Backport most important bug fixes

Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in
                          setnetgrent_result_timeout
Resolves: upstream#3562 - Use-after-free if more sudo requests run and one
                          of them fails, causing a fail-over to a next server
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
                          or machine swaps
Resolves: failure in glibc tests
          https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
                          auth_provider ldap, login fails if the LDAP server
                          is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
                          corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message
                          if krb5_init_context() failed
Resolves: rhbz#1479283 - proxy to files does not work with
                         implicit_files_domain
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
                         in /etc/systemd/system
(cherry picked from commit 6f4bba5546)
Lukas Slebodnik 2017-12-04 21:33:29 +01:00
parent 9499284780
commit 4c9df62bbd
51 changed files with 6308 additions and 20 deletions


@ -0,0 +1,38 @@
From fd7226ff51eb9af70d0fcb63727cd1a48ab0534b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 23 Oct 2017 07:35:52 +0200
Subject: [PATCH 01/79] KCM: Fix typo in comments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_json.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
index 8199bc613e4204859438e1cd820f3f4b2123dd7e..f1cca9880d128d05ad1edfc5c3b2f709d1a67d48 100644
--- a/src/responder/kcm/kcmsrv_ccache_json.c
+++ b/src/responder/kcm/kcmsrv_ccache_json.c
@@ -265,7 +265,7 @@ static json_t *princ_data_to_json(TALLOC_CTX *mem_ctx,
* {
* "type": "number",
* "realm": "string",
- * "componenents": [ "elem1", "elem2", ...]
+ * "components": [ "elem1", "elem2", ...]
* }
*/
static json_t *princ_to_json(TALLOC_CTX *mem_ctx,
@@ -400,7 +400,7 @@ static json_t *creds_to_json_array(struct kcm_cred *creds)
* principal : {
* "type": "number",
* "realm": "string",
- * "componenents": [ "elem1", "elem2", ...]
+ * "components": [ "elem1", "elem2", ...]
* }
* creds : [
* {
--
2.15.1


@ -0,0 +1,556 @@
From aeb34cfcb9ded4cd7d272220a3d3802be89b7dd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Genz?= <liebundartig@freenet.de>
Date: Sun, 22 Oct 2017 22:24:27 +0200
Subject: [PATCH 02/79] Fix minor spelling mistakes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Merges: https://pagure.io/SSSD/sssd/pull-request/3556
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
contrib/sssd.spec.in | 6 +++---
src/db/sysdb_private.h | 2 +-
src/db/sysdb_views.c | 4 ++--
src/examples/sssd-example.conf | 2 +-
src/lib/idmap/sss_idmap.doxy.in | 2 +-
src/man/sssd-secrets.5.xml | 2 +-
src/providers/ad/ad_gpo.c | 4 ++--
src/providers/be_dyndns.c | 2 +-
src/providers/data_provider/dp_request.c | 2 +-
src/providers/krb5/krb5_child.c | 2 +-
src/providers/ldap/sdap_async_sudo.c | 2 +-
src/responder/kcm/kcmsrv_ccache_json.c | 2 +-
src/responder/kcm/kcmsrv_op_queue.c | 4 ++--
src/sbus/sssd_dbus_connection.c | 4 ++--
src/shared/safealign.h | 4 ++--
src/sss_client/autofs/sss_autofs.c | 4 ++--
src/sss_client/idmap/sss_nss_idmap.doxy.in | 2 +-
src/sss_client/libwbclient/wbc_pwd_sssd.c | 2 +-
src/sss_client/sudo/sss_sudo.h | 10 +++++-----
src/tests/cmocka/common_mock_resp_dp.c | 2 +-
src/tests/cmocka/test_sbus_opath.c | 2 +-
src/tools/common/sss_process.c | 2 +-
src/tools/common/sss_process.h | 2 +-
src/tools/sssctl/sssctl.c | 4 ++--
src/tools/sssctl/sssctl_data.c | 2 +-
src/util/crypto/libcrypto/crypto_sha512crypt.c | 2 +-
src/util/crypto/nss/nss_sha512crypt.c | 2 +-
src/util/server.c | 6 +++---
src/util/sss_ini.h | 2 +-
src/util/tev_curl.c | 2 +-
src/util/util_lock.c | 2 +-
31 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index e76b51833d5dfa3207d28add4af1016c00f25e1f..d6ab73e60863316cbf239d34242959fdfe8d4b1b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -241,7 +241,7 @@ the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.
-The sssd subpackage is a meta-package that contains the deamon as well as all
+The sssd subpackage is a meta-package that contains the daemon as well as all
the existing back ends.
%package common
@@ -496,7 +496,7 @@ Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
%description -n libsss_idmap
-Utility library to convert SIDs to Unix uids and gids
+Utility library to convert SIDs to UNIX UIDs and GIDs
%package -n libsss_idmap-devel
Summary: FreeIPA Idmap library
@@ -505,7 +505,7 @@ License: LGPLv3+
Requires: libsss_idmap = %{version}-%{release}
%description -n libsss_idmap-devel
-Utility library to SIDs to Unix uids and gids
+Utility library to SIDs to UNIX UIDs and GIDs
%package -n libipa_hbac
Summary: FreeIPA HBAC Evaluator library
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
index dbd75615bc212e73c4338a76dceaa68a5889ed1d..7c3347fec99f60160804a6eed178baedafb81d33 100644
--- a/src/db/sysdb_private.h
+++ b/src/db/sysdb_private.h
@@ -185,7 +185,7 @@ int sysdb_delete_ulong(struct ldb_message *msg,
/* The utility function to create a subdomain sss_domain_info object is handy
* for unit tests, so it should be available in a header, but not a public util
- * one, because the only interface for the deamon itself should be adding
+ * one, because the only interface for the daemon itself should be adding
* the sysdb domain object and calling sysdb_update_subdomains()
*/
struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index afc7852ecf402ef144beca9c1b94fbe3cc4bbb6a..f640c813acf4deafe98eb15708d3a94790502dcb 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -722,7 +722,7 @@ static errno_t safe_original_attributes(struct sss_domain_info *domain,
goto done;
}
- /* Safe orginal values in attributes prefixed by OriginalAD. */
+ /* Safe original values in attributes prefixed by OriginalAD. */
for (c = 0; allowed_attrs[c] != NULL; c++) {
el = ldb_msg_find_element(orig_obj->msgs[0], allowed_attrs[c]);
if (el != NULL) {
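Review bot: the corrected comment "Safe original values in attributes prefixed by OriginalAD." still carries a typo on its first word; the loop below stores the original attribute values, so "Save" is meant. Since this patch is a spelling pass, fix it in the same hunk: `/* Save original values in attributes prefixed by OriginalAD. */`.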
@@ -753,7 +753,7 @@ static errno_t safe_original_attributes(struct sss_domain_info *domain,
el = ldb_msg_find_element(orig_obj->msgs[0], SYSDB_NAME_ALIAS);
if (el != NULL) {
for (c = 0; c < el->num_values; c++) {
- /* To avoid issue with ldb_modify if e.g. the orginal and the
+ /* To avoid issue with ldb_modify if e.g. the original and the
* override name are the same, we use the *_safe version here. */
ret = sysdb_attrs_add_val_safe(attrs, SYSDB_NAME_ALIAS,
&el->values[c]);
diff --git a/src/examples/sssd-example.conf b/src/examples/sssd-example.conf
index 59df41673586d5c7d2602cc5290c40ec5bd64986..34b2b22c5f619f49bb9aa1edf04849df5e40c787 100644
--- a/src/examples/sssd-example.conf
+++ b/src/examples/sssd-example.conf
@@ -32,7 +32,7 @@ services = nss, pam
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
-# you must install Microsoft Services For Unix and map LDAP attributes onto
+# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
diff --git a/src/lib/idmap/sss_idmap.doxy.in b/src/lib/idmap/sss_idmap.doxy.in
index 991028f65c251e2bc0086487817271b527fa439b..833498b189a038a06414ff623179ef69d24affb7 100644
--- a/src/lib/idmap/sss_idmap.doxy.in
+++ b/src/lib/idmap/sss_idmap.doxy.in
@@ -719,7 +719,7 @@ RECURSIVE = NO
EXCLUDE =
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
-# directories that are symbolic links (a Unix file system feature) are excluded
+# directories that are symbolic links (a UNIX file system feature) are excluded
# from the input.
EXCLUDE_SYMLINKS = NO
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 08ab371c64eb49e4f153bb2183c07681b1050bb0..a738fbfffa1bdb7038e70a4a49651eb6a9286b1c 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -46,7 +46,7 @@
project was born to deal with this problem in cloud like
environments, but we found the idea compelling even at a
single system level. As a security service, SSSD is ideal to
- host this capability while offering the same API via a Unix
+ host this capability while offering the same API via a UNIX
Socket. This will make it possible to use local calls and have
them transparently routed to a local or a remote key management
store like IPA Vault for storage, escrow and recovery.
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index a5237f6fad7fc79fbcbafc8aac28cff15677009f..d9ea311417fc5d57850aa9a6c3736964844675bd 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -680,7 +680,7 @@ ad_gpo_ace_includes_client_sid(const char *user_sid,
* named "ApplyGroupPolicy" (AGP) is allowed, by comparing the specified
* user_sid and group_sids against the specified access control entry (ACE).
* This function returns ALLOWED, DENIED, or NEUTRAL depending on whether
- * the ACE explictly allows, explicitly denies, or does neither.
+ * the ACE explicitly allows, explicitly denies, or does neither.
*
* Note that the 'M' abbreviation used in the evaluation algorithm stands for
* "access_mask", which represents the set of access rights associated with an
@@ -3860,7 +3860,7 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
ret = sysdb_attrs_get_int32_t(result, AD_AT_FUNC_VERSION,
&gp_gpo->gpo_func_version);
if (ret == ENOENT) {
- /* If this attrbute is missing we can skip the GPO. It will
+ /* If this attribute is missing we can skip the GPO. It will
* be filtered out according to MS-GPOL:
* https://msdn.microsoft.com/en-us/library/cc232538.aspx */
DEBUG(SSSDBG_TRACE_ALL, "GPO with GUID %s is missing attribute "
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
index ee264156824d7c5ab27c919ae0c56bbd6c0bc54f..b968e67b3e3e6a4f2937dce502c2c9b4ad136a4b 100644
--- a/src/providers/be_dyndns.c
+++ b/src/providers/be_dyndns.c
@@ -706,7 +706,7 @@ nsupdate_get_addrs_done(struct tevent_req *subreq)
return;
}
- /* The second address matched either immediatelly or after a retry.
+ /* The second address matched either immediately or after a retry.
* No need to retry again. */
ret = EOK;
diff --git a/src/providers/data_provider/dp_request.c b/src/providers/data_provider/dp_request.c
index a6bc020e0649760c46637d6f90569248792f7f04..295758a765bfdedd539d44f86a37efae0846763f 100644
--- a/src/providers/data_provider/dp_request.c
+++ b/src/providers/data_provider/dp_request.c
@@ -412,7 +412,7 @@ static void dp_terminate_request(struct dp_req *dp_req)
{
if (dp_req->handler_req == NULL) {
/* This may occur when the handler already finished but the caller
- * of dp request did not yet recieved data/free dp_req. We just
+ * of dp request did not yet received data/free dp_req. We just
* return here. */
return;
}
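Review bot: the replacement line "* of dp request did not yet received data/free dp_req. We just" is still ungrammatical ("did not yet received"); the spelling fix should also drop the past-tense ending. Suggest `* of dp request did not yet receive data or free dp_req. We just`.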
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 888cc5d6f5c554901cc46d4315844d7bbbe582b8..b8ee497728b4b70fae89e528172e9d5bd42239c0 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1612,7 +1612,7 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
goto done;
}
- /* Successfull authentication! Check if ccache contains the
+ /* Successful authentication! Check if ccache contains the
* right principal...
*/
kerr = sss_krb5_check_ccache_princ(kr->ctx, kr->ccname, kr->creds->client);
diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index 3c69837fda313b2645c3a8497252670312f600ea..f33d5b5fa86dc1806695482d627bd71a2b040d6e 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -616,7 +616,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
}
in_transaction = false;
- DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfuly stored in cache\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfully stored in cache\n");
/* remember new usn */
ret = sysdb_get_highest_usn(state, rules, rules_count, &usn);
diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
index f1cca9880d128d05ad1edfc5c3b2f709d1a67d48..33cb51621f26a11051e2fac4c5d7c959b30d9f00 100644
--- a/src/responder/kcm/kcmsrv_ccache_json.c
+++ b/src/responder/kcm/kcmsrv_ccache_json.c
@@ -210,7 +210,7 @@ bool sec_key_match_uuid(const char *sec_key,
/*
* Creates an array of principal elements that will be used later
* in the form of:
- * "componenets": [ "elem1", "elem2", ...]
+ * "components": [ "elem1", "elem2", ...]
*/
static json_t *princ_data_to_json(TALLOC_CTX *mem_ctx,
krb5_principal princ)
diff --git a/src/responder/kcm/kcmsrv_op_queue.c b/src/responder/kcm/kcmsrv_op_queue.c
index 55c8b65d94f70979fe56fcc4d8747547a9cc9d33..ee1aa47ab629022bb726c4d5deb1eb1456124df1 100644
--- a/src/responder/kcm/kcmsrv_op_queue.c
+++ b/src/responder/kcm/kcmsrv_op_queue.c
@@ -179,7 +179,7 @@ static struct kcm_ops_queue *kcm_op_queue_get(struct kcm_ops_queue_ctx *qctx,
case HASH_ERROR_KEY_NOT_FOUND:
/* No request for this UID yet. Enqueue this request in case
* another one comes in and return EOK to run the current request
- * immediatelly
+ * immediately
*/
DEBUG(SSSDBG_TRACE_LIBS, "No existing queue for this ID\n");
@@ -220,7 +220,7 @@ static errno_t kcm_op_queue_add_req(struct kcm_ops_queue *kq,
* Enqueue a request.
*
* If the request queue /for the given ID/ is empty, that is, if this
- * request is the first one in the queue, run the request immediatelly.
+ * request is the first one in the queue, run the request immediately.
*
* Otherwise just add it to the queue and wait until the previous request
* finishes and only at that point mark the current request as done, which
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
index de134f2f21bfb9697fcc8a42622817bc50b54f2a..bdd4a247a670f1928573a1bd18dc8e585b997b7d 100644
--- a/src/sbus/sssd_dbus_connection.c
+++ b/src/sbus/sssd_dbus_connection.c
@@ -179,7 +179,7 @@ int sbus_init_connection(TALLOC_CTX *ctx,
conn->incoming_signals = sbus_incoming_signal_hash_init(conn);
if (conn->incoming_signals == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming singals "
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming signals "
"hash table\n");
talloc_free(conn);
return EIO;
@@ -327,7 +327,7 @@ static int connection_destructor(void *ctx)
/*
* sbus_get_connection
- * Utility function to retreive the DBusConnection object
+ * Utility function to retrieve the DBusConnection object
* from a sbus_connection
*/
DBusConnection *sbus_get_connection(struct sbus_connection *conn)
diff --git a/src/shared/safealign.h b/src/shared/safealign.h
index 2316ed14245c4469171f9eb4a42e70fc6b3fd8a8..b00c37f5b98bd4bf7ff6cea8e1208d80c77f0228 100644
--- a/src/shared/safealign.h
+++ b/src/shared/safealign.h
@@ -98,8 +98,8 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
SAFEALIGN_SETMEM_VALUE(dest, value, uint16_t, pctr)
/* These macros are the same as their equivalents without _CHECK suffix,
- * but additionally make the caller return EINVAL immediatelly if *pctr
- * would excceed len. */
+ * but additionally make the caller return EINVAL immediately if *pctr
+ * would exceed len. */
#define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \
if ((*(pctr) + sizeof(uint32_t)) > (len) || \
SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) { return EINVAL; } \
diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
index 02f91ab2b3d29a189e949f6a8d645ea4ccd7f6e3..482ff2c400b10829ccb6d6a921c8c2e15c7fcdd2 100644
--- a/src/sss_client/autofs/sss_autofs.c
+++ b/src/sss_client/autofs/sss_autofs.c
@@ -30,7 +30,7 @@
#define MAX_AUTOMNTMAPNAME_LEN NAME_MAX
#define MAX_AUTOMNTKEYNAME_LEN PATH_MAX
-/* How many entries shall _sss_getautomntent_r retreive at once */
+/* How many entries shall _sss_getautomntent_r retrieve at once */
#define GETAUTOMNTENT_MAX_ENTRIES 512
struct automtent {
@@ -287,7 +287,7 @@ _sss_getautomntent_r(char **key, char **value, void *context)
data_len = sizeof(uint32_t) + /* mapname len */
name_len + 1 + /* mapname\0 */
sizeof(uint32_t) + /* index into the map */
- sizeof(uint32_t); /* num entries to retreive */
+ sizeof(uint32_t); /* num entries to retrieve */
data = malloc(data_len);
if (!data) {
diff --git a/src/sss_client/idmap/sss_nss_idmap.doxy.in b/src/sss_client/idmap/sss_nss_idmap.doxy.in
index d75237622507d2a43ef382815544b8339054f474..f6c18ba1f0d368e989ce0d18a500b6523622b9c1 100644
--- a/src/sss_client/idmap/sss_nss_idmap.doxy.in
+++ b/src/sss_client/idmap/sss_nss_idmap.doxy.in
@@ -616,7 +616,7 @@ RECURSIVE = NO
EXCLUDE =
# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
-# directories that are symbolic links (a Unix filesystem feature) are excluded
+# directories that are symbolic links (a UNIX filesystem feature) are excluded
# from the input.
EXCLUDE_SYMLINKS = NO
diff --git a/src/sss_client/libwbclient/wbc_pwd_sssd.c b/src/sss_client/libwbclient/wbc_pwd_sssd.c
index 08c3b86372c86f228aeeb584068f82bd97cfe0fe..cacad9d3230c341ae478a4e4e41864ecdc4209b3 100644
--- a/src/sss_client/libwbclient/wbc_pwd_sssd.c
+++ b/src/sss_client/libwbclient/wbc_pwd_sssd.c
@@ -606,7 +606,7 @@ wbcErr wbcGetgrlist(struct group **grp)
WBC_SSSD_NOT_IMPLEMENTED;
}
-/* Return the unix group array belonging to the given user */
+/* Return the Unix group array belonging to the given user */
wbcErr wbcGetGroups(const char *account,
uint32_t *num_groups,
gid_t **_groups)
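Review bot: this hunk changes "unix" to "Unix", while the rest of the same patch (contrib/sssd.spec.in, src/examples/sssd-example.conf, both doxy.in files, sssd-secrets.5.xml, both sha512crypt.c files and tev_curl.c) normalizes "Unix" to "UNIX". Pick one spelling for the whole patch; `/* Return the UNIX group array belonging to the given user */` would match the other hunks.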
diff --git a/src/sss_client/sudo/sss_sudo.h b/src/sss_client/sudo/sss_sudo.h
index 1a275cfafbb0476b163599854cbbc1f91101f360..1dcd569a59cde2eec88476aef2bc3ab35a089c86 100644
--- a/src/sss_client/sudo/sss_sudo.h
+++ b/src/sss_client/sudo/sss_sudo.h
@@ -87,11 +87,11 @@ struct sss_sudo_result {
};
/**
- * @brief Send a request to SSSD to retreive all SUDO rules for a given
+ * @brief Send a request to SSSD to retrieve all SUDO rules for a given
* user.
*
- * @param[in] uid The uid of the user to retreive the rules for.
- * @param[in] username The username to retreive the rules for
+ * @param[in] uid The uid of the user to retrieve the rules for.
+ * @param[in] username The username to retrieve the rules for
* @param[in] domainname The domain name the user is a member of.
* @param[out] _error The result of the search in SSSD's domains. If the
* user was present in the domain, the _error code is
@@ -122,9 +122,9 @@ int sss_sudo_send_recv(uid_t uid,
* @brief Send a request to SSSD to retrieve the default options, commonly
* stored in the "cn=defaults" record,
*
- * @param[in] uid The uid of the user to retreive the rules for.
+ * @param[in] uid The uid of the user to retrieve the rules for.
*
- * @param[in] username The username to retreive the rules for.
+ * @param[in] username The username to retrieve the rules for.
*
* @param[out] _error The result of the search in SSSD's domains. If the
* options were present in the domain, the _error code
diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
index 4b38a38e6f53499132f9fe14a0ec0af157cf85ca..ece887b12d472c3fb01477d213f4308a535f8fe7 100644
--- a/src/tests/cmocka/common_mock_resp_dp.c
+++ b/src/tests/cmocka/common_mock_resp_dp.c
@@ -24,7 +24,7 @@
#include "responder/common/responder.h"
#include "tests/cmocka/common_mock_resp.h"
-/* Mock DP requests that finish immediatelly and return
+/* Mock DP requests that finish immediately and return
* mocked values as per previous set by mock_account_recv
*/
struct tevent_req *
diff --git a/src/tests/cmocka/test_sbus_opath.c b/src/tests/cmocka/test_sbus_opath.c
index e38eaf1972b55f01d712584b67c731ac0031736d..b469fa8da90b6f54e15a590014be650e32221136 100644
--- a/src/tests/cmocka/test_sbus_opath.c
+++ b/src/tests/cmocka/test_sbus_opath.c
@@ -72,7 +72,7 @@ void test_sbus_opath_escape_unescape(void **state)
escaped = sbus_opath_escape_part(mem_ctx, "path_with_underscore");
assert_non_null(escaped);
- /* underscore is 0x5F in ascii */
+ /* underscore is 0x5F in ASCII */
assert_string_equal(escaped, "path_5fwith_5funderscore");
raw = sbus_opath_unescape_part(mem_ctx, escaped);
talloc_free(escaped);
diff --git a/src/tools/common/sss_process.c b/src/tools/common/sss_process.c
index 574ccab24d0ff20784f6223e743bf9561ea2281e..fc710a553dbf6a27e23693be79bb333dcbcd3a3e 100644
--- a/src/tools/common/sss_process.c
+++ b/src/tools/common/sss_process.c
@@ -97,7 +97,7 @@ done:
return ret;
}
-bool sss_deamon_running(void)
+bool sss_daemon_running(void)
{
return sss_signal(0) == EOK;
}
diff --git a/src/tools/common/sss_process.h b/src/tools/common/sss_process.h
index 43408afc7fab3caed3febd1a159dbfc6acbbb3f9..6bbb0947570a5fc9e77b479c7386db1cead05aaf 100644
--- a/src/tools/common/sss_process.h
+++ b/src/tools/common/sss_process.h
@@ -23,7 +23,7 @@
#include "util/util.h"
-bool sss_deamon_running(void);
+bool sss_daemon_running(void);
errno_t sss_signal(int signum);
#endif /* _SSS_PROCESS_H_ */
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index 1e061c00d2238bf34adff4183e560dc127dd62c7..d9bc897c1a32954bbdd2d4ae2b0a9fb6d2c34752 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -148,7 +148,7 @@ bool sssctl_start_sssd(bool force)
enum sssctl_prompt_result prompt;
errno_t ret;
- if (sss_deamon_running()) {
+ if (sss_daemon_running()) {
return true;
}
@@ -187,7 +187,7 @@ bool sssctl_stop_sssd(bool force)
enum sssctl_prompt_result prompt;
errno_t ret;
- if (!sss_deamon_running()) {
+ if (!sss_daemon_running()) {
return true;
}
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
index 4b7f1dfff666743f9c47bc34515bbe63ee85eff1..b16fede1e2f3f743f65f8f86b0a5bdcfdca71f0b 100644
--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
@@ -270,7 +270,7 @@ errno_t sssctl_cache_upgrade(struct sss_cmdline *cmdline,
return ret;
}
- if (sss_deamon_running()) {
+ if (sss_daemon_running()) {
return ERR_SSSD_RUNNING;
}
diff --git a/src/util/crypto/libcrypto/crypto_sha512crypt.c b/src/util/crypto/libcrypto/crypto_sha512crypt.c
index 1023566624f0e7b8fc08e30d4ea7ad031fbffff9..b074eee555fafac6e486bfdf9efb9ddf4964a990 100644
--- a/src/util/crypto/libcrypto/crypto_sha512crypt.c
+++ b/src/util/crypto/libcrypto/crypto_sha512crypt.c
@@ -7,7 +7,7 @@
* Sumit Bose <sbose@redhat.com>
* George McCollister <georgem@novatech-llc.com>
*/
-/* SHA512-based Unix crypt implementation.
+/* SHA512-based UNIX crypt implementation.
Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
#include "config.h"
diff --git a/src/util/crypto/nss/nss_sha512crypt.c b/src/util/crypto/nss/nss_sha512crypt.c
index 9fedd5ec6c62855d9cc0c9c2869d8c9be7fb5ade..2f1624e6396c40f539a4e2034ab545cad8f05434 100644
--- a/src/util/crypto/nss/nss_sha512crypt.c
+++ b/src/util/crypto/nss/nss_sha512crypt.c
@@ -5,7 +5,7 @@
*
* Sumit Bose <sbose@redhat.com>
*/
-/* SHA512-based Unix crypt implementation.
+/* SHA512-based UNIX crypt implementation.
Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
#include "config.h"
diff --git a/src/util/server.c b/src/util/server.c
index 0046c9737bc0d9aea7be59b4fed5e0f8930ff66e..4e65cc66c01ba020b13a88df8e017765ac97f76e 100644
--- a/src/util/server.c
+++ b/src/util/server.c
@@ -69,7 +69,7 @@ static void close_low_fds(void)
#endif
}
-static void deamon_parent_sigterm(int sig)
+static void daemon_parent_sigterm(int sig)
{
_exit(0);
}
@@ -88,10 +88,10 @@ void become_daemon(bool Fork)
pid = fork();
if (pid != 0) {
/* Terminate parent process on demand so we can hold systemd
- * or initd from starting next service until sssd in initialized.
+ * or initd from starting next service until sssd is initialized.
* We use signals directly here because we don't have a tevent
* context yet. */
- CatchSignal(SIGTERM, deamon_parent_sigterm);
+ CatchSignal(SIGTERM, daemon_parent_sigterm);
/* or exit when sssd monitor is terminated */
do {
diff --git a/src/util/sss_ini.h b/src/util/sss_ini.h
index 77fbddc3ab073d930eecd68dacb00dae52847744..0b173831d4fd7c283fa939a2f3bfda2a3bb97515 100644
--- a/src/util/sss_ini.h
+++ b/src/util/sss_ini.h
@@ -94,7 +94,7 @@ int sss_ini_call_validators_strs(TALLOC_CTX *mem_ctx,
struct ref_array *
sss_ini_get_ra_error_list(struct sss_ini_initdata *init_data);
-/* Get pointer to list of successfuly merged snippet files */
+/* Get pointer to list of successfully merged snippet files */
struct ref_array *
sss_ini_get_ra_success_list(struct sss_ini_initdata *init_data);
diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
index 52c86adde65c173a874534a7001d7859789581cd..4c2f1ec9ff0127ccfd72010460ed75dad43e9ce3 100644
--- a/src/util/tev_curl.c
+++ b/src/util/tev_curl.c
@@ -67,7 +67,7 @@ struct tcurl_ctx {
struct tcurl_sock {
struct tcurl_ctx *tctx; /* Backchannel to the main context */
- curl_socket_t sockfd; /* curl socket is an int typedef on Unix */
+ curl_socket_t sockfd; /* curl socket is an int typedef on UNIX */
struct tevent_fd *fde; /* tevent tracker of the fd events */
};
diff --git a/src/util/util_lock.c b/src/util/util_lock.c
index b8e41cc29fbdcf3b5b75bf1507a4d33f5ba07be0..58d3b1bdf60f411fb7116055a5de775355d1839e 100644
--- a/src/util/util_lock.c
+++ b/src/util/util_lock.c
@@ -74,7 +74,7 @@ errno_t sss_br_lock_file(int fd, size_t start, size_t len,
return ret;
}
} else if (ret == 0) {
- /* File successfuly locked */
+ /* File successfully locked */
break;
}
}
--
2.15.1


@ -0,0 +1,158 @@
From 04fc0d758ae1e5c4ab71ab3bf8b8f50b99a6c63a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 3 Oct 2017 12:34:33 +0200
Subject: [PATCH 03/79] CONFIG: Add a new option auto_private_groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The auto_private_groups option is used to configure the domain->mpg flag
which was already set automatically for subdomains, but for some time was
not settable by the admin via the configuration file.
The new option name, instead of the old magic_private_groups, was chosen
purely because this name would hopefully be better understood by admins.
The option doesn't do anything yet, it is just added to all the places a
new option should be added to.
Related:
https://pagure.io/SSSD/sssd/issue/1872
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb.c | 8 ++++++++
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfigTest.py | 6 ++++--
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 20 ++++++++++++++++++++
7 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index fefecc03d554f6eca12efe07990bfae17033bd02..a028224817f12ace2a0c4165d7b9cb0bb80ce5a1 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -936,6 +936,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ ret = get_entry_as_bool(res->msgs[0], &domain->mpg,
+ CONFDB_DOMAIN_AUTO_UPG, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n", CONFDB_DOMAIN_AUTO_UPG);
+ goto done;
+ }
+
if (strcasecmp(domain->provider, "local") == 0) {
/* If this is the local provider, we need to ensure that
* no other provider was specified for other types, since
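Review bot: the commit message states that "The option doesn't do anything yet", but this hunk writes the parsed value straight into domain->mpg, which the message itself describes as an existing flag that was already set automatically for subdomains. Either the message should say that the option already takes effect wherever domain->mpg is consulted, or the parsed value should be kept in a separate field until the follow-up patches wire it up, so that the two statements agree.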
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index bcea99ae49a3fa5f0393ce6b2c215b5b2d4bc3fc..2539b906993edbceb38aac9265e04deed69cf2e4 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -198,6 +198,7 @@
#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
#define CONFDB_DOMAIN_MPG "magic_private_groups"
+#define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups"
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
#define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout"
#define CONFDB_DOMAIN_ACCOUNT_CACHE_EXPIRATION "account_cache_expiration"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index d99b718e09283d113f73639e0f94e7f1cec55f68..d2bb709d69c8790558b5c06a7e405463b508c189 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -195,6 +195,7 @@ option_strings = {
'cached_auth_timeout' : _('How long can cached credentials be used for cached authentication'),
'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
're_expression' : _('Regex to parse username and domain'),
+ 'auto_private_groups' : _('Whether to automatically create private groups for users'),
# [provider/ipa]
'ipa_domain' : _('IPA domain'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 4a583bdd3124dc05a116d2e6bd48afb92aa0b54d..87d1f6e6410dfeafc77d578cf0b950dc71a1f0a2 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -624,7 +624,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'subdomain_homedir',
'full_name_format',
're_expression',
- 'cached_auth_timeout']
+ 'cached_auth_timeout',
+ 'auto_private_groups']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -994,7 +995,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'subdomain_homedir',
'full_name_format',
're_expression',
- 'cached_auth_timeout']
+ 'cached_auth_timeout',
+ 'auto_private_groups']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index e49e8d43f4aead14d833866110784fd62382cc2b..4e70bf7b6f0fa7421a0c35bd4279830265bf3470 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -382,6 +382,7 @@ option = cached_auth_timeout
option = wildcard_limit
option = full_name_format
option = re_expression
+option = auto_private_groups
#Entry cache timeouts
option = entry_cache_user_timeout
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 7f2b8977b7e67fcfc20df49056cda8ebe6da0be8..2be2e3e685ba3abd9a4a419f93332a89ff774262 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -185,6 +185,7 @@ subdomain_homedir = str, None, false
cached_auth_timeout = int, None, false
full_name_format = str, None, false
re_expression = str, None, false
+auto_private_groups = str, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
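Review bot: the type declared here, `auto_private_groups = str, None, false`, does not match how the value is consumed: src/confdb/confdb.c reads it with get_entry_as_bool(), and the SSSDConfig description reads "Whether to automatically create private groups for users". If a boolean is intended, declare it as `auto_private_groups = bool, None, false` so the config validation rejects non-boolean values; if a string is intended because more values are planned, the man page entry should list the accepted strings instead of "Default: False".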
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7752e450835b5beba50ddc4c635ff985d38ca421..1e8d9537517c85c3021b9c2c4185ea272c5bfffa 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2816,6 +2816,26 @@ subdomain_inherit = ldap_purge_cache_timeout
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>auto_private_groups (string)</term>
+ <listitem>
+ <para>
+ If this option is enabled, SSSD will automatically
+ create user private groups based on user's
+ UID number. The GID number is ignored in this case.
+ </para>
+ <para>
+ NOTE: Because the GID number and the user private group
+ are inferred frm the UID number, it is not supported
+ to have multiple entries with the same UID or GID number
+ with this option. In other words, enabling this option
+ enforces uniqueness across the ID space.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
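Review bot: typo in the NOTE paragraph, "inferred frm the UID number" should read "inferred from the UID number". The term line declares `auto_private_groups (string)` but the text describes a boolean ("If this option is enabled", `Default: False`); pick one and keep it consistent with sssd.api.conf. It would also help administrators to state that the user's original gidNumber is not dropped but is reported as a supplementary group (that is what the SYSDB_PRIMARY_GROUP_GIDNUM handling in the SDAP patch of this series does), since that affects which group-based access the user ends up with.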
--
2.15.1


@ -0,0 +1,32 @@
From bd4e962128c7ea95fa0bdc5aa8f360ab11cda178 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 3 Oct 2017 12:36:02 +0200
Subject: [PATCH 04/79] CONFDB: Remove the obsolete option magic_private_groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since this confdb definition was completely unused across the codebase,
this patch just removes the definition.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/confdb/confdb.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2539b906993edbceb38aac9265e04deed69cf2e4..1471949623e9dd7a8536e3ac3048a10227a5d857 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -197,7 +197,6 @@
"cache_credentials_minimal_first_factor_length"
#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
-#define CONFDB_DOMAIN_MPG "magic_private_groups"
#define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups"
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
#define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout"
--
2.15.1


@ -0,0 +1,166 @@
From f7c559955ab380d097f8e98786ba710c7bff812c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 3 Oct 2017 12:34:49 +0200
Subject: [PATCH 05/79] SDAP: Allow the mpg flag for the main domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit allows saving the users in the MPG domain in the SDAP
layer.
The commit contains the following changes:
- abstracts the change where if the primary GID exists in the original
object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute,
which will allow the original primary GID to be exposed as a
secondary group
- if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM
is added. This will allow to handle LDAP objects that only contain
the UID but no GID. Since this is a new use-case, a test is added
later
- a branch that handles the above is added to sdap_save_user() also
for joined domains that set the MPG flag. Previously, only
subdomains were handled.
- to allow passing GID=0 to the sysdb layer, the range check is
relaxed.
Related:
https://pagure.io/SSSD/sssd/issue/1872
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ldap/sdap_async_users.c | 83 +++++++++++++++++++++++++++++++----
1 file changed, 75 insertions(+), 8 deletions(-)
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 09d096e84cac6c9d52bcde0e1587c47dbd88b504..7338b4a15694b1d0a16723990130a23a7280af5f 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -136,6 +136,38 @@ static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs,
return EOK;
}
+static int sdap_user_set_mpg(struct sysdb_attrs *user_attrs,
+ gid_t *_gid)
+{
+ errno_t ret;
+
+ if (_gid == NULL) {
+ return EINVAL;
+ }
+
+ if (*_gid == 0) {
+ /* The original entry had no GID number. This is OK, we just won't add
+ * the SYSDB_PRIMARY_GROUP_GIDNUM attribute
+ */
+ return EOK;
+ }
+
+ ret = sysdb_attrs_add_uint32(user_attrs,
+ SYSDB_PRIMARY_GROUP_GIDNUM,
+ (uint32_t) *_gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
+ return ret;
+ }
+
+ /* We won't really store gidNumber=0, but the zero value tells
+ * the sysdb layer that no GID is set, which sysdb requires for
+ * MPG-enabled domains
+ */
+ *_gid = 0;
+ return EOK;
+}
+
/* FIXME: support storing additional attributes */
int sdap_save_user(TALLOC_CTX *memctx,
struct sdap_options *opts,
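Review bot: `sdap_user_set_mpg()` uses `*_gid == 0` as the "no GID in the original entry" sentinel and then overwrites `*_gid` with 0 after a successful store. A user whose LDAP gidNumber really is 0 (the root group) is therefore indistinguishable from a user with no gidNumber at all and silently loses the SYSDB_PRIMARY_GROUP_GIDNUM attribute. If GID 0 is not meant to be supported here, reject it explicitly (return EINVAL with a debug message) rather than treating it as absent; otherwise pass a separate "gid present" flag instead of overloading the value.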
@@ -357,7 +389,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
goto done;
}
- if (IS_SUBDOMAIN(dom)) {
+ if (IS_SUBDOMAIN(dom) || dom->mpg == true) {
/* For subdomain users, only create the private group as
* the subdomain is an MPG domain.
* But we have to save the GID of the original primary group
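Review bot: the condition now also covers the joined domain (`dom->mpg == true`), but the comment directly below still says "For subdomain users, only create the private group as the subdomain is an MPG domain"; update it to say this applies to any MPG domain, otherwise the next reader will assume the main-domain case is handled elsewhere. Minor: `dom->mpg == true` here versus plain `dom->mpg` in the later hunk of the same patch; pick one style.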
@@ -365,14 +397,13 @@ int sdap_save_user(TALLOC_CTX *memctx,
* typically (Unix and AD) the user is not listed in his primary
* group as a member.
*/
- ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
- (uint32_t) gid);
+ ret = sdap_user_set_mpg(user_attrs, &gid);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_user_set_mpg failed [%d]: %s\n", ret,
+ sss_strerror(ret));
goto done;
}
-
- gid = 0;
}
/* Store the GID in the ldap_attrs so it doesn't get
@@ -380,6 +411,41 @@ int sdap_save_user(TALLOC_CTX *memctx,
*/
ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid);
if (ret != EOK) goto done;
+ } else if (dom->mpg) {
+ /* Likewise, if a domain is set to contain 'magic private groups', do
+ * not process the real GID, but save it in the cache as originalGID
+ * (if available)
+ */
+ ret = sysdb_attrs_get_uint32_t(attrs,
+ opts->user_map[SDAP_AT_USER_GID].sys_name,
+ &gid);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Missing GID, won't save the %s attribute\n",
+ SYSDB_PRIMARY_GROUP_GIDNUM);
+
+ /* Store the UID as GID (since we're in a MPG domain so that it doesn't
+ * get treated as a missing attribute and removed
+ */
+ ret = sdap_replace_id(attrs, SYSDB_GIDNUM, uid);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n");
+ goto done;
+ }
+ gid = 0;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot retrieve GID, won't save the %s attribute\n",
+ SYSDB_PRIMARY_GROUP_GIDNUM);
+ gid = 0;
+ }
+
+ ret = sdap_user_set_mpg(user_attrs, &gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_user_set_mpg failed [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
} else {
ret = sysdb_attrs_get_uint32_t(attrs,
opts->user_map[SDAP_AT_USER_GID].sys_name,
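Review bot: in the new `else if (dom->mpg)` branch the `ret != EOK` (non-ENOENT) path only logs at minor-failure level, sets `gid = 0` and continues, but unlike the ENOENT path it does not replace SYSDB_GIDNUM with the UID, so whatever unparsable gidNumber value sits in `attrs` is carried through to the cache write. Either treat that case the same way as ENOENT or fail the save. Two smaller points: the comment "Store the UID as GID (since we're in a MPG domain so that it doesn't" has an unbalanced parenthesis, and the failure message "Cannot set the id-mapped UID" is misleading because no ID mapping is involved here; "Cannot store the UID as the GID" matches what `sdap_replace_id()` is doing.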
@@ -403,8 +469,9 @@ int sdap_save_user(TALLOC_CTX *memctx,
}
/* check that the gid is valid for this domain */
- if (is_posix == true && IS_SUBDOMAIN(dom) == false &&
- OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
+ if (is_posix == true && IS_SUBDOMAIN(dom) == false
+ && dom->mpg == false
+ && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
DEBUG(SSSDBG_CRIT_FAILURE,
"User [%s] filtered out! (primary gid out of range)\n",
user_name);
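Review bot: adding `dom->mpg == false` to this condition disables the GID range check for the whole MPG domain, not only for the `gid == 0` placeholder the commit message mentions. In the non-id-mapping MPG branch above, the original gidNumber read from LDAP is stored as SYSDB_PRIMARY_GROUP_GIDNUM and, according to the tests in this series, is later reported as one of the user's supplementary groups, so an out-of-range original GID now reaches the cache unchecked. Consider applying OUT_OF_ID_RANGE to the original GID before calling `sdap_user_set_mpg()` and only skipping the check when the GID is absent.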
--
2.15.1


@ -0,0 +1,221 @@
From 80ea108ab4263c1a1ac67ce6eac41dc6040b21dd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 3 Oct 2017 14:31:18 +0200
Subject: [PATCH 06/79] LDAP: Turn group request into user request for MPG
domains if needed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the primary group GID or the group name is requested before the user
is, we need to also search the user space to save the user in the back
end which then allows the responder to generate the group from the
user entry.
Related:
https://pagure.io/SSSD/sssd/issue/1872
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ldap/ldap_id.c | 162 +++++++++++++++++++++++++++++++------------
1 file changed, 118 insertions(+), 44 deletions(-)
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 93204d35ea3782c9aa5d622a962c295869472631..e89fc6133316f684810afe4c1a0731b8a04f2931 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -694,6 +694,8 @@ struct groups_get_state {
static int groups_get_retry(struct tevent_req *req);
static void groups_get_connect_done(struct tevent_req *subreq);
static void groups_get_posix_check_done(struct tevent_req *subreq);
+static void groups_get_mpg_done(struct tevent_req *subreq);
+static errno_t groups_get_handle_no_group(struct tevent_req *req);
static void groups_get_search(struct tevent_req *req);
static void groups_get_done(struct tevent_req *subreq);
@@ -1051,8 +1053,6 @@ static void groups_get_done(struct tevent_req *subreq)
struct tevent_req);
struct groups_get_state *state = tevent_req_data(req,
struct groups_get_state);
- char *endptr;
- gid_t gid;
int dp_error = DP_ERR_FATAL;
int ret;
@@ -1078,49 +1078,33 @@ static void groups_get_done(struct tevent_req *subreq)
return;
}
- if (ret == ENOENT && state->noexist_delete == true) {
- switch (state->filter_type) {
- case BE_FILTER_ENUM:
- tevent_req_error(req, ret);
+ if (ret == ENOENT
+ && state->domain->mpg == true) {
+ /* The requested filter did not find a group. Before giving up, we must
+ * also check if the GID can be resolved through a primary group of a
+ * user
+ */
+ subreq = users_get_send(state,
+ state->ev,
+ state->ctx,
+ state->sdom,
+ state->conn,
+ state->filter_value,
+ state->filter_type,
+ NULL,
+ state->noexist_delete);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
return;
- case BE_FILTER_NAME:
- ret = sysdb_delete_group(state->domain, state->filter_value, 0);
- if (ret != EOK && ret != ENOENT) {
- tevent_req_error(req, ret);
- return;
- }
- break;
-
- case BE_FILTER_IDNUM:
- gid = (gid_t) strtouint32(state->filter_value, &endptr, 10);
- if (errno || *endptr || (state->filter_value == endptr)) {
- tevent_req_error(req, errno ? errno : EINVAL);
- return;
- }
-
- ret = sysdb_delete_group(state->domain, NULL, gid);
- if (ret != EOK && ret != ENOENT) {
- tevent_req_error(req, ret);
- return;
- }
- break;
-
- case BE_FILTER_SECID:
- case BE_FILTER_UUID:
- /* Since it is not clear if the SID/UUID belongs to a user or a
- * group we have nothing to do here. */
- break;
-
- case BE_FILTER_WILDCARD:
- /* We can't know if all groups are up-to-date, especially in
- * a large environment. Do not delete any records, let the
- * responder fetch the entries they are requested in.
- */
- break;
-
-
- default:
- tevent_req_error(req, EINVAL);
+ }
+ tevent_req_set_callback(subreq, groups_get_mpg_done, req);
+ return;
+ } else if (ret == ENOENT && state->noexist_delete == true) {
+ ret = groups_get_handle_no_group(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not delete group [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
return;
}
}
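Review bot: the new MPG fallback runs for every `filter_type` whenever the group search returns ENOENT, ahead of the `noexist_delete` handling, and the result of the user lookup replaces `state->sdap_ret` for the caller. For BE_FILTER_NAME and BE_FILTER_IDNUM that is the intended behaviour; for BE_FILTER_ENUM and BE_FILTER_WILDCARD it triggers a second, user-space search whose meaning differs from the original group request. Consider restricting the fallback to the name, ID, SID and UUID filter types. The comment also talks only about resolving a GID, although by-name requests take the same path; say "name or GID".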
@@ -1129,6 +1113,96 @@ static void groups_get_done(struct tevent_req *subreq)
tevent_req_done(req);
}
+static void groups_get_mpg_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+
+ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->sdap_ret == ENOENT && state->noexist_delete == true) {
+ ret = groups_get_handle_no_group(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not delete group [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+ }
+
+ /* GID resolved to a user private group, done */
+ tevent_req_done(req);
+ return;
+}
+
+static errno_t groups_get_handle_no_group(struct tevent_req *req)
+{
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+ errno_t ret;
+ char *endptr;
+ gid_t gid;
+
+ switch (state->filter_type) {
+ case BE_FILTER_ENUM:
+ ret = ENOENT;
+ break;
+ case BE_FILTER_NAME:
+ ret = sysdb_delete_group(state->domain, state->filter_value, 0);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot delete group %s [%d]: %s\n",
+ state->filter_value, ret, sss_strerror(ret));
+ return ret;
+ }
+ ret = EOK;
+ break;
+ case BE_FILTER_IDNUM:
+ gid = (gid_t) strtouint32(state->filter_value, &endptr, 10);
+ if (errno || *endptr || (state->filter_value == endptr)) {
+ ret = errno ? errno : EINVAL;
+ break;
+ }
+
+ ret = sysdb_delete_group(state->domain, NULL, gid);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot delete group %"SPRIgid" [%d]: %s\n",
+ gid, ret, sss_strerror(ret));
+ return ret;
+ }
+ ret = EOK;
+ break;
+ case BE_FILTER_SECID:
+ case BE_FILTER_UUID:
+ /* Since it is not clear if the SID/UUID belongs to a user or a
+ * group we have nothing to do here. */
+ ret = EOK;
+ break;
+ case BE_FILTER_WILDCARD:
+ /* We can't know if all groups are up-to-date, especially in
+ * a large environment. Do not delete any records, let the
+ * responder fetch the entries they are requested in.
+ */
+ ret = EOK;
+ break;
+ default:
+ ret = EINVAL;
+ break;
+ }
+
+ return ret;
+}
+
int groups_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret)
{
struct groups_get_state *state = tevent_req_data(req,
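Review bot: in `groups_get_mpg_done()` the comment "GID resolved to a user private group, done" sits on a path that is also reached when the user lookup returned ENOENT (the `noexist_delete` block above it only removes the stale group); reword it to say that the user lookup finished and `sdap_ret` carries the result. In `groups_get_handle_no_group()` the BE_FILTER_IDNUM parse failure just breaks with an errno value, and both callers then log it as "Could not delete group", which hides the real cause; add a DEBUG line at the parse failure naming `state->filter_value`. The BE_FILTER_ENUM case returns ENOENT and is likewise reported by the callers as a failed deletion, whereas the old code passed that ENOENT straight to `tevent_req_error()` without a log line; either keep the silent path for ENUM or special-case it in the message.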
--
2.15.1


@ -0,0 +1,96 @@
From 561b887c08c6199a50f1295071626b3e9040a7d1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 19 Oct 2017 17:18:15 +0200
Subject: [PATCH 07/79] SYSDB: Prevent users and groups ID collision in MPG
domains except for id_provider=local
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit makes the check when adding an object in a MPG domain
stricter in the sense that not only same names are allowed in a MPG
domain, but also the same groups are not allowed either.
This commit is a backwards-incompatible change, but one that is needed,
otherwise requesting the duplicate group first and then requesting the
user entry would yield two objects when searching by GID.
In order to keep backwards-compatibility, this uniqueness is NOT
enforced with id_provider=local. This constraint can be removed in
the future (or the local provider can be dropped altogether)
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/db/sysdb_ops.c | 41 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0e39a629a5823ff49ed02ec4c08a21b66119f06f..2f8e36c6c9a2c2cefe4af5fb78957763304d989a 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1960,16 +1960,34 @@ int sysdb_add_user(struct sss_domain_info *domain,
}
if (domain->mpg) {
- /* In MPG domains you can't have groups with the same name as users,
- * search if a group with the same name exists.
+ /* In MPG domains you can't have groups with the same name or GID
+ * as users, search if a group with the same name exists.
* Don't worry about users, if we try to add a user with the same
* name the operation will fail */
ret = sysdb_search_group_by_name(tmp_ctx, domain, name, NULL, &msg);
if (ret != ENOENT) {
- if (ret == EOK) ret = EEXIST;
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group named %s already exists in an MPG domain\n",
+ name);
+ ret = EEXIST;
+ }
goto done;
}
+
+ if (strcasecmp(domain->provider, "local") != 0) {
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group with GID [%"SPRIgid"] already exists in an "
+ "MPG domain\n", gid);
+ ret = EEXIST;
+ }
+ goto done;
+ }
+ }
}
/* check no other user with the same uid exist */
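Review bot: the GID collision check in `sysdb_add_user()` searches for a group whose GID equals `uid`, but the error message prints `gid`, which in an MPG domain is typically the 0 placeholder, so the log will read "Group with GID [0] already exists". Print `uid` in that message. The comment above was only half-updated: it now mentions "same name or GID" but still says "search if a group with the same name exists"; mention the GID search too.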
@@ -2177,6 +2195,23 @@ int sysdb_add_group(struct sss_domain_info *domain,
}
goto done;
}
+
+ if (strcasecmp(domain->provider, "local") != 0) {
+ ret = sysdb_search_user_by_uid(tmp_ctx, domain, gid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "User with the same UID exists in MPG domain: "
+ "[%"SPRIgid"].\n", gid);
+ ret = EEXIST;
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "sysdb_search_user_by_uid failed for gid: "
+ "[%"SPRIgid"].\n", gid);
+ }
+ goto done;
+ }
+ }
}
/* check no other groups with the same gid exist */
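Review bot: the failure branch of `sysdb_search_user_by_uid()` here is logged at SSSDBG_TRACE_LIBS, whereas the matching branch added to `sysdb_add_user()` in the same patch uses SSSDBG_OP_FAILURE. A genuine sysdb error aborting a group save would be invisible at the default debug level; use SSSDBG_OP_FAILURE and include `ret` / `sss_strerror(ret)` in the message. Consider at least SSSDBG_MINOR_FAILURE for the EEXIST case as well, since a group silently disappearing from the cache because of an ID collision is exactly what an administrator will need to find in the logs.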
--
2.15.1


@ -0,0 +1,345 @@
From dc8e3fcdd6807974122e47ff97e9bbd3be16557f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 3 Oct 2017 16:55:40 +0200
Subject: [PATCH 08/79] TESTS: Add integration tests for the
auto_private_groups option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related:
https://pagure.io/SSSD/sssd/issue/1872
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/tests/intg/test_enumeration.py | 79 +++++++++++++-
src/tests/intg/test_ldap.py | 214 +++++++++++++++++++++++++++++++++++++
2 files changed, 290 insertions(+), 3 deletions(-)
diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
index fdb8d376879f756957f8f25fd28b37d7178aeff5..c7d78155c64dc6c85cb4dc070b205bdcfceff6af 100644
--- a/src/tests/intg/test_enumeration.py
+++ b/src/tests/intg/test_enumeration.py
@@ -237,9 +237,7 @@ def sanity_rfc2307(request, ldap_conn):
create_sssd_fixture(request)
return None
-
-@pytest.fixture
-def sanity_rfc2307_bis(request, ldap_conn):
+def populate_rfc2307bis(request, ldap_conn):
ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
ent_list.add_user("user1", 1001, 2001)
ent_list.add_user("user2", 1002, 2002)
@@ -266,6 +264,11 @@ def sanity_rfc2307_bis(request, ldap_conn):
[], ["one_user_group1", "one_user_group2"])
create_ldap_fixture(request, ldap_conn, ent_list)
+
+
+@pytest.fixture
+def sanity_rfc2307_bis(request, ldap_conn):
+ populate_rfc2307bis(request, ldap_conn)
conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
create_conf_fixture(request, conf)
create_sssd_fixture(request)
@@ -695,3 +698,73 @@ def test_vetoed_shells(vetoed_shells):
shell="/bin/default")
)
)
+
+
+@pytest.fixture
+def sanity_rfc2307_bis_mpg(request, ldap_conn):
+ populate_rfc2307bis(request, ldap_conn)
+
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_group_bis("conflict1", 1001)
+ ent_list.add_group_bis("conflict2", 1002)
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [domain/LDAP]
+ auto_private_groups = True
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_ldap_auto_private_groups_enumerate(ldap_conn,
+ sanity_rfc2307_bis_mpg):
+ """
+ Test the auto_private_groups together with enumeration
+ """
+ passwd_pattern = ent.contains_only(
+ dict(name='user1', passwd='*', uid=1001, gid=1001, gecos='1001',
+ dir='/home/user1', shell='/bin/bash'),
+ dict(name='user2', passwd='*', uid=1002, gid=1002, gecos='1002',
+ dir='/home/user2', shell='/bin/bash'),
+ dict(name='user3', passwd='*', uid=1003, gid=1003, gecos='1003',
+ dir='/home/user3', shell='/bin/bash')
+ )
+ ent.assert_passwd(passwd_pattern)
+
+ group_pattern = ent.contains_only(
+ dict(name='user1', passwd='*', gid=1001, mem=ent.contains_only()),
+ dict(name='user2', passwd='*', gid=1002, mem=ent.contains_only()),
+ dict(name='user3', passwd='*', gid=1003, mem=ent.contains_only()),
+ dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
+ dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
+ dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
+ dict(name='empty_group1', passwd='*', gid=2010,
+ mem=ent.contains_only()),
+ dict(name='empty_group2', passwd='*', gid=2011,
+ mem=ent.contains_only()),
+ dict(name='two_user_group', passwd='*', gid=2012,
+ mem=ent.contains_only("user1", "user2")),
+ dict(name='group_empty_group', passwd='*', gid=2013,
+ mem=ent.contains_only()),
+ dict(name='group_two_empty_groups', passwd='*', gid=2014,
+ mem=ent.contains_only()),
+ dict(name='one_user_group1', passwd='*', gid=2015,
+ mem=ent.contains_only("user1")),
+ dict(name='one_user_group2', passwd='*', gid=2016,
+ mem=ent.contains_only("user2")),
+ dict(name='group_one_user_group', passwd='*', gid=2017,
+ mem=ent.contains_only("user1")),
+ dict(name='group_two_user_group', passwd='*', gid=2018,
+ mem=ent.contains_only("user1", "user2")),
+ dict(name='group_two_one_user_groups', passwd='*', gid=2019,
+ mem=ent.contains_only("user1", "user2"))
+ )
+ ent.assert_group(group_pattern)
+
+ with pytest.raises(KeyError):
+ grp.getgrnam("conflict1")
+ ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
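Review bot: the conflict assertions at the end of `test_ldap_auto_private_groups_enumerate()` only check `conflict1` by name and GID 1002 by number; add `grp.getgrnam("conflict2")` raising KeyError and `ent.assert_group_by_gid(1001, ...)` resolving to `user1` so the collision handling is pinned down in both directions, not just for whichever entry enumeration happened to store first. Please also confirm `grp` is imported in test_enumeration.py; the import is not visible in this hunk.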
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index f2467f1ffe9890049ad73bba6432102d029510e8..a6659b1b78df4d72eb98c208d67ee5d10c9c88ea 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -1169,3 +1169,217 @@ def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
res, _ = call_sssd_getgrgid(0)
assert res == NssReturnCode.NOTFOUND
+
+
+@pytest.fixture
+def mpg_setup(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2002)
+ ent_list.add_user("user3", 1003, 2003)
+
+ ent_list.add_group_bis("group1", 2001)
+ ent_list.add_group_bis("group2", 2002)
+ ent_list.add_group_bis("group3", 2003)
+
+ ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"])
+ ent_list.add_group_bis("one_user_group1", 2015, ["user1"])
+ ent_list.add_group_bis("one_user_group2", 2016, ["user2"])
+
+ create_ldap_entries(ldap_conn, ent_list)
+ create_ldap_cleanup(request, ldap_conn, None)
+
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [domain/LDAP]
+ auto_private_groups = True
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup):
+ """
+ Integration test for auto_private_groups
+
+ See also ticket https://pagure.io/SSSD/sssd/issue/1872
+ """
+ # Make sure the user's GID is taken from their uidNumber
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
+ # Make sure the private group is resolvable by name and by GID
+ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
+ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
+
+ # The group referenced in user's gidNumber attribute should be still
+ # visible, but it's fine that it doesn't contain the user as a member
+ # as the group is currently added during the initgroups operation only
+ ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
+ ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
+
+ # The user's secondary groups list must be correct as well
+ # Note that the original GID is listed as well -- this is correct and expected
+ # because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute
+ user1_expected_gids = [1001, 2001, 2012, 2015]
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
+ assert res == sssd_id.NssReturnCode.SUCCESS
+
+ assert sorted(gids) == sorted(user1_expected_gids), \
+ "result: %s\n expected %s" % (
+ ", ".join(["%s" % s for s in sorted(gids)]),
+ ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
+ )
+
+ # Request user2's private group by GID without resolving the user first.
+ # This must trigger user resolution through by-GID resolution, since the GID
+ # doesn't exist on its own in LDAP
+ ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
+
+ # Test supplementary groups for user2 as well
+ user1_expected_gids = [1002, 2002, 2012, 2016]
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002)
+ assert res == sssd_id.NssReturnCode.SUCCESS
+
+ assert sorted(gids) == sorted(user1_expected_gids), \
+ "result: %s\n expected %s" % (
+ ", ".join(["%s" % s for s in sorted(gids)]),
+ ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
+ )
+
+ # Request user3's private group by name without resolving the user first
+ # This must trigger user resolution through by-name resolution, since the
+ # name doesn't exist on its own in LDAP
+ ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
+
+ # Remove entries and request them again to make sure they are not
+ # resolvable anymore
+ cleanup_ldap_entries(ldap_conn, None)
+
+ if subprocess.call(["sss_cache", "-GU"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ with pytest.raises(KeyError):
+ pwd.getpwnam("user1")
+ with pytest.raises(KeyError):
+ grp.getgrnam("user1")
+ with pytest.raises(KeyError):
+ grp.getgrgid(1002)
+ with pytest.raises(KeyError):
+ grp.getgrnam("user3")
+
+
+@pytest.fixture
+def mpg_setup_conflict(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2002)
+ ent_list.add_user("user3", 1003, 1003)
+ ent_list.add_group_bis("group1", 1001)
+ ent_list.add_group_bis("group2", 1002)
+ ent_list.add_group_bis("group3", 1003)
+ ent_list.add_group_bis("supp_group", 2015, ["user3"])
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [domain/LDAP]
+ auto_private_groups = True
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict):
+ """
+ Make sure that conflicts between groups that are auto-created with the
+ help of the auto_private_groups option and between 'real' LDAP groups
+ are handled in a predictable manner.
+ """
+ # Make sure the user's GID is taken from their uidNumber
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
+ # Make sure the private group is resolvable by name and by GID
+ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
+ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
+
+ # Let's request the group with the same ID as user2's private group
+ # The request should match the 'real' group
+ ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only()))
+ # But because of the GID conflict, the user cannot be resolved
+ with pytest.raises(KeyError):
+ pwd.getpwnam("user2")
+
+ # This user's GID is the same as the UID in this entry. The most important
+ # thing here is that the supplementary groups are correct and the GID
+ # resolves to the private group (as long as the user was requested first)
+ user3_expected_gids = [1003, 2015]
+ ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003))
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003)
+ assert res == sssd_id.NssReturnCode.SUCCESS
+
+ assert sorted(gids) == sorted(user3_expected_gids), \
+ "result: %s\n expected %s" % (
+ ", ".join(["%s" % s for s in sorted(gids)]),
+ ", ".join(["%s" % s for s in sorted(user3_expected_gids)])
+ )
+ # Make sure the private group is resolvable by name and by GID
+ ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only()))
+ ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
+
+
+@pytest.fixture
+def mpg_setup_no_gid(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+
+ ent_list.add_group_bis("group1", 2001)
+ ent_list.add_group_bis("one_user_group1", 2015, ["user1"])
+
+ create_ldap_entries(ldap_conn, ent_list)
+ create_ldap_cleanup(request, ldap_conn, None)
+
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [domain/LDAP]
+ auto_private_groups = True
+ ldap_user_gid_number = no_such_attribute
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
+ """
+ Integration test for auto_private_groups - test that even a user with
+ no GID assigned at all can be resolved including their autogenerated
+ primary group.
+
+ See also ticket https://pagure.io/SSSD/sssd/issue/1872
+ """
+ # Make sure the user's GID is taken from their uidNumber
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
+ # Make sure the private group is resolvable by name and by GID
+ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
+ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
+
+ # The group referenced in user's gidNumber attribute should be still
+ # visible, but shouldn't have any relation to the user
+ ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
+ ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
+
+ # The user's secondary groups list must be correct as well. This time only
+ # the generated group and the explicit secondary group are added, since
+ # there is no original GID
+ user1_expected_gids = [1001, 2015]
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
+ assert res == sssd_id.NssReturnCode.SUCCESS
+
+ assert sorted(gids) == sorted(user1_expected_gids), \
+ "result: %s\n expected %s" % (
+ ", ".join(["%s" % s for s in sorted(gids)]),
+ ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
+ )
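Review bot: in `test_ldap_auto_private_groups_direct()` the second expectation reuses the name `user1_expected_gids` for user2's groups; rename it to `user2_expected_gids` so a failing assertion message is not misleading. The exception text "sssd_cache failed" should name `sss_cache`, the command actually run. The comment "This must trigger user resolution through by-GID resolution" reads awkwardly; "must trigger a by-GID user lookup" is enough. These tests also rely on `subprocess`, `pwd`, `grp` and `sssd_id` being imported at the top of test_ldap.py, which this hunk does not show.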
--
2.15.1


@ -1,7 +1,7 @@
From 0f44eefe2ce75a0814c8688495477f6c57f3d39a Mon Sep 17 00:00:00 2001
From ec2489ab1ba7075e69f1f3747d96656ac2b0aab5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Fri, 20 Oct 2017 09:26:43 +0200
Subject: [PATCH] CACHE_REQ: Copy the cr_domain list for each request
Subject: [PATCH 09/79] CACHE_REQ: Copy the cr_domain list for each request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -137,5 +137,5 @@ index 3780a5d8d88d76e100738d28d1dd0e697edf5eae..ebdc71dd635d5d8a5d06e30e96c5d410
--
2.15.0
2.15.1


@ -0,0 +1,41 @@
From a0f79dd38cffc5ad382aae9baba76863678c26ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 20 Oct 2017 11:49:26 +0200
Subject: [PATCH 10/79] sudo: document background activity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When we introduced socket activation, we changed the internal behaviour.
Previously we disabled sudo if it was not listed in services, with
socket activation we removed this feature. Some users were confused
so this change documents current behaviour.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/man/sssd.conf.5.xml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 1e8d9537517c85c3021b9c2c4185ea272c5bfffa..b247b5ac75a82d45f29023f5f9ca24a3a7a5ce0c 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2348,6 +2348,14 @@ pam_account_locked_message = Account locked, please contact help desk.
<manvolnum>5</manvolnum>
</citerefentry>.
</para>
+ <para>
+ <emphasis>NOTE:</emphasis> Sudo rules are
+ periodically downloaded in the background unless
+ the sudo provider is explicitly disabled. Set
+ <emphasis>sudo_provider = None</emphasis> to
+ disable all sudo-related activity in SSSD if you do
+ not want to use sudo with SSSD at all.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
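Review bot: the new paragraph tells the reader to set `sudo_provider = None`, while the provider list earlier in this man page spells the value `none`; use the same spelling in both places so administrators who copy the value verbatim do not depend on case-insensitive parsing of the provider name.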
--
2.15.1


@ -0,0 +1,40 @@
From bb20c565417a2c2ab274b254e6238657c5d8c73a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Thu, 26 Oct 2017 17:12:17 +0200
Subject: [PATCH 11/79] MAN: GPO Security Filtering limitation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Note in the man pages that current version of SSSD does not support
host entries in the 'Security filtering' list.
Resolves:
https://pagure.io/SSSD/sssd/issue/3444
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/man/sssd-ad.5.xml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 08c1dd09fb829c6cffb416250b9b518668ec5790..649042d587de3d3600fff59866681e302c721af8 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -345,6 +345,13 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
particular user is allowed to logon to a particular
host.
</para>
+ <para>
+ NOTE: The current version of SSSD does not support
+ host (computer) entries in the GPO 'Security
+ Filtering' list. Only user and group entries are
+ supported. Host entries in the list have no
+ effect.
+ </para>
<para>
NOTE: If the operation mode is set to enforcing, it
is possible that users that were previously allowed
--
2.15.1


@ -0,0 +1,55 @@
From 5b34c650b387192282f3c2cd6211db0fd4944870 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 30 Oct 2017 14:54:07 +0100
Subject: [PATCH 12/79] CI: Ignore source file generated by systemtap
There are some changes in systemtap 3.2 which generate temporary
source files and remove them later. We are not interested in code
coverage in this area. Let's ignore them.
...
genhtml: failure 00:00:01 ci-build-coverage/ci-genhtml.log
FAILURE
sh$ cat ci-build-coverage/ci-genhtml.log
Start: Mon Oct 30 13:43:52 UTC 2017
+ eval 'genhtml --output-directory \
"$coverage_report_dir" \
--title "sssd" --show-details \
--legend --prefix "$BASE_DIR" \
ci.info |& tee ci-genhtml.out'
++ genhtml --output-directory ci-report-coverage --title sssd \
--show-details --legend --prefix /home/build/sssd ci.info
++ tee ci-genhtml.out
Reading data file ci.info
Found 447 entries.
Using user-specified filename prefix "/home/build/sssd"
Writing .css and .png files.
Generating output.
genhtml: ERROR: cannot read /home/build/sssd/stap_generated_probes.o.dtrace-temp.c
Processing file stap_generated_probes.o.dtrace-temp.c
End: Mon Oct 30 13:43:53 UTC 2017
sh$ ls -l /home/build/sssd/stap_generated_probes.o.dtrace-temp.c
ls: cannot access '/home/build/sssd/stap_generated_probes.o.dtrace-temp.c': No such file or directory
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
contrib/ci/run | 1 +
1 file changed, 1 insertion(+)
diff --git a/contrib/ci/run b/contrib/ci/run
index aa6d35abedbd24fce49651e43f4a704b2b1b9880..26cd32b3316eb9fdfd9fd07e26dd862fec7b669d 100755
--- a/contrib/ci/run
+++ b/contrib/ci/run
@@ -300,6 +300,7 @@ function build_coverage()
--output-file ci-dirty.info
stage lcov-clean lcov --remove ci-dirty.info \
"/usr/*" "src/tests/*" "/tmp/*" \
+ "*dtrace-temp.c" \
--output-file ci.info
stage genhtml eval 'genhtml --output-directory \
"$coverage_report_dir" \
--
2.15.1


@ -0,0 +1,63 @@
From 25bc436bccacb7f995314465b2923c6e08f654d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 19 Oct 2017 10:39:21 +0200
Subject: [PATCH 13/79] sudo: always use srv_opts from id context
Prior to this patch, we remembered id_ctx->srv_opts in the sudo request to
switch the latest usn values. This works fine most of the time, but it may
cause a crash.
If we have two concurrent sudo refreshes and one of them fails, it causes
failover to try the next server, possibly replacing the old srv_opts
with a new one, which causes an access after free in the other refresh.
Resolves:
https://pagure.io/SSSD/sssd/issue/3562
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ldap/sdap_async_sudo.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index f33d5b5fa86dc1806695482d627bd71a2b040d6e..5dc58012845b7109f0fa138e2e291b8ec3267799 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -279,7 +279,6 @@ done:
struct sdap_sudo_refresh_state {
struct sdap_sudo_ctx *sudo_ctx;
struct tevent_context *ev;
- struct sdap_server_opts *srv_opts;
struct sdap_options *opts;
struct sdap_id_op *sdap_op;
struct sysdb_ctx *sysdb;
@@ -405,9 +404,6 @@ static void sdap_sudo_refresh_connect_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "SUDO LDAP connection successful\n");
- /* Obtain srv_opts here in case of first connection. */
- state->srv_opts = state->sudo_ctx->id_ctx->srv_opts;
-
/* Renew host information if needed. */
if (state->sudo_ctx->run_hostinfo) {
subreq = sdap_sudo_get_hostinfo_send(state, state->opts,
@@ -586,7 +582,6 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
goto done;
}
-
/* start transaction */
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
@@ -621,7 +616,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
/* remember new usn */
ret = sysdb_get_highest_usn(state, rules, rules_count, &usn);
if (ret == EOK) {
- sdap_sudo_set_usn(state->srv_opts, usn);
+ sdap_sudo_set_usn(state->sudo_ctx->id_ctx->srv_opts, usn);
} else {
DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get highest USN [%d]: %s\n",
ret, sss_strerror(ret));
--
2.15.1


@ -0,0 +1,108 @@
From ceb9cc228793551eb0fc42234ee3f9b3c9d6cb9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 18 Oct 2017 15:20:34 +0200
Subject: [PATCH 14/79] AD: Remember last site discovered
To discover the Active Directory site for a client we must first contact any
directory controller for an LDAP ping. This is done by searching the
domain-wide DNS tree, which may however contain servers that are not
reachable from the current site, and then we face long timeouts or failure.
This patch makes sssd remember the last successfully discovered site
and use it for the DNS search to look up a site and forest again, similar
to what we do when the ad_site option is set.
Resolves:
https://pagure.io/SSSD/sssd/issue/3265
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ad/ad_srv.c | 44 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
index ff01ee95c4d2c6875a989394489f1a0495cc3003..be1ba0f237add894566ae713ce5e29fd202d414c 100644
--- a/src/providers/ad/ad_srv.c
+++ b/src/providers/ad/ad_srv.c
@@ -481,6 +481,7 @@ struct ad_srv_plugin_ctx {
const char *hostname;
const char *ad_domain;
const char *ad_site_override;
+ const char *current_site;
};
struct ad_srv_plugin_ctx *
@@ -518,6 +519,11 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
if (ctx->ad_site_override == NULL) {
goto fail;
}
+
+ ctx->current_site = talloc_strdup(ctx, ad_site_override);
+ if (ctx->current_site == NULL) {
+ goto fail;
+ }
}
return ctx;
@@ -527,6 +533,32 @@ fail:
return NULL;
}
+static errno_t
+ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx,
+ const char *new_site)
+{
+ const char *site;
+ errno_t ret;
+
+ if (new_site == NULL) {
+ return EOK;
+ }
+
+ if (ctx->current_site != NULL && strcmp(ctx->current_site, new_site) == 0) {
+ return EOK;
+ }
+
+ site = talloc_strdup(ctx, new_site);
+ if (site == NULL) {
+ return ENOMEM;
+ }
+
+ talloc_zfree(ctx->current_site);
+ ctx->current_site = site;
+
+ return EOK;
+}
+
struct ad_srv_plugin_state {
struct tevent_context *ev;
struct ad_srv_plugin_ctx *ctx;
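Review bot: `errno_t ret;` in ad_srv_plugin_ctx_switch_site() is declared but never assigned or read anywhere in this hunk, which trips -Wunused-variable on a warnings-as-errors build; drop it here and introduce it in the later change that actually needs it. Also worth a second look: a NULL new_site returns EOK early and keeps the previously remembered site pinned, so if that is intentional a short comment saying so would help.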
@@ -613,7 +645,7 @@ struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
subreq = ad_get_dc_servers_send(state, ev, ctx->be_res->resolv,
state->discovery_domain,
- state->ctx->ad_site_override);
+ state->ctx->current_site);
if (subreq == NULL) {
ret = ENOMEM;
goto immediately;
@@ -709,6 +741,16 @@ static void ad_srv_plugin_site_done(struct tevent_req *subreq)
backup_domain = NULL;
if (ret == EOK) {
+ /* Remember current site so it can be used during next lookup so
+ * we can contact directory controllers within a known reachable
+ * site first. */
+ ret = ad_srv_plugin_ctx_switch_site(state->ctx, state->site);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set site [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
if (strcmp(state->service, "gc") == 0) {
if (state->forest != NULL) {
if (state->site != NULL) {
--
2.15.1


@ -0,0 +1,205 @@
From 8687782eb971d0fa6f8f4420a8616ba943d7252b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 24 Oct 2017 12:09:39 +0200
Subject: [PATCH 15/79] sysdb: add functions to get/set client site
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb.h | 10 +++
src/db/sysdb_subdomains.c | 108 +++++++++++++++++++++++++++++++
src/tests/cmocka/test_sysdb_subdomains.c | 28 ++++++++
3 files changed, 146 insertions(+)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index fbbe321072385bd43353ef2f7d0e30667887d128..4192f9085d941814eccd2ac60ce8fb6d4e1bfa67 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -154,6 +154,7 @@
#define SYSDB_SUBDOMAIN_FOREST "memberOfForest"
#define SYSDB_SUBDOMAIN_TRUST_DIRECTION "trustDirection"
#define SYSDB_UPN_SUFFIXES "upnSuffixes"
+#define SYSDB_SITE "site"
#define SYSDB_BASE_ID "baseID"
#define SYSDB_ID_RANGE_SIZE "idRangeSize"
@@ -509,6 +510,15 @@ errno_t sysdb_domain_update_domain_resolution_order(
const char *domain_name,
const char *domain_resolution_order);
+errno_t
+sysdb_get_site(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ const char **_site);
+
+errno_t
+sysdb_set_site(struct sss_domain_info *dom,
+ const char *site);
+
errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
const char *name, const char *realm,
const char *flat_name, const char *domain_id,
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 2789cc4949fb7be9ad272d7613ed18a64fa8a20a..cb5de1afe3e8c9692789c5d2679eb3a4e6e1cdb2 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -1284,3 +1284,111 @@ done:
talloc_free(tmp_ctx);
return ret;
}
+
+errno_t
+sysdb_get_site(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ const char **_site)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_res *res;
+ struct ldb_dn *dn;
+ const char *attrs[] = { SYSDB_SITE, NULL };
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new_fmt(tmp_ctx, dom->sysdb->ldb, SYSDB_DOM_BASE, dom->name);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(dom->sysdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
+ attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ if (res->count == 0) {
+ *_site = NULL;
+ ret = EOK;
+ goto done;
+ } else if (res->count != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Got more than one reply for base search!\n");
+ ret = EIO;
+ goto done;
+ }
+
+ *_site = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SITE, NULL);
+ talloc_steal(mem_ctx, *_site);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t
+sysdb_set_site(struct sss_domain_info *dom,
+ const char *site)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_message *msg;
+ struct ldb_dn *dn;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new_fmt(tmp_ctx, dom->sysdb->ldb, SYSDB_DOM_BASE, dom->name);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ msg = ldb_msg_new(tmp_ctx);
+ if (msg == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ msg->dn = dn;
+
+ ret = ldb_msg_add_empty(msg, SYSDB_SITE, LDB_FLAG_MOD_REPLACE, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ if (site != NULL) {
+ ret = ldb_msg_add_string(msg, SYSDB_SITE, site);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+ }
+
+ ret = ldb_modify(dom->sysdb->ldb, msg);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldb_modify()_failed: [%s][%d][%s]\n",
+ ldb_strerror(ret), ret, ldb_errstring(dom->sysdb->ldb));
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
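Review bot: `struct ldb_res *res;` in sysdb_get_site() is not an ldb type; ldb_search() takes `struct ldb_result **`, so this hunk does not compile as written and the declaration should read `struct ldb_result *res;`. While here, the error message in sysdb_set_site() reads `"ldb_modify()_failed: ..."`; the underscore should be a space.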
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
index 84bcdc17b39dbc8822097c2006f157a09ea5e466..f8e3e1d915dba0f3a79adbf5af733980bf23a265 100644
--- a/src/tests/cmocka/test_sysdb_subdomains.c
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
@@ -513,6 +513,31 @@ static void test_sysdb_link_ad_multidom(void **state)
}
+static void test_sysdb_set_and_get_site(void **state)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct subdom_test_ctx *test_ctx =
+ talloc_get_type(*state, struct subdom_test_ctx);
+ const char *site;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ assert_non_null(test_ctx);
+
+ ret = sysdb_get_site(test_ctx, test_ctx->tctx->dom, &site);
+ assert_int_equal(ret, EOK);
+ assert_null(site);
+
+ ret = sysdb_set_site(test_ctx->tctx->dom, "TestSite");
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_get_site(tmp_ctx, test_ctx->tctx->dom, &site);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(site, "TestSite");
+
+ talloc_free(tmp_ctx);
+}
+
int main(int argc, const char *argv[])
{
int rv;
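Review bot: in test_sysdb_set_and_get_site() the line right after `tmp_ctx = talloc_new(NULL);` is `assert_non_null(test_ctx);`, so the allocation that was just made is never checked; it should be `assert_non_null(tmp_ctx);` (test_ctx comes from talloc_get_type() and can be asserted separately if desired).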
@@ -546,6 +571,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_sysdb_link_ad_multidom,
test_sysdb_subdom_setup,
test_sysdb_subdom_teardown),
+ cmocka_unit_test_setup_teardown(test_sysdb_set_and_get_site,
+ test_sysdb_subdom_setup,
+ test_sysdb_subdom_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
--
2.15.1


@ -0,0 +1,160 @@
From 48f58549e2b687ba405162bd5db23f1c323732f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 1 Nov 2017 14:57:17 +0100
Subject: [PATCH 16/79] AD: Remember last site discovered in sysdb
This can speed up sssd startup.
Resolves:
https://pagure.io/SSSD/sssd/issue/3265
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb_subdomains.c | 2 +-
src/providers/ad/ad_init.c | 2 +-
src/providers/ad/ad_srv.c | 21 +++++++++++++++++++++
src/providers/ad/ad_srv.h | 1 +
src/providers/ad/ad_subdomains.c | 2 +-
src/providers/ipa/ipa_subdomains_server.c | 2 +-
6 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index cb5de1afe3e8c9692789c5d2679eb3a4e6e1cdb2..353561765904efe4bd698c38949a1b290ecf0b80 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -1291,7 +1291,7 @@ sysdb_get_site(TALLOC_CTX *mem_ctx,
const char **_site)
{
TALLOC_CTX *tmp_ctx;
- struct ldb_res *res;
+ struct ldb_result *res;
struct ldb_dn *dn;
const char *attrs[] = { SYSDB_SITE, NULL };
errno_t ret;
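Review bot: this hunk is a compile fix for the previous patch in the series (`struct ldb_res` -> `struct ldb_result` in sysdb_get_site()); squash it into "sysdb: add functions to get/set client site" so that every commit builds on its own and the series stays bisectable.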
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 131e960d4c623398506f834742400df9c786b86b..e62025d4acd24844a5c7082d00c597516f35de16 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -199,7 +199,7 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
return EOK;
}
- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
+ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
default_host_dbs, ad_options->id,
hostname, ad_domain,
ad_site_override);
diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
index be1ba0f237add894566ae713ce5e29fd202d414c..4fa1668605e131b2e31802b1401f49fc6e00a23b 100644
--- a/src/providers/ad/ad_srv.c
+++ b/src/providers/ad/ad_srv.c
@@ -34,6 +34,7 @@
#include "providers/fail_over_srv.h"
#include "providers/ldap/sdap.h"
#include "providers/ldap/sdap_async.h"
+#include "db/sysdb.h"
#define AD_SITE_DOMAIN_FMT "%s._sites.%s"
@@ -475,6 +476,7 @@ int ad_get_client_site_recv(TALLOC_CTX *mem_ctx,
}
struct ad_srv_plugin_ctx {
+ struct be_ctx *be_ctx;
struct be_resolv_ctx *be_res;
enum host_database *host_dbs;
struct sdap_options *opts;
@@ -486,6 +488,7 @@ struct ad_srv_plugin_ctx {
struct ad_srv_plugin_ctx *
ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
struct be_resolv_ctx *be_res,
enum host_database *host_dbs,
struct sdap_options *opts,
@@ -494,12 +497,14 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
const char *ad_site_override)
{
struct ad_srv_plugin_ctx *ctx = NULL;
+ errno_t ret;
ctx = talloc_zero(mem_ctx, struct ad_srv_plugin_ctx);
if (ctx == NULL) {
return NULL;
}
+ ctx->be_ctx = be_ctx;
ctx->be_res = be_res;
ctx->host_dbs = host_dbs;
ctx->opts = opts;
@@ -524,6 +529,15 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
if (ctx->current_site == NULL) {
goto fail;
}
+ } else {
+ ret = sysdb_get_site(ctx, be_ctx->domain, &ctx->current_site);
+ if (ret != EOK) {
+ /* Not fatal. */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Unable to get current site from cache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ ctx->current_site = NULL;
+ }
}
return ctx;
@@ -556,6 +570,13 @@ ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx,
talloc_zfree(ctx->current_site);
ctx->current_site = site;
+ ret = sysdb_set_site(ctx->be_ctx->domain, ctx->current_site);
+ if (ret != EOK) {
+ /* Not fatal. */
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ }
+
return EOK;
}
diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h
index ae5efe44755fa09f74064014cce749e35b1831da..fddef686762e57bb95d648247131d39a797aa516 100644
--- a/src/providers/ad/ad_srv.h
+++ b/src/providers/ad/ad_srv.h
@@ -25,6 +25,7 @@ struct ad_srv_plugin_ctx;
struct ad_srv_plugin_ctx *
ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
struct be_resolv_ctx *be_res,
enum host_database *host_dbs,
struct sdap_options *opts,
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 280aa54c23bf61e60d23ea91bd44a39f9f43d155..3fb9b950f171d85817cce35ac92ad7c4974ccb68 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -245,7 +245,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
ad_options->id_ctx = ad_id_ctx;
/* use AD plugin */
- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
+ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
default_host_dbs,
ad_id_ctx->ad_options->id,
hostname,
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index 10166d162f746fde176e6c7c2bfbe3906b1bfddc..d670a156b37608d20d49d79131138f02e4abf82b 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -305,7 +305,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
/* use AD plugin */
- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
+ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
default_host_dbs,
ad_id_ctx->ad_options->id,
id_ctx->server_mode->hostname,
--
2.15.1


@ -0,0 +1,132 @@
From dad79765d9ccafb3ba5d31a20462d73af96fa058 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 23 Oct 2017 14:58:14 +0200
Subject: [PATCH 17/79] UTIL: Add wrapper function to configure logger
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's use one enum for the logger type instead of many integers (debug_to_file,
debug_to_stderr plus some weird combination for journald).
Old variables were also transformed to the enum for backward compatibility.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/util/debug.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/util/debug.h | 18 ++++++++++++++++++
2 files changed, 72 insertions(+)
diff --git a/src/util/debug.c b/src/util/debug.c
index ca4fa4c6f5b150700a0a136d8a7ca9df30c29d73..4e469447e5ab8aa89cd57bcd6d00269875a12bc6 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -43,9 +43,63 @@ int debug_timestamps = SSSDBG_TIMESTAMP_UNRESOLVED;
int debug_microseconds = SSSDBG_MICROSECONDS_UNRESOLVED;
int debug_to_file = 0;
int debug_to_stderr = 0;
+enum sss_logger_t sss_logger;
const char *debug_log_file = "sssd";
FILE *debug_file = NULL;
+const char *sss_logger_str[] = {
+ [STDERR_LOGGER] = "stderr",
+ [FILES_LOGGER] = "files",
+#ifdef WITH_JOURNALD
+ [JOURNALD_LOGGER] = "journald",
+#endif
+ NULL,
+};
+
+#ifdef WITH_JOURNALD
+#define JOURNALD_STR " journald,"
+#else
+#define JOURNALD_STR ""
+#endif
+
+void sss_set_logger(const char *logger)
+{
+ /* use old flags */
+ if (logger == NULL) {
+ if (debug_to_stderr != 0) {
+ sss_logger = STDERR_LOGGER;
+ }
+ /* It is never described what should be used in case of
+ * debug_to_stderr == 1 && debug_to_file == 1. Because neither
+ * of binaries provide both command line arguments.
+ * Let files have higher priority.
+ */
+ if (debug_to_file != 0) {
+ sss_logger = FILES_LOGGER;
+ }
+#ifdef WITH_JOURNALD
+ if (debug_to_file == 0 && debug_to_stderr == 0) {
+ sss_logger = JOURNALD_LOGGER;
+ }
+#endif
+ } else {
+ if (strcmp(logger, "stderr") == 0) {
+ sss_logger = STDERR_LOGGER;
+ } else if (strcmp(logger, "files") == 0) {
+ sss_logger = FILES_LOGGER;
+#ifdef WITH_JOURNALD
+ } else if (strcmp(logger, "journald") == 0) {
+ sss_logger = JOURNALD_LOGGER;
+#endif
+ } else {
+ /* unexpected value */
+ fprintf(stderr, "Unexpected logger: %s\nExpected:%s stderr, "
+ "files\n", logger, JOURNALD_STR);
+ sss_logger = STDERR_LOGGER;
+ }
+ }
+}
+
errno_t set_debug_file_from_fd(const int fd)
{
FILE *dummy;
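Review bot: in the `logger == NULL` branch of sss_set_logger(), when debug_to_file and debug_to_stderr are both 0 and WITH_JOURNALD is not defined, sss_logger is never assigned, so the effective default depends on the global's zero initialisation happening to equal STDERR_LOGGER; set the fallback explicitly (e.g. start the function with `sss_logger = STDERR_LOGGER;`) so the default does not silently change if the enum is ever reordered.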
diff --git a/src/util/debug.h b/src/util/debug.h
index 2a1bd4ffd30817d7128805996c21105fe40982a2..4adafb7cfc03f7381c4d03071eb44edad04bee00 100644
--- a/src/util/debug.h
+++ b/src/util/debug.h
@@ -31,13 +31,26 @@
#define APPEND_LINE_FEED 0x1
+enum sss_logger_t {
+ STDERR_LOGGER = 0,
+ FILES_LOGGER,
+#ifdef WITH_JOURNALD
+ JOURNALD_LOGGER,
+#endif
+};
+
+extern const char *sss_logger_str[];
extern const char *debug_prg_name;
extern int debug_level;
extern int debug_timestamps;
extern int debug_microseconds;
extern int debug_to_file;
extern int debug_to_stderr;
+extern enum sss_logger_t sss_logger;
extern const char *debug_log_file;
+
+void sss_set_logger(const char *logger);
+
void sss_vdebug_fn(const char *file,
long line,
const char *function,
@@ -80,6 +93,11 @@ int get_fd_from_debug_file(void);
#define SSSDBG_MICROSECONDS_UNRESOLVED -1
#define SSSDBG_MICROSECONDS_DEFAULT 0
+#define SSSD_LOGGER_OPTS \
+ {"logger", '\0', POPT_ARG_STRING, &opt_logger, 0, \
+ _("Set logger"), "stderr|files|journald"},
+
+
#define SSSD_DEBUG_OPTS \
{"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, \
_("Debug level"), NULL}, \
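Review bot: SSSD_LOGGER_OPTS takes the address of `opt_logger`, a local that every user of the macro must declare beforehand; a comment above the macro stating that requirement would save the next person a confusing compile error. The help string `"stderr|files|journald"` also advertises journald unconditionally although JOURNALD_LOGGER exists only under WITH_JOURNALD; consider guarding the journald part with the same #ifdef as debug.c does.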
--
2.15.1


@ -0,0 +1,829 @@
From 0256b7734738302da9752db5297a3d41fccd40ac Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 23 Oct 2017 15:18:47 +0200
Subject: [PATCH 18/79] Add parameter --logger to daemons
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Different binaries handled information about logging differently,
e.g. --debug-to-files, --debug-to-stderr.
Logging to journald was a special case of the previous options
(!debug_file && !debug_to_stderr). It was also tied to the monitor option
"--daemon", and therefore logging to stderr was used in interactive mode
+ systemd Type=notify.
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/man/sssd.8.xml | 31 +++++++++++++++++++++++++
src/monitor/monitor.c | 48 ++++++++++++---------------------------
src/p11_child/p11_child_nss.c | 3 +++
src/providers/ad/ad_gpo_child.c | 4 ++++
src/providers/data_provider_be.c | 4 ++++
src/providers/ipa/selinux_child.c | 4 ++++
src/providers/krb5/krb5_child.c | 4 ++++
src/providers/ldap/ldap_child.c | 4 ++++
src/providers/proxy/proxy_auth.c | 4 ++--
src/providers/proxy/proxy_child.c | 4 ++++
src/responder/autofs/autofssrv.c | 4 ++++
src/responder/ifp/ifpsrv.c | 4 ++++
src/responder/kcm/kcm.c | 4 ++++
src/responder/nss/nsssrv.c | 4 ++++
src/responder/pac/pacsrv.c | 4 ++++
src/responder/pam/pamsrv.c | 4 ++++
src/responder/secrets/secsrv.c | 4 ++++
src/responder/ssh/sshsrv.c | 4 ++++
src/responder/sudo/sudosrv.c | 4 ++++
src/tests/cmocka/dummy_child.c | 4 ++++
src/tests/debug-tests.c | 10 ++++++++
src/util/child_common.c | 2 +-
src/util/debug.c | 4 ++--
src/util/server.c | 12 ++++++----
24 files changed, 135 insertions(+), 43 deletions(-)
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
index 923da6824907f0d2d140d9ca83f87338e7664f83..0b725628ff93f48f832140dd5dc15b040a8b179f 100644
--- a/src/man/sssd.8.xml
+++ b/src/man/sssd.8.xml
@@ -92,6 +92,37 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>--logger=</option><replaceable>value</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Location where SSSD will send log messages. This option
+ overrides the value of the deprecated option
+ <option>--debug-to-files</option>. The deprecated
+ option will still work if the <option>--logger</option>
+ is not used.
+ </para>
+ <para>
+ <emphasis>stderr</emphasis>: Redirect debug messages to
+ standard error output.
+ </para>
+ <para>
+ <emphasis>files</emphasis>: Redirect debug messages to
+ the log files. By default, the log files are stored in
+ <filename>/var/log/sssd</filename> and there are
+ separate log files for every SSSD service and domain.
+ </para>
+ <para>
+ <emphasis>journald</emphasis>: Redirect debug messages
+ to systemd-journald
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>-D</option>,<option>--daemon</option>
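Review bot: `Default: not set` tells the reader nothing about where messages go when --logger is omitted; spell out the fallback (the deprecated --debug-to-files/--debug-to-stderr flags decide, otherwise journald on builds with journald support), since that is exactly what an administrator consulting this page wants to know. The journald paragraph also lacks the terminating period its sibling paragraphs have.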
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 7726548bbb666bb189667efc1de2295f8a001105..3c0b7ab2dac10fe15a8a5b807cb68ea4b7ab8461 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1211,22 +1211,11 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
}
}
- if (debug_to_file) {
- svc->command = talloc_strdup_append(
- svc->command, " --debug-to-files"
- );
- if (!svc->command) {
- talloc_free(svc);
- return ENOMEM;
- }
- } else if (ctx->is_daemon == false) {
- svc->command = talloc_strdup_append(
- svc->command, " --debug-to-stderr"
- );
- if (!svc->command) {
- talloc_free(svc);
- return ENOMEM;
- }
+ svc->command = talloc_asprintf_append(
+ svc->command, " --logger=%s", sss_logger_str[sss_logger]);
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
}
}
@@ -1374,22 +1363,11 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name,
}
}
- if (debug_to_file) {
- svc->command = talloc_strdup_append(
- svc->command, " --debug-to-files"
- );
- if (!svc->command) {
- talloc_free(svc);
- return ENOMEM;
- }
- } else if (ctx->is_daemon == false) {
- svc->command = talloc_strdup_append(
- svc->command, " --debug-to-stderr"
- );
- if (!svc->command) {
- talloc_free(svc);
- return ENOMEM;
- }
+ svc->command = talloc_asprintf_append(
+ svc->command, " --logger=%s", sss_logger_str[sss_logger]);
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
}
}
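Review bot: this block is a verbatim copy of the one added to get_service_config() above (talloc_asprintf_append() of `--logger=%s` followed by the ENOMEM check); factor it into a small helper so the two call sites cannot drift apart. Note also the behaviour change the hunk introduces: a daemonised monitor previously passed no logging flag at all when not logging to files, whereas now every child is always told `--logger=<current>`; that is the intent of the patch, but it deserves a sentence in the commit message.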
@@ -2454,6 +2432,7 @@ int main(int argc, const char *argv[])
int opt_version = 0;
int opt_netlinkoff = 0;
char *opt_config_file = NULL;
+ char *opt_logger = NULL;
char *config_file = NULL;
int flags = 0;
struct main_context *main_ctx;
@@ -2465,6 +2444,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
{"daemon", 'D', POPT_ARG_NONE, &opt_daemon, 0, \
_("Become a daemon (default)"), NULL }, \
{"interactive", 'i', POPT_ARG_NONE, &opt_interactive, 0, \
@@ -2551,6 +2531,8 @@ int main(int argc, const char *argv[])
debug_to_stderr = 1;
}
+ sss_set_logger(opt_logger);
+
if (opt_config_file) {
config_file = talloc_strdup(tmp_ctx, opt_config_file);
} else {
@@ -2575,7 +2557,7 @@ int main(int argc, const char *argv[])
/* Open before server_setup() does to have logging
* during configuration checking */
- if (debug_to_file) {
+ if (sss_logger == FILES_LOGGER) {
ret = open_debug_file();
if (ret) {
return 7;
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index f165b58e63d2b8a6f26acf8bd89e7b41713e7359..e7dbcb689220d1cd2585fbde5f26e84f8fa15cc2 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -537,6 +537,7 @@ int main(int argc, const char *argv[])
int opt;
poptContext pc;
int debug_fd = -1;
+ char *opt_logger = NULL;
errno_t ret;
TALLOC_CTX *main_ctx = NULL;
char *cert;
@@ -564,6 +565,7 @@ int main(int argc, const char *argv[])
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
&debug_to_stderr, 0,
_("Send the debug output to stderr directly."), NULL },
+ SSSD_LOGGER_OPTS
{"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL},
{"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in pre-auth mode"), NULL},
{"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL},
@@ -672,6 +674,7 @@ int main(int argc, const char *argv[])
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
}
}
+ sss_set_logger(opt_logger);
DEBUG(SSSDBG_TRACE_FUNC, "p11_child started.\n");
diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
index 8e5e062547721567cb450f9d0f72f1ec8cb99f96..5375cc691e8649c289672b74c4bfe5266c8222c9 100644
--- a/src/providers/ad/ad_gpo_child.c
+++ b/src/providers/ad/ad_gpo_child.c
@@ -687,6 +687,7 @@ main(int argc, const char *argv[])
int opt;
poptContext pc;
int debug_fd = -1;
+ char *opt_logger = NULL;
errno_t ret;
int sysvol_gpt_version;
int result;
@@ -710,6 +711,7 @@ main(int argc, const char *argv[])
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
&debug_to_stderr, 0,
_("Send the debug output to stderr directly."), NULL },
+ SSSD_LOGGER_OPTS
POPT_TABLEEND
};
@@ -744,6 +746,8 @@ main(int argc, const char *argv[])
}
}
+ sss_set_logger(opt_logger);
+
DEBUG(SSSDBG_TRACE_FUNC, "gpo_child started.\n");
main_ctx = talloc_new(NULL);
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 2e55dc4e3fe9ba1aa8c1c51c426efee00b9ae91d..56ddac112a209b6937313d3d3c94a73d2067331f 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -537,6 +537,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
char *be_domain = NULL;
char *srv_name = NULL;
struct main_context *main_ctx;
@@ -548,6 +549,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
{"domain", 0, POPT_ARG_STRING, &be_domain, 0,
_("Domain of the information provider (mandatory)"), NULL },
@@ -582,6 +584,8 @@ int main(int argc, const char *argv[])
debug_log_file = talloc_asprintf(NULL, "sssd_%s", be_domain);
if (!debug_log_file) return 2;
+ sss_set_logger(opt_logger);
+
srv_name = talloc_asprintf(NULL, "sssd[be[%s]]", be_domain);
if (!srv_name) return 2;
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 073475094ee491bd5453898c6ba65214fa14fe59..120492686963241b7e419413f489cc38953e32f2 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -206,6 +206,7 @@ int main(int argc, const char *argv[])
struct response *resp = NULL;
ssize_t written;
bool needs_update;
+ char *opt_logger = NULL;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -220,6 +221,7 @@ int main(int argc, const char *argv[])
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
&debug_to_stderr, 0,
_("Send the debug output to stderr directly."), NULL },
+ SSSD_LOGGER_OPTS
POPT_TABLEEND
};
@@ -254,6 +256,8 @@ int main(int argc, const char *argv[])
}
}
+ sss_set_logger(opt_logger);
+
DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n");
DEBUG(SSSDBG_TRACE_INTERNAL,
"Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index b8ee497728b4b70fae89e528172e9d5bd42239c0..b44f3a20f1c0725304a37620d36f8872cf9ca5d7 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -3020,6 +3020,7 @@ int main(int argc, const char *argv[])
int opt;
poptContext pc;
int debug_fd = -1;
+ char *opt_logger = NULL;
errno_t ret;
krb5_error_code kerr;
uid_t fast_uid;
@@ -3039,6 +3040,7 @@ int main(int argc, const char *argv[])
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
&debug_to_stderr, 0,
_("Send the debug output to stderr directly."), NULL },
+ SSSD_LOGGER_OPTS
{CHILD_OPT_FAST_CCACHE_UID, 0, POPT_ARG_INT, &fast_uid, 0,
_("The user to create FAST ccache as"), NULL},
{CHILD_OPT_FAST_CCACHE_GID, 0, POPT_ARG_INT, &fast_gid, 0,
@@ -3097,6 +3099,8 @@ int main(int argc, const char *argv[])
}
}
+ sss_set_logger(opt_logger);
+
DEBUG(SSSDBG_TRACE_FUNC, "krb5_child started.\n");
kr = talloc_zero(NULL, struct krb5_req);
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index b796e5cae01517c85c2fc1605b1e5877454691dc..baeed239db5dc7ffa482edcbc155f25f718c8249 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -599,6 +599,7 @@ int main(int argc, const char *argv[])
int kerr;
int opt;
int debug_fd = -1;
+ char *opt_logger = NULL;
poptContext pc;
TALLOC_CTX *main_ctx = NULL;
uint8_t *buf = NULL;
@@ -622,6 +623,7 @@ int main(int argc, const char *argv[])
_("An open file descriptor for the debug logs"), NULL},
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \
_("Send the debug output to stderr directly."), NULL }, \
+ SSSD_LOGGER_OPTS
POPT_TABLEEND
};
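Review bot: the trailing backslashes on the `--debug-to-stderr` entry (`... &debug_to_stderr, 0, \` and `_("Send the debug output to stderr directly."), NULL }, \`) are stray line continuations copied from the SSSD_DEBUG_OPTS macro in debug.h; they are harmless inside a plain array initializer but misleading, and since this table is being touched to add `SSSD_LOGGER_OPTS` it is a good moment to drop them (the same copy lives in src/tests/cmocka/dummy_child.c below).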
@@ -657,6 +659,8 @@ int main(int argc, const char *argv[])
}
}
+ sss_set_logger(opt_logger);
+
BlockSignals(false, SIGTERM);
CatchSignal(SIGTERM, sig_term_handler);
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index a05586e60b6ef894b0fcf1b8b3f30fdbf51a808d..665a29cf779290b8d35973245a36a1b5224bca78 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -178,9 +178,9 @@ static struct tevent_req *proxy_child_init_send(TALLOC_CTX *mem_ctx,
state->command = talloc_asprintf(req,
"%s/proxy_child -d %#.4x --debug-timestamps=%d "
- "--debug-microseconds=%d%s --domain %s --id %d",
+ "--debug-microseconds=%d --logger=%s --domain %s --id %d",
SSSD_LIBEXEC_PATH, debug_level, debug_timestamps,
- debug_microseconds, (debug_to_file ? " --debug-to-files" : ""),
+ debug_microseconds, sss_logger_str[sss_logger],
auth_ctx->be->domain->name,
child_ctx->id);
if (state->command == NULL) {
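Review bot: the fallback the removed conditional provided is gone: `sss_logger_str[sss_logger]` is now indexed unconditionally when the proxy_child command line is built, whereas `(debug_to_file ? " --debug-to-files" : "")` tolerated an unset state. Please confirm that `sss_logger` is always initialised to a valid index before `proxy_child_init_send` runs, for instance by the `sss_set_logger(opt_logger)` call added in the backend's main(), so that a NULL or out-of-range default cannot turn into an out-of-bounds read here.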
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index be58622eb8b26231eeb6699976d51f57dc44de98..ae4855adeb5cc68f1a19003355a5d94f5b1bb378 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
@@ -504,6 +504,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
char *domain = NULL;
char *srv_name = NULL;
char *conf_entry = NULL;
@@ -517,6 +518,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
{"domain", 0, POPT_ARG_STRING, &domain, 0,
_("Domain of the information provider (mandatory)"), NULL },
@@ -561,6 +563,8 @@ int main(int argc, const char *argv[])
debug_log_file = talloc_asprintf(NULL, "proxy_child_%s", domain);
if (!debug_log_file) return 2;
+ sss_set_logger(opt_logger);
+
srv_name = talloc_asprintf(NULL, "sssd[proxy_child[%s]]", domain);
if (!srv_name) return 2;
diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
index cfb2233fdfc346bf27b128ee8c4261f4c73e3470..b0762a2b685a7c5ab3abfa281f0906ad8bfe1c88 100644
--- a/src/responder/autofs/autofssrv.c
+++ b/src/responder/autofs/autofssrv.c
@@ -185,6 +185,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -193,6 +194,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
SSSD_RESPONDER_OPTS
POPT_TABLEEND
@@ -221,6 +223,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_autofs";
+ sss_set_logger(opt_logger);
+
ret = server_setup("sssd[autofs]", 0, uid, gid,
CONFDB_AUTOFS_CONF_ENTRY, &main_ctx);
if (ret != EOK) {
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
index 0dc61a42200cc79fc6f12515a8f581ad0201a043..85dfbacc217e2870dd7517e36a1d39e7f2054a8b 100644
--- a/src/responder/ifp/ifpsrv.c
+++ b/src/responder/ifp/ifpsrv.c
@@ -355,6 +355,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -363,6 +364,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
SSSD_RESPONDER_OPTS
POPT_TABLEEND
@@ -391,6 +393,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_ifp";
+ sss_set_logger(opt_logger);
+
ret = server_setup("sssd[ifp]", 0, 0, 0,
CONFDB_IFP_CONF_ENTRY, &main_ctx);
if (ret != EOK) return 2;
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 2202f96381a2622a2c5433e281172287b325f960..358fcc18165dec7b41a7389a3ef22660ac04b4a8 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -258,6 +258,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -266,6 +267,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
POPT_TABLEEND
};
@@ -293,6 +295,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_kcm";
+ sss_set_logger(opt_logger);
+
ret = server_setup("sssd[kcm]", 0, uid, gid, CONFDB_KCM_CONF_ENTRY,
&main_ctx);
if (ret != EOK) return 2;
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index d67b9fac8d770d113560e41b259e2d5edd219343..1559c314e5353d41c61c83ecc712311ac18a7202 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -405,6 +405,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -413,6 +414,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
SSSD_RESPONDER_OPTS
POPT_TABLEEND
@@ -441,6 +443,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_nss";
+ sss_set_logger(opt_logger);
+
ret = server_setup("sssd[nss]", 0, uid, gid, CONFDB_NSS_CONF_ENTRY,
&main_ctx);
if (ret != EOK) return 2;
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
index 1f820c07f5c55fe8df75cce05b403c41075d9f94..b72e5c8d2a42bc85f0974dcb81a1290d3f740986 100644
--- a/src/responder/pac/pacsrv.c
+++ b/src/responder/pac/pacsrv.c
@@ -209,6 +209,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -217,6 +218,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
SSSD_RESPONDER_OPTS
POPT_TABLEEND
@@ -245,6 +247,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_pac";
+ sss_set_logger(opt_logger);
+
ret = server_setup("sssd[pac]", 0, uid, gid,
CONFDB_PAC_CONF_ENTRY, &main_ctx);
if (ret != EOK) return 2;
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 79470823d18138da6ef9235e6336a3220ead1797..cc0e4bddcdbecfadabea78a6d2815d0ac6d651b6 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -355,6 +355,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -365,6 +366,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
SSSD_RESPONDER_OPTS
POPT_TABLEEND
@@ -393,6 +395,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_pam";
+ sss_set_logger(opt_logger);
+
if (!is_socket_activated()) {
/* Crate pipe file descriptors here before privileges are dropped
* in server_setup() */
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 2b661b165ef0c174557f53012b2dbaa236a6e359..59c0f3a56040a6fc0c092247fbd124a069f97153 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -324,6 +324,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -332,6 +333,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
POPT_TABLEEND
};
@@ -359,6 +361,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_secrets";
+ sss_set_logger(opt_logger);
+
ret = server_setup("sssd[secrets]", 0, uid, gid, CONFDB_SEC_CONF_ENTRY,
&main_ctx);
if (ret != EOK) return 2;
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
index 440f0e2b9dc06e3dc52ff96d7207b8a3727865c0..8b0e7cc2d71044d7ab3bd2439041f678ddedb4cd 100644
--- a/src/responder/ssh/sshsrv.c
+++ b/src/responder/ssh/sshsrv.c
@@ -177,6 +177,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -185,6 +186,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
SSSD_RESPONDER_OPTS
POPT_TABLEEND
@@ -213,6 +215,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_ssh";
+ sss_set_logger(opt_logger);
+
ret = server_setup("sssd[ssh]", 0, uid, gid,
CONFDB_SSH_CONF_ENTRY, &main_ctx);
if (ret != EOK) {
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index dca70ea4afc0e6df6d1b1864338c7b1091a98fee..19058321a25022d7704556ec0ef79729db3ac1f2 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -178,6 +178,7 @@ int main(int argc, const char *argv[])
{
int opt;
poptContext pc;
+ char *opt_logger = NULL;
struct main_context *main_ctx;
int ret;
uid_t uid;
@@ -186,6 +187,7 @@ int main(int argc, const char *argv[])
struct poptOption long_options[] = {
POPT_AUTOHELP
SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
SSSD_SERVER_OPTS(uid, gid)
SSSD_RESPONDER_OPTS
POPT_TABLEEND
@@ -214,6 +216,8 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_sudo";
+ sss_set_logger(opt_logger);
+
ret = server_setup("sssd[sudo]", 0, uid, gid, CONFDB_SUDO_CONF_ENTRY,
&main_ctx);
if (ret != EOK) {
diff --git a/src/tests/cmocka/dummy_child.c b/src/tests/cmocka/dummy_child.c
index bcaa9455037a0604422750bf7cc719a25cef4a99..811cb40490c89c4250401e0d8d3e9d1c277f57af 100644
--- a/src/tests/cmocka/dummy_child.c
+++ b/src/tests/cmocka/dummy_child.c
@@ -34,6 +34,7 @@ int main(int argc, const char *argv[])
{
int opt;
int debug_fd = -1;
+ char *opt_logger = NULL;
poptContext pc;
ssize_t len;
ssize_t written;
@@ -55,6 +56,7 @@ int main(int argc, const char *argv[])
_("An open file descriptor for the debug logs"), NULL},
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \
_("Send the debug output to stderr directly."), NULL },
+ SSSD_LOGGER_OPTS
{"guitar", 0, POPT_ARG_STRING, &guitar, 0, _("Who plays guitar"), NULL },
{"drums", 0, POPT_ARG_STRING, &drums, 0, _("Who plays drums"), NULL },
POPT_TABLEEND
@@ -76,6 +78,8 @@ int main(int argc, const char *argv[])
}
poptFreeContext(pc);
+ sss_set_logger(opt_logger);
+
action = getenv("TEST_CHILD_ACTION");
if (action) {
if (strcasecmp(action, "check_extra_args") == 0) {
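Review bot: `sss_set_logger(opt_logger);` is placed after `poptFreeContext(pc);` in this hunk, while the other children in this patch (krb5_child, ldap_child, selinux_child) call it directly after the option loop; confirm that the string popt stored in `opt_logger` is still valid once the context has been freed, or move the call above `poptFreeContext(pc);` to match the others.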
diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c
index d904d7eb8b5418608023faca0d62067f3106d23b..1446ec0474ab4bf72e66b58831fef59defd7be76 100644
--- a/src/tests/debug-tests.c
+++ b/src/tests/debug-tests.c
@@ -343,6 +343,7 @@ START_TEST(test_debug_is_set_single_no_timestamp)
debug_microseconds = 0;
debug_to_file = 1;
debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
for (i = 0; i <= 9; i++) {
debug_level = levels[i];
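Review bot: the tests now select the destination through `sss_set_logger(sss_logger_str[FILES_LOGGER]);` but also keep `debug_to_file = 1;`; with src/util/debug.c switched to keying off `sss_logger` (the `sss_vdebug_fn` and `rotate_debug_files` hunks below), the two flags can drift apart, so consider dropping the `debug_to_file` assignment in these tests so they exercise only the path the code now uses. Minor style point: this hunk and the `test_debug_is_notset_timestamp_microseconds` hunk add no blank line after the call while the other four do.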
@@ -385,6 +386,8 @@ START_TEST(test_debug_is_set_single_timestamp)
debug_microseconds = 0;
debug_to_file = 1;
debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
for (i = 0; i <= 9; i++) {
debug_level = levels[i];
@@ -432,6 +435,8 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
debug_microseconds = 1;
debug_to_file = 1;
debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
for (i = 0; i <= 9; i++) {
debug_level = levels[i];
@@ -480,6 +485,8 @@ START_TEST(test_debug_is_notset_no_timestamp)
debug_microseconds = 0;
debug_to_file = 1;
debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
for (i = 0; i <= 9; i++) {
debug_level = all_set & ~levels[i];
@@ -525,6 +532,8 @@ START_TEST(test_debug_is_notset_timestamp)
debug_microseconds = 0;
debug_to_file = 1;
debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
for (i = 0; i <= 9; i++) {
debug_level = all_set & ~levels[i];
@@ -570,6 +579,7 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
debug_microseconds = 1;
debug_to_file = 1;
debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
for (i = 0; i <= 9; i++) {
debug_level = all_set & ~levels[i];
diff --git a/src/util/child_common.c b/src/util/child_common.c
index b300d84bf432608db96de36e04637b5fb115212e..dc070f26446305e07cbb34edd1e4d72db72aedc5 100644
--- a/src/util/child_common.c
+++ b/src/util/child_common.c
@@ -676,7 +676,7 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx,
}
if (child_debug_stderr) {
- argv[--argc] = talloc_strdup(argv, "--debug-to-stderr");
+ argv[--argc] = talloc_strdup(argv, "--logger=stderr");
if (argv[argc] == NULL) {
ret = ENOMEM;
goto fail;
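Review bot: only the stderr case is translated to the new option (`argv[--argc] = talloc_strdup(argv, "--logger=stderr");`); when `child_debug_stderr` is false the child receives no `--logger` argument at all, so its `opt_logger` stays at the `char *opt_logger = NULL;` default declared in each child above and the destination depends on what `sss_set_logger(NULL)` selects. If the parent itself runs with `--logger=journald`, the child should probably inherit that; consider always appending `--logger=` with `sss_logger_str[sss_logger]` here, as the proxy_auth.c hunk now does.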
diff --git a/src/util/debug.c b/src/util/debug.c
index 4e469447e5ab8aa89cd57bcd6d00269875a12bc6..30801fce7c27b115d1cafd4ed826a57c7d444a72 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -277,7 +277,7 @@ void sss_vdebug_fn(const char *file,
errno_t ret;
va_list ap_fallback;
- if (!debug_file && !debug_to_stderr) {
+ if (sss_logger == JOURNALD_LOGGER) {
/* If we are not outputting logs to files, we should be sending them
* to journald.
* NOTE: on modern systems, this is where stdout/stderr will end up
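Review bot: the journald branch no longer consults `debug_to_stderr` (`if (sss_logger == JOURNALD_LOGGER) {` replaces `if (!debug_file && !debug_to_stderr) {`), yet the hidden `--debug-to-stderr` option is still accepted by selinux_child, krb5_child and ldap_child above and by SSSD_DEBUG_OPTS in debug.h; unless setting that flag also updates `sss_logger`, a caller passing it is now routed by whatever `sss_logger` defaults to instead of to stderr. Please confirm that mapping, and update the comment that follows the condition, which still explains the decision as "not outputting logs to files" although stderr is now its own logger.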
@@ -470,7 +470,7 @@ int rotate_debug_files(void)
int ret;
errno_t error;
- if (!debug_to_file) return EOK;
+ if (sss_logger != FILES_LOGGER) return EOK;
do {
error = 0;
diff --git a/src/util/server.c b/src/util/server.c
index 4e65cc66c01ba020b13a88df8e017765ac97f76e..f76cb6a0838324d4fc3ed376eb425fee2412a817 100644
--- a/src/util/server.c
+++ b/src/util/server.c
@@ -455,7 +455,7 @@ int server_setup(const char *name, int flags,
char *conf_db;
int ret = EOK;
bool dt;
- bool dl;
+ bool dl = false;
bool dm;
struct tevent_signal *tes;
struct logrotate_ctx *lctx;
@@ -637,16 +637,18 @@ int server_setup(const char *name, int flags,
}
/* same for debug to file */
- dl = (debug_to_file != 0);
ret = confdb_get_bool(ctx->confdb_ctx, conf_entry,
CONFDB_SERVICE_DEBUG_TO_FILES,
- dl, &dl);
+ false, &dl);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n",
ret, strerror(ret));
return ret;
}
- if (dl) debug_to_file = 1;
+ if (dl) {
+ debug_to_file = 1;
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+ }
/* before opening the log file set up log rotation */
lctx = talloc_zero(ctx, struct logrotate_ctx);
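Review bot: a possible regression for the deprecated `-f/--debug-to-files` flag: it still sets only `debug_to_file` (see the debug.h hunk in PATCH 21/79 below), but this hunk drops `debug_to_file` as the confdb default (`- dl, &dl);` becomes `+ false, &dl);`) and the next hunk opens the log file only when `sss_logger == FILES_LOGGER`. Unless the option parser maps `debug_to_file` to `sss_set_logger(...)` somewhere not shown here, a service started with `-f` and without `--logger=files` no longer gets a log file. Consider `if (dl || debug_to_file) {` in front of the `sss_set_logger(sss_logger_str[FILES_LOGGER]);` call, or point to where the mapping happens.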
@@ -662,7 +664,7 @@ int server_setup(const char *name, int flags,
}
/* open log file if told so */
- if (debug_to_file) {
+ if (sss_logger == FILES_LOGGER) {
ret = open_debug_file();
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) "
--
2.15.1


@ -0,0 +1,258 @@
From e2c0eecb49af621de77426cb46fff9bbb9a3f220 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 23 Oct 2017 18:03:46 +0200
Subject: [PATCH 19/79] SYSTEMD: Replace parameter --debug-to-files with
${DEBUG_LOGGER}
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Users can set variable DEBUG_LOGGER in environment files
(/etc/sysconfig/sssd or /etc/default/sssd; depending on the distribution)
to override default logging to files.
e.g.
DEBUG_LOGGER=--logger=stderr
DEBUG_LOGGER=--logger=journald
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
Makefile.am | 12 +-----------
contrib/sssd.spec.in | 4 ----
src/sysv/systemd/journal.conf.in | 7 -------
src/sysv/systemd/sssd-autofs.service.in | 3 ++-
src/sysv/systemd/sssd-ifp.service.in | 3 ++-
src/sysv/systemd/sssd-kcm.service.in | 3 ++-
src/sysv/systemd/sssd-nss.service.in | 3 ++-
src/sysv/systemd/sssd-pac.service.in | 3 ++-
src/sysv/systemd/sssd-pam.service.in | 3 ++-
src/sysv/systemd/sssd-secrets.service.in | 3 ++-
src/sysv/systemd/sssd-ssh.service.in | 3 ++-
src/sysv/systemd/sssd-sudo.service.in | 3 ++-
src/sysv/systemd/sssd.service.in | 3 ++-
13 files changed, 21 insertions(+), 32 deletions(-)
delete mode 100644 src/sysv/systemd/journal.conf.in
diff --git a/Makefile.am b/Makefile.am
index 41a8f32f4e76fdcbd09ad833161f0bdada19e389..5483375167d99568e8313c9a0488900419be6ec3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -91,7 +91,7 @@ sssdkcmdatadir = $(datadir)/sssd-kcm
deskprofilepath = $(sss_statedir)/deskprofile
if HAVE_SYSTEMD_UNIT
-ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --debug-to-files --dbus-activated
+ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated
ifp_systemdservice = SystemdService=sssd-ifp.service
ifp_restart = Restart=on-failure
else
@@ -4483,10 +4483,6 @@ if BUILD_KCM
src/sysv/systemd/sssd-kcm.service \
$(NULL)
endif
-if WITH_JOURNALD
- systemdconf_DATA += \
- src/sysv/systemd/journal.conf
-endif
else
if HAVE_SUSE
init_SCRIPTS += \
@@ -4535,7 +4531,6 @@ replace_script = \
EXTRA_DIST += \
src/sysv/systemd/sssd.service.in \
- src/sysv/systemd/journal.conf.in \
src/sysv/systemd/sssd-nss.socket.in \
src/sysv/systemd/sssd-nss.service.in \
src/sysv/systemd/sssd-pam.socket.in \
@@ -4585,10 +4580,6 @@ src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
@$(MKDIR_P) src/sysv/systemd/
$(replace_script)
-src/sysv/systemd/journal.conf: src/sysv/systemd/journal.conf.in Makefile
- @$(MKDIR_P) src/sysv/systemd/
- $(replace_script)
-
src/sysv/systemd/sssd-nss.socket: src/sysv/systemd/sssd-nss.socket.in Makefile
@$(MKDIR_P) src/sysv/systemd/
$(replace_script)
@@ -4924,7 +4915,6 @@ endif
rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service
rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket
rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service
- rm -f $(builddir)/src/sysv/systemd/journal.conf
rm -f $(builddir)/src/tools/wrappers/sss_debuglevel
CLEANFILES += *.X */*.X */*/*.X
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index d6ab73e60863316cbf239d34242959fdfe8d4b1b..4aafd1832b67161ff1c25a4e9ad689586a227a25 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -971,10 +971,6 @@ done
%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd
%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d
%ghost %attr(0600,sssd,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
-%if (0%{?use_systemd} == 1)
-%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/sssd.service.d
-%config(noreplace) %{_sysconfdir}/systemd/system/sssd.service.d/journal.conf
-%endif
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%dir %{_sysconfdir}/rwtab.d
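Review bot: the removed `%config(noreplace)` entry for `%{_sysconfdir}/systemd/system/sssd.service.d/journal.conf` deserves an upgrade note: a locally edited copy of that drop-in with its `ExecStart=` override uncommented (`#ExecStart=` / `#ExecStart=@sbindir@/sssd -i` in the deleted journal.conf.in below) may survive the upgrade and would replace the new unit's `ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}`, silently discarding the `${DEBUG_LOGGER}` argument. Consider documenting this in the changelog or handling the stale drop-in in a scriptlet.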
diff --git a/src/sysv/systemd/journal.conf.in b/src/sysv/systemd/journal.conf.in
deleted file mode 100644
index 9ce170b4893629792516aab41573adea1fb741f0..0000000000000000000000000000000000000000
--- a/src/sysv/systemd/journal.conf.in
+++ /dev/null
@@ -1,7 +0,0 @@
-[Service]
-# Uncomment *both* of the following lines to enable debug logging
-# to go to journald instead of /var/log/sssd. You will need to
-# run 'systemctl daemon-reload' and then restart the SSSD service
-# for this to take effect
-#ExecStart=
-#ExecStart=@sbindir@/sssd -i
diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
index 32ea6e19ca7f9aa65599c0cf296a8c5e73362271..c2dc254c8f3f56cb6ae4dc481781688aa702b102 100644
--- a/src/sysv/systemd/sssd-autofs.service.in
+++ b/src/sysv/systemd/sssd-autofs.service.in
@@ -9,8 +9,9 @@ RefuseManualStart=true
Also=sssd-autofs.socket
[Service]
+Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log
-ExecStart=@libexecdir@/sssd/sssd_autofs --debug-to-files --socket-activated
+ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
index 8e7abdb0e8c5ec83f9423c688daf845a16c57e7e..05a9a602b2d27c54a4faa79c58e0ecba90267100 100644
--- a/src/sysv/systemd/sssd-ifp.service.in
+++ b/src/sysv/systemd/sssd-ifp.service.in
@@ -5,7 +5,8 @@ After=sssd.service
BindsTo=sssd.service
[Service]
+Environment=DEBUG_LOGGER=--logger=files
Type=dbus
BusName=org.freedesktop.sssd.infopipe
-ExecStart=@ifp_exec_cmd@
+ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
@ifp_restart@
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 1e2bee12dc3bedd17d41b86f91c9b2b52d985c40..92306f97ec73a775739bfdb4454df14956e5e133 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -6,4 +6,5 @@ Documentation=man:sssd-kcm(5)
Also=sssd-kcm.socket
[Service]
-ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 --debug-to-files
+Environment=DEBUG_LOGGER=--logger=files
+ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
index 6a29078d5a36dff229e47bf7ce953e46443ce023..fe771ad0fa99968bb1d42037abf2f960271589b1 100644
--- a/src/sysv/systemd/sssd-nss.service.in
+++ b/src/sysv/systemd/sssd-nss.service.in
@@ -9,5 +9,6 @@ RefuseManualStart=true
Also=sssd-nss.socket
[Service]
-ExecStart=@libexecdir@/sssd/sssd_nss --debug-to-files --socket-activated
+Environment=DEBUG_LOGGER=--logger=files
+ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
index ffbfdec030ba6d5cf75c989854c27bc46b6983a5..dbd25abc476f579c9d8cce171fdeafa06e567610 100644
--- a/src/sysv/systemd/sssd-pac.service.in
+++ b/src/sysv/systemd/sssd-pac.service.in
@@ -9,8 +9,9 @@ RefuseManualStart=true
Also=sssd-pac.socket
[Service]
+Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log
-ExecStart=@libexecdir@/sssd/sssd_pac --debug-to-files --socket-activated
+ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
index 6dec46f0c5d384c500268dafcd00af894088e0b6..df722d1f3014bf62cc60114c30331424d14f411b 100644
--- a/src/sysv/systemd/sssd-pam.service.in
+++ b/src/sysv/systemd/sssd-pam.service.in
@@ -9,8 +9,9 @@ RefuseManualStart=true
Also=sssd-pam.socket sssd-pam-priv.socket
[Service]
+Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log
-ExecStart=@libexecdir@/sssd/sssd_pam --debug-to-files --socket-activated
+ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-secrets.service.in b/src/sysv/systemd/sssd-secrets.service.in
index f45d647677a62900c01c7eb103597f2b1387498c..a7b41e0b16a5fa882546b41047e616fd2140329f 100644
--- a/src/sysv/systemd/sssd-secrets.service.in
+++ b/src/sysv/systemd/sssd-secrets.service.in
@@ -6,4 +6,5 @@ Documentation=man:sssd-secrets(5)
Also=sssd-secrets.socket
[Service]
-ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 --debug-to-files
+Environment=DEBUG_LOGGER=--logger=files
+ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in
index 6f233b4854018d79cc0ad9d67d53ebd67a49f7b7..f41249ea0fe19e5044d5d06ba195ab604d8e6a29 100644
--- a/src/sysv/systemd/sssd-ssh.service.in
+++ b/src/sysv/systemd/sssd-ssh.service.in
@@ -9,8 +9,9 @@ RefuseManualStart=true
Also=sssd-ssh.socket
[Service]
+Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log
-ExecStart=@libexecdir@/sssd/sssd_ssh --debug-to-files --socket-activated
+ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
index b59bcbcd817c3986d7ee245b1083f90ff5a3775a..da022f768af91e360182fad0ff885fad43ecfdc0 100644
--- a/src/sysv/systemd/sssd-sudo.service.in
+++ b/src/sysv/systemd/sssd-sudo.service.in
@@ -9,8 +9,9 @@ RefuseManualStart=true
Also=sssd-sudo.socket
[Service]
+Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
-ExecStart=@libexecdir@/sssd/sssd_sudo --debug-to-files --socket-activated
+ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
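Review bot: `${DEBUG_LOGGER}` is missing from the new ExecStart line (`+ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated`) even though `Environment=DEBUG_LOGGER=--logger=files` is added a few lines above; every other responder unit in this patch appends `${DEBUG_LOGGER}`, so sssd_sudo would start with no logger option and the variable is dead for this unit. Add `${DEBUG_LOGGER}` between the binary and `--socket-activated`, as in the sssd-ssh unit just above.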
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 05cfd3705084dbff8b46fb07e736612612c58b70..cea848fac80303d6fae12dd84316a91dbc60072d 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -5,8 +5,9 @@ Before=systemd-user-sessions.service nss-user-lookup.target
Wants=nss-user-lookup.target
[Service]
+Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
-ExecStart=@sbindir@/sssd -i -f
+ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
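Review bot: the braced form `${DEBUG_LOGGER}` expands to exactly one argument in systemd, so a value such as `--logger=stderr -d 6` placed in `@environment_file@` would reach sssd as a single word and be rejected by the option parser; the commit message's examples are single options, but this should be stated in the documentation for the environment file, or `$DEBUG_LOGGER` (unbraced, word-split) used if multiple options are meant to be allowed. The ordering here is right: `Environment=` precedes `EnvironmentFile=-@environment_file@`, so the file can override the built-in default.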
--
2.15.1


@ -0,0 +1,106 @@
From 536c8687921a0afe072bf81fca0bbb618a4c92fc Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 24 Oct 2017 12:15:48 +0200
Subject: [PATCH 20/79] SYSTEMD: Add environment file to responder service
files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/sysv/systemd/sssd-autofs.service.in | 1 +
src/sysv/systemd/sssd-ifp.service.in | 1 +
src/sysv/systemd/sssd-nss.service.in | 1 +
src/sysv/systemd/sssd-pac.service.in | 1 +
src/sysv/systemd/sssd-pam.service.in | 1 +
src/sysv/systemd/sssd-ssh.service.in | 1 +
src/sysv/systemd/sssd-sudo.service.in | 1 +
7 files changed, 7 insertions(+)
diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
index c2dc254c8f3f56cb6ae4dc481781688aa702b102..7f920ad66a46bb0785c3f947bc26c15d0e370259 100644
--- a/src/sysv/systemd/sssd-autofs.service.in
+++ b/src/sysv/systemd/sssd-autofs.service.in
@@ -10,6 +10,7 @@ Also=sssd-autofs.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log
ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
index 05a9a602b2d27c54a4faa79c58e0ecba90267100..f3bf92223ce8847858f57c2bb04b97c858be0ead 100644
--- a/src/sysv/systemd/sssd-ifp.service.in
+++ b/src/sysv/systemd/sssd-ifp.service.in
@@ -6,6 +6,7 @@ BindsTo=sssd.service
[Service]
Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
Type=dbus
BusName=org.freedesktop.sssd.infopipe
ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
index fe771ad0fa99968bb1d42037abf2f960271589b1..c671280f2c8a7f85fd09a72983a21db0c30df3b9 100644
--- a/src/sysv/systemd/sssd-nss.service.in
+++ b/src/sysv/systemd/sssd-nss.service.in
@@ -10,5 +10,6 @@ Also=sssd-nss.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
index dbd25abc476f579c9d8cce171fdeafa06e567610..590449b01223fe799eebb12b63229dfb8f2438f9 100644
--- a/src/sysv/systemd/sssd-pac.service.in
+++ b/src/sysv/systemd/sssd-pac.service.in
@@ -10,6 +10,7 @@ Also=sssd-pac.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log
ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
index df722d1f3014bf62cc60114c30331424d14f411b..f2e938579c7ef4254bb2e05231bfe83d7e20f395 100644
--- a/src/sysv/systemd/sssd-pam.service.in
+++ b/src/sysv/systemd/sssd-pam.service.in
@@ -10,6 +10,7 @@ Also=sssd-pam.socket sssd-pam-priv.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log
ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in
index f41249ea0fe19e5044d5d06ba195ab604d8e6a29..1c185466dfa8c13804cc980bbbdbc997d4ebe955 100644
--- a/src/sysv/systemd/sssd-ssh.service.in
+++ b/src/sysv/systemd/sssd-ssh.service.in
@@ -10,6 +10,7 @@ Also=sssd-ssh.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log
ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
index da022f768af91e360182fad0ff885fad43ecfdc0..f13d88107eccd9e80447390c9c0f8940ae933106 100644
--- a/src/sysv/systemd/sssd-sudo.service.in
+++ b/src/sysv/systemd/sssd-sudo.service.in
@@ -10,6 +10,7 @@ Also=sssd-sudo.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated
Restart=on-failure
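Review bot: `EnvironmentFile=-@environment_file@` is added, but the ExecStart context line (`ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated`) still lacks `${DEBUG_LOGGER}`, unlike the other six units in this patch; until that is fixed, a DEBUG_LOGGER setting in the environment file has no effect on sssd_sudo.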
--
2.15.1


@ -0,0 +1,46 @@
From d344095ece6000e7641a9c867c8e00335b8d1ab0 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 24 Oct 2017 12:07:46 +0200
Subject: [PATCH 21/79] UTIL: Hide and deprecate parameter --debug-to-files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/man/sssd.8.xml | 4 ++++
src/util/debug.h | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
index 0b725628ff93f48f832140dd5dc15b040a8b179f..f2cbe015b844579af98aebd864770bc651dcf4b1 100644
--- a/src/man/sssd.8.xml
+++ b/src/man/sssd.8.xml
@@ -90,6 +90,10 @@
log files are stored in <filename>/var/log/sssd</filename> and
there are separate log files for every SSSD service and domain.
</para>
+ <para>
+ This option is deprecated. It is replaced by
+ <option>--logger=files</option>.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
diff --git a/src/util/debug.h b/src/util/debug.h
index 4adafb7cfc03f7381c4d03071eb44edad04bee00..09f50cc9f3122f02d8ba2092dfb7ee633332de9b 100644
--- a/src/util/debug.h
+++ b/src/util/debug.h
@@ -101,7 +101,7 @@ int get_fd_from_debug_file(void);
#define SSSD_DEBUG_OPTS \
{"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, \
_("Debug level"), NULL}, \
- {"debug-to-files", 'f', POPT_ARG_NONE, &debug_to_file, 0, \
+ {"debug-to-files", 'f', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_file, 0, \
_("Send the debug output to files instead of stderr"), NULL }, \
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \
_("Send the debug output to stderr directly."), NULL }, \
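Review bot: hiding `--debug-to-files` with `POPT_ARGFLAG_DOC_HIDDEN` removes it from `--help`, but the option is still accepted silently, so existing `command = ... --debug-to-files` configurations keep working without any hint that they rely on a deprecated flag (the man page now only points to `--logger=files`). Consider emitting a one-time deprecation message via DEBUG or sss_log where `debug_to_file` is consumed, so administrators notice before the option is removed.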
--
2.15.1

@ -0,0 +1,212 @@
From eafe5f3e981a951c0ff20807a0486cfa62dcc3ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 25 Oct 2017 11:25:09 +0200
Subject: [PATCH 23/79] LDAP: Bind to the LDAP server also in the auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When dealing with id_provider not being the same as auth_provider, SSSD
has to bind the DN of the user who wants to authenticate with the
ldap_default_bind_dn and the password provided by the user.
In order to do so, the least intrusive way is just to replace the
sdap_connect*() functions by the sdap_cli_connect*() functions in the LDAP
auth module.
This simple change also allowed us to remove some code that is already
executed as part of sdap_cli_connect*(), and some functions had their
names adapted to better reflect their new purpose.
Resolves:
https://pagure.io/SSSD/sssd/issue/3451
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ldap/ldap_auth.c | 114 +++++++++--------------------------------
1 file changed, 25 insertions(+), 89 deletions(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 00ddd889b6294e457c13218491547b84f1468266..a3b1480aae4272d2e10f105a1eaf3a5816c3487c 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -619,14 +619,11 @@ struct auth_state {
char *dn;
enum pwexpire pw_expire_type;
void *pw_expire_data;
-
- struct fo_server *srv;
};
-static struct tevent_req *auth_get_server(struct tevent_req *req);
+static struct tevent_req *auth_connect_send(struct tevent_req *req);
static void auth_get_dn_done(struct tevent_req *subreq);
static void auth_do_bind(struct tevent_req *req);
-static void auth_resolve_done(struct tevent_req *subreq);
static void auth_connect_done(struct tevent_req *subreq);
static void auth_bind_user_done(struct tevent_req *subreq);
@@ -659,7 +656,6 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
state->ctx = ctx;
state->username = username;
state->authtok = authtok;
- state->srv = NULL;
if (try_chpass_service && ctx->chpass_service != NULL &&
ctx->chpass_service->name != NULL) {
state->sdap_service = ctx->chpass_service;
@@ -667,7 +663,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
state->sdap_service = ctx->service;
}
- if (!auth_get_server(req)) goto fail;
+ if (!auth_connect_send(req)) goto fail;
return req;
@@ -676,75 +672,37 @@ fail:
return NULL;
}
-static struct tevent_req *auth_get_server(struct tevent_req *req)
+static struct tevent_req *auth_connect_send(struct tevent_req *req)
{
- struct tevent_req *next_req;
+ struct tevent_req *subreq;
struct auth_state *state = tevent_req_data(req,
struct auth_state);
-
- /* NOTE: this call may cause service->uri to be refreshed
- * with a new valid server. Do not use service->uri before */
- next_req = be_resolve_server_send(state,
- state->ev,
- state->ctx->be,
- state->sdap_service->name,
- state->srv == NULL ? true : false);
- if (!next_req) {
- DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n");
- return NULL;
- }
-
- tevent_req_set_callback(next_req, auth_resolve_done, req);
- return next_req;
-}
-
-static void auth_resolve_done(struct tevent_req *subreq)
-{
- struct tevent_req *req = tevent_req_callback_data(subreq,
- struct tevent_req);
- struct auth_state *state = tevent_req_data(req,
- struct auth_state);
- int ret;
bool use_tls;
- ret = be_resolve_server_recv(subreq, state, &state->srv);
- talloc_zfree(subreq);
- if (ret) {
- /* all servers have been tried and none
- * was found good, go offline */
- tevent_req_error(req, ETIMEDOUT);
- return;
+ /* Check for undocumented debugging feature to disable TLS
+ * for authentication. This should never be used in production
+ * for obvious reasons.
+ */
+ use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
+ if (!use_tls) {
+ sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
+ "insecure connection. This should be done "
+ "for debugging purposes only.");
}
- /* Determine whether we need to use TLS */
- if (sdap_is_secure_uri(state->ctx->service->uri)) {
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "[%s] is a secure channel. No need to run START_TLS\n",
- state->ctx->service->uri);
- use_tls = false;
- } else {
+ subreq = sdap_cli_connect_send(state, state->ev, state->ctx->opts,
+ state->ctx->be,
+ state->sdap_service, false,
+ use_tls ? CON_TLS_ON : CON_TLS_OFF, false);
- /* Check for undocumented debugging feature to disable TLS
- * for authentication. This should never be used in production
- * for obvious reasons.
- */
- use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
- if (!use_tls) {
- sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
- "insecure connection. This should be done "
- "for debugging purposes only.");
- }
- }
-
- subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
- state->sdap_service->uri,
- state->sdap_service->sockaddr, use_tls);
- if (!subreq) {
+ if (subreq == NULL) {
tevent_req_error(req, ENOMEM);
- return;
+ return NULL;
}
tevent_req_set_callback(subreq, auth_connect_done, req);
+
+ return subreq;
}
static void auth_connect_done(struct tevent_req *subreq)
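Review bot: the removed code set `use_tls = false` when `sdap_is_secure_uri(state->ctx->service->uri)` was true (an ldaps:// URI), but the new `auth_connect_send()` always passes `CON_TLS_ON` unless `SDAP_DISABLE_AUTH_TLS` is set. Please confirm that `sdap_cli_connect_send()` treats `CON_TLS_ON` as "require encryption" and does not try START_TLS on an already encrypted ldaps:// connection, otherwise authentication against ldaps:// servers would break. Also, since `auth_connect_send()` is now also the retry path, the `SSS_LOG_ALERT` for the insecure debugging setting will be logged on every reconnect attempt; that is noisy, but arguably appropriate for a setting that sends the user's password over a plaintext connection.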
@@ -755,35 +713,13 @@ static void auth_connect_done(struct tevent_req *subreq)
struct auth_state);
int ret;
- ret = sdap_connect_recv(subreq, state, &state->sh);
+ ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
talloc_zfree(subreq);
- if (ret) {
- if (state->srv) {
- /* mark this server as bad if connection failed */
- be_fo_set_port_status(state->ctx->be,
- state->sdap_service->name,
- state->srv, PORT_NOT_WORKING);
- }
-
- if (auth_get_server(req) == NULL) {
+ if (ret != EOK) {
+ if (auth_connect_send(req) == NULL) {
tevent_req_error(req, ENOMEM);
}
return;
- } else if (state->srv) {
- be_fo_set_port_status(state->ctx->be, state->sdap_service->name,
- state->srv, PORT_WORKING);
- }
-
- /* In case the ID provider is set to proxy, this might be the first
- * LDAP operation at all, so we need to set the connection status
- */
- if (state->sh->connected == false) {
- ret = sdap_set_connected(state->sh, state->ev);
- if (ret) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set connected status\n");
- tevent_req_error(req, ret);
- return;
- }
}
ret = get_user_dn(state, state->ctx->be->domain,
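Review bot: the error path in `auth_connect_done()` now calls `auth_connect_send()` again for every non-EOK result, whereas the removed code had a terminating condition (`be_resolve_server_recv()` failing once all servers were tried, then `tevent_req_error(req, ETIMEDOUT)` to go offline). With this hunk, if `sdap_cli_connect_recv()` keeps failing because every server is unreachable, there is no visible path that ends the retries or puts the backend offline, so offline authentication never kicks in. The failure needs to be classified (all servers tried vs. transient error) and the "no server left" case must propagate ETIMEDOUT as before; PATCH 41 later in this series addresses exactly that.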
@@ -870,7 +806,7 @@ static void auth_bind_user_done(struct tevent_req *subreq)
break;
case ETIMEDOUT:
case ERR_NETWORK_IO:
- if (auth_get_server(req) == NULL) {
+ if (auth_connect_send(req) == NULL) {
tevent_req_error(req, ENOMEM);
}
return;
--
2.15.1

@ -1,7 +1,7 @@
From 53d1459e9b87196b4f6e327f0f5db4d9229bf541 Mon Sep 17 00:00:00 2001
From 6010476f08fb52bfcea9c2b10461b0d53ce0860c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 3 Nov 2017 11:43:18 +0100
Subject: [PATCH] KCM: Fix restart during/after upgrade
Subject: [PATCH 24/79] KCM: Fix restart during/after upgrade
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -51,5 +51,5 @@ index a7b41e0b16a5fa882546b41047e616fd2140329f..a9756acf8a3c71e861b443259c071338
[Install]
Also=sssd-secrets.socket
--
2.14.3
2.15.1

@ -0,0 +1,79 @@
From 6e4b53c819d2cbc0a4e25b9813e24c47ad12febb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 9 Nov 2017 13:24:47 +0100
Subject: [PATCH 35/79] RESP: Add some missing NULL checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/responder/autofs/autofssrv_dp.c | 4 ++++
src/responder/common/responder_dp.c | 4 ++++
src/responder/common/responder_dp_ssh.c | 4 ++++
src/responder/sudo/sudosrv_dp.c | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/src/responder/autofs/autofssrv_dp.c b/src/responder/autofs/autofssrv_dp.c
index a323d83d9deb4e51180da9ff291044f1b9f64f76..bb8c2a42899b163b7727af778e554a5f55ca2d56 100644
--- a/src/responder/autofs/autofssrv_dp.c
+++ b/src/responder/autofs/autofssrv_dp.c
@@ -65,6 +65,10 @@ sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
}
info = talloc_zero(state, struct sss_dp_get_autofs_info);
+ if (info == NULL) {
+ ret = ENOMEM;
+ goto error;
+ }
info->fast_reply = fast_reply;
info->type = type;
info->name = name;
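Review bot: the added `if (info == NULL) { ret = ENOMEM; goto error; }` is the right fix for the unchecked `talloc_zero()`, but please double-check that the `error` label in `sss_dp_get_autofs_send()` (not visible in this hunk) calls `tevent_req_error()` and `tevent_req_post()` on `req` rather than only freeing `state` and returning; a jump to a label that just returns NULL would leak the request and leave the caller without a completion callback. The same applies to the three identical hunks below.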
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index a75a611960801f5f5bdc95f00aea9ab921e8e293..935a36d28d15d1074a0971fe9781474072578b8f 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -536,6 +536,10 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
}
info = talloc_zero(state, struct sss_dp_account_info);
+ if (info == NULL) {
+ ret = ENOMEM;
+ goto error;
+ }
info->fast_reply = fast_reply;
info->type = type;
info->opt_name = opt_name;
diff --git a/src/responder/common/responder_dp_ssh.c b/src/responder/common/responder_dp_ssh.c
index 303ba1568b6230b0d4dfa718e4a7c024ae84d4e9..f78052296f07d3e21d8d4841a58c85fcf178fa1a 100644
--- a/src/responder/common/responder_dp_ssh.c
+++ b/src/responder/common/responder_dp_ssh.c
@@ -64,6 +64,10 @@ sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
}
info = talloc_zero(state, struct sss_dp_get_ssh_host_info);
+ if (info == NULL) {
+ ret = ENOMEM;
+ goto error;
+ }
info->fast_reply = fast_reply;
info->name = name;
info->alias = alias;
diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
index 3a4a79473ff9915b3845643505d63411585aa262..f8ec8abc26d9710a2bccaadc4f807f963fe35f89 100644
--- a/src/responder/sudo/sudosrv_dp.c
+++ b/src/responder/sudo/sudosrv_dp.c
@@ -72,6 +72,10 @@ sss_dp_get_sudoers_send(TALLOC_CTX *mem_ctx,
}
info = talloc_zero(state, struct sss_dp_get_sudoers_info);
+ if (info == NULL) {
+ ret = ENOMEM;
+ goto error;
+ }
info->fast_reply = fast_reply;
info->type = type;
info->name = name;
--
2.15.1

@ -0,0 +1,50 @@
From c514089df0e3c357bb8465bca297806b253569e9 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 7 Nov 2017 17:11:52 +0100
Subject: [PATCH 36/79] BUILD: Properly expand variables in sssd-ifp.service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
systemd[1]: [/usr/lib/systemd/system/sssd-ifp.service:9]
Path '-@environment_file@' is not absolute, ignoring.
sh-4.2# systemctl cat sssd-ifp.service
# /usr/lib/systemd/system/sssd-ifp.service
[Unit]
Description=SSSD IFP Service responder
Documentation=man:sssd-ifp(5)
After=sssd.service
BindsTo=sssd.service
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
Type=dbus
BusName=org.freedesktop.sssd.infopipe
ExecStart=/usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --dbus-activated ${DEBUG_LOGGER}
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 286ba47e3c421864362717be5258de960efca9f2..bbc90d9bad4d22ca0284ea95281a487d42399c05 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1491,7 +1491,7 @@ EXTRA_DIST += \
src/responder/ifp/org.freedesktop.sssd.infopipe.service.in \
$(NULL)
-ifp_edit_cmd = $(SED) \
+ifp_edit_cmd = $(edit_cmd) \
-e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \
-e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \
-e 's|@ifp_restart[@]|$(ifp_restart)|g'
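Review bot: switching `ifp_edit_cmd` from `$(SED)` to `$(edit_cmd)` fixes the symptom quoted in the commit message (`Path '-@environment_file@' is not absolute, ignoring.`), assuming `edit_cmd` carries the generic `@environment_file@` substitution used for the other units. A build-time check that greps the generated unit files for leftover `@...@` placeholders would be a cheap regression test for this class of bug, since systemd ignores such lines instead of failing the unit.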
--
2.15.1

@ -0,0 +1,38 @@
From 8d1779240b4b193ecdc7ff8601def88a95cd7d47 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 8 Nov 2017 14:09:36 +0100
Subject: [PATCH 37/79] SYSTEMD: Clean pid file in corner cases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SSSD can cleanup pid file in case of standard stopping of daemon.
It's done in the function monitor_cleanup. However, the monitor does not have a
chance to clean up the file in case of OOM or when SIGKILL is sent to the monitor.
Even though PIDFile is not necessary for services with Type=notify,
we should let systemd clean this file in unexpected situations.
Resolves:
https://pagure.io/SSSD/sssd/issue/3528
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/sysv/systemd/sssd.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index cea848fac80303d6fae12dd84316a91dbc60072d..0c515d34caaa3ea397c4c7e95eef0188df170840 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -10,6 +10,7 @@ EnvironmentFile=-@environment_file@
ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
+PIDFile=@localstatedir@/run/sssd.pid
[Install]
WantedBy=multi-user.target
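Review bot: `PIDFile=@localstatedir@/run/sssd.pid` expands to `/var/run/sssd.pid` on most installs; newer systemd versions warn that `PIDFile=` references a path below the legacy directory `/var/run` and rewrite it to `/run`. If the build provides a run-state directory variable, prefer that; otherwise this is fine as long as it matches the path the daemon actually writes. Combining `PIDFile=` with `Type=notify` is accepted by systemd and used only for tracking and cleanup, which matches the stated intent.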
--
2.15.1

@ -0,0 +1,197 @@
From 9ff9b0e5f6599d178d374753d7fbc99e7258ca4c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 8 Nov 2017 08:13:02 +0100
Subject: [PATCH 38/79] CHILD: Pass information about logger to children
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The variables debug_to_file and debug_to_stderr were not set,
because the back-end already uses the parameter --logger=%s,
and therefore logs were not sent to files.
It could only work in case of direct usage of --debug-to-files in the back-end via
the command configuration option.
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/p11_child/p11_child_nss.c | 4 +++-
src/providers/ad/ad_gpo_child.c | 3 ++-
src/providers/ipa/selinux_child.c | 3 ++-
src/providers/krb5/krb5_child.c | 3 ++-
src/providers/ldap/ldap_child.c | 3 ++-
src/util/child_common.c | 24 ++++++++++--------------
6 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index e7dbcb689220d1cd2585fbde5f26e84f8fa15cc2..b0ec69be321c4b4186ce851c07bfcc3e1afe9694 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -537,7 +537,7 @@ int main(int argc, const char *argv[])
int opt;
poptContext pc;
int debug_fd = -1;
- char *opt_logger = NULL;
+ const char *opt_logger = NULL;
errno_t ret;
TALLOC_CTX *main_ctx = NULL;
char *cert;
@@ -673,7 +673,9 @@ int main(int argc, const char *argv[])
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
}
+ opt_logger = sss_logger_str[FILES_LOGGER];
}
+
sss_set_logger(opt_logger);
DEBUG(SSSDBG_TRACE_FUNC, "p11_child started.\n");
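Review bot: in the `--debug-fd` branch, `opt_logger = sss_logger_str[FILES_LOGGER];` is assigned after the `if (ret != EOK)` check, so when `set_debug_file_from_fd()` fails the child still calls `sss_set_logger()` with the files logger even though no debug file was installed, and the failure message itself may end up nowhere. Consider setting `opt_logger` only on success, or falling back to the stderr logger on failure. The same pattern is repeated in the ad_gpo_child, selinux_child, krb5_child and ldap_child hunks below.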
diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
index 5375cc691e8649c289672b74c4bfe5266c8222c9..a0bd6e13a31fe0f92924d49302d1b8b17bac4d67 100644
--- a/src/providers/ad/ad_gpo_child.c
+++ b/src/providers/ad/ad_gpo_child.c
@@ -687,7 +687,7 @@ main(int argc, const char *argv[])
int opt;
poptContext pc;
int debug_fd = -1;
- char *opt_logger = NULL;
+ const char *opt_logger = NULL;
errno_t ret;
int sysvol_gpt_version;
int result;
@@ -744,6 +744,7 @@ main(int argc, const char *argv[])
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
}
+ opt_logger = sss_logger_str[FILES_LOGGER];
}
sss_set_logger(opt_logger);
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 120492686963241b7e419413f489cc38953e32f2..a7e20f715626d0f3ecef7cc06f3de5d44b6a15c1 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -206,7 +206,7 @@ int main(int argc, const char *argv[])
struct response *resp = NULL;
ssize_t written;
bool needs_update;
- char *opt_logger = NULL;
+ const char *opt_logger = NULL;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -254,6 +254,7 @@ int main(int argc, const char *argv[])
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
}
+ opt_logger = sss_logger_str[FILES_LOGGER];
}
sss_set_logger(opt_logger);
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index b44f3a20f1c0725304a37620d36f8872cf9ca5d7..7ee6c34eb1f8b78d5a6fd7b6f87996e3c9572d4f 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -3020,7 +3020,7 @@ int main(int argc, const char *argv[])
int opt;
poptContext pc;
int debug_fd = -1;
- char *opt_logger = NULL;
+ const char *opt_logger = NULL;
errno_t ret;
krb5_error_code kerr;
uid_t fast_uid;
@@ -3097,6 +3097,7 @@ int main(int argc, const char *argv[])
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
}
+ opt_logger = sss_logger_str[FILES_LOGGER];
}
sss_set_logger(opt_logger);
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index baeed239db5dc7ffa482edcbc155f25f718c8249..c0618d6d8828f102c32cf56731995e2b370590e7 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -599,7 +599,7 @@ int main(int argc, const char *argv[])
int kerr;
int opt;
int debug_fd = -1;
- char *opt_logger = NULL;
+ const char *opt_logger = NULL;
poptContext pc;
TALLOC_CTX *main_ctx = NULL;
uint8_t *buf = NULL;
@@ -657,6 +657,7 @@ int main(int argc, const char *argv[])
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
}
+ opt_logger = sss_logger_str[FILES_LOGGER];
}
sss_set_logger(opt_logger);
diff --git a/src/util/child_common.c b/src/util/child_common.c
index dc070f26446305e07cbb34edd1e4d72db72aedc5..203c115f9e7c4ecc2178b5660473d4f960fbbb6d 100644
--- a/src/util/child_common.c
+++ b/src/util/child_common.c
@@ -630,14 +630,11 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx,
}
/* Save the current state in case an interrupt changes it */
- bool child_debug_to_file = debug_to_file;
bool child_debug_timestamps = debug_timestamps;
bool child_debug_microseconds = debug_microseconds;
- bool child_debug_stderr = debug_to_stderr;
if (!extra_args_only) {
- if (child_debug_to_file) argc++;
- if (child_debug_stderr) argc++;
+ argc++;
}
if (extra_argv) {
@@ -675,21 +672,20 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx,
goto fail;
}
- if (child_debug_stderr) {
- argv[--argc] = talloc_strdup(argv, "--logger=stderr");
- if (argv[argc] == NULL) {
- ret = ENOMEM;
- goto fail;
- }
- }
-
- if (child_debug_to_file) {
+ if (sss_logger == FILES_LOGGER) {
argv[--argc] = talloc_asprintf(argv, "--debug-fd=%d",
child_debug_fd);
if (argv[argc] == NULL) {
ret = ENOMEM;
goto fail;
}
+ } else {
+ argv[--argc] = talloc_asprintf(argv, "--logger=%s",
+ sss_logger_str[sss_logger]);
+ if (argv[argc] == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
}
argv[--argc] = talloc_asprintf(argv, "--debug-timestamps=%d",
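Review bot: the argc accounting here is consistent with the earlier unconditional `argc++`: exactly one of `--debug-fd=%d` or `--logger=%s` is written, and `argv` is filled backwards from `argc`, so the array size still matches. Two things to verify: `sss_logger` is used as an index into `sss_logger_str[]` without a range check, and because this branch now decides purely on `sss_logger == FILES_LOGGER`, a caller that has not yet run `child_debug_init()` would hand the child `--debug-fd=-1`; the `child_debug_init()` hunk below opens the log file in exactly that `*debug_fd == -1` case, so please make sure it always runs before `prepare_child_argv()`.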
@@ -816,7 +812,7 @@ errno_t child_debug_init(const char *logfile, int *debug_fd)
return EOK;
}
- if (debug_to_file != 0 && *debug_fd == -1) {
+ if (sss_logger == FILES_LOGGER && *debug_fd == -1) {
ret = open_debug_file_ex(logfile, &debug_filep, false);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) [%s]\n",
--
2.15.1

@ -0,0 +1,33 @@
From 6d15db05c0975fed2b18cc52056fa29aedec823c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 7 Nov 2017 09:09:55 +0100
Subject: [PATCH 39/79] TOOLS: Double quote array expansions in sss_debuglevel
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise they're like $* and break on spaces.
This issue has been caught by coverity:
Defect type: SHELLCHECK_WARNING
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tools/wrappers/sss_debuglevel.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/wrappers/sss_debuglevel.in b/src/tools/wrappers/sss_debuglevel.in
index 4deeafff6bf472dbe63578f57bfacee7b774d09f..aa19f790a26c67186123c87675d527f403b06264 100644
--- a/src/tools/wrappers/sss_debuglevel.in
+++ b/src/tools/wrappers/sss_debuglevel.in
@@ -1,4 +1,4 @@
#!/bin/sh
sbindir=@sbindir@
echo "Redirecting to $sbindir/sssctl debug-level" >&2
-$sbindir/sssctl debug-level $@
+$sbindir/sssctl debug-level "$@"
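Review bot: quoting `"$@"` fixes the word-splitting issue, but `$sbindir` on the same line is still unquoted; for the same ShellCheck reason it should be `"$sbindir/sssctl"`, otherwise a prefix containing spaces or glob characters breaks the redirect.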
--
2.15.1

@ -0,0 +1,31 @@
From 58932b42802c93fdfc3eea8cdcdcca4534293941 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 8 Nov 2017 17:59:15 +0100
Subject: [PATCH 40/79] TOOLS: Call "exec" for sss_debuglevel
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This suggestion came from Lukáš Slebodník. The advantage of calling
"exec" is to avoid forking another child of the process.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tools/wrappers/sss_debuglevel.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/wrappers/sss_debuglevel.in b/src/tools/wrappers/sss_debuglevel.in
index aa19f790a26c67186123c87675d527f403b06264..a55afcddc547dfda4ac0a7e22da5f9f9407fe45f 100644
--- a/src/tools/wrappers/sss_debuglevel.in
+++ b/src/tools/wrappers/sss_debuglevel.in
@@ -1,4 +1,4 @@
#!/bin/sh
sbindir=@sbindir@
echo "Redirecting to $sbindir/sssctl debug-level" >&2
-$sbindir/sssctl debug-level "$@"
+exec $sbindir/sssctl debug-level "$@"
--
2.15.1

@ -0,0 +1,57 @@
From 1e50148c7eadeff96b96811ede747399628a06c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 7 Nov 2017 23:34:42 +0100
Subject: [PATCH 41/79] LDAP: Improve error treatment from sdap_cli_connect()
in ldap_auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Because we weren't treating the errors coming from
sdap_cli_connect_recv() properly we ended up introducing a regression in
the commit add72860c7, related to offline authentication.
From now on, let's properly treat errors coming from auth_connect_send(),
which were treated before by going offline when be_resolve_server_recv()
failed, and propagate ETIMEDOUT to the request, thus going offline and
allowing offline authentication on those cases.
Related:
https://pagure.io/SSSD/sssd/issue/3451
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ldap/ldap_auth.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index a3b1480aae4272d2e10f105a1eaf3a5816c3487c..2e0e2cfd6f8af2bf0c9ad15bd956a55a34777a3c 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -716,8 +716,20 @@ static void auth_connect_done(struct tevent_req *subreq)
ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
talloc_zfree(subreq);
if (ret != EOK) {
- if (auth_connect_send(req) == NULL) {
- tevent_req_error(req, ENOMEM);
+ /* As sdap_cli_connect_recv() returns EIO in case all the servers are
+ * down and we have to go offline, let's treat it accordingly here and
+ * allow the PAM responder to with to offline authentication.
+ *
+ * Unfortunately, there's not much pattern within our code and the way
+ * to indicate we're going down in this part of the code is returning
+ * an ETIMEDOUT.
+ */
+ if (ret == EIO) {
+ tevent_req_error(req, ETIMEDOUT);
+ } else {
+ if (auth_connect_send(req) == NULL) {
+ tevent_req_error(req, ENOMEM);
+ }
}
return;
}
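Review bot: treating only `EIO` from `sdap_cli_connect_recv()` as "all servers down" couples this code to an errno value that other failures in the connect path could plausibly also return, and the translation to `ETIMEDOUT` is described in the comment as a convention rather than enforced by a dedicated error code; a named `ERR_*` value for "no server available" would make both ends of this contract explicit. Also, the comment has a typo: `allow the PAM responder to with to offline authentication` should read `switch to offline authentication`.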
--
2.15.1

@ -0,0 +1,38 @@
From 22cc09e379710b29520d5bbc6fdf6ad84473cd43 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 6 Nov 2017 17:03:19 +0100
Subject: [PATCH 53/79] NSS: Use enum_ctx as memory_context in
_setnetgrent_set_timeout()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We've noticed some crashes that happened because enum_ctx is already
freed, but the timeout handler is still called. In order to avoid that,
let's remove the timeout handler when enum_ctx is freed at other places.
Resolves: https://pagure.io/SSSD/sssd/issue/3523
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/nss/nss_enum.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
index aa7d8428f37e943a6b5904495c40ad4b8011b767..da844fbced529f606a3e98669fb7b95e0696ce00 100644
--- a/src/responder/nss/nss_enum.c
+++ b/src/responder/nss/nss_enum.c
@@ -283,7 +283,7 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
timeout = enum_ctx->result[0]->domain->netgroup_timeout;
tv = tevent_timeval_current_ofs(timeout, 0);
- te = tevent_add_timer(ev, nss_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
+ te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
if (te == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Could not set up life timer for enumeration object.\n");
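Review bot: re-parenting the timer under `enum_ctx` is the right fix, since tevent frees the timer event together with its talloc parent and the stale callback that caused the crash can no longer fire after `enum_ctx` is gone. The commit message, however, says the fix removes the timeout handler "at other places", which suggests explicit `talloc_free(te)` calls; it would be clearer to state that the timer is now owned by `enum_ctx`. Worth checking that nothing else keeps a pointer to `te` after `enum_ctx` is freed.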
--
2.15.1

@ -0,0 +1,67 @@
From 5fb2959852b53c6015cbf1cea653365708b379e9 Mon Sep 17 00:00:00 2001
From: amitkuma <amitkuma@redhat.com>
Date: Tue, 14 Nov 2017 13:59:12 +0530
Subject: [PATCH 54/79] cache_req: Correction of cache_req debug string ID
format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The cache-req debug string representation uses a wrong format
specifier for by-ID requests.
data->id (uint32_t) should be replaced with %"PRIu32"
in cache_req_group_by_id.c, cache_req_object_by_id.c &
cache_req_user_by_id.c.
Resolves:
https://pagure.io/SSSD/sssd/issue/3570
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/responder/common/cache_req/plugins/cache_req_group_by_id.c | 2 +-
src/responder/common/cache_req/plugins/cache_req_object_by_id.c | 2 +-
src/responder/common/cache_req/plugins/cache_req_user_by_id.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
index 5ca64283a781318bc4e4d6920fff989c3f3919b4..121f95abe86d2466aaea69f0fe68dfb33b1fee9e 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
@@ -31,7 +31,7 @@ cache_req_group_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
struct cache_req_data *data,
struct sss_domain_info *domain)
{
- return talloc_asprintf(mem_ctx, "GID:%d@%s", data->id, domain->name);
+ return talloc_asprintf(mem_ctx, "GID:%"PRIu32"@%s", data->id, domain->name);
}
static errno_t
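Review bot: `%"PRIu32"` is correct for a `uint32_t` and fixes the negative values that `%d` printed for IDs above 2^31 in the debug name; make sure `<inttypes.h>` is reachable through the existing includes in these three files (typically via the common util header), since the macro otherwise fails to compile. The same comment applies to the two hunks below.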
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
index 339bd4f5fef827acc1aa3c123d041e426d9e4782..4c88e1035b41969703c1c38d740e15516ac0d622 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
@@ -31,7 +31,7 @@ cache_req_object_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
struct cache_req_data *data,
struct sss_domain_info *domain)
{
- return talloc_asprintf(mem_ctx, "ID:%d@%s", data->id, domain->name);
+ return talloc_asprintf(mem_ctx, "ID:%"PRIu32"@%s", data->id, domain->name);
}
static errno_t
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
index 913f9be5bcc2dfd074b52cb3b15fb6948826e831..3c25c7631b3da4a829ab577629334a7ee97980da 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
@@ -31,7 +31,7 @@ cache_req_user_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
struct cache_req_data *data,
struct sss_domain_info *domain)
{
- return talloc_asprintf(mem_ctx, "UID:%d@%s", data->id, domain->name);
+ return talloc_asprintf(mem_ctx, "UID:%"PRIu32"@%s", data->id, domain->name);
}
static errno_t
--
2.15.1

@ -1,7 +1,7 @@
From caae0e53e6091806634943699f4398b6a20273b4 Mon Sep 17 00:00:00 2001
From 0e73859e68b8dc348c2ee1e00a45646d9ac2c63c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Mon, 13 Nov 2017 16:15:21 +0100
Subject: [PATCH] TESTS: Order list of entries in some lists
Subject: [PATCH 55/79] TESTS: Order list of entries in some lists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -167,5 +167,5 @@ index 0378254b4440b29c3182faf2adde8c3db8a4ce97..dd3eb50f9310ff925734dcf51a669d08
"three", TEST_GID_OVERRIDE_BASE + 2);
assert_group_attrs(res->msgs[1], test_ctx->domain, "two",
--
2.15.0
2.15.1

@ -0,0 +1,42 @@
From 97b56f1ec15a3270cc2e85c9b367e4d38f91ae1a Mon Sep 17 00:00:00 2001
From: Victor Tapia <victor.tapia@canonical.com>
Date: Mon, 16 Oct 2017 09:45:24 +0200
Subject: [PATCH 63/79] WATCHDOG: Restart providers with SIGUSR2 after time
drift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Restarting the providers using the already implemented SIGUSR2 (for
method .resetOffline, used after netlink detects an interface change)
when a time drift is detected, ensures that affected connection retries
(e.g. LDAP) will be rescheduled immediately instead of having to wait
the time shifted to return to its normal execution.
Resolves:
https://pagure.io/SSSD/sssd/issue/3285
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/util/util_watchdog.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index 59293db60e4ffbe566f8b17f3f289503e8d9aee6..20a8b896791118c1ae9b5bfe101a539b213497a4 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -160,6 +160,10 @@ static void watchdog_fd_read_handler(struct tevent_context *ev,
"[%d]: %s\n", ret, sss_strerror(ret));
orderly_shutdown(1);
}
+ if (strncmp(debug_prg_name, "sssd[be[", sizeof("sssd[be[") - 1) == 0) {
+ kill(getpid(), SIGUSR2);
+ DEBUG(SSSDBG_IMPORTANT_INFO, "SIGUSR2 sent to %s\n", debug_prg_name);
+ }
}
int setup_watchdog(struct tevent_context *ev, int interval)
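Review bot: the new block identifies the backend by string-matching `debug_prg_name` against the prefix `sssd[be[`, which ties correctness to the log-name format and silently does nothing if that format ever changes; a process-role flag set at startup would be more robust. Because the block follows the `if (ret != EOK) { ... orderly_shutdown(1); }` branch, the `kill(getpid(), SIGUSR2)` is only correct if `orderly_shutdown()` never returns; if it can, the signal would be sent during shutdown. Finally, a short code comment explaining that SIGUSR2 re-uses the resetOffline path to reschedule connection retries after a clock jump would help, since that is only stated in the commit message.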
--
2.15.1

@ -0,0 +1,168 @@
From b70b4099b049b6a2bd85e773dbd81974dee24e05 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 17 Nov 2017 10:51:44 +0100
Subject: [PATCH 64/79] mmap_cache: make checks independent of input size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently the consistency checks for the mmap_cache payload data on the
client and the responder side include the length of the input string of
the current request. Since there might be hash collisions with other
much longer or much shorter names, those checks might fail although there
is no data corruption.
This patch removes the checks using the length of the input and adds a
check if the name found in the payload is zero-terminated inside of the
payload data.
Resolves https://pagure.io/SSSD/sssd/issue/3571
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/responder/nss/nsssrv_mmap_cache.c | 34 ++++++++++++++++++++++++----------
src/sss_client/nss_mc_group.c | 12 ++++++------
src/sss_client/nss_mc_initgr.c | 12 +++++++-----
src/sss_client/nss_mc_passwd.c | 12 ++++++------
4 files changed, 43 insertions(+), 27 deletions(-)
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
index a87ad646f9b741db3eb18680678697032fc420ba..ad5adbce15e50c065d4d16e626be97fd23d06643 100644
--- a/src/responder/nss/nsssrv_mmap_cache.c
+++ b/src/responder/nss/nsssrv_mmap_cache.c
@@ -547,18 +547,32 @@ static struct sss_mc_rec *sss_mc_find_record(struct sss_mc_ctx *mcc,
return NULL;
}
+ if (key->len > strs_len) {
+ /* The string cannot be in current record */
+ slot = sss_mc_next_slot_with_hash(rec, hash);
+ continue;
+ }
+
safealign_memcpy(&name_ptr, rec->data, sizeof(rel_ptr_t), NULL);
- if (key->len > strs_len
- || (name_ptr + key->len) > (strs_offset + strs_len)
- || (uint8_t *)rec->data + strs_offset + strs_len > max_addr) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Corrupted fastcache. name_ptr value is %u.\n", name_ptr);
- sss_mc_save_corrupted(mcc);
- sss_mmap_cache_reset(mcc);
- return NULL;
- }
-
t_key = (char *)rec->data + name_ptr;
+ /* name_ptr must point to some data in the strs/gids area of the data
+ * payload. Since it is a pointer relative to rec->data it must larger
+ * equal strs_offset and must be smaller then strs_offset + strs_len.
+ * Additionally the area must not end outside of the data table and
+ * t_key must be a zero-terminates string. */
+ if (name_ptr < strs_offset
+ || name_ptr >= strs_offset + strs_len
+ || (uint8_t *)rec->data > max_addr
+ || strs_offset > max_addr - (uint8_t *)rec->data
+ || strs_len > max_addr - (uint8_t *)rec->data - strs_offset) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Corrupted fastcache entry at slot %u. "
+ "name_ptr value is %u.\n", slot, name_ptr);
+ sss_mc_save_corrupted(mcc);
+ sss_mmap_cache_reset(mcc);
+ return NULL;
+ }
+
if (strcmp(key->str, t_key) == 0) {
break;
}
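Review bot: the new comment promises that `t_key` is a zero-terminated string, but none of the five conditions verifies it: `name_ptr` is only bounded to the strings area, so a record whose strings area contains no NUL lets the following `strcmp(key->str, t_key)` read past `strs_offset + strs_len`. Append `|| memchr(t_key, '\0', strs_offset + strs_len - name_ptr) == NULL` as the last condition (the earlier conditions already guarantee a positive length inside the table). The comment also needs fixing: "must larger equal" should read "must be greater than or equal to", "smaller then" should be "smaller than", and "zero-terminates" should be "zero-terminated".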
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index ce88d42fdaf4f19e78fc43e187bc28651cdc3c4e..ba582fe55cf3abf90d8e016c82a0bee48608ce78 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -148,20 +148,20 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
}
data = (struct sss_mc_grp_data *)rec->data;
+ rec_name = (char *)data + data->name;
/* Integrity check
- * - name_len cannot be longer than all strings
* - data->name cannot point outside strings
* - all strings must be within copy of record
- * - size of record must be lower that data table size */
- if (name_len > data->strs_len
- || (data->name + name_len) > (strs_offset + data->strs_len)
+ * - record must not end outside data table
+ * - rec_name is a zero-terminated string */
+ if (data->name < strs_offset
+ || data->name >= strs_offset + data->strs_len
|| data->strs_len > rec->len
- || rec->len > data_size) {
+ || (uint8_t *) rec + rec->len > gr_mc_ctx.data_table + data_size ) {
ret = ENOENT;
goto done;
}
- rec_name = (char *)data + data->name;
if (strcmp(name, rec_name) == 0) {
break;
}
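Review bot: two points on the new condition. First, `(uint8_t *) rec + rec->len > gr_mc_ctx.data_table + data_size` compares the address of `rec` with the end of the data table, yet the comment two lines above says the strings must be "within copy of record": if `rec` is a private copy of the slot rather than a pointer into the table, the comparison relates two unrelated objects and cannot enforce "record must not end outside data table", whereas the length check it replaces (`rec->len > data_size`) did; keep the length form. Second, "rec_name is a zero-terminated string" is listed as a check but no condition tests it, so `strcmp(name, rec_name)` can run past `strs_offset + data->strs_len` on a corrupted record; append `|| memchr(rec_name, '\0', strs_offset + data->strs_len - data->name) == NULL` after the bounds checks.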
diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
index a77088d849ad3601cb3edb55fc5ea4ae4c52fe38..606f1c7ee2526a15378831d4512e943bac214d0e 100644
--- a/src/sss_client/nss_mc_initgr.c
+++ b/src/sss_client/nss_mc_initgr.c
@@ -131,15 +131,17 @@ errno_t sss_nss_mc_initgroups_dyn(const char *name, size_t name_len,
data = (struct sss_mc_initgr_data *)rec->data;
rec_name = (char *)data + data->name;
/* Integrity check
- * - name_len cannot be longer than all strings or data
+ * - data->name cannot point outside all strings or data
* - all data must be within copy of record
* - size of record must be lower that data table size
- * - data->strs cannot point outside strings */
- if (name_len > data->strs_len
+ * - data->strs cannot point outside strings
+ * - rec_name is a zero-terminated string */
+ if (data->name < data_offset
+ || data->name >= data_offset + data->data_len
|| data->strs_len > data->data_len
|| data->data_len > rec->len
- || rec->len > data_size
- || (data->strs + name_len) > (data_offset + data->data_len)) {
+ || (uint8_t *) rec + rec->len
+ > initgr_mc_ctx.data_table + data_size ) {
ret = ENOENT;
goto done;
}
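Review bot: the same two issues as in nss_mc_group.c apply: the pointer comparison against `initgr_mc_ctx.data_table + data_size` replaces the length check `rec->len > data_size` and is meaningless if `rec` is a copy of the slot, and the newly listed "rec_name is a zero-terminated string" has no corresponding condition (here the bound for a `memchr` would be `data_offset + data->data_len - data->name`, since `data->name` is validated against the data area). In addition, the removed `(data->strs + name_len) > ...` line was the only condition that looked at `data->strs`, so the retained comment "data->strs cannot point outside strings" now describes a check that no longer exists; either validate `data->strs` against `data_offset + data->data_len` or drop that comment line.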
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index 0da7ad0aeece7d38ca34bb3fde64adc898eaf0ae..0bc1237446d3691c8c83aa0fc0cf692d4b336f9e 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -141,20 +141,20 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
}
data = (struct sss_mc_pwd_data *)rec->data;
+ rec_name = (char *)data + data->name;
/* Integrity check
- * - name_len cannot be longer than all strings
* - data->name cannot point outside strings
* - all strings must be within copy of record
- * - size of record must be lower that data table size */
- if (name_len > data->strs_len
- || (data->name + name_len) > (strs_offset + data->strs_len)
+ * - record must not end outside data table
+ * - rec_name is a zero-terminated string */
+ if (data->name < strs_offset
+ || data->name >= strs_offset + data->strs_len
|| data->strs_len > rec->len
- || rec->len > data_size) {
+ || (uint8_t *) rec + rec->len > pw_mc_ctx.data_table + data_size ) {
ret = ENOENT;
goto done;
}
- rec_name = (char *)data + data->name;
if (strcmp(name, rec_name) == 0) {
break;
}
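Review bot: this is the nss_mc_group.c change applied to the passwd lookup, and both points raised there apply unchanged: `(uint8_t *) rec + rec->len > pw_mc_ctx.data_table + data_size` does not enforce "record must not end outside data table" if `rec` is the copy the comment refers to, and the advertised zero-termination check is absent. Since the two integrity blocks are now identical apart from the context struct, a shared helper that validates `name`, `strs_len` and the record length for both lookups would keep them from drifting apart.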
--
2.15.1
@ -0,0 +1,187 @@
From 209caaad9d545aeb601f64854a2ffb978b77c4b1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 27 Nov 2017 13:45:14 +0100
Subject: [PATCH 66/79] krb5: show error message for krb5_init_context()
failures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If there are typos in /etc/krb5.conf (or one of the included config
snippets), krb5_init_context(), the initial call that is always needed
before any other operation with libkrb5, fails because /etc/krb5.conf
cannot be parsed.
Currently the related debug/syslog messages might be misleading, e.g.
failed to read keytab. This is because SSSD does not use a global krb5
context but creates a fresh one for every new request or operation (to
always use the latest settings from /etc/krb5.conf) and typically there
is an error message indicating that the related operation failed but not
giving more details.
Since krb5_init_context() is fundamental for Kerberos support, this patch
tries to add as many details as libkrb5 provides to the logs if the call
fails.
Resolves:
https://pagure.io/SSSD/sssd/issue/3586
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
---
src/providers/krb5/krb5_ccache.c | 6 +++---
src/providers/krb5/krb5_common.c | 2 +-
src/providers/ldap/ldap_child.c | 2 +-
src/providers/ldap/ldap_common.c | 2 +-
src/responder/kcm/kcm.c | 3 ++-
src/util/sss_krb5.c | 25 ++++++++++++++++++++++---
src/util/sss_krb5.h | 2 ++
7 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
index f9bb25efd4ca3257845c3b157667d21d24299f4a..2e28276b72b6d5961de33c0ceb61774074a92d11 100644
--- a/src/providers/krb5/krb5_ccache.c
+++ b/src/providers/krb5/krb5_ccache.c
@@ -299,7 +299,7 @@ static errno_t sss_open_ccache_as_user(TALLOC_CTX *mem_ctx,
goto done;
}
- kerr = krb5_init_context(&cc->context);
+ kerr = sss_krb5_init_context(&cc->context);
if (kerr) {
ret = EIO;
goto done;
@@ -565,9 +565,9 @@ errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,
const char *realm_name;
int realm_length;
- kerr = krb5_init_context(&ctx);
+ kerr = sss_krb5_init_context(&ctx);
if (kerr != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "krb5_init_context failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_init_context failed.\n");
goto done;
}
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 0b32da94dd8320d51708e2b7e827b94c472642a6..520e7591ce1b37b4a8dea357b6dd0ec7afd76f58 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -106,7 +106,7 @@ static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
*ccname = NULL;
- ret = krb5_init_context(&ctx);
+ ret = sss_krb5_init_context(&ctx);
if (ret) return ret;
ret = krb5_get_profile(ctx, &p);
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index c0618d6d8828f102c32cf56731995e2b370590e7..4558fd7c42be03c4472dbf3092ce8044e8ae89d9 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -574,7 +574,7 @@ static krb5_error_code privileged_krb5_setup(struct input_buffer *ibuf)
krb5_error_code kerr;
char *keytab_name;
- kerr = krb5_init_context(&ibuf->context);
+ kerr = sss_krb5_init_context(&ibuf->context);
if (kerr != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to init kerberos context\n");
return kerr;
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 0597e91f7fade47aeb34565597c730ac406e0cfc..4ec36584ad5acc52cf442b015caec80a6a8936da 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -364,7 +364,7 @@ sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
krb5_error_code krberr;
krb5_context context = NULL;
- krberr = krb5_init_context(&context);
+ krberr = sss_krb5_init_context(&context);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
goto done;
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 358fcc18165dec7b41a7389a3ef22660ac04b4a8..0fc09376888544570ca1bcf8c1ff1ba1d72d5906 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -28,6 +28,7 @@
#include "responder/kcm/kcmsrv_pvt.h"
#include "responder/common/responder.h"
#include "util/util.h"
+#include "util/sss_krb5.h"
#define DEFAULT_KCM_FD_LIMIT 2048
@@ -183,7 +184,7 @@ static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
return NULL;
}
- kret = krb5_init_context(&kcm_data->k5c);
+ kret = sss_krb5_init_context(&kcm_data->k5c);
if (kret != EOK) {
talloc_free(kcm_data);
return NULL;
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index a702a8b57c55bdb4215edf73731ddeaba156a84f..12660b0dd2e9170108afd54492e7ce30415741cb 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -113,7 +113,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
- kerr = krb5_init_context(&krb_ctx);
+ kerr = sss_krb5_init_context(&krb_ctx);
if (kerr) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
ret = EFAULT;
@@ -1096,9 +1096,9 @@ bool sss_krb5_realm_has_proxy(const char *realm)
return false;
}
- kerr = krb5_init_context(&context);
+ kerr = sss_krb5_init_context(&context);
if (kerr != 0) {
- DEBUG(SSSDBG_OP_FAILURE, "krb5_init_context failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sss_krb5_init_context failed.\n");
return false;
}
@@ -1330,3 +1330,22 @@ krb5_error_code sss_krb5_marshal_princ(krb5_principal princ,
}
return EOK;
}
+
+krb5_error_code sss_krb5_init_context(krb5_context *context)
+{
+ krb5_error_code kerr;
+ const char *msg;
+
+ kerr = krb5_init_context(context);
+ if (kerr != 0) {
+ /* It is safe to call (sss_)krb5_get_error_message() with NULL as first
+ * argument. */
+ msg = sss_krb5_get_error_message(NULL, kerr);
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to init kerberos context [%s]\n", msg);
+ sss_log(SSS_LOG_CRIT, "Failed to init kerberos context [%s]\n", msg);
+ sss_krb5_free_error_message(NULL, msg);
+ }
+
+ return kerr;
+}
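Review bot: every failed `krb5_init_context()` now also writes to syslog at SSS_LOG_CRIT, and the commit message states that a fresh context is created for every request, so a single typo in /etc/krb5.conf produces one CRIT syslog line per request until it is fixed; consider emitting the syslog message only on the first failure (or rate-limiting it) while keeping the DEBUG line unconditional. Callers such as ldap_child.c and ldap_common.c also keep their own "Failed to init kerberos context" DEBUG right after the call, so the same failure is now reported twice in the debug log.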
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 0d9043be98749b1a21a1b74c68f07298fa27f230..423951443c8c512211b1e894c41f1c8891be479f 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -195,4 +195,6 @@ krb5_error_code sss_krb5_unmarshal_princ(TALLOC_CTX *mem_ctx,
struct sss_iobuf *iobuf,
krb5_principal *_princ);
+krb5_error_code sss_krb5_init_context(krb5_context *context);
+
#endif /* __SSS_KRB5_H__ */
--
2.15.1
@ -0,0 +1,58 @@
From ddff278e709a2aa882f2d8d64c263cddc3a93a2c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 28 Nov 2017 12:19:54 +0100
Subject: [PATCH 67/79] responder: Fix talloc hierarchy in sized_output_name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sized_output_name was called with a NULL context in
memcache_delete_entry, but the data returned from sized_output_name
didn't have a proper talloc hierarchy and we could not release
all returned data.
==00:01:01:29.871 10088== 934,414 bytes in 8,731 blocks are definitely lost in loss record 121 of 121
==00:01:01:29.871 10088== at 0x4C29BE3: malloc (vg_replace_malloc.c:299)
==00:01:01:29.871 10088== by 0x8FF4EAB: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.9)
==00:01:01:29.871 10088== by 0x52933B9: sss_output_name (usertools.c:808)
==00:01:01:29.871 10088== by 0x5293550: sss_output_fqname (usertools.c:863)
==00:01:01:29.871 10088== by 0x1211F9: sized_output_name (responder_common.c:1708)
==00:01:01:29.871 10088== by 0x1137E6: memcache_delete_entry (nss_get_object.c:112)
==00:01:01:29.871 10088== by 0x113BB6: nss_get_object_done (nss_get_object.c:245)
==00:01:01:29.871 10088== by 0x8DE5291: _tevent_req_error (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x1276CE: cache_req_done (cache_req.c:1047)
==00:01:01:29.871 10088== by 0x8DE5291: _tevent_req_error (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x126AF6: cache_req_search_domains_done (cache_req.c:607)
==00:01:01:29.871 10088== by 0x8DE4AB9: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE9C9C: ??? (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE82A6: ??? (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE40CC: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE42FA: tevent_common_loop_wait (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE8246: ??? (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x5291B32: server_loop (server.c:718)
==00:01:01:29.871 10088== by 0x11004C: main (nsssrv.c:560)
Resolves:
https://pagure.io/SSSD/sssd/issue/3588
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/responder/common/responder_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 6b4d2d9e5936c79944b6f883e9fe46fd03ff32f6..e1100ce4b1eaae8bc561246699dc9bacc96133c8 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -1815,7 +1815,7 @@ int sized_output_name(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sss_output_fqname(mem_ctx, name_dom, orig_name,
+ ret = sss_output_fqname(name, name_dom, orig_name,
rctx->override_space, &name_str);
if (ret != EOK) {
goto done;
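Review bot: a one-line comment above the call stating that `name_str` must be allocated on `name` so that freeing the returned sized_string releases the string as well would keep this from regressing; the valgrind trace in the commit message explains the ownership, but nothing in the code does.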
--
2.15.1
@ -0,0 +1,57 @@
From 878fa7d0d4a3c9de1e813a550c5968153faae0a9 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 28 Nov 2017 12:20:26 +0100
Subject: [PATCH 68/79] test_responder: Check memory leak in sized_output_name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3588
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/tests/cmocka/test_responder_common.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
index fb7e4ee500570319999e6e85ee14a05cddea8de3..5441167caeb284982ee76926117da029966ec997 100644
--- a/src/tests/cmocka/test_responder_common.c
+++ b/src/tests/cmocka/test_responder_common.c
@@ -316,6 +316,23 @@ void test_schedule_get_domains_task(void **state)
talloc_free(dummy_ncache_ptr);
}
+void test_sss_output_fqname(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
+ struct parse_inp_test_ctx);
+ errno_t ret;
+ struct sized_string *res = NULL;
+
+ ret = sized_output_name(parse_inp_ctx, parse_inp_ctx->rctx, "dummy",
+ parse_inp_ctx->tctx->dom, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ assert_string_equal("dummy", res->str);
+ assert_int_equal(6, res->len);
+
+ talloc_zfree(res);
+}
+
int main(int argc, const char *argv[])
{
int rv;
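Review bot: the test is named test_sss_output_fqname but exercises sized_output_name(); rename it (for example test_sized_output_name) so that a failure report points at the function under test. The assertion `assert_int_equal(6, res->len)` also deserves a comment that `len` counts the terminating NUL of "dummy", otherwise it reads like an off-by-one.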
@@ -346,6 +363,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_schedule_get_domains_task,
parse_inp_test_setup,
parse_inp_test_teardown),
+ cmocka_unit_test_setup_teardown(test_sss_output_fqname,
+ parse_inp_test_setup,
+ parse_inp_test_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
--
2.15.1
@ -0,0 +1,81 @@
From 8b98ab849993ddd2bddbe475f443fbee24081c1a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 12:08:30 +0100
Subject: [PATCH 69/79] UTIL: add find_domain_by_object_name_ex()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The _ex version of find_domain_by_object_name() has an additional option
'strict'. If set to 'true', NULL is returned instead of the domain from the
first argument. This way the caller can see if the provided object name
really contains a known domain.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/util/domain_info_utils.c | 17 ++++++++++++++---
src/util/util.h | 4 ++++
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 3a3f5130a32e2c5fe4b81819bf2de697a4474111..66077092a40111967a98b0937506d9e4472f50d5 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -174,8 +174,8 @@ sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
}
struct sss_domain_info *
-find_domain_by_object_name(struct sss_domain_info *domain,
- const char *object_name)
+find_domain_by_object_name_ex(struct sss_domain_info *domain,
+ const char *object_name, bool strict)
{
TALLOC_CTX *tmp_ctx;
struct sss_domain_info *dom = NULL;
@@ -197,7 +197,11 @@ find_domain_by_object_name(struct sss_domain_info *domain,
}
if (domainname == NULL) {
- dom = domain;
+ if (strict) {
+ dom = NULL;
+ } else {
+ dom = domain;
+ }
} else {
dom = find_domain_by_name(domain, domainname, true);
}
@@ -207,6 +211,13 @@ done:
return dom;
}
+struct sss_domain_info *
+find_domain_by_object_name(struct sss_domain_info *domain,
+ const char *object_name)
+{
+ return find_domain_by_object_name_ex(domain, object_name, false);
+}
+
errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *domain_name,
diff --git a/src/util/util.h b/src/util/util.h
index 37383011763a9a2a3c2c066215e3ed94aca77308..2521b1789b0b8701b1fbcce33890eedb7fe18d5e 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -551,6 +551,10 @@ struct sss_domain_info *
find_domain_by_object_name(struct sss_domain_info *domain,
const char *object_name);
+struct sss_domain_info *
+find_domain_by_object_name_ex(struct sss_domain_info *domain,
+ const char *object_name, bool strict);
+
bool subdomain_enumerates(struct sss_domain_info *parent,
const char *sd_name);
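Review bot: the new prototype carries no documentation of what `strict` changes; add a comment above it saying that with `strict` set the function returns NULL when the object name has no domain part (instead of falling back to `domain`), and that an unknown domain part yields NULL in both modes, so callers can distinguish the two only by inspecting the name themselves.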
--
2.15.1
@ -0,0 +1,75 @@
From 2029b7b32c868dd5ad33dcc9b078d362ee9bb602 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 12:04:50 +0100
Subject: [PATCH 70/79] ipa: handle users from different domains in
ipa_resolve_user_list_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead of assuming that all users in the list can be found in the
provided domain, with this patch the domain name part of the user name is
preferred. The provided domain name is used as a fallback.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_id.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index 5044577f0faa95b19de9233240e92aa60f029774..9a092bc837f762af8d229ff5a7eb4c4ba4b78f2f 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -63,6 +63,8 @@ struct ipa_resolve_user_list_state {
struct ipa_id_ctx *ipa_ctx;
struct ldb_message_element *users;
const char *domain_name;
+ struct sss_domain_info *domain;
+ struct sss_domain_info *user_domain;
size_t user_idx;
int dp_error;
@@ -91,6 +93,8 @@ ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev,
state->ev = ev;
state->ipa_ctx = ipa_ctx;
state->domain_name = domain_name;
+ state->domain = find_domain_by_name(state->ipa_ctx->sdap_id_ctx->be->domain,
+ state->domain_name, true);
state->users = users;
state->user_idx = 0;
state->dp_error = DP_ERR_FATAL;
@@ -132,8 +136,17 @@ static errno_t ipa_resolve_user_list_get_user_step(struct tevent_req *req)
DEBUG(SSSDBG_TRACE_ALL, "Trying to resolve user [%s].\n", ar->filter_value);
- if (strcasecmp(state->domain_name,
- state->ipa_ctx->sdap_id_ctx->be->domain->name) != 0) {
+ state->user_domain = find_domain_by_object_name_ex(
+ state->ipa_ctx->sdap_id_ctx->be->domain,
+ ar->filter_value, true);
+ /* Use provided domain as as fallback is no known domain was found in the
+ * user name. */
+ if (state->user_domain == NULL) {
+ state->user_domain = state->domain;
+ }
+ ar->domain = state->user_domain->name;
+
+ if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) {
subreq = ipa_subdomain_account_send(state, state->ev, state->ipa_ctx,
ar);
} else {
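Review bot: the fallback `state->user_domain = state->domain;` followed by `ar->domain = state->user_domain->name;` dereferences a NULL pointer when `state->domain` is NULL, which the previous hunk allows since `find_domain_by_name()` returns NULL for an unknown `domain_name` and its result is never checked; either fail `ipa_resolve_user_list_send()` with EINVAL when the lookup returns NULL or guard the fallback here. The comment also needs "as as fallback is no known domain" corrected to "as a fallback if no known domain".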
@@ -158,8 +171,7 @@ static void ipa_resolve_user_list_get_user_done(struct tevent_req *subreq)
struct ipa_resolve_user_list_state);
int ret;
- if (strcasecmp(state->domain_name,
- state->ipa_ctx->sdap_id_ctx->be->domain->name) != 0) {
+ if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) {
ret = ipa_subdomain_account_recv(subreq, &state->dp_error);
} else {
ret = ipa_id_get_account_info_recv(subreq, &state->dp_error);
--
2.15.1
@ -0,0 +1,202 @@
From 3edca52d650154bcd784674d631a76512c6c4004 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 15:51:27 +0100
Subject: [PATCH 71/79] overrides: fixes for sysdb_invalidate_overrides()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There were two issues in sysdb_invalidate_overrides().
First, SYSDB_CACHE_EXPIRE was only reset for the entry in the data cache
but not in the timestamp cache.
Second, if one of the steps in the combined replace and delete operation
failed, no change was committed to the cache. If, for whatever reason,
a user or group object didn't have SYSDB_OVERRIDE_DN set, the delete
failed and hence SYSDB_CACHE_EXPIRE wasn't reset as well. To make sure
the cache is in a consistent state after a view change, the replace and
the delete operations are done in two steps.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/db/sysdb_views.c | 111 +++++++++++++++++++++++++++++++++++++--------------
1 file changed, 80 insertions(+), 31 deletions(-)
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index f640c813acf4deafe98eb15708d3a94790502dcb..bcd7dd46168aecdf808ad315175a12cef9ee03dd 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -279,6 +279,45 @@ done:
return ret;
}
+static errno_t invalidate_entry_override(struct sysdb_ctx *sysdb,
+ struct ldb_dn *dn,
+ struct ldb_message *msg_del,
+ struct ldb_message *msg_repl)
+{
+ int ret;
+
+ msg_del->dn = dn;
+ msg_repl->dn = dn;
+
+ ret = ldb_modify(sysdb->ldb, msg_del);
+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldb_modify failed: [%s](%d)[%s]\n",
+ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb));
+ return sysdb_error_to_errno(ret);
+ }
+
+ ret = ldb_modify(sysdb->ldb, msg_repl);
+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldb_modify failed: [%s](%d)[%s]\n",
+ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb));
+ return sysdb_error_to_errno(ret);
+ }
+
+ if (sysdb->ldb_ts != NULL) {
+ ret = ldb_modify(sysdb->ldb_ts, msg_repl);
+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldb_modify failed: [%s](%d)[%s]\n",
+ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb_ts));
+ return sysdb_error_to_errno(ret);
+ }
+ }
+
+ return EOK;
+}
+
errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
{
int ret;
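Review bot: tolerating LDB_ERR_NO_SUCH_ATTRIBUTE makes sense for the delete of SYSDB_OVERRIDE_DN, but it is copied onto both replace operations too, where a replace of SYSDB_CACHE_EXPIRE should never yield that code; tolerating it there can hide a failure in the timestamp cache. The three failure messages are also word-for-word identical, so a log line does not tell which step (delete, replace, timestamp replace) failed; give each its own message.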
@@ -287,22 +326,23 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
bool in_transaction = false;
struct ldb_result *res;
size_t c;
- struct ldb_message *msg;
+ struct ldb_message *msg_del;
+ struct ldb_message *msg_repl;
struct ldb_dn *base_dn;
+ if (sysdb->ldb_ts == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Timestamp cache context not available, cache might not be "
+ "invalidated completely. Please call 'sss_cache -E' or remove "
+ "the cache file if there are issues after a view name change.\n");
+ }
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
return ENOMEM;
}
- msg = ldb_msg_new(tmp_ctx);
- if (msg == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n");
- ret = ENOMEM;
- goto done;
- }
-
base_dn = ldb_dn_new(tmp_ctx, sysdb->ldb, SYSDB_BASE);
if (base_dn == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed\n");
@@ -310,27 +350,40 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
goto done;
}
- ret = ldb_msg_add_empty(msg, SYSDB_CACHE_EXPIRE, LDB_FLAG_MOD_REPLACE,
+ msg_del = ldb_msg_new(tmp_ctx);
+ if (msg_del == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = ldb_msg_add_empty(msg_del, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE,
NULL);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n");
ret = sysdb_error_to_errno(ret);
goto done;
}
- ret = ldb_msg_add_string(msg, SYSDB_CACHE_EXPIRE, "1");
+
+ msg_repl = ldb_msg_new(tmp_ctx);
+ if (msg_repl == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = ldb_msg_add_empty(msg_repl, SYSDB_CACHE_EXPIRE,
+ LDB_FLAG_MOD_REPLACE, NULL);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n");
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+ ret = ldb_msg_add_string(msg_repl, SYSDB_CACHE_EXPIRE, "1");
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");
ret = sysdb_error_to_errno(ret);
goto done;
}
- ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, NULL);
- if (ret != LDB_SUCCESS) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n");
- ret = sysdb_error_to_errno(ret);
- goto done;
- }
-
ret = sysdb_transaction_start(sysdb);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_transaction_start failed.\n");
@@ -347,14 +400,12 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
}
for (c = 0; c < res->count; c++) {
- msg->dn = res->msgs[c]->dn;
-
- ret = ldb_modify(sysdb->ldb, msg);
- if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
+ ret = invalidate_entry_override(sysdb, res->msgs[c]->dn, msg_del,
+ msg_repl);
+ if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "ldb_modify failed: [%s](%d)[%s]\n",
- ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb));
- ret = sysdb_error_to_errno(ret);
+ "invalidate_entry_override failed [%d][%s].\n",
+ ret, sss_strerror(ret));
goto done;
}
}
@@ -370,14 +421,12 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
}
for (c = 0; c < res->count; c++) {
- msg->dn = res->msgs[c]->dn;
-
- ret = ldb_modify(sysdb->ldb, msg);
- if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
+ ret = invalidate_entry_override(sysdb, res->msgs[c]->dn, msg_del,
+ msg_repl);
+ if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "ldb_modify failed: [%s](%d)[%s]\n",
- ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb));
- ret = sysdb_error_to_errno(ret);
+ "invalidate_entry_override failed [%d][%s].\n",
+ ret, sss_strerror(ret));
goto done;
}
}
--
2.15.1
@ -0,0 +1,253 @@
From afa3e5d8401c529dad9fb6f2e3a3f4c2aa79a977 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:12:58 +0100
Subject: [PATCH 72/79] ipa: check for SYSDB_OVERRIDE_DN in process_members and
get_group_dn_list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
process_members() and get_group_dn_list() are used on an IPA client to
determine a list of users or groups which are missing in the cache and
are needed to properly add a group or user object to the cache
respectively.
If a non-default view is assigned to the client, SYSDB_OVERRIDE_DN
must be set for all user and group objects to indicate that it was
already checked whether there is an id-override defined for the object or
not. There are circumstances where SYSDB_OVERRIDE_DN is not set, e.g. after
a view name change. To make sure the cache is in a consistent state, with
this patch user and group entries without SYSDB_OVERRIDE_DN are
considered as missing if a non-default view is assigned to the client.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++-----------------
1 file changed, 83 insertions(+), 62 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 39ed17cbf0e8c523212084197e9f2963fed88dc8..c6132f509dcc8e7af84e03e8bfe20701107d1392 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1523,6 +1523,7 @@ fail:
}
static errno_t process_members(struct sss_domain_info *domain,
+ bool is_default_view,
struct sysdb_attrs *group_attrs,
char **members,
TALLOC_CTX *mem_ctx, char ***_missing_members)
@@ -1536,6 +1537,7 @@ static errno_t process_members(struct sss_domain_info *domain,
struct sss_domain_info *parent_domain;
char **missing_members = NULL;
size_t miss_count = 0;
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
if (members == NULL) {
DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
@@ -1572,53 +1574,59 @@ static errno_t process_members(struct sss_domain_info *domain,
goto done;
}
- ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], NULL,
+ ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
&msg);
- if (ret == EOK) {
- if (group_attrs != NULL) {
- dn_str = ldb_dn_get_linearized(msg->dn);
- if (dn_str == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
- ret = EINVAL;
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
- members[c], dn_str);
+ if (ret == EOK || ret == ENOENT) {
+ if (ret == ENOENT
+ || (!is_default_view
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
+ NULL) == NULL)) {
+ /* only add ghost if the member is really missing */
+ if (group_attrs != NULL && ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
+ members[c]);
- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
- dn_str);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sysdb_attrs_add_string_safe failed.\n");
- goto done;
+ /* There were cases where the server returned the same user
+ * multiple times */
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
+ members[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ goto done;
+ }
}
- }
- } else if (ret == ENOENT) {
- if (group_attrs != NULL) {
- DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
- members[c]);
- /* There were cases where the server returned the same user
- * multiple times */
- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
- members[c]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sysdb_attrs_add_string failed.\n");
- goto done;
+ if (missing_members != NULL) {
+ missing_members[miss_count] = talloc_strdup(missing_members,
+ members[c]);
+ if (missing_members[miss_count] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ miss_count++;
}
- }
+ } else {
+ if (group_attrs != NULL) {
+ dn_str = ldb_dn_get_linearized(msg->dn);
+ if (dn_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
+ members[c], dn_str);
- if (missing_members != NULL) {
- missing_members[miss_count] = talloc_strdup(missing_members,
- members[c]);
- if (missing_members[miss_count] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
+ dn_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string_safe failed.\n");
+ goto done;
+ }
}
- miss_count++;
}
} else {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
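Review bot: when sysdb_search_user_by_name returns EOK but the cached entry carries no SYSDB_OVERRIDE_DN in a non-default view, the new outer branch queues the name in missing_members yet adds nothing to group_attrs, neither the member DN nor a ghost (the ghost is guarded by `ret == ENOENT`), so the group is written without that member until the follow-up lookup of missing_members completes; a comment saying that this is intended would save the next reader a detour. Also, the failure message `"sysdb_attrs_add_string failed.\n"` carried over from the old code still names the wrong function; the call is sysdb_attrs_add_string_safe.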
@@ -1649,6 +1657,7 @@ done:
}
static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
+ bool is_default_view,
struct sss_domain_info *dom,
size_t ngroups, char **groups,
struct ldb_dn ***_dn_list,
@@ -1664,6 +1673,7 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
size_t n_missing = 0;
struct sss_domain_info *obj_domain;
struct sss_domain_info *parent_domain;
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -1689,25 +1699,31 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], NULL,
+ ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], attrs,
&msg);
- if (ret == EOK) {
- dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
- if (dn_list[n_dns] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
- ret = ENOMEM;
- goto done;
+ if (ret == EOK || ret == ENOENT) {
+ if (ret == ENOENT
+ || (!is_default_view
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
+ NULL) == NULL)) {
+ missing_groups[n_missing] = talloc_strdup(missing_groups,
+ groups[c]);
+ if (missing_groups[n_missing] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ n_missing++;
+
+ } else {
+ dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
+ if (dn_list[n_dns] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ n_dns++;
}
- n_dns++;
- } else if (ret == ENOENT) {
- missing_groups[n_missing] = talloc_strdup(missing_groups,
- groups[c]);
- if (missing_groups[n_missing] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
- }
- n_missing++;
} else {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed.\n");
goto done;
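Review bot: style nit, the blank line after `n_missing++;` before `} else {` is out of step with the rest of the function. More substantively, the condition `ret == ENOENT || (!is_default_view && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN, NULL) == NULL)` is now duplicated verbatim from process_members; a small static helper such as "entry is missing or lacks an override in this view" would keep the two from drifting apart the next time the view logic changes.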
@@ -1803,7 +1819,9 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
}
- ret = get_group_dn_list(state, state->dom,
+ ret = get_group_dn_list(state,
+ is_default_view(state->ipa_ctx->view_name),
+ state->dom,
attrs->ngroups, attrs->groups,
&group_dn_list, &missing_list);
if (ret != EOK) {
@@ -1832,8 +1850,10 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
}
break;
} else if (attrs->response_type == RESP_GROUP_MEMBERS) {
- ret = process_members(state->dom, NULL, attrs->a.group.gr_mem,
- state, &missing_list);
+ ret = process_members(state->dom,
+ is_default_view(state->ipa_ctx->view_name),
+ NULL, attrs->a.group.gr_mem, state,
+ &missing_list);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
goto done;
@@ -2572,8 +2592,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
}
}
- ret = process_members(dom, attrs->sysdb_attrs,
- attrs->a.group.gr_mem, NULL, NULL);
+ ret = process_members(dom, is_default_view(view_name),
+ attrs->sysdb_attrs, attrs->a.group.gr_mem,
+ NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
goto done;
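Review bot: this call site passes `is_default_view(view_name)`, but the hunk does not show where `view_name` is declared in ipa_s2n_save_objects; please confirm it is the function's parameter and not a stale local. The same view name is now evaluated separately at three call sites; if it is already stored in the IPA context, resolving it once into a bool there would be simpler than passing it through every call.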
--
2.15.1

@ -0,0 +1,69 @@
From d1d62630e1d1c6a88fe4bf8612cb4f9a2fff7181 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:41:29 +0100
Subject: [PATCH 73/79] IPA: use cache searches in get_groups_dns()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the group name is overridden in the default view we have to search
for the name and cannot construct it because the extdom plugin will
return the overridden name but the DN of the related group object in the
cache will contain the original name.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index c6132f509dcc8e7af84e03e8bfe20701107d1392..49c393e9a1eb19ab683949cf633a6838274bc0fe 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2038,6 +2038,7 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
int c;
struct sss_domain_info *root_domain;
char **dn_list;
+ struct ldb_message *msg;
if (name_list == NULL) {
*_dn_list = NULL;
@@ -2082,15 +2083,25 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
goto done;
}
- /* This might fail if some unexpected cases are used. But current
- * sysdb code which handles group membership constructs DNs this way
- * as well, IPA names are lowercased and AD names by default will be
- * lowercased as well. If there are really use-cases which cause an
- * issue here, sysdb_group_strdn() has to be replaced by a proper
- * search. */
- dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ /* If the group name is overridden in the default view we have to
+ * search for the name and cannot construct it because the extdom
+ * plugin will return the overridden name but the DN of the related
+ * group object in the cache will contain the original name. */
+
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name_list[c], NULL,
+ &msg);
+ if (ret == EOK) {
+ dn_list[c] = ldb_dn_alloc_linearized(dn_list, msg->dn);
+ } else {
+ /* best effort, try to construct the DN */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sysdb_search_group_by_name failed with [%d], "
+ "generating DN for [%s] in domain [%s].\n",
+ ret, name_list[c], dom->name);
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ }
if (dn_list[c] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_alloc_linearized failed.\n");
ret = ENOMEM;
goto done;
}
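Review bot: two points on the fallback path. First, when sysdb_search_group_by_name fails, `ret` still holds that error code after the constructed DN has been stored in dn_list[c]; unless the loop or the done label resets it to EOK (not visible here), the function returns the search error although dn_list was filled, so set `ret = EOK` once sysdb_group_strdn succeeds. Second, the `dn_list[c] == NULL` message now reads "ldb_dn_alloc_linearized failed" but that branch is also reached when sysdb_group_strdn returns NULL; log which of the two failed, for instance by testing `ret == EOK` in the message.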
--
2.15.1

@ -0,0 +1,85 @@
From 97becd502f5d8aa74b94eee78a949825222b6933 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:45:45 +0100
Subject: [PATCH 74/79] ipa: compare DNs instead of group names in
ipa_s2n_save_objects()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If group names are used to compare the current list of group memberships
returned by the server with the one from the cache some groups might end
up in the wrong result list if group names are overridden. This
ambiguity can be resolved by using the DNs of the cached objects.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 31 ++++++++++++-------------------
1 file changed, 12 insertions(+), 19 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 49c393e9a1eb19ab683949cf633a6838274bc0fe..8b97f78620f19b0708e8a480cb72fd7f12d96dfb 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2185,10 +2185,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct ldb_result *res;
enum sysdb_member_type type;
char **sysdb_grouplist;
- char **add_groups;
char **add_groups_dns;
- char **del_groups;
char **del_groups_dns;
+ char **groups_dns;
bool in_transaction = false;
int tret;
struct sysdb_attrs *gid_override_attrs = NULL;
@@ -2514,33 +2513,27 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
}
if (attrs->response_type == RESP_USER_GROUPLIST) {
- ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
- &sysdb_grouplist);
+ ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name,
+ &sysdb_grouplist);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
goto done;
}
- ret = diff_string_lists(tmp_ctx, attrs->groups,
- sysdb_grouplist, &add_groups,
- &del_groups, NULL);
+ ret = get_groups_dns(tmp_ctx, dom, attrs->groups, &groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
+ goto done;
+ }
+
+ ret = diff_string_lists(tmp_ctx, groups_dns,
+ sysdb_grouplist, &add_groups_dns,
+ &del_groups_dns, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
goto done;
}
- ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
- goto done;
- }
-
- ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
- goto done;
- }
-
DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
name);
ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
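Review bot: the error message after get_sysdb_grouplist_dn still says `get_sysdb_grouplist failed`; update it to name the new function. Also, diff_string_lists compares the two DN lists as plain strings, so the result is only right if get_sysdb_grouplist_dn and get_groups_dns produce byte-identical linearizations; the fallback in get_groups_dns builds a DN with sysdb_group_strdn from the server-supplied name, so a case or formatting difference from the cached DN would make the same group show up as both an addition and a removal. Worth a comment, or normalising both sides through ldb_dn_get_linearized of a parsed DN.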
--
2.15.1

@ -0,0 +1,150 @@
From fd0fb14e613f15a7d1fbde86bf371a72d8dfe3b8 Mon Sep 17 00:00:00 2001
From: Carlos O'Donell <carlos@systemhalted.org>
Date: Wed, 29 Nov 2017 22:36:39 -0800
Subject: [PATCH 75/79] nss: Fix invalid enum nss_status return values.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The upstream glibc test nss/bug17079 covers several cases where the
NSS infrastructure passes invalid pointers to NSS plugins. The plugins
should return correct results for the invalid values e.g. ERANGE,
but it should do so by setting *errnop to the error and returning
NSS_STATUS_TRYAGAIN. This commit fixes the group, netgroup, passwd
and service handling code to correctly return ERANGE in *errnop
and NSS_TATUS_TRYAGAIN in the case of invalid buffer (NULL) or
zero sized buffer length. This fixes the nss/bug17079 regression test
when run in a test configuration with sss enabled for any of the
above mentioned services.
Upstream glibc bug:
Bug 22530 - FAIL: nss/bug17079 due to _nss_sss_getpwuid_r
https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Merges: https://pagure.io/SSSD/sssd/pull-request/3561
Signed-off-by: Carlos O'Donell <carlos@redhat.com>
Reviewed-by: Florian Weimer <fweimer@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/nss_group.c | 10 ++++++++--
src/sss_client/nss_netgroup.c | 5 ++++-
src/sss_client/nss_passwd.c | 10 ++++++++--
src/sss_client/nss_services.c | 15 ++++++++++++---
4 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c
index 42fba6242d23fc1d52cfd7be10cf10383010f091..054f30e13f8d5f8300a3e63c9035b98d30473c0e 100644
--- a/src/sss_client/nss_group.c
+++ b/src/sss_client/nss_group.c
@@ -522,7 +522,10 @@ enum nss_status _nss_sss_getgrgid_r(gid_t gid, struct group *result,
int ret;
/* Caught once glibc passing in buffer == 0x0 */
- if (!buffer || !buflen) return ERANGE;
+ if (!buffer || !buflen) {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
ret = sss_nss_mc_getgrgid(gid, result, buffer, buflen);
switch (ret) {
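Review bot: the fix is right, but the same four-line block is now copied seven times across the four client files; a shared helper or macro in the sss_client headers, e.g. `SSS_NSS_CHECK_BUFFER(buffer, buflen, errnop)`, would keep the next fix from missing a site. The comment `Caught once glibc passing in buffer == 0x0` also undersells the check now: the zero-length case is what nss/bug17079 exercises, so mention both conditions.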
@@ -655,7 +658,10 @@ static enum nss_status internal_getgrent_r(struct group *result,
int ret;
/* Caught once glibc passing in buffer == 0x0 */
- if (!buffer || !buflen) return ERANGE;
+ if (!buffer || !buflen) {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
/* if there are leftovers return the next one */
if (sss_nss_getgrent_data.data != NULL &&
diff --git a/src/sss_client/nss_netgroup.c b/src/sss_client/nss_netgroup.c
index 8594fc460514d6f92e786605168fa7d15c7ee913..3a1834a311e6658c6160b5f95a01434fed69ad1c 100644
--- a/src/sss_client/nss_netgroup.c
+++ b/src/sss_client/nss_netgroup.c
@@ -231,7 +231,10 @@ static enum nss_status internal_getnetgrent_r(struct __netgrent *result,
int ret;
/* Caught once glibc passing in buffer == 0x0 */
- if (!buffer || !buflen) return ERANGE;
+ if (!buffer || !buflen) {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
/* If we're already processing result data, continue to
* return it.
diff --git a/src/sss_client/nss_passwd.c b/src/sss_client/nss_passwd.c
index 61e2a567e684fbc7664b5d425e81cfa28a98e845..5b1c2ce66b0954bc304dfb458f509defa8eed889 100644
--- a/src/sss_client/nss_passwd.c
+++ b/src/sss_client/nss_passwd.c
@@ -251,7 +251,10 @@ enum nss_status _nss_sss_getpwuid_r(uid_t uid, struct passwd *result,
int ret;
/* Caught once glibc passing in buffer == 0x0 */
- if (!buffer || !buflen) return ERANGE;
+ if (!buffer || !buflen) {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
ret = sss_nss_mc_getpwuid(uid, result, buffer, buflen);
switch (ret) {
@@ -376,7 +379,10 @@ static enum nss_status internal_getpwent_r(struct passwd *result,
int ret;
/* Caught once glibc passing in buffer == 0x0 */
- if (!buffer || !buflen) return ERANGE;
+ if (!buffer || !buflen) {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
/* if there are leftovers return the next one */
if (sss_nss_getpwent_data.data != NULL &&
diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c
index 64e0b43e1643e4e76d2381a6b062335c3d513a21..161dad9ae27f822b40af8368e5af38b020d6549a 100644
--- a/src/sss_client/nss_services.c
+++ b/src/sss_client/nss_services.c
@@ -177,7 +177,10 @@ _nss_sss_getservbyname_r(const char *name,
int ret;
/* Caught once glibc passing in buffer == 0x0 */
- if (!buffer || !buflen) return ERANGE;
+ if (!buffer || !buflen) {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
ret = sss_strnlen(name, SSS_NAME_MAX, &name_len);
if (ret != 0) {
@@ -278,7 +281,10 @@ _nss_sss_getservbyport_r(int port, const char *protocol,
int ret;
/* Caught once glibc passing in buffer == 0x0 */
- if (!buffer || !buflen) return ERANGE;
+ if (!buffer || !buflen) {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
if (protocol) {
ret = sss_strnlen(protocol, SSS_NAME_MAX, &proto_len);
@@ -411,7 +417,10 @@ static enum nss_status internal_getservent_r(struct servent *result,
int ret;
/* Caught once glibc passing in buffer == 0x0 */
- if (!buffer || !buflen) return ERANGE;
+ if (!buffer || !buflen) {
+ *errnop = ERANGE;
+ return NSS_STATUS_TRYAGAIN;
+ }
/* if there are leftovers return the next one */
if (sss_nss_getservent_data.data != NULL &&
--
2.15.1
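The commit message of patch 75 describes the contract glibc imposes on NSS plugins: an out-of-space condition is reported by writing ERANGE to `*errnop` and returning NSS_STATUS_TRYAGAIN, never by returning the errno value itself. The following is an added example, not code from SSSD or from the patch, showing both sides of that contract: a reduced `getpwuid_r`-style plugin function that treats a NULL or zero-length buffer the way the patched sss_client code does, and the retry loop a caller such as glibc runs when it gets TRYAGAIN with ERANGE. The record type, the sample table and the function names (demo_getpwuid_r, demo_lookup_with_retry) are assumptions made for the example; the enum values mirror glibc's <nss.h>.

```c
/* Added example, not SSSD code: the NSS plugin error contract patch 75
 * restores. glibc reads a plugin's return value as enum nss_status, so the
 * old `return ERANGE;` handed back 34, which is not a member of that enum.
 * Correct: store ERANGE in *errnop and return NSS_STATUS_TRYAGAIN. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirror of glibc's enum nss_status (values as in <nss.h>), so the example
 * builds without the NSS development headers. */
enum nss_status {
    NSS_STATUS_TRYAGAIN = -2,
    NSS_STATUS_UNAVAIL  = -1,
    NSS_STATUS_NOTFOUND =  0,
    NSS_STATUS_SUCCESS  =  1
};

/* Reduced passwd record; name and uid are enough to show the protocol. */
struct demo_passwd { char *pw_name; unsigned int pw_uid; };

/* Constructed sample data standing in for the answer from sssd_nss. */
static const struct { unsigned int uid; const char *name; } demo_db[] = {
    { 1000, "alice" }, { 1001, "bob" }
};

/* Plugin side: the shape _nss_sss_getpwuid_r has after the fix. */
static enum nss_status
demo_getpwuid_r(unsigned int uid, struct demo_passwd *result,
                char *buffer, size_t buflen, int *errnop)
{
    size_t i, need;

    /* The inputs glibc's nss/bug17079 feeds in: NULL or zero-length buffer.
     * Report ERANGE through errnop; never return the errno value itself. */
    if (buffer == NULL || buflen == 0) {
        *errnop = ERANGE;
        return NSS_STATUS_TRYAGAIN;
    }

    for (i = 0; i < sizeof(demo_db) / sizeof(demo_db[0]); i++) {
        if (demo_db[i].uid != uid) continue;
        need = strlen(demo_db[i].name) + 1;
        if (need > buflen) {            /* same contract when too small */
            *errnop = ERANGE;
            return NSS_STATUS_TRYAGAIN;
        }
        memcpy(buffer, demo_db[i].name, need);
        result->pw_name = buffer;
        result->pw_uid = uid;
        return NSS_STATUS_SUCCESS;
    }
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}

/* Caller side: what glibc's getpwuid_r wrapper does with TRYAGAIN + ERANGE,
 * grow the buffer and retry. On success *out_name is heap memory the caller
 * frees; otherwise it is NULL. */
static enum nss_status
demo_lookup_with_retry(unsigned int uid, size_t start_len, char **out_name)
{
    size_t buflen = start_len;
    char *buffer = NULL, *nb;
    struct demo_passwd pw;
    enum nss_status st;
    int err = 0;

    for (;;) {
        nb = realloc(buffer, buflen ? buflen : 1);
        if (nb == NULL) {
            free(buffer);
            *out_name = NULL;
            return NSS_STATUS_UNAVAIL;
        }
        buffer = nb;
        st = demo_getpwuid_r(uid, &pw, buffer, buflen, &err);
        if (st != NSS_STATUS_TRYAGAIN || err != ERANGE) break;
        buflen = buflen ? buflen * 2 : 16;   /* grow and try again */
    }

    if (st == NSS_STATUS_SUCCESS) {
        *out_name = buffer;                  /* pw.pw_name points into it */
    } else {
        free(buffer);
        *out_name = NULL;
    }
    return st;
}

int main(void)
{
    char *name = NULL;
    enum nss_status st = demo_lookup_with_retry(1000, 0, &name);
    printf("uid 1000: status %d, name %s\n", st, name ? name : "(none)");
    free(name);
    return st == NSS_STATUS_SUCCESS ? 0 : 1;
}
```

The retry loop is the reason the distinction matters: a caller keyed on enum nss_status never sees the bare 34, so with the old behaviour the lookup neither succeeded nor triggered the buffer growth, which is exactly what the glibc test caught.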

@ -0,0 +1,110 @@
From 5af7dcbba7a54c9a017a7d317f74453254125eb7 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 29 Nov 2017 17:57:56 +0100
Subject: [PATCH 76/79] confdb: Move detection files to separate function
---
src/confdb/confdb.c | 73 ++++++++++++++++++++++++++++++-----------------------
1 file changed, 41 insertions(+), 32 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index a028224817f12ace2a0c4165d7b9cb0bb80ce5a1..c41bd5087592ba15d8956e0279aaf72ba86936ed 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1718,52 +1718,61 @@ done:
return ret;
}
-static int confdb_has_files_domain(struct confdb_ctx *cdb)
+static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx,
+ struct ldb_result *doms)
{
- TALLOC_CTX *tmp_ctx = NULL;
- struct ldb_dn *dn = NULL;
- struct ldb_result *res = NULL;
- static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
const char *id_provider = NULL;
- int ret;
unsigned int i;
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- return ENOMEM;
- }
-
- dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
- if (dn == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
- attrs, NULL);
- if (ret != LDB_SUCCESS) {
- ret = EIO;
- goto done;
- }
-
- for (i = 0; i < res->count; i++) {
- id_provider = ldb_msg_find_attr_as_string(res->msgs[i],
+ for (i = 0; i < doms->count; i++) {
+ id_provider = ldb_msg_find_attr_as_string(doms->msgs[i],
CONFDB_DOMAIN_ID_PROVIDER,
NULL);
if (id_provider == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_OP_FAILURE,
"The object [%s] doesn't have a id_provider\n",
- ldb_dn_get_linearized(res->msgs[i]->dn));
- ret = EINVAL;
- goto done;
+ ldb_dn_get_linearized(doms->msgs[i]->dn));
+ continue;
}
if (strcasecmp(id_provider, "files") == 0) {
- break;
+ return false;
}
}
- ret = i < res->count ? EOK : ENOENT;
+ return true;
+}
+
+static int confdb_has_files_domain(struct confdb_ctx *cdb)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_dn *dn = NULL;
+ struct ldb_result *res = NULL;
+ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
+ int ret;
+ bool need_files_dom;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ need_files_dom = need_implicit_files_domain(tmp_ctx, res);
+
+ ret = need_files_dom ? ENOENT : EOK;
done:
talloc_free(tmp_ctx);
return ret;
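Review bot: two behaviour changes hide in what the subject calls a move. A domain entry without id_provider used to abort the check with SSSDBG_CRIT_FAILURE and EINVAL; it is now logged at SSSDBG_OP_FAILURE and skipped, so a misconfigured domain no longer stops this detection. Please say so in the commit message or split it into its own patch. Also, `tmp_ctx` is accepted by need_implicit_files_domain but unused in this patch; if it only exists for the follow-up change, add it there instead.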
--
2.15.1

@ -0,0 +1,96 @@
From 57720f0d0945262a13d9ab7d1ec8220837ab618f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 29 Nov 2017 20:02:35 +0100
Subject: [PATCH 77/79] confdb: Fix starting of implicit files domain
We did not start the implicit_files domain when the sssd configuration
contained a files domain which was disabled.
---
src/confdb/confdb.c | 36 +++++++++++++++++++++++++++++++++--
src/tests/intg/test_files_provider.py | 3 +++
2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index c41bd5087592ba15d8956e0279aaf72ba86936ed..ef1be4a6e6daee2644d535e561fac7735eb6a0b2 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1719,12 +1719,43 @@ done:
}
static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx,
+ struct confdb_ctx *cdb,
struct ldb_result *doms)
{
const char *id_provider = NULL;
unsigned int i;
+ errno_t ret;
+ char **domlist;
+ const char *val;
+
+ ret = confdb_get_string_as_list(cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ &domlist);
+ if (ret == ENOENT) {
+ return true;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot get active domains %d[%s]\n",
+ ret, sss_strerror(ret));
+ return false;
+ }
for (i = 0; i < doms->count; i++) {
+ val = ldb_msg_find_attr_as_string(doms->msgs[i], CONFDB_DOMAIN_ATTR,
+ NULL);
+ if (val == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "The object [%s] doesn't have a name\n",
+ ldb_dn_get_linearized(doms->msgs[i]->dn));
+ continue;
+ }
+
+ /* skip disabled domain */
+ if (!string_in_list(val, domlist, false)) {
+ continue;
+ }
+
id_provider = ldb_msg_find_attr_as_string(doms->msgs[i],
CONFDB_DOMAIN_ID_PROVIDER,
NULL);
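Review bot: if confdb_get_string_as_list fails with anything other than ENOENT, the function now returns false, i.e. it silently suppresses the implicit files domain, while every other problem in this function is handled as "skip this entry". Returning true (the previous behaviour) or propagating the error would be safer than hiding it behind one CRIT log line. Separately, the third argument `false` to string_in_list selects a case-insensitive match; please confirm that agrees with how the monitor matches names from `domains =`, otherwise a domain listed with different case is treated as enabled here and disabled there.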
@@ -1748,7 +1779,8 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb)
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_dn *dn = NULL;
struct ldb_result *res = NULL;
- static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
+ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER,
+ CONFDB_DOMAIN_ATTR, NULL };
int ret;
bool need_files_dom;
@@ -1770,7 +1802,7 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb)
goto done;
}
- need_files_dom = need_implicit_files_domain(tmp_ctx, res);
+ need_files_dom = need_implicit_files_domain(tmp_ctx, cdb, res);
ret = need_files_dom ? ENOENT : EOK;
done:
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index e507ea10d78b9b35ee57178e78f4621372d0c2e5..169da713767b6495e117d805b29d8d6346237ebc 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -167,6 +167,9 @@ def no_files_domain(request):
[domain/local]
id_provider = local
+
+ [domain/disabled.files]
+ id_provider = files
""").format(**locals())
create_conf_fixture(request, conf)
create_sssd_fixture(request)
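Review bot: the fixture relies on the `domains =` line (outside this hunk) not listing `disabled.files`, and nothing in the test body changes, so the regression is only covered indirectly through test_no_files_domain continuing to pass. A one-line comment on the new section saying it must stay out of `domains` would make the intent obvious to whoever next edits the fixture.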
--
2.15.1

@ -0,0 +1,59 @@
From 8cf5e390b38f0be4f88b0ebbbd1b14f52d35cd02 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 30 Nov 2017 07:59:33 +0100
Subject: [PATCH 78/79] confdb: Do not start implicit_files with proxy domain
id_provider = proxy + proxy_lib_name = files is equivalent
to id_provider = files. But requests for a user hit the implicit_files
domain instead of the proxy domain, and therefore it broke usage
of the proxy domain with auth_provider = krb5.
Resolves:
https://pagure.io/SSSD/sssd/issue/3590
---
src/confdb/confdb.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index ef1be4a6e6daee2644d535e561fac7735eb6a0b2..0a4be57e08791f8a9eb5fc143a56352cd4ef4b5e 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1769,6 +1769,25 @@ static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx,
if (strcasecmp(id_provider, "files") == 0) {
return false;
}
+
+ if (strcasecmp(id_provider, "proxy") == 0) {
+ val = ldb_msg_find_attr_as_string(doms->msgs[i],
+ CONFDB_PROXY_LIBNAME, NULL);
+ if (val == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "The object [%s] doesn't have proxy_lib_name with "
+ "id_provider proxy\n",
+ ldb_dn_get_linearized(doms->msgs[i]->dn));
+ continue;
+ }
+
+ /* id_provider = proxy + proxy_lib_name = files is equivalent
+ * to id_provider = files
+ */
+ if (strcmp(val, "files") == 0) {
+ return false;
+ }
+ }
}
return true;
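Review bot: `strcmp(val, "files")` is case-sensitive while the id_provider comparison just above uses strcasecmp; use strcasecmp for proxy_lib_name as well, otherwise a domain with `proxy_lib_name = Files` still gets a second, implicit files domain and the bug this patch fixes comes back under a different spelling. The "doesn't have proxy_lib_name" branch logging at OP_FAILURE and continuing is fine, but the message could say that the domain is being ignored by this check.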
@@ -1780,7 +1799,8 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb)
struct ldb_dn *dn = NULL;
struct ldb_result *res = NULL;
static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER,
- CONFDB_DOMAIN_ATTR, NULL };
+ CONFDB_DOMAIN_ATTR,
+ CONFDB_PROXY_LIBNAME, NULL };
int ret;
bool need_files_dom;
--
2.15.1

@ -0,0 +1,73 @@
From f9518dce861a1fe9a3a5c5c63ac45f67fdbc5e68 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 30 Nov 2017 10:21:17 +0100
Subject: [PATCH 79/79] test_files_provider: Regression test for implicit_files
+ proxy
Related to:
https://pagure.io/SSSD/sssd/issue/3590
---
src/tests/intg/test_files_provider.py | 40 +++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 169da713767b6495e117d805b29d8d6346237ebc..ea4e5b70a3626cb43217b59488cf186e3325ae8d 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -145,6 +145,26 @@ def files_domain_only(request):
return None
+@pytest.fixture
+def proxy_to_files_domain_only(request):
+ conf = unindent("""\
+ [sssd]
+ domains = proxy, local
+ services = nss
+
+ [domain/local]
+ id_provider = local
+
+ [domain/proxy]
+ id_provider = proxy
+ proxy_lib_name = files
+ auth_provider = none
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
@pytest.fixture
def no_sssd_domain(request):
conf = unindent("""\
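Review bot: `.format(**locals())` is applied to a template with no placeholders; harmless, but it is copied from the neighbouring fixtures. More important, `auth_provider = none` means the krb5 case from the issue is not exercised, which is acceptable for a test of domain startup but should be stated in the test docstring so nobody takes this as coverage of the auth path.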
@@ -980,6 +1000,26 @@ def test_no_sssd_domain(add_user_with_canary, no_sssd_domain):
assert user == USER1
+def test_proxy_to_files_domain_only(add_user_with_canary,
+ proxy_to_files_domain_only):
+ """
+ Test that implicit_files domain is not started together with proxy to files
+ """
+ local_user1 = dict(name='user1', passwd='*', uid=10009, gid=10009,
+ gecos='user1', dir='/home/user1', shell='/bin/bash')
+
+ # Add a user with a different UID than the one in files
+ subprocess.check_call(
+ ["sss_useradd", "-u", "10009", "-M", USER1["name"]])
+
+ res, user = call_sssd_getpwnam(USER1["name"])
+ assert res == NssReturnCode.SUCCESS
+ assert user == local_user1
+
+ res, _ = call_sssd_getpwnam("{0}@implicit_files".format(USER1["name"]))
+ assert res == NssReturnCode.NOTFOUND
+
+
def test_no_files_domain(add_user_with_canary, no_files_domain):
"""
Test that if no files domain is configured, sssd will add the implicit one
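Review bot: the assertion `user == local_user1` only proves that implicit_files did not answer if the proxy domain, listed first in `domains = proxy, local`, does not find USER1 at all; the comment "Add a user with a different UID than the one in files" implies USER1 exists in the files data with another UID, so a proxy that saw that data would win the lookup and fail this test for the wrong reason. Please add a comment explaining why the proxy lookup misses here. The second lookup of `user1@implicit_files` expecting NOTFOUND is the direct check and is good.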
--
2.15.1

@ -1,4 +1,4 @@
From 5381ad1bd7693a6681f00bef093241f13e3a2c4f Mon Sep 17 00:00:00 2001
From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@fedoraproject.org>
Date: Mon, 12 Dec 2016 21:56:16 +0100
Subject: [PATCH] SYSTEMD: Use capabilities
@ -9,17 +9,17 @@ copied from selinux policy
1 file changed, 1 insertion(+)
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 05cfd3705084dbff8b46fb07e736612612c58b70..e7bbbdb5093f52e4b71e3c85a9082192013385e8 100644
index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -9,6 +9,7 @@ EnvironmentFile=-@environment_file@
ExecStart=@sbindir@/sssd -i -f
@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
PIDFile=@localstatedir@/run/sssd.pid
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
[Install]
WantedBy=multi-user.target
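Review bot: the rebase only updates context (ExecStart now carries ${DEBUG_LOGGER} from patch 0019), so the patch must be applied after 0019; it is, as Patch0502. Separately, the bounding set still includes CAP_SYS_ADMIN, which by itself covers most of what the list is meant to restrict; if this hardening is going to be carried downstream long term, it is worth recording in the patch description why sssd needs that capability.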
--
2.11.0
2.15.1

@ -32,7 +32,7 @@
Name: sssd
Version: 1.16.0
Release: 3%{?dist}
Release: 4%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -41,9 +41,55 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-KCM-Fix-restart-during-after-upgrade.patch
Patch0012: 0012-TESTS-Order-list-of-entries-in-some-lists.patch
Patch0013: 0013-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch
Patch0001: 0001-KCM-Fix-typo-in-comments.patch
Patch0002: 0002-Fix-minor-spelling-mistakes.patch
Patch0003: 0003-CONFIG-Add-a-new-option-auto_private_groups.patch
Patch0004: 0004-CONFDB-Remove-the-obsolete-option-magic_private_grou.patch
Patch0005: 0005-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch
Patch0006: 0006-LDAP-Turn-group-request-into-user-request-for-MPG-do.patch
Patch0007: 0007-SYSDB-Prevent-users-and-groups-ID-collision-in-MPG-d.patch
Patch0008: 0008-TESTS-Add-integration-tests-for-the-auto_private_gro.patch
Patch0009: 0009-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch
Patch0010: 0010-sudo-document-background-activity.patch
Patch0011: 0011-MAN-GPO-Security-Filtering-limitation.patch
Patch0012: 0012-CI-Ignore-source-file-generated-by-systemtap.patch
Patch0013: 0013-sudo-always-use-srv_opts-from-id-context.patch
Patch0014: 0014-AD-Remember-last-site-discovered.patch
Patch0015: 0015-sysdb-add-functions-to-get-set-client-site.patch
Patch0016: 0016-AD-Remember-last-site-discovered-in-sysdb.patch
Patch0017: 0017-UTIL-Add-wrapper-function-to-configure-logger.patch
Patch0018: 0018-Add-parameter-logger-to-daemons.patch
Patch0019: 0019-SYSTEMD-Replace-parameter-debug-to-files-with-DEBUG_.patch
Patch0020: 0020-SYSTEMD-Add-environment-file-to-responder-service-fi.patch
Patch0021: 0021-UTIL-Hide-and-deprecate-parameter-debug-to-files.patch
Patch0023: 0023-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch
Patch0024: 0024-KCM-Fix-restart-during-after-upgrade.patch
Patch0035: 0035-RESP-Add-some-missing-NULL-checks.patch
Patch0036: 0036-BUILD-Properly-expand-variables-in-sssd-ifp.service.patch
Patch0037: 0037-SYSTEMD-Clean-pid-file-in-corner-cases.patch
Patch0038: 0038-CHILD-Pass-information-about-logger-to-children.patch
Patch0039: 0039-TOOLS-Double-quote-array-expansions-in-sss_debugleve.patch
Patch0040: 0040-TOOLS-Call-exec-for-sss_debuglevel.patch
Patch0041: 0041-LDAP-Improve-error-treatment-from-sdap_cli_connect-i.patch
Patch0053: 0053-NSS-Use-enum_ctx-as-memory_context-in-_setnetgrent_s.patch
Patch0054: 0054-cache_req-Correction-of-cache_req-debug-string-ID-fo.patch
Patch0055: 0055-TESTS-Order-list-of-entries-in-some-lists.patch
Patch0063: 0063-WATCHDOG-Restart-providers-with-SIGUSR2-after-time-d.patch
Patch0064: 0064-mmap_cache-make-checks-independent-of-input-size.patch
Patch0066: 0066-krb5-show-error-message-for-krb5_init_context-failur.patch
Patch0067: 0067-responder-Fix-talloc-hierarchy-in-sized_output_name.patch
Patch0068: 0068-test_responder-Check-memory-leak-in-sized_output_nam.patch
Patch0069: 0069-UTIL-add-find_domain_by_object_name_ex.patch
Patch0070: 0070-ipa-handle-users-from-different-domains-in-ipa_resol.patch
Patch0071: 0071-overrides-fixes-for-sysdb_invalidate_overrides.patch
Patch0072: 0072-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch
Patch0073: 0073-IPA-use-cache-searches-in-get_groups_dns.patch
Patch0074: 0074-ipa-compare-DNs-instead-of-group-names-in-ipa_s2n_sa.patch
Patch0075: 0075-nss-Fix-invalid-enum-nss_status-return-values.patch
Patch0076: 0076-confdb-Move-detection-files-to-separate-function.patch
Patch0077: 0077-confdb-Fix-starting-of-implicit-files-domain.patch
Patch0078: 0078-confdb-Do-not-start-implicit_files-with-proxy-domain.patch
Patch0079: 0079-test_files_provider-Regression-test-for-implicit_fil.patch
Patch0500: 0500-Revert-libwbclient-sssd-update-interface-to-version-.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
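Review bot: the Patch list skips 0022, 0025 to 0034, 0042 to 0052, 0056 to 0062 and 0065 without explanation, so a reader cannot tell whether the gaps are upstream commits deliberately left out or patch files that were forgotten; a short comment per gap, or renumbering the series, would make the backport auditable. Also, 0001-KCM-Fix-restart-during-after-upgrade.patch is now Patch0024 under a new file name; please confirm the renamed file is still applied in %prep.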
@ -841,8 +887,6 @@ done
%attr(700,root,root) %dir %{_sysconfdir}/sssd
%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/sssd.service.d
%config(noreplace) %{_sysconfdir}/systemd/system/sssd.service.d/journal.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%dir %{_sysconfdir}/rwtab.d
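Review bot: dropping `%dir %{_sysconfdir}/systemd/system/sssd.service.d` and `journal.conf` from %files is the fix for rhbz#1431153, but the corresponding change that stops installing the snippet (in %install or one of the new patches) is not in this diff; without it rpmbuild fails with an unpackaged-file error, and if the snippet now lands under a different directory that path needs its own %files entry.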
@ -1241,6 +1285,28 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Mon Dec 04 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-4
- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in
setnetgrent_result_timeout
- Resolves: upstream#3562 - Use-after free if more sudo requests run and one
of them fails, causing a fail-over to a next server
- Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
or machine swaps
- Resolves: failure in glibc tests
https://sourceware.org/bugzilla/show_bug.cgi?id=22530
- Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
auth_provider ldap, login fails if the LDAP server
is not allowing anonymous binds
- Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
corrected with AD
- Resolves: upstream#3586 - Give a more detailed debug and system-log message
if krb5_init_context() failed
- Resolves: rhbz#1479283 - proxy to files does not work with
implicit_files_domain
- Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
in /etc/systemd/system
* Tue Nov 21 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-3
- Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next