
||||
configure.ac | 29 +++++++++--
|
||||
src/man/Makefile.am | 5 +-
|
||||
src/man/sssd.8.xml | 2 +-
|
||||
src/sss_client/common.c | 83 +++++++++++++++++++-------------
|
||||
src/sss_client/idmap/common_ex.c | 4 ++
|
||||
5 files changed, 84 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 93bd93b85..5a05de41e 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
|
||||
m4_include([src/build_macros.m4])
|
||||
BUILD_WITH_SHARED_BUILD_DIR
|
||||
|
||||
-AC_COMPILE_IFELSE(
|
||||
+
|
||||
+SAVE_LIBS=$LIBS
|
||||
+LIBS=
|
||||
+AC_LINK_IFELSE(
|
||||
[AC_LANG_PROGRAM([[#include <pthread.h>]],
|
||||
[[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
|
||||
- (void) m; /* unused */
|
||||
+ pthread_mutex_lock(&m);
|
||||
+ pthread_mutex_unlock(&m);
|
||||
]])],
|
||||
[AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.])
|
||||
HAVE_PTHREAD=1
|
||||
],
|
||||
- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])])
|
||||
+ [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])])
|
||||
+LIBS=$SAVE_LIBS
|
||||
+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
|
||||
|
||||
|
||||
-AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
|
||||
+SAVE_LIBS=$LIBS
|
||||
+LIBS=
|
||||
+AC_LINK_IFELSE(
|
||||
+ [AC_LANG_PROGRAM([[#include <pthread.h>]],
|
||||
+ [[static pthread_key_t k;
|
||||
+ static pthread_once_t f = PTHREAD_ONCE_INIT;
|
||||
+ pthread_once(&f, NULL);
|
||||
+ pthread_key_create(&k, NULL);
|
||||
+ ]])],
|
||||
+ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.])
|
||||
+ HAVE_PTHREAD_EXT=1
|
||||
+ ],
|
||||
+ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])])
|
||||
+LIBS=$SAVE_LIBS
|
||||
+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"])
|
||||
+
|
||||
|
||||
# Check library for the timer_create function
|
||||
SAVE_LIBS=$LIBS
|
||||
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
|
||||
index 93dd14819..063ff1bf0 100644
|
||||
--- a/src/man/Makefile.am
|
||||
+++ b/src/man/Makefile.am
|
||||
@@ -46,9 +46,12 @@ endif
|
||||
if BUILD_KCM_RENEWAL
|
||||
KCM_RENEWAL_CONDS = ;enable_kcm_renewal
|
||||
endif
|
||||
+if BUILD_LOCKFREE_CLIENT
|
||||
+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support
|
||||
+endif
|
||||
|
||||
|
||||
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)
|
||||
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)
|
||||
|
||||
|
||||
#Special Rules:
|
||||
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
|
||||
index df07b7f29..5f507c631 100644
|
||||
--- a/src/man/sssd.8.xml
|
||||
+++ b/src/man/sssd.8.xml
|
||||
@@ -240,7 +240,7 @@
|
||||
If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
|
||||
client applications will not use the fast in-memory cache.
|
||||
</para>
|
||||
- <para>
|
||||
+ <para condition="enable_lockfree_support">
|
||||
If the environment variable SSS_LOCKFREE is set to "NO", requests
|
||||
from multiple threads of a single application will be serialized.
|
||||
</para>
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 29c751a50..d762dff49 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -35,7 +35,6 @@
|
||||
#include <stdlib.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
-#include <stdatomic.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
#include <poll.h>
|
||||
@@ -62,8 +61,15 @@
|
||||
|
||||
/* common functions */
|
||||
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+static pthread_key_t sss_sd_key;
|
||||
+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
|
||||
static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
|
||||
static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
|
||||
+#else
|
||||
+static int sss_cli_sd = -1; /* the sss client socket descriptor */
|
||||
+static struct stat sss_cli_sb; /* the sss client stat buffer */
|
||||
+#endif
|
||||
|
||||
#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
|
||||
__attribute__((destructor))
|
||||
@@ -76,6 +82,18 @@ void sss_cli_close_socket(void)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+static void sss_at_thread_exit(void *v)
|
||||
+{
|
||||
+ sss_cli_close_socket();
|
||||
+}
|
||||
+
|
||||
+static void init_sd_key(void)
|
||||
+{
|
||||
+ pthread_key_create(&sss_sd_key, sss_at_thread_exit);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Requests:
|
||||
*
|
||||
* byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
|
||||
@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
|
||||
return -1;
|
||||
}
|
||||
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
|
||||
+
|
||||
+ /* It actually doesn't matter what value to set for a key.
|
||||
+ * The only important thing: key must be non-NULL to ensure
|
||||
+ * destructor is executed at thread exit.
|
||||
+ */
|
||||
+ pthread_setspecific(sss_sd_key, &sss_cli_sd);
|
||||
+#endif
|
||||
+
|
||||
/* set as non-blocking, close on exec, and make sure standard
|
||||
* descriptors are not used */
|
||||
sd = make_safe_fd(sd);
|
||||
@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len)
|
||||
}
|
||||
|
||||
#if HAVE_PTHREAD
|
||||
-bool sss_is_lockfree_mode(void)
|
||||
+
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+static bool sss_lock_free = true;
|
||||
+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT;
|
||||
+
|
||||
+static void init_lock_mode(void)
|
||||
{
|
||||
- const char *env = NULL;
|
||||
- enum {
|
||||
- MODE_UNDEF,
|
||||
- MODE_LOCKING,
|
||||
- MODE_LOCKFREE
|
||||
- };
|
||||
- static atomic_int mode = MODE_UNDEF;
|
||||
-
|
||||
- if (mode == MODE_UNDEF) {
|
||||
- env = getenv("SSS_LOCKFREE");
|
||||
- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
|
||||
- mode = MODE_LOCKING;
|
||||
- } else {
|
||||
- mode = MODE_LOCKFREE;
|
||||
- }
|
||||
+ const char *env = getenv("SSS_LOCKFREE");
|
||||
+
|
||||
+ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
|
||||
+ sss_lock_free = false;
|
||||
}
|
||||
+}
|
||||
|
||||
- return (mode == MODE_LOCKFREE);
|
||||
+bool sss_is_lockfree_mode(void)
|
||||
+{
|
||||
+ pthread_once(&sss_lock_mode_initialized, init_lock_mode);
|
||||
+ return sss_lock_free;
|
||||
}
|
||||
+#endif
|
||||
|
||||
struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
|
||||
-
|
||||
static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
|
||||
-
|
||||
-static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
|
||||
-
|
||||
static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER };
|
||||
|
||||
static void sss_mt_lock(struct sss_mutex *m)
|
||||
{
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
if (sss_is_lockfree_mode()) {
|
||||
return;
|
||||
}
|
||||
+#endif
|
||||
|
||||
pthread_mutex_lock(&m->mtx);
|
||||
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
|
||||
@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m)
|
||||
|
||||
static void sss_mt_unlock(struct sss_mutex *m)
|
||||
{
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
if (sss_is_lockfree_mode()) {
|
||||
return;
|
||||
}
|
||||
+#endif
|
||||
|
||||
pthread_setcancelstate(m->old_cancel_state, NULL);
|
||||
pthread_mutex_unlock(&m->mtx);
|
||||
@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void)
|
||||
sss_mt_unlock(&sss_nss_mtx);
|
||||
}
|
||||
|
||||
-/* NSS mutex wrappers */
|
||||
+/* PAM mutex wrappers */
|
||||
void sss_pam_lock(void)
|
||||
{
|
||||
sss_mt_lock(&sss_pam_mtx);
|
||||
@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void)
|
||||
sss_mt_unlock(&sss_pam_mtx);
|
||||
}
|
||||
|
||||
-/* NSS mutex wrappers */
|
||||
-void sss_nss_mc_lock(void)
|
||||
-{
|
||||
- sss_mt_lock(&sss_nss_mc_mtx);
|
||||
-}
|
||||
-void sss_nss_mc_unlock(void)
|
||||
-{
|
||||
- sss_mt_unlock(&sss_nss_mc_mtx);
|
||||
-}
|
||||
-
|
||||
/* PAC mutex wrappers */
|
||||
void sss_pac_lock(void)
|
||||
{
|
||||
diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c
|
||||
index 4f454cd63..8c4894fd9 100644
|
||||
--- a/src/sss_client/idmap/common_ex.c
|
||||
+++ b/src/sss_client/idmap/common_ex.c
|
||||
@@ -28,7 +28,9 @@
|
||||
#include "common_private.h"
|
||||
|
||||
extern struct sss_mutex sss_nss_mtx;
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
bool sss_is_lockfree_mode(void);
|
||||
+#endif
|
||||
|
||||
#define SEC_FROM_MSEC(ms) ((ms) / 1000)
|
||||
#define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
|
||||
@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime)
|
||||
{
|
||||
int ret;
|
||||
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
if (sss_is_lockfree_mode()) {
|
||||
return 0;
|
||||
}
|
||||
+#endif
|
||||
|
||||
ret = pthread_mutex_timedlock(&m->mtx, endtime);
|
||||
if (ret != 0) {
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,124 +0,0 @@
|
||||
From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 20 Sep 2022 15:37:01 +0200
|
||||
Subject: [PATCH] krb5: respect krb5_validate for PAC checks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The first step of checking the PAC is the same as during the Kerberos
|
||||
ticket validation, requesting a service ticket for a service principal
|
||||
from the local keytab. By default ticket validation is enable for the
|
||||
IPA and AD provider where checking the PAC might become important. If
|
||||
ticket validation is disabled manually it is most probably because there
|
||||
are issues requesting the service ticket and fixing those is currently
|
||||
not possible.
|
||||
|
||||
Currently when SSSD is configured to check the PAC it ignores the
|
||||
krb5_validate setting and tries to request a service ticket which would
|
||||
fail in the case ticket validation is disabled for a reason. To not
|
||||
cause regressions with this patch SSSD will skip the PAC checks if
|
||||
ticket validation is disabled.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6355
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc)
|
||||
---
|
||||
src/man/include/krb5_options.xml | 11 ++++++++++-
|
||||
src/man/sssd.conf.5.xml | 13 ++++++++++---
|
||||
src/providers/krb5/krb5_child.c | 9 ++++-----
|
||||
src/providers/krb5/krb5_init_shared.c | 10 ++++++++++
|
||||
4 files changed, 34 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml
|
||||
index c3292d1bb..d82be7bfa 100644
|
||||
--- a/src/man/include/krb5_options.xml
|
||||
+++ b/src/man/include/krb5_options.xml
|
||||
@@ -26,7 +26,16 @@
|
||||
keytab entry as the last entry or the only entry in the keytab file.
|
||||
</para>
|
||||
<para>
|
||||
- Default: false
|
||||
+ Default: false (IPA and AD provider: true)
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Please note that the ticket validation is the first step when
|
||||
+ checking the PAC (see 'pac_check' in the
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sssd.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry> manual page for details). If ticket
|
||||
+ validation is disabled the PAC checks will be skipped as well.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 615b41550..7a9920815 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
<para>
|
||||
Apply additional checks on the PAC of the Kerberos
|
||||
ticket which is available in Active Directory and
|
||||
- FreeIPA domains, if configured. The following
|
||||
- options can be used alone or in a comma-separated
|
||||
- list:
|
||||
+ FreeIPA domains, if configured. Please note that
|
||||
+ Kerberos ticket validation must be enabled to be
|
||||
+ able to check the PAC, i.e. the krb5_validate option
|
||||
+ must be set to 'True' which is the default for the
|
||||
+ IPA and AD provider. If krb5_validate is set to
|
||||
+ 'False' the PAC checks will be skipped.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The following options can be used alone or in a
|
||||
+ comma-separated list:
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>no_check</term>
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index 0a592da00..8727b4202 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[])
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* To be able to read the PAC we have to request a service ticket where we
|
||||
- * have a key to decrypt it, this is the same step we use for validating
|
||||
- * the ticket. */
|
||||
- if (cli_opts.check_pac_flags != 0) {
|
||||
- kr->validate = true;
|
||||
+ if (cli_opts.check_pac_flags != 0 && !kr->validate) {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "PAC check is requested but krb5_validate is set to false. "
|
||||
+ "PAC checks will be skipped.\n");
|
||||
}
|
||||
|
||||
kerr = privileged_krb5_setup(kr, offline);
|
||||
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
|
||||
index ee48f459b..3e6ebe2ed 100644
|
||||
--- a/src/providers/krb5/krb5_init_shared.c
|
||||
+++ b/src/providers/krb5/krb5_init_shared.c
|
||||
@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (krb5_auth_ctx->check_pac_flags != 0
|
||||
+ && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "PAC check is requested but krb5_validate is set to false. "
|
||||
+ "PAC checks will be skipped.\n");
|
||||
+ sss_log(SSS_LOG_WARNING,
|
||||
+ "PAC check is requested but krb5_validate is set to false. "
|
||||
+ "PAC checks will be skipped.");
|
||||
+ }
|
||||
+
|
||||
ret = parse_krb5_map_user(krb5_auth_ctx,
|
||||
dp_opt_get_cstring(krb5_auth_ctx->opts,
|
||||
KRB5_MAP_USER),
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,141 +0,0 @@
|
||||
From 70e254653edb21923d7565c80704e1ce6865d991 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Wed, 12 Oct 2022 08:48:45 -0400
|
||||
Subject: [PATCH] Analyzer: Optimize list verbose output
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Modify the analyzer to parse the responder log file in one pass. This
|
||||
avoids repeated parsing of a single log file. This operation will now
|
||||
store log lines in a dictionary on a single pass then format and print
|
||||
the output accordingly. Does not affect 'list' or 'show' output.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
---
|
||||
src/tools/analyzer/modules/request.py | 71 ++++++++++++++++++---------
|
||||
1 file changed, 48 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
|
||||
index b9fe3caf8..15c8e6bfb 100644
|
||||
--- a/src/tools/analyzer/modules/request.py
|
||||
+++ b/src/tools/analyzer/modules/request.py
|
||||
@@ -148,36 +148,57 @@ class RequestAnalyzer:
|
||||
print(line)
|
||||
return found_results
|
||||
|
||||
- def print_formatted_verbose(self, source, patterns):
|
||||
+ def print_formatted_verbose(self, source):
|
||||
"""
|
||||
- Parse line and print formatted verbose list_requests output
|
||||
+ Parse log file and print formatted verbose list_requests output
|
||||
|
||||
Args:
|
||||
source (Reader): source Reader object
|
||||
- patterns (list): List of regex patterns to use for
|
||||
- matching lines
|
||||
"""
|
||||
- # Get CID number, and print the basic line first
|
||||
- for line in self.matched_line(source, patterns):
|
||||
- cid = self.print_formatted(line)
|
||||
-
|
||||
- # Loop through each line with this CID number to extract and
|
||||
- # print the verbose data needed
|
||||
- verbose_patterns = ["(cache_req_send|cache_req_process_input|"
|
||||
- "cache_req_search_send)"]
|
||||
- for cidline in self.matched_line(source, verbose_patterns):
|
||||
+ data = {}
|
||||
+ # collect cid log lines from single run through of parsing the log
|
||||
+ # into dictionary # (cid, ts) -> logline_output
|
||||
+ for line in source:
|
||||
+ if "CID#" not in line:
|
||||
+ continue
|
||||
+
|
||||
+ # parse CID and ts from line, key is a tuple of (cid,ts)
|
||||
+ fields = line.split("[")
|
||||
+ # timestamp to the minute, cut off seconds, ms
|
||||
+ ts = fields[0][:17]
|
||||
+ result = re.search('CID#[0-9]*', fields[3])
|
||||
+ cid = result.group(0)
|
||||
+
|
||||
+ # if mapping exists, append line to output. Otherwise create new mapping
|
||||
+ if (cid, ts) in data.keys():
|
||||
+ data[(cid, ts)] += line
|
||||
+ else:
|
||||
+ data[(cid, ts)] = line
|
||||
+
|
||||
+ # pretty print the data
|
||||
+ for k, v in data.items():
|
||||
+ cr_done = []
|
||||
+ id_done = []
|
||||
+ for cidline in v.splitlines():
|
||||
plugin = ""
|
||||
name = ""
|
||||
id = ""
|
||||
|
||||
- # skip any lines not pertaining to this CID
|
||||
- if f"CID#{cid}]" not in cidline:
|
||||
- continue
|
||||
- if "refreshed" in cidline:
|
||||
- continue
|
||||
+ # CR number
|
||||
+ fields = cidline.split("[")
|
||||
+ cr_field = fields[3][7:]
|
||||
+ cr = cr_field.split(":")[0][4:]
|
||||
+ # Client connected, top-level info line
|
||||
+ if re.search(r'\[cmd', cidline):
|
||||
+ self.print_formatted(cidline)
|
||||
# CR Plugin name
|
||||
if re.search("cache_req_send", cidline):
|
||||
plugin = cidline.split('\'')[1]
|
||||
+ id_done.clear()
|
||||
+ # Extract CR number
|
||||
+ fields = cidline.split("[")
|
||||
+ cr_field = fields[3][7:]
|
||||
+ cr = cr_field.split(":")[0][4:]
|
||||
# CR Input name
|
||||
elif re.search("cache_req_process_input", cidline):
|
||||
name = cidline.rsplit('[')[-1]
|
||||
@@ -188,9 +209,14 @@ class RequestAnalyzer:
|
||||
if plugin:
|
||||
print(" - " + plugin)
|
||||
if name:
|
||||
- print(" - " + name[:-2])
|
||||
+ # Avoid duplicate output with the same CR #
|
||||
+ if cr not in cr_done:
|
||||
+ print(" - " + name[:-1])
|
||||
+ cr_done.append(cr)
|
||||
if (id and ("UID" in cidline or "GID" in cidline)):
|
||||
- print(" - " + id)
|
||||
+ if id not in id_done:
|
||||
+ print(" - " + id)
|
||||
+ id_done.append(id)
|
||||
|
||||
def print_formatted(self, line):
|
||||
"""
|
||||
@@ -237,7 +263,7 @@ class RequestAnalyzer:
|
||||
logger.info(f"******** Listing {resp} client requests ********")
|
||||
source.set_component(component, False)
|
||||
if args.verbose:
|
||||
- self.print_formatted_verbose(source, patterns)
|
||||
+ self.print_formatted_verbose(source)
|
||||
else:
|
||||
for line in self.matched_line(source, patterns):
|
||||
if isinstance(source, Journald):
|
||||
@@ -258,8 +284,7 @@ class RequestAnalyzer:
|
||||
be_results = False
|
||||
component = source.Component.NSS
|
||||
resp = "nss"
|
||||
- pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
|
||||
- pattern.append(rf"\[CID#{cid}\]")
|
||||
+ pattern = [rf"\[CID#{cid}\]"]
|
||||
|
||||
if args.pam:
|
||||
component = source.Component.PAM
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,43 +0,0 @@
|
||||
From 89ea4a5feaf30f80a79ca3ba8166f304cc414e07 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Tue, 15 Nov 2022 12:47:51 -0500
|
||||
Subject: [PATCH] Analyzer: Ensure parsed id contains digit
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In analyzer list verbose output, we parse the last field of cache_req_search_send() lines.
|
||||
Certain log messages need to be filtered out by ensuring the parsed field is
|
||||
a digit, such as the last line below.
|
||||
|
||||
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
|
||||
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
|
||||
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@domain-zflo.com
|
||||
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119@domain-zflo.com] from cache
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit bfa8d50c479cf8ef7b299eb5848309a3a9ea7f12)
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
---
|
||||
src/tools/analyzer/modules/request.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
|
||||
index 15c8e6bfb..bf279ea75 100644
|
||||
--- a/src/tools/analyzer/modules/request.py
|
||||
+++ b/src/tools/analyzer/modules/request.py
|
||||
@@ -214,7 +214,7 @@ class RequestAnalyzer:
|
||||
print(" - " + name[:-1])
|
||||
cr_done.append(cr)
|
||||
if (id and ("UID" in cidline or "GID" in cidline)):
|
||||
- if id not in id_done:
|
||||
+ if id not in id_done and bool(re.search(r'\d', id)):
|
||||
print(" - " + id)
|
||||
id_done.append(id)
|
||||
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,94 +0,0 @@
|
||||
From 7e23e6394b518dd013c6b03a1a63715899180935 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Sun, 6 Nov 2022 11:22:22 +0100
|
||||
Subject: [PATCH 14/16] TOOLS: don't export internal helpers
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 6ef3aade0394e32540242f902c9f21bb8d6c41f2)
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/tools/common/sss_tools.c | 16 ++++++++--------
|
||||
src/tools/common/sss_tools.h | 12 ------------
|
||||
2 files changed, 8 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||
index c066ddc5c..47b85bdd2 100644
|
||||
--- a/src/tools/common/sss_tools.c
|
||||
+++ b/src/tools/common/sss_tools.c
|
||||
@@ -178,9 +178,9 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
|
||||
- int *argc, const char **argv,
|
||||
- struct sss_tool_ctx **_tool_ctx)
|
||||
+static errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
|
||||
+ int *argc, const char **argv,
|
||||
+ struct sss_tool_ctx **_tool_ctx)
|
||||
{
|
||||
struct sss_tool_ctx *tool_ctx;
|
||||
|
||||
@@ -235,7 +235,7 @@ static size_t sss_tool_max_length(struct sss_route_cmd *commands)
|
||||
return max;
|
||||
}
|
||||
|
||||
-void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
|
||||
+static void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
|
||||
{
|
||||
int min_len;
|
||||
int i;
|
||||
@@ -304,10 +304,10 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-errno_t sss_tool_route(int argc, const char **argv,
|
||||
- struct sss_tool_ctx *tool_ctx,
|
||||
- struct sss_route_cmd *commands,
|
||||
- void *pvt)
|
||||
+static errno_t sss_tool_route(int argc, const char **argv,
|
||||
+ struct sss_tool_ctx *tool_ctx,
|
||||
+ struct sss_route_cmd *commands,
|
||||
+ void *pvt)
|
||||
{
|
||||
struct sss_cmdline cmdline;
|
||||
const char *cmd;
|
||||
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
|
||||
index 0e4308ee6..578186633 100644
|
||||
--- a/src/tools/common/sss_tools.h
|
||||
+++ b/src/tools/common/sss_tools.h
|
||||
@@ -35,10 +35,6 @@ struct sss_tool_ctx {
|
||||
struct sss_domain_info *domains;
|
||||
};
|
||||
|
||||
-errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
|
||||
- int *argc, const char **argv,
|
||||
- struct sss_tool_ctx **_tool_ctx);
|
||||
-
|
||||
struct sss_cmdline {
|
||||
const char *exec; /* argv[0] */
|
||||
const char *command; /* command name */
|
||||
@@ -69,14 +65,6 @@ struct sss_route_cmd {
|
||||
int flags;
|
||||
};
|
||||
|
||||
-void sss_tool_usage(const char *tool_name,
|
||||
- struct sss_route_cmd *commands);
|
||||
-
|
||||
-errno_t sss_tool_route(int argc, const char **argv,
|
||||
- struct sss_tool_ctx *tool_ctx,
|
||||
- struct sss_route_cmd *commands,
|
||||
- void *pvt);
|
||||
-
|
||||
typedef errno_t (*sss_popt_fn)(poptContext pc, char option, void *pvt);
|
||||
|
||||
enum sss_tool_opt {
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,71 +0,0 @@
|
||||
From bd16242ef6780fd2808bf03f79eda5d940094bc5 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Sun, 6 Nov 2022 12:25:37 +0100
|
||||
Subject: [PATCH 15/16] TOOLS: fixed handling of init error
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Before execution of `tool_cmd_init()` `init_err` wasn't set,
|
||||
so `sss_tools_handles_init_error()` check was a no-op.
|
||||
|
||||
Consequently, a proper check after `tool_cmd_init()` was missing.
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 7af46ba0e925da61b7b4003c3fa6d51c05c1116e)
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/tools/common/sss_tools.c | 17 ++++-------------
|
||||
src/tools/common/sss_tools.h | 1 -
|
||||
2 files changed, 4 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||
index 47b85bdd2..38ae88306 100644
|
||||
--- a/src/tools/common/sss_tools.c
|
||||
+++ b/src/tools/common/sss_tools.c
|
||||
@@ -336,22 +336,13 @@ static errno_t sss_tool_route(int argc, const char **argv,
|
||||
cmdline.argc = argc - 2;
|
||||
cmdline.argv = argv + 2;
|
||||
|
||||
- if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Command %s does not handle initialization error [%d] %s\n",
|
||||
- cmdline.command, tool_ctx->init_err,
|
||||
- sss_strerror(tool_ctx->init_err));
|
||||
- return tool_ctx->init_err;
|
||||
- }
|
||||
-
|
||||
if (!tool_ctx->print_help) {
|
||||
ret = tool_cmd_init(tool_ctx, &commands[i]);
|
||||
- if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
|
||||
- tool_ctx->init_err = ret;
|
||||
- } else if (ret != EOK) {
|
||||
+
|
||||
+ if (!sss_tools_handles_init_error(&commands[i], ret)) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Command initialization failed [%d] %s\n",
|
||||
- ret, sss_strerror(ret));
|
||||
+ "Command %s does not handle initialization error [%d] %s\n",
|
||||
+ cmdline.command, ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
|
||||
index 578186633..75dc15391 100644
|
||||
--- a/src/tools/common/sss_tools.h
|
||||
+++ b/src/tools/common/sss_tools.h
|
||||
@@ -30,7 +30,6 @@ struct sss_tool_ctx {
|
||||
struct confdb_ctx *confdb;
|
||||
|
||||
bool print_help;
|
||||
- errno_t init_err;
|
||||
char *default_domain;
|
||||
struct sss_domain_info *domains;
|
||||
};
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,89 +0,0 @@
|
||||
From 66c318d212d56e26f303fc52d5fecbde4a6b9589 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 22:18:06 +0100
|
||||
Subject: [PATCH 16/16] SSSCTL: don't require 'root' for "analyze" cmd
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
:relnote: `sssctl analyze` tool doesn't require anymore to be run under root.
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 99791400bec1054cf0081884e013a3cbed75fe8a)
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/tools/common/sss_tools.c | 16 +++++++++-------
|
||||
src/tools/common/sss_tools.h | 3 ++-
|
||||
src/tools/sssctl/sssctl.c | 2 +-
|
||||
3 files changed, 12 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||
index 38ae88306..d16de7c4d 100644
|
||||
--- a/src/tools/common/sss_tools.c
|
||||
+++ b/src/tools/common/sss_tools.c
|
||||
@@ -267,6 +267,15 @@ static int tool_cmd_init(struct sss_tool_ctx *tool_ctx,
|
||||
struct sss_route_cmd *command)
|
||||
{
|
||||
int ret;
|
||||
+ uid_t uid;
|
||||
+
|
||||
+ if (!(command->flags & SSS_TOOL_FLAG_SKIP_ROOT_CHECK)) {
|
||||
+ uid = getuid();
|
||||
+ if (uid != 0) {
|
||||
+ ERROR("'%s' must be run as root\n", command->command);
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (command->flags & SSS_TOOL_FLAG_SKIP_CMD_INIT) {
|
||||
return EOK;
|
||||
@@ -515,15 +524,8 @@ int sss_tool_main(int argc, const char **argv,
|
||||
void *pvt)
|
||||
{
|
||||
struct sss_tool_ctx *tool_ctx;
|
||||
- uid_t uid;
|
||||
errno_t ret;
|
||||
|
||||
- uid = getuid();
|
||||
- if (uid != 0) {
|
||||
- ERROR("%1$s must be run as root\n", argv[0]);
|
||||
- return EXIT_FAILURE;
|
||||
- }
|
||||
-
|
||||
ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
|
||||
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
|
||||
index 75dc15391..24dd4b559 100644
|
||||
--- a/src/tools/common/sss_tools.h
|
||||
+++ b/src/tools/common/sss_tools.h
|
||||
@@ -54,7 +54,8 @@ typedef errno_t
|
||||
#define SSS_TOOL_DELIMITER(message) {"", _(message), 0, NULL, 0}
|
||||
#define SSS_TOOL_LAST {NULL, NULL, 0, NULL, 0}
|
||||
|
||||
-#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01
|
||||
+#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01
|
||||
+#define SSS_TOOL_FLAG_SKIP_ROOT_CHECK 0x02
|
||||
|
||||
struct sss_route_cmd {
|
||||
const char *command;
|
||||
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
|
||||
index f18689f9f..b73d19ffe 100644
|
||||
--- a/src/tools/sssctl/sssctl.c
|
||||
+++ b/src/tools/sssctl/sssctl.c
|
||||
@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
|
||||
SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
|
||||
SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
|
||||
SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
|
||||
- SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
|
||||
+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
|
||||
#ifdef HAVE_LIBINI_CONFIG_V1_3
|
||||
SSS_TOOL_DELIMITER("Configuration files tools:"),
|
||||
SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,49 +0,0 @@
|
||||
From a86d1740167031bf6444ff821a201164c11ba09c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 16 Nov 2022 09:28:54 +0100
|
||||
Subject: [PATCH 17/19] PAC: allow to disable UPN check
|
||||
|
||||
Currently it was not possible to skip the UPN check which checks if the
|
||||
UPN in the PAC and the one stored in SSSD's cache are different.
|
||||
Additionally the related debug message will show both principals if they
|
||||
differ.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6451
|
||||
|
||||
(cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_pac_common.c | 16 +++++++++++++---
|
||||
1 file changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
|
||||
index 0ed817111..79f79b7a7 100644
|
||||
--- a/src/providers/ad/ad_pac_common.c
|
||||
+++ b/src/providers/ad/ad_pac_common.c
|
||||
@@ -224,9 +224,19 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
|
||||
|
||||
if (user_data != NULL) {
|
||||
if (strcasecmp(user_data, upn_dns_info->upn_name) != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "UPN of user entry and PAC do not match.\n");
|
||||
- return ERR_CHECK_PAC_FAILED;
|
||||
+ if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "UPN of user entry [%s] and "
|
||||
+ "PAC [%s] do not match.\n",
|
||||
+ user_data,
|
||||
+ upn_dns_info->upn_name);
|
||||
+ return ERR_CHECK_PAC_FAILED;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO, "UPN of user entry [%s] and "
|
||||
+ "PAC [%s] do not match, "
|
||||
+ "ignored.\n", user_data,
|
||||
+ upn_dns_info->upn_name);
|
||||
+ return EOK;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,90 +0,0 @@
|
||||
From 29aa434816ce6ae2aaf3b0bcf24b89f05f426d1b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 22 Nov 2022 13:39:26 +0100
|
||||
Subject: [PATCH 18/19] ipa: do not add guessed principal to the cache
|
||||
|
||||
Currently on IPA clients a calculated principal based on the user name
|
||||
and the Kerberos realm is added to the cached user object. This code is
|
||||
quite old and might have been necessary at times when sub-domain support
|
||||
was added to SSSD. But since quite some time SSSD is capable of
|
||||
generating the principal on the fly during authentication if nothing is
|
||||
stored in the cache.
|
||||
|
||||
Removing the code makes the cache more consistent with other use-cases,
|
||||
e.g. with the IPA server where this attribute is empty, and allows to
|
||||
properly detect a missing UPN, e.g. during the PAC validation.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6451
|
||||
|
||||
(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_s2n_exop.c | 44 --------------------------------
|
||||
1 file changed, 44 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
||||
index c68c1de26..81927a6b8 100644
|
||||
--- a/src/providers/ipa/ipa_s2n_exop.c
|
||||
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
||||
@@ -2467,8 +2467,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
time_t now;
|
||||
struct sss_nss_homedir_ctx homedir_ctx;
|
||||
char *name = NULL;
|
||||
- char *realm;
|
||||
- char *short_name = NULL;
|
||||
char *upn = NULL;
|
||||
gid_t gid;
|
||||
gid_t orig_gid = 0;
|
||||
@@ -2607,48 +2605,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (upn == NULL) {
|
||||
- /* We also have to store a fake UPN here, because otherwise the
|
||||
- * krb5 child later won't be able to properly construct one as
|
||||
- * the username is fully qualified but the child doesn't have
|
||||
- * access to the regex to deconstruct it */
|
||||
- /* FIXME: The real UPN is available from the PAC, we should get
|
||||
- * it from there. */
|
||||
- realm = get_uppercase_realm(tmp_ctx, dom->name);
|
||||
- if (!realm) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
|
||||
- &short_name, NULL);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot parse internal name %s\n",
|
||||
- attrs->a.user.pw_name);
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
|
||||
- if (!upn) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* We might already have the SID or the UPN from other sources
|
||||
- * hence sysdb_attrs_add_string_safe is used to avoid double
|
||||
- * entries. */
|
||||
- ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN,
|
||||
- upn);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "sysdb_attrs_add_string failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
if (req_input->type == REQ_INP_SECID) {
|
||||
ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
|
||||
SYSDB_SID_STR,
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,164 +0,0 @@
|
||||
From 0e618c36ed74c240f7acd071ccb7bfd405b2d827 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 22 Nov 2022 14:43:21 +0100
|
||||
Subject: [PATCH 19/19] pac: relax default check
|
||||
|
||||
To avoid issues with the UPN check during PAC validation when
|
||||
'ldap_user_principal' is set to a not existing attribute to skip reading
|
||||
user principals a new 'pac_check' option, 'check_upn_allow_missing' is
|
||||
added to the default options. With this option only a log message is
|
||||
shown but the check will not fail.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6451
|
||||
|
||||
(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 2 +-
|
||||
src/man/sssd.conf.5.xml | 30 +++++++++++++++++++++++++++++-
|
||||
src/providers/ad/ad_pac_common.c | 24 ++++++++++++++++++++----
|
||||
src/util/pac_utils.c | 10 ++++++++++
|
||||
src/util/util.h | 2 ++
|
||||
5 files changed, 62 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 83f6be7f9..5fda67585 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -181,7 +181,7 @@
|
||||
#define CONFDB_PAC_LIFETIME "pac_lifetime"
|
||||
#define CONFDB_PAC_CHECK "pac_check"
|
||||
#define CONFDB_PAC_CHECK_DEFAULT "no_check"
|
||||
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
|
||||
+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"
|
||||
|
||||
/* InfoPipe */
|
||||
#define CONFDB_IFP_CONF_ENTRY "config/ifp"
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 7a9920815..d9f4a7481 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -2275,6 +2275,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
consistent.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>check_upn_allow_missing</term>
|
||||
+ <listitem>
|
||||
+ <para>This option should be used together
|
||||
+ with 'check_upn' and handles the case where
|
||||
+ a UPN is set on the server-side but is not
|
||||
+ read by SSSD. The typical example is a
|
||||
+ FreeIPA domain where 'ldap_user_principal'
|
||||
+ is set to a not existing attribute name.
|
||||
+ This was typically done to work-around
|
||||
+ issues in the handling of enterprise
|
||||
+ principals. But this is fixed since quite
|
||||
+ some time and FreeIPA can handle enterprise
|
||||
+ principals just fine and there is no need
|
||||
+ anymore to set 'ldap_user_principal'.</para>
|
||||
+ <para>Currently this option is set by
|
||||
+ default to avoid regressions in such
|
||||
+ environments. A log message will be added
|
||||
+ to the system log and SSSD's debug log in
|
||||
+ case a UPN is found in the PAC but not in
|
||||
+ SSSD's cache. To avoid this log message it
|
||||
+ would be best to evaluate if the
|
||||
+ 'ldap_user_principal' option can be removed.
|
||||
+ If this is not possible, removing
|
||||
+ 'check_upn' will skip the test and avoid the
|
||||
+ log message.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
<varlistentry>
|
||||
<term>upn_dns_info_present</term>
|
||||
<listitem>
|
||||
@@ -2305,7 +2333,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
</para>
|
||||
<para>
|
||||
Default: no_check (AD and IPA provider
|
||||
- 'check_upn, check_upn_dns_info_ex')
|
||||
+ 'check_upn, check_upn_allow_missing, check_upn_dns_info_ex')
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
|
||||
index 79f79b7a7..fcb54cd2c 100644
|
||||
--- a/src/providers/ad/ad_pac_common.c
|
||||
+++ b/src/providers/ad/ad_pac_common.c
|
||||
@@ -215,10 +215,26 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "User object does not have a UPN but PAC "
|
||||
"says otherwise, maybe ldap_user_principal option is set.\n");
|
||||
if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "UPN is missing but PAC UPN check required, "
|
||||
- "PAC validation failed.\n");
|
||||
- return ERR_CHECK_PAC_FAILED;
|
||||
+ if (pac_check_opts & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "UPN is missing but PAC UPN check required, "
|
||||
+ "PAC validation failed. However, "
|
||||
+ "'check_upn_allow_missing' is set and the error is "
|
||||
+ "ignored. To make this message go away please check "
|
||||
+ "why the UPN is not read from the server. In FreeIPA "
|
||||
+ "environments 'ldap_user_principal' is most probably "
|
||||
+ "set to a non-existing attribute name to avoid "
|
||||
+ "issues with enterprise principals. This is not "
|
||||
+ "needed anymore with recent versions of FreeIPA.\n");
|
||||
+ sss_log(SSS_LOG_CRIT, "PAC validation issue, please check "
|
||||
+ "sssd_pac.log for details");
|
||||
+ return EOK;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "UPN is missing but PAC UPN check required, "
|
||||
+ "PAC validation failed.\n");
|
||||
+ return ERR_CHECK_PAC_FAILED;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/src/util/pac_utils.c b/src/util/pac_utils.c
|
||||
index c53b0c082..4499d8dfd 100644
|
||||
--- a/src/util/pac_utils.c
|
||||
+++ b/src/util/pac_utils.c
|
||||
@@ -64,6 +64,8 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
|
||||
flags |= CHECK_PAC_CHECK_UPN_DNS_INFO_EX;
|
||||
flags |= CHECK_PAC_UPN_DNS_INFO_PRESENT;
|
||||
flags |= CHECK_PAC_CHECK_UPN;
|
||||
+ } else if (strcasecmp(list[c], CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR) == 0) {
|
||||
+ flags |= CHECK_PAC_CHECK_UPN_ALLOW_MISSING;
|
||||
} else {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Unknown value [%s] for pac_check.\n",
|
||||
list[c]);
|
||||
@@ -72,6 +74,14 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
|
||||
}
|
||||
}
|
||||
|
||||
+ if ((flags & CHECK_PAC_CHECK_UPN_ALLOW_MISSING)
|
||||
+ && !(flags & CHECK_PAC_CHECK_UPN)) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "pac_check option '%s' is set but '%s' is not set, this means "
|
||||
+ "the UPN is not checked.\n",
|
||||
+ CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR, CHECK_PAC_CHECK_UPN_STR);
|
||||
+ }
|
||||
+
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
diff --git a/src/util/util.h b/src/util/util.h
|
||||
index 6d9111874..4b2651c2c 100644
|
||||
--- a/src/util/util.h
|
||||
+++ b/src/util/util.h
|
||||
@@ -818,6 +818,8 @@ uint64_t get_spend_time_us(uint64_t st);
|
||||
#define CHECK_PAC_CHECK_UPN_DNS_INFO_EX (1 << 3)
|
||||
#define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT_STR "upn_dns_info_ex_present"
|
||||
#define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT (1 << 4)
|
||||
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR "check_upn_allow_missing"
|
||||
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING (1 << 5)
|
||||
|
||||
errno_t get_pac_check_config(struct confdb_ctx *cdb, uint32_t *pac_check_opts);
|
||||
#endif /* __SSSD_UTIL_H__ */
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,102 +0,0 @@
|
||||
From ace43c8ce02d19cf536ce35749aa2ed734089189 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Aug 2022 13:55:21 +0200
|
||||
Subject: [PATCH 20/23] oidc_child: escape scopes
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Before using the user provided scopes in the HTTP request they should be
|
||||
properly escaped according to RFC-3986.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6146
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/oidc_child/oidc_child.c | 4 ++--
|
||||
src/oidc_child/oidc_child_curl.c | 35 ++++++++++++++++++++++++++++++++
|
||||
src/oidc_child/oidc_child_util.h | 2 ++
|
||||
3 files changed, 39 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
|
||||
index e58afccd3..aeeac3595 100644
|
||||
--- a/src/oidc_child/oidc_child.c
|
||||
+++ b/src/oidc_child/oidc_child.c
|
||||
@@ -119,9 +119,9 @@ static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
|
||||
}
|
||||
|
||||
if (scope != NULL && *scope != '\0') {
|
||||
- dc_ctx->scope = talloc_strdup(dc_ctx, scope);
|
||||
+ dc_ctx->scope = url_encode_string(dc_ctx, scope);
|
||||
if (dc_ctx->scope == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy scopes.\n");
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to encode and copy scopes.\n");
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
|
||||
index 20e17a566..df438e007 100644
|
||||
--- a/src/oidc_child/oidc_child_curl.c
|
||||
+++ b/src/oidc_child/oidc_child_curl.c
|
||||
@@ -26,6 +26,41 @@
|
||||
#include <curl/curl.h>
|
||||
#include "oidc_child/oidc_child_util.h"
|
||||
|
||||
+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp)
|
||||
+{
|
||||
+ CURL *curl_ctx = NULL;
|
||||
+ char *tmp;
|
||||
+ char *out = NULL;
|
||||
+
|
||||
+ if (inp == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Empty input.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ curl_ctx = curl_easy_init();
|
||||
+ if (curl_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize curl.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ tmp = curl_easy_escape(curl_ctx, inp, 0);
|
||||
+ if (tmp == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "curl_easy_escape failed for [%s].\n", inp);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ out = talloc_strdup(mem_ctx, tmp);
|
||||
+ curl_free(tmp);
|
||||
+ if (out == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "talloc_strdup failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ curl_easy_cleanup(curl_ctx);
|
||||
+ return (out);
|
||||
+}
|
||||
+
|
||||
/* The curl write_callback will always append the received data. To start a
|
||||
* new string call clean_http_data() before the curl request.*/
|
||||
void clean_http_data(struct devicecode_ctx *dc_ctx)
|
||||
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
|
||||
index c781bf1b1..ae5a72bc2 100644
|
||||
--- a/src/oidc_child/oidc_child_util.h
|
||||
+++ b/src/oidc_child/oidc_child_util.h
|
||||
@@ -61,6 +61,8 @@ struct devicecode_ctx {
|
||||
};
|
||||
|
||||
/* oidc_child_curl.c */
|
||||
+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp);
|
||||
+
|
||||
errno_t init_curl(void *p);
|
||||
|
||||
void clean_http_data(struct devicecode_ctx *dc_ctx);
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,89 +0,0 @@
|
||||
From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Aug 2022 14:01:34 +0200
|
||||
Subject: [PATCH 21/23] oidc_child: use client secret if available to get
|
||||
device code
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Some IdP have the concept of confidential client, i.e. clients where the
|
||||
client's secret can be stored safely by the related application. For a
|
||||
confidential client some IdPs expects that the client secret is used in
|
||||
all requests together with the client ID although OAuth2 specs currently
|
||||
only mention this explicitly for the token request. To make sure the
|
||||
device code can be requested in this case the client secret is added to
|
||||
the device code request if the secret is provided.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6146
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/oidc_child/oidc_child.c | 2 +-
|
||||
src/oidc_child/oidc_child_curl.c | 12 +++++++++++-
|
||||
src/oidc_child/oidc_child_util.h | 2 +-
|
||||
3 files changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
|
||||
index aeeac3595..c8d35d5d8 100644
|
||||
--- a/src/oidc_child/oidc_child.c
|
||||
+++ b/src/oidc_child/oidc_child.c
|
||||
@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
|
||||
if (opts.get_device_code) {
|
||||
- ret = get_devicecode(dc_ctx, opts.client_id);
|
||||
+ ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
|
||||
goto done;
|
||||
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
|
||||
index df438e007..6e80c3abf 100644
|
||||
--- a/src/oidc_child/oidc_child_curl.c
|
||||
+++ b/src/oidc_child/oidc_child_curl.c
|
||||
@@ -428,7 +428,7 @@ done:
|
||||
#define DEFAULT_SCOPE "user"
|
||||
|
||||
errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
||||
- const char *client_id)
|
||||
+ const char *client_id, const char *client_secret)
|
||||
{
|
||||
int ret;
|
||||
|
||||
@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
+ if (client_secret != NULL) {
|
||||
+ post_data = talloc_asprintf_append(post_data, "&client_secret=%s",
|
||||
+ client_secret);
|
||||
+ if (post_data == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to add client secret to POST data.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
clean_http_data(dc_ctx);
|
||||
ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,
|
||||
post_data, NULL);
|
||||
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
|
||||
index ae5a72bc2..8b106ae79 100644
|
||||
--- a/src/oidc_child/oidc_child_util.h
|
||||
+++ b/src/oidc_child/oidc_child_util.h
|
||||
@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,
|
||||
errno_t get_jwks(struct devicecode_ctx *dc_ctx);
|
||||
|
||||
errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
||||
- const char *client_id);
|
||||
+ const char *client_id, const char *client_secret);
|
||||
|
||||
errno_t get_token(TALLOC_CTX *mem_ctx,
|
||||
struct devicecode_ctx *dc_ctx, const char *client_id,
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,67 +0,0 @@
|
||||
From 55bfa944ad0197ae294d85ac42abf98297fa3a5d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Aug 2022 14:19:59 +0200
|
||||
Subject: [PATCH 22/23] oidc_child: increase wait interval by 5s if 'slow_down'
|
||||
is returned
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
While waiting for the user to authenticate with the IdP oidc_child
|
||||
currently only handles the error code 'authorization_pending' and waits
|
||||
for the given interval until a new request is send. But there is also
|
||||
'slow_down' which should not be treated as fatal error but should just
|
||||
increase the waiting time permanently for 5s.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6146
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 5ed7670766483040211713f8182510775c76b962)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/oidc_child/oidc_child_curl.c | 8 +++++++-
|
||||
src/oidc_child/oidc_child_json.c | 6 ++++++
|
||||
2 files changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
|
||||
index 6e80c3abf..cf0976021 100644
|
||||
--- a/src/oidc_child/oidc_child_curl.c
|
||||
+++ b/src/oidc_child/oidc_child_curl.c
|
||||
@@ -378,8 +378,14 @@ errno_t get_token(TALLOC_CTX *mem_ctx,
|
||||
break;
|
||||
}
|
||||
|
||||
- sleep(dc_ctx->interval);
|
||||
waiting_time += dc_ctx->interval;
|
||||
+ if (waiting_time >= dc_ctx->expires_in) {
|
||||
+ /* Next sleep will end after the request is expired on the
|
||||
+ * server side, so we can just error out now. */
|
||||
+ ret = ETIMEDOUT;
|
||||
+ break;
|
||||
+ }
|
||||
+ sleep(dc_ctx->interval);
|
||||
} while (waiting_time < dc_ctx->expires_in);
|
||||
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/oidc_child/oidc_child_json.c b/src/oidc_child/oidc_child_json.c
|
||||
index efc1997aa..a89794c4c 100644
|
||||
--- a/src/oidc_child/oidc_child_json.c
|
||||
+++ b/src/oidc_child/oidc_child_json.c
|
||||
@@ -413,6 +413,12 @@ errno_t parse_token_result(struct devicecode_ctx *dc_ctx,
|
||||
if (strcmp(json_string_value(tmp), "authorization_pending") == 0) {
|
||||
json_decref(result);
|
||||
return EAGAIN;
|
||||
+ } else if (strcmp(json_string_value(tmp), "slow_down") == 0) {
|
||||
+ /* RFC 8628: "... the interval MUST be increased by 5 seconds for"
|
||||
+ * "this and all subsequent requests." */
|
||||
+ dc_ctx->interval += 5;
|
||||
+ json_decref(result);
|
||||
+ return EAGAIN;
|
||||
} else {
|
||||
*error_description = get_json_string(dc_ctx, result,
|
||||
"error_description");
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,194 +0,0 @@
|
||||
From 2f3cd781879e7063fcd996389071458587623e1c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 22 Aug 2022 11:37:07 +0200
|
||||
Subject: [PATCH 23/23] oidc_child: add --client-secret-stdin option
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Since there is the use-case of confidential client which requires that
|
||||
the client secret must be sent to the IdP we should handle it
|
||||
confidentially by not putting it on the command line but sending it via
|
||||
stdin.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6146
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 1a475e0c537c905c80406ceb88c7b34e6400bc40)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/oidc_child/oidc_child.c | 89 ++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 82 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
|
||||
index c8d35d5d8..7758cdc25 100644
|
||||
--- a/src/oidc_child/oidc_child.c
|
||||
+++ b/src/oidc_child/oidc_child.c
|
||||
@@ -34,7 +34,7 @@
|
||||
#include "util/atomic_io.h"
|
||||
|
||||
#define IN_BUF_SIZE 4096
|
||||
-static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
|
||||
+static errno_t read_from_stdin(TALLOC_CTX *mem_ctx, char **out)
|
||||
{
|
||||
uint8_t buf[IN_BUF_SIZE];
|
||||
ssize_t len;
|
||||
@@ -56,7 +56,7 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- str = talloc_strndup(dc_ctx, (char *) buf, len);
|
||||
+ str = talloc_strndup(mem_ctx, (char *) buf, len);
|
||||
sss_erase_mem_securely(buf, IN_BUF_SIZE);
|
||||
if (str == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
|
||||
@@ -65,21 +65,72 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
|
||||
talloc_set_destructor((void *) str, sss_erase_talloc_mem_securely);
|
||||
|
||||
if (strlen(str) != len) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Input contains additional data, "
|
||||
- "only JSON encoded device code expected.\n");
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Input contains additional data.\n");
|
||||
talloc_free(str);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
+ *out = str;
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx,
|
||||
+ const char **out)
|
||||
+{
|
||||
+ char *str;
|
||||
+ errno_t ret;
|
||||
+ char *sep;
|
||||
+
|
||||
+ ret = read_from_stdin(dc_ctx, &str);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ if (out != NULL) {
|
||||
+ /* expect the client secret in the first line */
|
||||
+ sep = strchr(str, '\n');
|
||||
+ if (sep == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Format error, expecting client secret and JSON data.\n");
|
||||
+ talloc_free(str);
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ *sep = '\0';
|
||||
+ *out = str;
|
||||
+ sep++;
|
||||
+ } else {
|
||||
+ sep = str;
|
||||
+ }
|
||||
+
|
||||
clean_http_data(dc_ctx);
|
||||
- dc_ctx->http_data = str;
|
||||
+ dc_ctx->http_data = talloc_strdup(dc_ctx, sep);
|
||||
|
||||
DEBUG(SSSDBG_TRACE_ALL, "JSON device code: [%s].\n", dc_ctx->http_data);
|
||||
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static errno_t read_client_secret_from_stdin(struct devicecode_ctx *dc_ctx,
|
||||
+ const char **out)
|
||||
+{
|
||||
+ char *str;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = read_from_stdin(dc_ctx, &str);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ *out = str;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Client secret: [%s].\n", *out);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
|
||||
const char *device_auth_endpoint,
|
||||
const char *token_endpoint,
|
||||
@@ -210,6 +261,7 @@ struct cli_opts {
|
||||
const char *jwks_uri;
|
||||
const char *scope;
|
||||
const char *client_secret;
|
||||
+ bool client_secret_stdin;
|
||||
const char *ca_db;
|
||||
const char *user_identifier_attr;
|
||||
bool libcurl_debug;
|
||||
@@ -253,6 +305,8 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
|
||||
{"client-id", 0, POPT_ARG_STRING, &opts->client_id, 0, _("Client ID"), NULL},
|
||||
{"client-secret", 0, POPT_ARG_STRING, &opts->client_secret, 0,
|
||||
_("Client secret (if needed)"), NULL},
|
||||
+ {"client-secret-stdin", 0, POPT_ARG_NONE, NULL, 's',
|
||||
+ _("Read client secret from standard input"), NULL},
|
||||
{"ca-db", 0, POPT_ARG_STRING, &opts->ca_db, 0,
|
||||
_("Path to PEM file with CA certificates"), NULL},
|
||||
{"libcurl-debug", 0, POPT_ARG_NONE, NULL, 'c',
|
||||
@@ -280,6 +334,9 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
|
||||
case 'c':
|
||||
opts->libcurl_debug = true;
|
||||
break;
|
||||
+ case 's':
|
||||
+ opts->client_secret_stdin = true;
|
||||
+ break;
|
||||
default:
|
||||
fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
||||
poptBadOption(pc, 0), poptStrerror(opt));
|
||||
@@ -324,6 +381,12 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (opts->client_secret != NULL && opts->client_secret_stdin) {
|
||||
+ fprintf(stderr, "\n--client-secret and --client-secret-stdin are "
|
||||
+ "mutually exclusive.\n\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
poptFreeContext(pc);
|
||||
print_usage = false;
|
||||
|
||||
@@ -454,6 +517,15 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
|
||||
if (opts.get_device_code) {
|
||||
+ if (opts.client_secret_stdin) {
|
||||
+ ret = read_client_secret_from_stdin(dc_ctx, &opts.client_secret);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to read client secret from stdin.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
|
||||
@@ -463,7 +535,10 @@ int main(int argc, const char *argv[])
|
||||
|
||||
if (opts.get_access_token) {
|
||||
if (dc_ctx->device_code == NULL) {
|
||||
- ret = read_device_code_from_stdin(dc_ctx);
|
||||
+ ret = read_device_code_from_stdin(dc_ctx,
|
||||
+ opts.client_secret_stdin
|
||||
+ ? &opts.client_secret
|
||||
+ : NULL);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to read device code from stdin.\n");
|
||||
--
|
||||
2.37.3
|
||||
|
169
SPECS/sssd.spec
169
SPECS/sssd.spec
@ -18,8 +18,8 @@
|
||||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
Name: sssd
|
||||
Version: 2.7.3
|
||||
Release: 4%{?dist}.3
|
||||
Version: 2.9.4
|
||||
Release: 4%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -27,29 +27,12 @@ URL: https://github.com/SSSD/sssd
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-Makefile-remove-unneeded-dependency.patch
|
||||
Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
|
||||
Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
|
||||
Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch
|
||||
Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
|
||||
Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
|
||||
Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
|
||||
Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
|
||||
Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
|
||||
Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
|
||||
Patch0011: 0011-krb5-respect-krb5_validate-for-PAC-checks.patch
|
||||
Patch0012: 0012-Analyzer-Optimize-list-verbose-output.patch
|
||||
Patch0013: 0013-Analyzer-Ensure-parsed-id-contains-digit.patch
|
||||
Patch0014: 0014-TOOLS-don-t-export-internal-helpers.patch
|
||||
Patch0015: 0015-TOOLS-fixed-handling-of-init-error.patch
|
||||
Patch0016: 0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch
|
||||
Patch0017: 0017-PAC-allow-to-disable-UPN-check.patch
|
||||
Patch0018: 0018-ipa-do-not-add-guessed-principal-to-the-cache.patch
|
||||
Patch0019: 0019-pac-relax-default-check.patch
|
||||
Patch0020: 0020-oidc_child-escape-scopes.patch
|
||||
Patch0021: 0021-oidc_child-use-client-secret-if-available-to-get-dev.patch
|
||||
Patch0022: 0022-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch
|
||||
Patch0023: 0023-oidc_child-add-client-secret-stdin-option.patch
|
||||
Patch0001: 0001-sssd-adding-mail-as-case-insensitive.patch
|
||||
Patch0002: 0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
|
||||
Patch0003: 0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
|
||||
Patch0004: 0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
|
||||
Patch0005: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch
|
||||
Patch0006: 0006-ad-refresh-root-domain-when-read-directly.patch
|
||||
|
||||
### Downstream Patches ###
|
||||
|
||||
@ -127,6 +110,7 @@ BuildRequires: jansson-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: libjose-devel
|
||||
BuildRequires: softhsm >= 2.1.0
|
||||
BuildRequires: bc
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssh
|
||||
BuildRequires: libnl3-devel
|
||||
@ -232,7 +216,6 @@ Summary: Userspace tools for use with the SSSD
|
||||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: libsss_simpleifp = %{version}-%{release}
|
||||
# required by sss_obfuscate
|
||||
Requires: python3-sss = %{version}-%{release}
|
||||
Requires: python3-sssdconfig = %{version}-%{release}
|
||||
@ -373,6 +356,7 @@ Group: Applications/System
|
||||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Requires(pre): shadow-utils
|
||||
|
||||
%description proxy
|
||||
@ -612,8 +596,9 @@ autoreconf -ivf
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
--with-subid \
|
||||
--with-files-provider \
|
||||
--with-libsifp \
|
||||
--enable-sss-default-nss-plugin \
|
||||
--enable-files-domain \
|
||||
--without-python2-bindings \
|
||||
--with-sssd-user=sssd \
|
||||
%{?with_cifs_utils_plugin_option} \
|
||||
@ -929,7 +914,7 @@ done
|
||||
%{_mandir}/man5/sssd-ifp.5*
|
||||
%{_unitdir}/sssd-ifp.service
|
||||
# InfoPipe DBus plumbing
|
||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
|
||||
|
||||
%files -n libsss_simpleifp
|
||||
@ -1117,6 +1102,38 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
|
||||
%systemd_post sssd-ssh.socket
|
||||
%systemd_post sssd-sudo.socket
|
||||
|
||||
function mod_nss() {
|
||||
if [ -f "$1" ] ; then
|
||||
# Change order 'sss <-> files' if default pattern is found
|
||||
match_pattern="^[[:blank:]]*(passwd|group):(.*)sss[[:blank:]]+files(.*)"
|
||||
if grep -E -r -q -s "$match_pattern" "$1"; then
|
||||
sed -i.save_by_rpm -E -e "
|
||||
s/$match_pattern/\1:\2files sss\3/
|
||||
" "$1" &>/dev/null || :
|
||||
# Remove obsolete comment
|
||||
sed -i -E -e '/# .sssd. performs its own .files.-based caching, so it should generally/d' "$1" &>/dev/null || :
|
||||
sed -i -E -e '/# come before .files.\./d' "$1" &>/dev/null || :
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if grep -E -r -q -s "[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/ ||
|
||||
grep -E -i -r -q -s "[[:blank:]]*enable_files_domain[[:blank:]]*=[[:blank:]]*true" /etc/sssd ; then
|
||||
# "files provider" configured explicitly, leave nsswitch.conf intact
|
||||
:
|
||||
else
|
||||
NSSFILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"
|
||||
if [ "$NSSFILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then
|
||||
mod_nss "/etc/authselect/user-nsswitch.conf"
|
||||
authselect apply-changes &> /dev/null || :
|
||||
else
|
||||
mod_nss "$NSSFILE"
|
||||
# also apply the same changes to user-nsswitch.conf to affect
|
||||
# possible future authselect configuration
|
||||
mod_nss "/etc/authselect/user-nsswitch.conf"
|
||||
fi
|
||||
fi
|
||||
|
||||
%preun common
|
||||
%systemd_preun sssd.service
|
||||
%systemd_preun sssd-autofs.socket
|
||||
@ -1200,16 +1217,96 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Thu Dec 15 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.3
|
||||
- Resolves: rhbz#2152883 - authenticating against external IdP services okta (native app) with OAuth client secret failed [rhel-8.7.0.z]
|
||||
* Fri May 17 2024 Arun Bansal <arbansal@redhat.com> - 2.9.4-4
|
||||
- Resolves: RHEL-33957 - ad: refresh root domain when read directly
|
||||
|
||||
* Fri Dec 9 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.2
|
||||
- Resolves: rhbz#2139871 - Analyzer: Optimize and remove duplicate messages in verbose list [rhel-8.7.0.z]
|
||||
- Resolves: rhbz#2142961 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged [rhel-8.7.0.z]
|
||||
- Resolves: rhbz#2148989 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around [rhel-8.7.0.z]
|
||||
* Thu Apr 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-3
|
||||
- Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently
|
||||
|
||||
* Thu Oct 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.1
|
||||
- Resolves: rhbz#2128544 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) [rhel-8.7.0.z]
|
||||
* Mon Feb 12 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-2
|
||||
- Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8]
|
||||
- Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8]
|
||||
- Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8]
|
||||
|
||||
* Sat Jan 13 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache
|
||||
- Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP'
|
||||
- Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider')
|
||||
- Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest
|
||||
- Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf
|
||||
- Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8]
|
||||
- Resolves: RHEL-10721 - very bad performance when requesting service tickets
|
||||
- Resolves: RHEL-19011 - Invalid handling groups from child domain
|
||||
- Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8]
|
||||
|
||||
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-2
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
|
||||
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication
|
||||
- Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user
|
||||
|
||||
* Mon Sep 11 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.2-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code
|
||||
- Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7)
|
||||
|
||||
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
|
||||
- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
|
||||
|
||||
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
|
||||
- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
|
||||
- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
|
||||
- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
|
||||
- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
|
||||
- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
|
||||
- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
|
||||
- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
|
||||
- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
|
||||
|
||||
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
|
||||
- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
|
||||
Rebuild against rebased Samba libs
|
||||
|
||||
* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
|
||||
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
|
||||
- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
|
||||
- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
|
||||
- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
|
||||
- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
|
||||
- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
|
||||
|
||||
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
|
||||
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
|
||||
|
||||
* Mon Dec 19 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
|
||||
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
|
||||
- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
|
||||
- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization
|
||||
- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list
|
||||
- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
|
||||
- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
|
||||
- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required)
|
||||
|
||||
* Tue Nov 22 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
|
||||
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
|
||||
- Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr
|
||||
- Resolves: rhbz#2144579 - sssd timezone issues sudonotafter
|
||||
- Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
|
||||
- Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
|
||||
- Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed
|
||||
|
||||
* Mon Oct 31 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-5
|
||||
- Related: rhbz#2132051 - Rebase Samba to the the latest 4.17.x release
|
||||
Rebuild against Samba rebase.
|
||||
|
||||
* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
|
||||
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
|
||||
|
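Review bot: In the added mod_nss scriptlet (the `@ -1117,6 +1102,38 @@` hunk of SPECS/sssd.spec) the guard `grep -E -r -q -s "[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/` is not anchored to the start of the line, so a commented-out `#id_provider = files` anywhere under /etc/sssd/ also matches and the nsswitch.conf reorder is silently skipped; anchoring it as `"^[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files"` makes it agree with the `^[[:blank:]]*` anchor already used in `match_pattern`. The sed that rewrites `sss files` to `files sss` ends in `&>/dev/null || :`, so a failed edit of the name-service lookup order leaves no trace beyond the `.save_by_rpm` backup; a one-line warning on that path, `|| echo "sssd: could not update $1, original kept as $1.save_by_rpm" >&2`, lets the administrator notice during the upgrade. `match_pattern` also matches but does not capture the leading `^[[:blank:]]*`, so any indentation on the `passwd:`/`group:` line is dropped by `s/$match_pattern/\1:\2files sss\3/`. These lines appear to be on the new side (inferred from the hunk counts); the rest of the section is the rebase and changelog and needs no comment.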