From 4c9df62bbdcf66635b9cfc3e0d496510ad7831f6 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik
Date: Mon, 4 Dec 2017 21:33:29 +0100
Subject: [PATCH] Backport most important bug fixes
Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout
Resolves: upstream#3562 - Use-after free if more sudo requests run and one of them fails, causing a fail-over to a next server
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps
Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed
Resolves: rhbz#1479283 - proxy to files does not work with implicit_files_domain
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system
(cherry picked from commit 6f4bba55463dba0d38804d2c34c4da4da50e0478)
---
0001-KCM-Fix-typo-in-comments.patch | 38 +
0002-Fix-minor-spelling-mistakes.patch | 556 ++++++++++++
...Add-a-new-option-auto_private_groups.patch | 158 ++++
...e-obsolete-option-magic_private_grou.patch | 32 +
...low-the-mpg-flag-for-the-main-domain.patch | 166 ++++
...request-into-user-request-for-MPG-do.patch | 221 +++++
...ers-and-groups-ID-collision-in-MPG-d.patch | 96 ++
...ation-tests-for-the-auto_private_gro.patch | 345 ++++++++
...-the-cr_domain-list-for-each-request.patch | 6 +-
0010-sudo-document-background-activity.patch | 41 +
...AN-GPO-Security-Filtering-limitation.patch | 40 +
...e-source-file-generated-by-systemtap.patch | 55 ++
...-always-use-srv_opts-from-id-context.patch | 63 ++
0014-AD-Remember-last-site-discovered.patch | 108 +++
...add-functions-to-get-set-client-site.patch | 205 +++++
...member-last-site-discovered-in-sysdb.patch | 160 ++++
...wrapper-function-to-configure-logger.patch | 132 +++
0018-Add-parameter-logger-to-daemons.patch | 829 ++++++++++++++++++
...parameter-debug-to-files-with-DEBUG_.patch | 258 ++++++
...ronment-file-to-responder-service-fi.patch | 106 +++
...d-deprecate-parameter-debug-to-files.patch | 46 +
...-to-the-LDAP-server-also-in-the-auth.patch | 212 +++++
...KCM-Fix-restart-during-after-upgrade.patch | 6 +-
0035-RESP-Add-some-missing-NULL-checks.patch | 79 ++
...expand-variables-in-sssd-ifp.service.patch | 50 ++
...STEMD-Clean-pid-file-in-corner-cases.patch | 38 +
...information-about-logger-to-children.patch | 197 +++++
...te-array-expansions-in-sss_debugleve.patch | 33 +
0040-TOOLS-Call-exec-for-sss_debuglevel.patch | 31 +
...or-treatment-from-sdap_cli_connect-i.patch | 57 ++
...-as-memory_context-in-_setnetgrent_s.patch | 38 +
...tion-of-cache_req-debug-string-ID-fo.patch | 67 ++
...-Order-list-of-entries-in-some-lists.patch | 6 +-
...-providers-with-SIGUSR2-after-time-d.patch | 42 +
...ake-checks-independent-of-input-size.patch | 168 ++++
...message-for-krb5_init_context-failur.patch | 187 ++++
...alloc-hierarchy-in-sized_output_name.patch | 58 ++
...heck-memory-leak-in-sized_output_nam.patch | 57 ++
...IL-add-find_domain_by_object_name_ex.patch | 81 ++
...-from-different-domains-in-ipa_resol.patch | 75 ++
...fixes-for-sysdb_invalidate_overrides.patch | 202 +++++
...SDB_OVERRIDE_DN-in-process_members-a.patch | 253 ++++++
...use-cache-searches-in-get_groups_dns.patch | 69 ++
...instead-of-group-names-in-ipa_s2n_sa.patch | 85 ++
...nvalid-enum-nss_status-return-values.patch | 150 ++++
...detection-files-to-separate-function.patch | 110 +++
...ix-starting-of-implicit-files-domain.patch | 96 ++
...art-implicit_files-with-proxy-domain.patch | 59 ++
...der-Regression-test-for-implicit_fil.patch | 73 ++
0502-SYSTEMD-Use-capabilities.patch | 10 +-
sssd.spec | 78 +-
51 files changed, 6308 insertions(+), 20 deletions(-)
create mode 100644 0001-KCM-Fix-typo-in-comments.patch
create mode 100644 0002-Fix-minor-spelling-mistakes.patch
create mode 100644 0003-CONFIG-Add-a-new-option-auto_private_groups.patch
create mode 100644 0004-CONFDB-Remove-the-obsolete-option-magic_private_grou.patch
create mode 100644 0005-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch
create mode 100644 0006-LDAP-Turn-group-request-into-user-request-for-MPG-do.patch
create mode 100644 0007-SYSDB-Prevent-users-and-groups-ID-collision-in-MPG-d.patch
create mode 100644 0008-TESTS-Add-integration-tests-for-the-auto_private_gro.patch
rename 0013-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch => 0009-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch (97%)
create mode 100644 0010-sudo-document-background-activity.patch
create mode 100644 0011-MAN-GPO-Security-Filtering-limitation.patch
create mode 100644 0012-CI-Ignore-source-file-generated-by-systemtap.patch
create mode 100644 0013-sudo-always-use-srv_opts-from-id-context.patch
create mode 100644 0014-AD-Remember-last-site-discovered.patch
create mode 100644 0015-sysdb-add-functions-to-get-set-client-site.patch
create mode 100644 0016-AD-Remember-last-site-discovered-in-sysdb.patch
create mode 100644 0017-UTIL-Add-wrapper-function-to-configure-logger.patch
create mode 100644 0018-Add-parameter-logger-to-daemons.patch
create mode 100644 0019-SYSTEMD-Replace-parameter-debug-to-files-with-DEBUG_.patch
create mode 100644 0020-SYSTEMD-Add-environment-file-to-responder-service-fi.patch
create mode 100644 0021-UTIL-Hide-and-deprecate-parameter-debug-to-files.patch
create mode 100644 0023-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch
rename 0001-KCM-Fix-restart-during-after-upgrade.patch => 0024-KCM-Fix-restart-during-after-upgrade.patch (93%)
create mode 100644 0035-RESP-Add-some-missing-NULL-checks.patch
create mode 100644 0036-BUILD-Properly-expand-variables-in-sssd-ifp.service.patch
create mode 100644 0037-SYSTEMD-Clean-pid-file-in-corner-cases.patch
create mode 100644
0038-CHILD-Pass-information-about-logger-to-children.patch
create mode 100644 0039-TOOLS-Double-quote-array-expansions-in-sss_debugleve.patch
create mode 100644 0040-TOOLS-Call-exec-for-sss_debuglevel.patch
create mode 100644 0041-LDAP-Improve-error-treatment-from-sdap_cli_connect-i.patch
create mode 100644 0053-NSS-Use-enum_ctx-as-memory_context-in-_setnetgrent_s.patch
create mode 100644 0054-cache_req-Correction-of-cache_req-debug-string-ID-fo.patch
rename 0012-TESTS-Order-list-of-entries-in-some-lists.patch => 0055-TESTS-Order-list-of-entries-in-some-lists.patch (97%)
create mode 100644 0063-WATCHDOG-Restart-providers-with-SIGUSR2-after-time-d.patch
create mode 100644 0064-mmap_cache-make-checks-independent-of-input-size.patch
create mode 100644 0066-krb5-show-error-message-for-krb5_init_context-failur.patch
create mode 100644 0067-responder-Fix-talloc-hierarchy-in-sized_output_name.patch
create mode 100644 0068-test_responder-Check-memory-leak-in-sized_output_nam.patch
create mode 100644 0069-UTIL-add-find_domain_by_object_name_ex.patch
create mode 100644 0070-ipa-handle-users-from-different-domains-in-ipa_resol.patch
create mode 100644 0071-overrides-fixes-for-sysdb_invalidate_overrides.patch
create mode 100644 0072-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch
create mode 100644 0073-IPA-use-cache-searches-in-get_groups_dns.patch
create mode 100644 0074-ipa-compare-DNs-instead-of-group-names-in-ipa_s2n_sa.patch
create mode 100644 0075-nss-Fix-invalid-enum-nss_status-return-values.patch
create mode 100644 0076-confdb-Move-detection-files-to-separate-function.patch
create mode 100644 0077-confdb-Fix-starting-of-implicit-files-domain.patch
create mode 100644 0078-confdb-Do-not-start-implicit_files-with-proxy-domain.patch
create mode 100644 0079-test_files_provider-Regression-test-for-implicit_fil.patch
diff --git a/0001-KCM-Fix-typo-in-comments.patch b/0001-KCM-Fix-typo-in-comments.patch
new file mode 100644
index 0000000..d4cbd46
--- /dev/null
+++ b/0001-KCM-Fix-typo-in-comments.patch
@@ -0,0 +1,38 @@
+From fd7226ff51eb9af70d0fcb63727cd1a48ab0534b Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Mon, 23 Oct 2017 07:35:52 +0200
+Subject: [PATCH 01/79] KCM: Fix typo in comments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Fabiano Fidêncio
+---
+ src/responder/kcm/kcmsrv_ccache_json.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
+index 8199bc613e4204859438e1cd820f3f4b2123dd7e..f1cca9880d128d05ad1edfc5c3b2f709d1a67d48 100644
+--- a/src/responder/kcm/kcmsrv_ccache_json.c
++++ b/src/responder/kcm/kcmsrv_ccache_json.c
+@@ -265,7 +265,7 @@ static json_t *princ_data_to_json(TALLOC_CTX *mem_ctx,
+ * {
+ * "type": "number",
+ * "realm": "string",
+- * "componenents": [ "elem1", "elem2", ...]
++ * "components": [ "elem1", "elem2", ...]
+ * }
+ */
+ static json_t *princ_to_json(TALLOC_CTX *mem_ctx,
+@@ -400,7 +400,7 @@ static json_t *creds_to_json_array(struct kcm_cred *creds)
+ * principal : {
+ * "type": "number",
+ * "realm": "string",
+- * "componenents": [ "elem1", "elem2", ...]
++ * "components": [ "elem1", "elem2", ...]
+ * }
+ * creds : [
+ * {
+--
+2.15.1
+
diff --git a/0002-Fix-minor-spelling-mistakes.patch b/0002-Fix-minor-spelling-mistakes.patch
new file mode 100644
index 0000000..984c8ec
--- /dev/null
+++ b/0002-Fix-minor-spelling-mistakes.patch
@@ -0,0 +1,556 @@
+From aeb34cfcb9ded4cd7d272220a3d3802be89b7dd8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ren=C3=A9=20Genz?=
+Date: Sun, 22 Oct 2017 22:24:27 +0200
+Subject: [PATCH 02/79] Fix minor spelling mistakes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3556
+
+Reviewed-by: Lukáš Slebodník
+---
+ contrib/sssd.spec.in | 6 +++---
+ src/db/sysdb_private.h | 2 +-
+ src/db/sysdb_views.c | 4 ++--
+ src/examples/sssd-example.conf | 2 +-
+ src/lib/idmap/sss_idmap.doxy.in | 2 +-
+ src/man/sssd-secrets.5.xml | 2 +-
+ src/providers/ad/ad_gpo.c | 4 ++--
+ src/providers/be_dyndns.c | 2 +-
+ src/providers/data_provider/dp_request.c | 2 +-
+ src/providers/krb5/krb5_child.c | 2 +-
+ src/providers/ldap/sdap_async_sudo.c | 2 +-
+ src/responder/kcm/kcmsrv_ccache_json.c | 2 +-
+ src/responder/kcm/kcmsrv_op_queue.c | 4 ++--
+ src/sbus/sssd_dbus_connection.c | 4 ++--
+ src/shared/safealign.h | 4 ++--
+ src/sss_client/autofs/sss_autofs.c | 4 ++--
+ src/sss_client/idmap/sss_nss_idmap.doxy.in | 2 +-
+ src/sss_client/libwbclient/wbc_pwd_sssd.c | 2 +-
+ src/sss_client/sudo/sss_sudo.h | 10 +++++-----
+ src/tests/cmocka/common_mock_resp_dp.c | 2 +-
+ src/tests/cmocka/test_sbus_opath.c | 2 +-
+ src/tools/common/sss_process.c | 2 +-
+ src/tools/common/sss_process.h | 2 +-
+ src/tools/sssctl/sssctl.c | 4 ++--
+ src/tools/sssctl/sssctl_data.c | 2 +-
+ src/util/crypto/libcrypto/crypto_sha512crypt.c | 2 +-
+ src/util/crypto/nss/nss_sha512crypt.c | 2 +-
+ src/util/server.c | 6 +++---
+ src/util/sss_ini.h | 2 +-
+ src/util/tev_curl.c | 2 +-
+ src/util/util_lock.c | 2 +-
+ 31 files changed, 46 insertions(+), 46 deletions(-)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index e76b51833d5dfa3207d28add4af1016c00f25e1f..d6ab73e60863316cbf239d34242959fdfe8d4b1b 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -241,7 +241,7 @@ the system and a pluggable backend system
to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+
+-The sssd subpackage is a meta-package that contains the deamon as well as all
++The sssd subpackage is a meta-package that contains the daemon as well as all
+ the existing back ends.
+
+ %package common
+@@ -496,7 +496,7 @@ Requires(post): /sbin/ldconfig
+ Requires(postun): /sbin/ldconfig
+
+ %description -n libsss_idmap
+-Utility library to convert SIDs to Unix uids and gids
++Utility library to convert SIDs to UNIX UIDs and GIDs
+
+ %package -n libsss_idmap-devel
+ Summary: FreeIPA Idmap library
+@@ -505,7 +505,7 @@ License: LGPLv3+
+ Requires: libsss_idmap = %{version}-%{release}
+
+ %description -n libsss_idmap-devel
+-Utility library to SIDs to Unix uids and gids
++Utility library to SIDs to UNIX UIDs and GIDs
+
+ %package -n libipa_hbac
+ Summary: FreeIPA HBAC Evaluator library
+diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
+index dbd75615bc212e73c4338a76dceaa68a5889ed1d..7c3347fec99f60160804a6eed178baedafb81d33 100644
+--- a/src/db/sysdb_private.h
++++ b/src/db/sysdb_private.h
+@@ -185,7 +185,7 @@ int sysdb_delete_ulong(struct ldb_message *msg,
+
+ /* The utility function to create a subdomain sss_domain_info object is handy
+ * for unit tests, so it should be available in a header, but not a public util
+- * one, because the only interface for the deamon itself should be adding
++ * one, because the only interface for the daemon itself should be adding
+ * the sysdb domain object and calling sysdb_update_subdomains()
+ */
+ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
+diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
+index afc7852ecf402ef144beca9c1b94fbe3cc4bbb6a..f640c813acf4deafe98eb15708d3a94790502dcb 100644
+--- a/src/db/sysdb_views.c
++++ b/src/db/sysdb_views.c
+@@ -722,7 +722,7 @@ static errno_t safe_original_attributes(struct sss_domain_info *domain,
+ goto
done;
+ }
+
+- /* Safe orginal values in attributes prefixed by OriginalAD. */
++ /* Safe original values in attributes prefixed by OriginalAD. */
+ for (c = 0; allowed_attrs[c] != NULL; c++) {
+ el = ldb_msg_find_element(orig_obj->msgs[0], allowed_attrs[c]);
+ if (el != NULL) {
+@@ -753,7 +753,7 @@ static errno_t safe_original_attributes(struct sss_domain_info *domain,
+ el = ldb_msg_find_element(orig_obj->msgs[0], SYSDB_NAME_ALIAS);
+ if (el != NULL) {
+ for (c = 0; c < el->num_values; c++) {
+- /* To avoid issue with ldb_modify if e.g. the orginal and the
++ /* To avoid issue with ldb_modify if e.g. the original and the
+ * override name are the same, we use the *_safe version here. */
+ ret = sysdb_attrs_add_val_safe(attrs, SYSDB_NAME_ALIAS,
+ &el->values[c]);
+diff --git a/src/examples/sssd-example.conf b/src/examples/sssd-example.conf
+index 59df41673586d5c7d2602cc5290c40ec5bd64986..34b2b22c5f619f49bb9aa1edf04849df5e40c787 100644
+--- a/src/examples/sssd-example.conf
++++ b/src/examples/sssd-example.conf
+@@ -32,7 +32,7 @@ services = nss, pam
+ # An example Active Directory domain. Please note that this configuration
+ # works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
+ # compliant attribute names. To support UNIX clients with AD 2003 or older,
+-# you must install Microsoft Services For Unix and map LDAP attributes onto
++# you must install Microsoft Services For UNIX and map LDAP attributes onto
+ # msSFU30* attribute names.
+ ; [domain/AD]
+ ; id_provider = ldap
+diff --git a/src/lib/idmap/sss_idmap.doxy.in b/src/lib/idmap/sss_idmap.doxy.in
+index 991028f65c251e2bc0086487817271b527fa439b..833498b189a038a06414ff623179ef69d24affb7 100644
+--- a/src/lib/idmap/sss_idmap.doxy.in
++++ b/src/lib/idmap/sss_idmap.doxy.in
+@@ -719,7 +719,7 @@ RECURSIVE = NO
+ EXCLUDE =
+
+ # The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+-# directories that are symbolic links (a Unix file system feature) are excluded
++# directories that are symbolic links (a UNIX file system feature) are excluded
+ # from the input.
+
+ EXCLUDE_SYMLINKS = NO
+diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
+index 08ab371c64eb49e4f153bb2183c07681b1050bb0..a738fbfffa1bdb7038e70a4a49651eb6a9286b1c 100644
+--- a/src/man/sssd-secrets.5.xml
++++ b/src/man/sssd-secrets.5.xml
+@@ -46,7 +46,7 @@
+ project was born to deal with this problem in cloud like
+ environments, but we found the idea compelling even at a
+ single system level. As a security service, SSSD is ideal to
+- host this capability while offering the same API via a Unix
++ host this capability while offering the same API via a UNIX
+ Socket. This will make it possible to use local calls and have
+ them transparently routed to a local or a remote key management
+ store like IPA Vault for storage, escrow and recovery.
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index a5237f6fad7fc79fbcbafc8aac28cff15677009f..d9ea311417fc5d57850aa9a6c3736964844675bd 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -680,7 +680,7 @@ ad_gpo_ace_includes_client_sid(const char *user_sid,
+ * named "ApplyGroupPolicy" (AGP) is allowed, by comparing the specified
+ * user_sid and group_sids against the specified access control entry (ACE).
+ * This function returns ALLOWED, DENIED, or NEUTRAL depending on whether
+- * the ACE explictly allows, explicitly denies, or does neither.
++ * the ACE explicitly allows, explicitly denies, or does neither.
+ *
+ * Note that the 'M' abbreviation used in the evaluation algorithm stands for
+ * "access_mask", which represents the set of access rights associated with an
+@@ -3860,7 +3860,7 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
+ ret = sysdb_attrs_get_int32_t(result, AD_AT_FUNC_VERSION,
+ &gp_gpo->gpo_func_version);
+ if (ret == ENOENT) {
+- /* If this attrbute is missing we can skip the GPO. It will
++ /* If this attribute is missing we can skip the GPO. It will
+ * be filtered out according to MS-GPOL:
+ * https://msdn.microsoft.com/en-us/library/cc232538.aspx */
+ DEBUG(SSSDBG_TRACE_ALL, "GPO with GUID %s is missing attribute "
+diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
+index ee264156824d7c5ab27c919ae0c56bbd6c0bc54f..b968e67b3e3e6a4f2937dce502c2c9b4ad136a4b 100644
+--- a/src/providers/be_dyndns.c
++++ b/src/providers/be_dyndns.c
+@@ -706,7 +706,7 @@ nsupdate_get_addrs_done(struct tevent_req *subreq)
+ return;
+ }
+
+- /* The second address matched either immediatelly or after a retry.
++ /* The second address matched either immediately or after a retry.
+ * No need to retry again. */
+ ret = EOK;
+
+diff --git a/src/providers/data_provider/dp_request.c b/src/providers/data_provider/dp_request.c
+index a6bc020e0649760c46637d6f90569248792f7f04..295758a765bfdedd539d44f86a37efae0846763f 100644
+--- a/src/providers/data_provider/dp_request.c
++++ b/src/providers/data_provider/dp_request.c
+@@ -412,7 +412,7 @@ static void dp_terminate_request(struct dp_req *dp_req)
+ {
+ if (dp_req->handler_req == NULL) {
+ /* This may occur when the handler already finished but the caller
+- * of dp request did not yet recieved data/free dp_req. We just
++ * of dp request did not yet received data/free dp_req. We just
+ * return here.
*/ + return; + } +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index 888cc5d6f5c554901cc46d4315844d7bbbe582b8..b8ee497728b4b70fae89e528172e9d5bd42239c0 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -1612,7 +1612,7 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, + goto done; + } + +- /* Successfull authentication! Check if ccache contains the ++ /* Successful authentication! Check if ccache contains the + * right principal... + */ + kerr = sss_krb5_check_ccache_princ(kr->ctx, kr->ccname, kr->creds->client); +diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c +index 3c69837fda313b2645c3a8497252670312f600ea..f33d5b5fa86dc1806695482d627bd71a2b040d6e 100644 +--- a/src/providers/ldap/sdap_async_sudo.c ++++ b/src/providers/ldap/sdap_async_sudo.c +@@ -616,7 +616,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq) + } + in_transaction = false; + +- DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfuly stored in cache\n"); ++ DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfully stored in cache\n"); + + /* remember new usn */ + ret = sysdb_get_highest_usn(state, rules, rules_count, &usn); +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index f1cca9880d128d05ad1edfc5c3b2f709d1a67d48..33cb51621f26a11051e2fac4c5d7c959b30d9f00 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -210,7 +210,7 @@ bool sec_key_match_uuid(const char *sec_key, + /* + * Creates an array of principal elements that will be used later + * in the form of: +- * "componenets": [ "elem1", "elem2", ...] ++ * "components": [ "elem1", "elem2", ...] 
+ */
+ static json_t *princ_data_to_json(TALLOC_CTX *mem_ctx,
+ krb5_principal princ)
+diff --git a/src/responder/kcm/kcmsrv_op_queue.c b/src/responder/kcm/kcmsrv_op_queue.c
+index 55c8b65d94f70979fe56fcc4d8747547a9cc9d33..ee1aa47ab629022bb726c4d5deb1eb1456124df1 100644
+--- a/src/responder/kcm/kcmsrv_op_queue.c
++++ b/src/responder/kcm/kcmsrv_op_queue.c
+@@ -179,7 +179,7 @@ static struct kcm_ops_queue *kcm_op_queue_get(struct kcm_ops_queue_ctx *qctx,
+ case HASH_ERROR_KEY_NOT_FOUND:
+ /* No request for this UID yet. Enqueue this request in case
+ * another one comes in and return EOK to run the current request
+- * immediatelly
++ * immediately
+ */
+ DEBUG(SSSDBG_TRACE_LIBS, "No existing queue for this ID\n");
+
+@@ -220,7 +220,7 @@ static errno_t kcm_op_queue_add_req(struct kcm_ops_queue *kq,
+ * Enqueue a request.
+ *
+ * If the request queue /for the given ID/ is empty, that is, if this
+- * request is the first one in the queue, run the request immediatelly.
++ * request is the first one in the queue, run the request immediately.
+ *
+ * Otherwise just add it to the queue and wait until the previous request
+ * finishes and only at that point mark the current request as done, which
+diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
+index de134f2f21bfb9697fcc8a42622817bc50b54f2a..bdd4a247a670f1928573a1bd18dc8e585b997b7d 100644
+--- a/src/sbus/sssd_dbus_connection.c
++++ b/src/sbus/sssd_dbus_connection.c
+@@ -179,7 +179,7 @@ int sbus_init_connection(TALLOC_CTX *ctx,
+
+ conn->incoming_signals = sbus_incoming_signal_hash_init(conn);
+ if (conn->incoming_signals == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming singals "
++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming signals "
+ "hash table\n");
+ talloc_free(conn);
+ return EIO;
+@@ -327,7 +327,7 @@ static int connection_destructor(void *ctx)
+
+ /*
+ * sbus_get_connection
+- * Utility function to retreive the DBusConnection object
++ * Utility function to retrieve the DBusConnection object
+ * from a sbus_connection
+ */
+ DBusConnection *sbus_get_connection(struct sbus_connection *conn)
+diff --git a/src/shared/safealign.h b/src/shared/safealign.h
+index 2316ed14245c4469171f9eb4a42e70fc6b3fd8a8..b00c37f5b98bd4bf7ff6cea8e1208d80c77f0228 100644
+--- a/src/shared/safealign.h
++++ b/src/shared/safealign.h
+@@ -98,8 +98,8 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
+ SAFEALIGN_SETMEM_VALUE(dest, value, uint16_t, pctr)
+
+ /* These macros are the same as their equivalents without _CHECK suffix,
+- * but additionally make the caller return EINVAL immediatelly if *pctr
+- * would excceed len.
++ * but additionally make the caller return EINVAL immediately if *pctr
++ * would exceed len.
*/ + #define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \ + if ((*(pctr) + sizeof(uint32_t)) > (len) || \ + SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) { return EINVAL; } \ +diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c +index 02f91ab2b3d29a189e949f6a8d645ea4ccd7f6e3..482ff2c400b10829ccb6d6a921c8c2e15c7fcdd2 100644 +--- a/src/sss_client/autofs/sss_autofs.c ++++ b/src/sss_client/autofs/sss_autofs.c +@@ -30,7 +30,7 @@ + #define MAX_AUTOMNTMAPNAME_LEN NAME_MAX + #define MAX_AUTOMNTKEYNAME_LEN PATH_MAX + +-/* How many entries shall _sss_getautomntent_r retreive at once */ ++/* How many entries shall _sss_getautomntent_r retrieve at once */ + #define GETAUTOMNTENT_MAX_ENTRIES 512 + + struct automtent { +@@ -287,7 +287,7 @@ _sss_getautomntent_r(char **key, char **value, void *context) + data_len = sizeof(uint32_t) + /* mapname len */ + name_len + 1 + /* mapname\0 */ + sizeof(uint32_t) + /* index into the map */ +- sizeof(uint32_t); /* num entries to retreive */ ++ sizeof(uint32_t); /* num entries to retrieve */ + + data = malloc(data_len); + if (!data) { +diff --git a/src/sss_client/idmap/sss_nss_idmap.doxy.in b/src/sss_client/idmap/sss_nss_idmap.doxy.in +index d75237622507d2a43ef382815544b8339054f474..f6c18ba1f0d368e989ce0d18a500b6523622b9c1 100644 +--- a/src/sss_client/idmap/sss_nss_idmap.doxy.in ++++ b/src/sss_client/idmap/sss_nss_idmap.doxy.in +@@ -616,7 +616,7 @@ RECURSIVE = NO + EXCLUDE = + + # The EXCLUDE_SYMLINKS tag can be used select whether or not files or +-# directories that are symbolic links (a Unix filesystem feature) are excluded ++# directories that are symbolic links (a UNIX filesystem feature) are excluded + # from the input. 
+
+ EXCLUDE_SYMLINKS = NO
+diff --git a/src/sss_client/libwbclient/wbc_pwd_sssd.c b/src/sss_client/libwbclient/wbc_pwd_sssd.c
+index 08c3b86372c86f228aeeb584068f82bd97cfe0fe..cacad9d3230c341ae478a4e4e41864ecdc4209b3 100644
+--- a/src/sss_client/libwbclient/wbc_pwd_sssd.c
++++ b/src/sss_client/libwbclient/wbc_pwd_sssd.c
+@@ -606,7 +606,7 @@ wbcErr wbcGetgrlist(struct group **grp)
+ WBC_SSSD_NOT_IMPLEMENTED;
+ }
+
+-/* Return the unix group array belonging to the given user */
++/* Return the Unix group array belonging to the given user */
+ wbcErr wbcGetGroups(const char *account,
+ uint32_t *num_groups,
+ gid_t **_groups)
+diff --git a/src/sss_client/sudo/sss_sudo.h b/src/sss_client/sudo/sss_sudo.h
+index 1a275cfafbb0476b163599854cbbc1f91101f360..1dcd569a59cde2eec88476aef2bc3ab35a089c86 100644
+--- a/src/sss_client/sudo/sss_sudo.h
++++ b/src/sss_client/sudo/sss_sudo.h
+@@ -87,11 +87,11 @@ struct sss_sudo_result {
+ };
+
+ /**
+- * @brief Send a request to SSSD to retreive all SUDO rules for a given
++ * @brief Send a request to SSSD to retrieve all SUDO rules for a given
+ * user.
+ *
+- * @param[in] uid The uid of the user to retreive the rules for.
+- * @param[in] username The username to retreive the rules for
++ * @param[in] uid The uid of the user to retrieve the rules for.
++ * @param[in] username The username to retrieve the rules for
+ * @param[in] domainname The domain name the user is a member of.
+ * @param[out] _error The result of the search in SSSD's domains. If the
+ * user was present in the domain, the _error code is
+@@ -122,9 +122,9 @@ int sss_sudo_send_recv(uid_t uid,
+ * @brief Send a request to SSSD to retrieve the default options, commonly
+ * stored in the "cn=defaults" record,
+ *
+- * @param[in] uid The uid of the user to retreive the rules for.
++ * @param[in] uid The uid of the user to retrieve the rules for.
+ *
+- * @param[in] username The username to retreive the rules for.
++ * @param[in] username The username to retrieve the rules for.
+ *
+ * @param[out] _error The result of the search in SSSD's domains. If the
+ * options were present in the domain, the _error code
+diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
+index 4b38a38e6f53499132f9fe14a0ec0af157cf85ca..ece887b12d472c3fb01477d213f4308a535f8fe7 100644
+--- a/src/tests/cmocka/common_mock_resp_dp.c
++++ b/src/tests/cmocka/common_mock_resp_dp.c
+@@ -24,7 +24,7 @@
+ #include "responder/common/responder.h"
+ #include "tests/cmocka/common_mock_resp.h"
+
+-/* Mock DP requests that finish immediatelly and return
++/* Mock DP requests that finish immediately and return
+ * mocked values as per previous set by mock_account_recv
+ */
+ struct tevent_req *
+diff --git a/src/tests/cmocka/test_sbus_opath.c b/src/tests/cmocka/test_sbus_opath.c
+index e38eaf1972b55f01d712584b67c731ac0031736d..b469fa8da90b6f54e15a590014be650e32221136 100644
+--- a/src/tests/cmocka/test_sbus_opath.c
++++ b/src/tests/cmocka/test_sbus_opath.c
+@@ -72,7 +72,7 @@ void test_sbus_opath_escape_unescape(void **state)
+
+ escaped = sbus_opath_escape_part(mem_ctx, "path_with_underscore");
+ assert_non_null(escaped);
+- /* underscore is 0x5F in ascii */
++ /* underscore is 0x5F in ASCII */
+ assert_string_equal(escaped, "path_5fwith_5funderscore");
+ raw = sbus_opath_unescape_part(mem_ctx, escaped);
+ talloc_free(escaped);
+diff --git a/src/tools/common/sss_process.c b/src/tools/common/sss_process.c
+index 574ccab24d0ff20784f6223e743bf9561ea2281e..fc710a553dbf6a27e23693be79bb333dcbcd3a3e 100644
+--- a/src/tools/common/sss_process.c
++++ b/src/tools/common/sss_process.c
+@@ -97,7 +97,7 @@ done:
+ return ret;
+ }
+
+-bool sss_deamon_running(void)
++bool sss_daemon_running(void)
+ {
+ return sss_signal(0) == EOK;
+ }
+diff --git a/src/tools/common/sss_process.h b/src/tools/common/sss_process.h
+index
43408afc7fab3caed3febd1a159dbfc6acbbb3f9..6bbb0947570a5fc9e77b479c7386db1cead05aaf 100644
+--- a/src/tools/common/sss_process.h
++++ b/src/tools/common/sss_process.h
+@@ -23,7 +23,7 @@
+
+ #include "util/util.h"
+
+-bool sss_deamon_running(void);
++bool sss_daemon_running(void);
+ errno_t sss_signal(int signum);
+
+ #endif /* _SSS_PROCESS_H_ */
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 1e061c00d2238bf34adff4183e560dc127dd62c7..d9bc897c1a32954bbdd2d4ae2b0a9fb6d2c34752 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -148,7 +148,7 @@ bool sssctl_start_sssd(bool force)
+ enum sssctl_prompt_result prompt;
+ errno_t ret;
+
+- if (sss_deamon_running()) {
++ if (sss_daemon_running()) {
+ return true;
+ }
+
+@@ -187,7 +187,7 @@ bool sssctl_stop_sssd(bool force)
+ enum sssctl_prompt_result prompt;
+ errno_t ret;
+
+- if (!sss_deamon_running()) {
++ if (!sss_daemon_running()) {
+ return true;
+ }
+
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 4b7f1dfff666743f9c47bc34515bbe63ee85eff1..b16fede1e2f3f743f65f8f86b0a5bdcfdca71f0b 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -270,7 +270,7 @@ errno_t sssctl_cache_upgrade(struct sss_cmdline *cmdline,
+ return ret;
+ }
+
+- if (sss_deamon_running()) {
++ if (sss_daemon_running()) {
+ return ERR_SSSD_RUNNING;
+ }
+
+diff --git a/src/util/crypto/libcrypto/crypto_sha512crypt.c b/src/util/crypto/libcrypto/crypto_sha512crypt.c
+index 1023566624f0e7b8fc08e30d4ea7ad031fbffff9..b074eee555fafac6e486bfdf9efb9ddf4964a990 100644
+--- a/src/util/crypto/libcrypto/crypto_sha512crypt.c
++++ b/src/util/crypto/libcrypto/crypto_sha512crypt.c
+@@ -7,7 +7,7 @@
+ * Sumit Bose
+ * George McCollister
+ */
+-/* SHA512-based Unix crypt implementation.
++/* SHA512-based UNIX crypt implementation.
+ Released into the Public Domain by Ulrich Drepper .
*/
+
+ #include "config.h"
+diff --git a/src/util/crypto/nss/nss_sha512crypt.c b/src/util/crypto/nss/nss_sha512crypt.c
+index 9fedd5ec6c62855d9cc0c9c2869d8c9be7fb5ade..2f1624e6396c40f539a4e2034ab545cad8f05434 100644
+--- a/src/util/crypto/nss/nss_sha512crypt.c
++++ b/src/util/crypto/nss/nss_sha512crypt.c
+@@ -5,7 +5,7 @@
+ *
+ * Sumit Bose
+ */
+-/* SHA512-based Unix crypt implementation.
++/* SHA512-based UNIX crypt implementation.
+ Released into the Public Domain by Ulrich Drepper . */
+
+ #include "config.h"
+diff --git a/src/util/server.c b/src/util/server.c
+index 0046c9737bc0d9aea7be59b4fed5e0f8930ff66e..4e65cc66c01ba020b13a88df8e017765ac97f76e 100644
+--- a/src/util/server.c
++++ b/src/util/server.c
+@@ -69,7 +69,7 @@ static void close_low_fds(void)
+ #endif
+ }
+
+-static void deamon_parent_sigterm(int sig)
++static void daemon_parent_sigterm(int sig)
+ {
+ _exit(0);
+ }
+@@ -88,10 +88,10 @@ void become_daemon(bool Fork)
+ pid = fork();
+ if (pid != 0) {
+ /* Terminate parent process on demand so we can hold systemd
+- * or initd from starting next service until sssd in initialized.
++ * or initd from starting next service until sssd is initialized.
+ * We use signals directly here because we don't have a tevent
+ * context yet.
*/
+- CatchSignal(SIGTERM, deamon_parent_sigterm);
++ CatchSignal(SIGTERM, daemon_parent_sigterm);
+
+ /* or exit when sssd monitor is terminated */
+ do {
+diff --git a/src/util/sss_ini.h b/src/util/sss_ini.h
+index 77fbddc3ab073d930eecd68dacb00dae52847744..0b173831d4fd7c283fa939a2f3bfda2a3bb97515 100644
+--- a/src/util/sss_ini.h
++++ b/src/util/sss_ini.h
+@@ -94,7 +94,7 @@ int sss_ini_call_validators_strs(TALLOC_CTX *mem_ctx,
+ struct ref_array *
+ sss_ini_get_ra_error_list(struct sss_ini_initdata *init_data);
+
+-/* Get pointer to list of successfuly merged snippet files */
++/* Get pointer to list of successfully merged snippet files */
+ struct ref_array *
+ sss_ini_get_ra_success_list(struct sss_ini_initdata *init_data);
+
+diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
+index 52c86adde65c173a874534a7001d7859789581cd..4c2f1ec9ff0127ccfd72010460ed75dad43e9ce3 100644
+--- a/src/util/tev_curl.c
++++ b/src/util/tev_curl.c
+@@ -67,7 +67,7 @@ struct tcurl_ctx {
+ struct tcurl_sock {
+ struct tcurl_ctx *tctx; /* Backchannel to the main context */
+
+- curl_socket_t sockfd; /* curl socket is an int typedef on Unix */
++ curl_socket_t sockfd; /* curl socket is an int typedef on UNIX */
+ struct tevent_fd *fde; /* tevent tracker of the fd events */
+ };
+
+diff --git a/src/util/util_lock.c b/src/util/util_lock.c
+index b8e41cc29fbdcf3b5b75bf1507a4d33f5ba07be0..58d3b1bdf60f411fb7116055a5de775355d1839e 100644
+--- a/src/util/util_lock.c
++++ b/src/util/util_lock.c
+@@ -74,7 +74,7 @@ errno_t sss_br_lock_file(int fd, size_t start, size_t len,
+ return ret;
+ }
+ } else if (ret == 0) {
+- /* File successfuly locked */
++ /* File successfully locked */
+ break;
+ }
+ }
+--
+2.15.1
+
diff --git a/0003-CONFIG-Add-a-new-option-auto_private_groups.patch b/0003-CONFIG-Add-a-new-option-auto_private_groups.patch
new file mode 100644
index 0000000..3a619c0
--- /dev/null
+++ b/0003-CONFIG-Add-a-new-option-auto_private_groups.patch
@@ -0,0 +1,158 @@ +From 04fc0d758ae1e5c4ab71ab3bf8b8f50b99a6c63a Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 3 Oct 2017 12:34:33 +0200 +Subject: [PATCH 03/79] CONFIG: Add a new option auto_private_groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The auto_private_groups option is used to configure the domain->mpg flag +which was already set automatically for subdomains, but for some time was +not settable by the admin via the configuration file. + +The new option name, instead of the old magic_private_groups, was chosen +purely because this name would hopefully be better understood by admins. + +The option doesn't do anything yet, it is just added to all the places a +new option should be added to. + +Related: + https://pagure.io/SSSD/sssd/issue/1872 + +Reviewed-by: Fabiano Fidêncio +Reviewed-by: Pavel Březina +--- + src/confdb/confdb.c | 8 ++++++++ + src/confdb/confdb.h | 1 + + src/config/SSSDConfig/__init__.py.in | 1 + + src/config/SSSDConfigTest.py | 6 ++++-- + src/config/cfg_rules.ini | 1 + + src/config/etc/sssd.api.conf | 1 + + src/man/sssd.conf.5.xml | 20 ++++++++++++++++++++ + 7 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index fefecc03d554f6eca12efe07990bfae17033bd02..a028224817f12ace2a0c4165d7b9cb0bb80ce5a1 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -936,6 +936,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, + goto done; + } + ++ ret = get_entry_as_bool(res->msgs[0], &domain->mpg, ++ CONFDB_DOMAIN_AUTO_UPG, 0); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Invalid value for %s\n", CONFDB_DOMAIN_AUTO_UPG); ++ goto done; ++ } ++ + if (strcasecmp(domain->provider, "local") == 0) { + /* If this is the local provider, we need to ensure that + * no other provider was specified for other types, since +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 
bcea99ae49a3fa5f0393ce6b2c215b5b2d4bc3fc..2539b906993edbceb38aac9265e04deed69cf2e4 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -198,6 +198,7 @@ + #define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8 + #define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords" + #define CONFDB_DOMAIN_MPG "magic_private_groups" ++#define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups" + #define CONFDB_DOMAIN_FQ "use_fully_qualified_names" + #define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout" + #define CONFDB_DOMAIN_ACCOUNT_CACHE_EXPIRATION "account_cache_expiration" +diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in +index d99b718e09283d113f73639e0f94e7f1cec55f68..d2bb709d69c8790558b5c06a7e405463b508c189 100644 +--- a/src/config/SSSDConfig/__init__.py.in ++++ b/src/config/SSSDConfig/__init__.py.in +@@ -195,6 +195,7 @@ option_strings = { + 'cached_auth_timeout' : _('How long can cached credentials be used for cached authentication'), + 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'), + 're_expression' : _('Regex to parse username and domain'), ++ 'auto_private_groups' : _('Whether to automatically create private groups for users'), + + # [provider/ipa] + 'ipa_domain' : _('IPA domain'), +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index 4a583bdd3124dc05a116d2e6bd48afb92aa0b54d..87d1f6e6410dfeafc77d578cf0b950dc71a1f0a2 100755 +--- a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -624,7 +624,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'subdomain_homedir', + 'full_name_format', + 're_expression', +- 'cached_auth_timeout'] ++ 'cached_auth_timeout', ++ 'auto_private_groups'] + + self.assertTrue(type(options) == dict, + "Options should be a dictionary") +@@ -994,7 +995,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'subdomain_homedir', + 'full_name_format', + 're_expression', +- 'cached_auth_timeout'] ++ 
'cached_auth_timeout', ++ 'auto_private_groups'] + + self.assertTrue(type(options) == dict, + "Options should be a dictionary") +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index e49e8d43f4aead14d833866110784fd62382cc2b..4e70bf7b6f0fa7421a0c35bd4279830265bf3470 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -382,6 +382,7 @@ option = cached_auth_timeout + option = wildcard_limit + option = full_name_format + option = re_expression ++option = auto_private_groups + + #Entry cache timeouts + option = entry_cache_user_timeout +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index 7f2b8977b7e67fcfc20df49056cda8ebe6da0be8..2be2e3e685ba3abd9a4a419f93332a89ff774262 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -185,6 +185,7 @@ subdomain_homedir = str, None, false + cached_auth_timeout = int, None, false + full_name_format = str, None, false + re_expression = str, None, false ++auto_private_groups = str, None, false + + #Entry cache timeouts + entry_cache_user_timeout = int, None, false +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index 7752e450835b5beba50ddc4c635ff985d38ca421..1e8d9537517c85c3021b9c2c4185ea272c5bfffa 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -2816,6 +2816,26 @@ subdomain_inherit = ldap_purge_cache_timeout + + + ++ ++ auto_private_groups (string) ++ ++ ++ If this option is enabled, SSSD will automatically ++ create user private groups based on user's ++ UID number. The GID number is ignored in this case. ++ ++ ++ NOTE: Because the GID number and the user private group ++ are inferred frm the UID number, it is not supported ++ to have multiple entries with the same UID or GID number ++ with this option. In other words, enabling this option ++ enforces uniqueness across the ID space. ++ ++ ++ Default: False ++ ++ ++ + + + +-- +2.15.1 + 
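Review bot: `auto_private_groups = str, None, false` declares the new option as a string for the config validator, while confdb.c in the same commit reads it with `get_entry_as_bool()` and the man page states `Default: False`; the validator will therefore accept values the daemon rejects at startup with "Invalid value for auto_private_groups". If `bool` is the type the api file uses for the other boolean domain options (not visible in this hunk), declare it as `auto_private_groups = bool, None, false` and change the man-page type from "(string)" to "(boolean)", or else document the accepted literals explicitly. The man-page text in this commit also reads "inferred frm the UID number" and should say "inferred from".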
diff --git a/0004-CONFDB-Remove-the-obsolete-option-magic_private_grou.patch b/0004-CONFDB-Remove-the-obsolete-option-magic_private_grou.patch new file mode 100644 index 0000000..8e7abe1 --- /dev/null +++ b/0004-CONFDB-Remove-the-obsolete-option-magic_private_grou.patch @@ -0,0 +1,32 @@ +From bd4e962128c7ea95fa0bdc5aa8f360ab11cda178 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 3 Oct 2017 12:36:02 +0200 +Subject: [PATCH 04/79] CONFDB: Remove the obsolete option magic_private_groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since this confdb definition was completely unused across the codebase, +this patch just removes the definition. + +Reviewed-by: Pavel Březina +Reviewed-by: Fabiano Fidêncio +--- + src/confdb/confdb.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 2539b906993edbceb38aac9265e04deed69cf2e4..1471949623e9dd7a8536e3ac3048a10227a5d857 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -197,7 +197,6 @@ + "cache_credentials_minimal_first_factor_length" + #define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8 + #define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords" +-#define CONFDB_DOMAIN_MPG "magic_private_groups" + #define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups" + #define CONFDB_DOMAIN_FQ "use_fully_qualified_names" + #define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout" +-- +2.15.1 + diff --git a/0005-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch b/0005-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch new file mode 100644 index 0000000..ed77921 --- /dev/null +++ b/0005-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch 
@@ -0,0 +1,166 @@ +From f7c559955ab380d097f8e98786ba710c7bff812c Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 3 Oct 2017 12:34:49 +0200 +Subject: [PATCH 05/79] SDAP: Allow the mpg flag for the main domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit allows saving the users in the MPG domain in the SDAP +layer. + +The commit contains the following changes: + - abstracts the change where if the primary GID exists in the original + object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute, + which will allow the original primary GID to be exposed as a + secondary group + + - if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM + is added. This will allow to handle LDAP objects that only contain + the UID but no GID. Since this is a new use-case, a test is added + later + + - a branch that handles the above is added to sdap_save_user() also + for joined domains that set the MPG flag. Previously, only + subdomains were handled. + + - to allow passing GID=0 to the sysdb layer, the range check is + relaxed. + +Related: + https://pagure.io/SSSD/sssd/issue/1872 + +Reviewed-by: Fabiano Fidêncio +Reviewed-by: Pavel Březina +--- + src/providers/ldap/sdap_async_users.c | 83 +++++++++++++++++++++++++++++++---- + 1 file changed, 75 insertions(+), 8 deletions(-) + +diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c +index 09d096e84cac6c9d52bcde0e1587c47dbd88b504..7338b4a15694b1d0a16723990130a23a7280af5f 100644 +--- a/src/providers/ldap/sdap_async_users.c ++++ b/src/providers/ldap/sdap_async_users.c +@@ -136,6 +136,38 @@ static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs, + return EOK; + } + ++static int sdap_user_set_mpg(struct sysdb_attrs *user_attrs, ++ gid_t *_gid) ++{ ++ errno_t ret; ++ ++ if (_gid == NULL) { ++ return EINVAL; ++ } ++ ++ if (*_gid == 0) { ++ /* The original entry had no GID number. 
This is OK, we just won't add ++ * the SYSDB_PRIMARY_GROUP_GIDNUM attribute ++ */ ++ return EOK; ++ } ++ ++ ret = sysdb_attrs_add_uint32(user_attrs, ++ SYSDB_PRIMARY_GROUP_GIDNUM, ++ (uint32_t) *_gid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n"); ++ return ret; ++ } ++ ++ /* We won't really store gidNumber=0, but the zero value tells ++ * the sysdb layer that no GID is set, which sysdb requires for ++ * MPG-enabled domains ++ */ ++ *_gid = 0; ++ return EOK; ++} ++ + /* FIXME: support storing additional attributes */ + int sdap_save_user(TALLOC_CTX *memctx, + struct sdap_options *opts, +@@ -357,7 +389,7 @@ int sdap_save_user(TALLOC_CTX *memctx, + goto done; + } + +- if (IS_SUBDOMAIN(dom)) { ++ if (IS_SUBDOMAIN(dom) || dom->mpg == true) { + /* For subdomain users, only create the private group as + * the subdomain is an MPG domain. + * But we have to save the GID of the original primary group +@@ -365,14 +397,13 @@ int sdap_save_user(TALLOC_CTX *memctx, + * typically (Unix and AD) the user is not listed in his primary + * group as a member. 
+ */ +- ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM, +- (uint32_t) gid); ++ ret = sdap_user_set_mpg(user_attrs, &gid); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n"); ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sdap_user_set_mpg failed [%d]: %s\n", ret, ++ sss_strerror(ret)); + goto done; + } +- +- gid = 0; + } + + /* Store the GID in the ldap_attrs so it doesn't get +@@ -380,6 +411,41 @@ int sdap_save_user(TALLOC_CTX *memctx, + */ + ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid); + if (ret != EOK) goto done; ++ } else if (dom->mpg) { ++ /* Likewise, if a domain is set to contain 'magic private groups', do ++ * not process the real GID, but save it in the cache as originalGID ++ * (if available) ++ */ ++ ret = sysdb_attrs_get_uint32_t(attrs, ++ opts->user_map[SDAP_AT_USER_GID].sys_name, ++ &gid); ++ if (ret == ENOENT) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ "Missing GID, won't save the %s attribute\n", ++ SYSDB_PRIMARY_GROUP_GIDNUM); ++ ++ /* Store the UID as GID (since we're in a MPG domain so that it doesn't ++ * get treated as a missing attribute and removed ++ */ ++ ret = sdap_replace_id(attrs, SYSDB_GIDNUM, uid); ++ if (ret) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n"); ++ goto done; ++ } ++ gid = 0; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Cannot retrieve GID, won't save the %s attribute\n", ++ SYSDB_PRIMARY_GROUP_GIDNUM); ++ gid = 0; ++ } ++ ++ ret = sdap_user_set_mpg(user_attrs, &gid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sdap_user_set_mpg failed [%d]: %s\n", ret, sss_strerror(ret)); ++ goto done; ++ } + } else { + ret = sysdb_attrs_get_uint32_t(attrs, + opts->user_map[SDAP_AT_USER_GID].sys_name, +@@ -403,8 +469,9 @@ int sdap_save_user(TALLOC_CTX *memctx, + } + + /* check that the gid is valid for this domain */ +- if (is_posix == true && IS_SUBDOMAIN(dom) == false && +- OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) { ++ if (is_posix == true && 
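Review bot: In the new `else if (dom->mpg)` branch the `ret != EOK && ret != ENOENT` path, i.e. a gidNumber attribute that is present but cannot be read as a uint32, only logs at MINOR_FAILURE and sets `gid = 0`; unlike the ENOENT path it does not normalise `SYSDB_GIDNUM` through `sdap_replace_id()`, so the unreadable attribute value is handed to the sysdb layer unchanged and the error is effectively swallowed. Either treat it like the missing-attribute case, calling `sdap_replace_id(attrs, SYSDB_GIDNUM, uid)` before clearing `gid`, or fail the save with `goto done`, which is presumably what the non-MPG `else` branch below does for the same failure. The copied message `"Cannot set the id-mapped UID\n"` is misleading in this branch, where no ID mapping is involved; `"Cannot store the UID as the private-group GID\n"` describes what the call does. The enclosing `sdap_save_user()` starts and ends outside this hunk.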
IS_SUBDOMAIN(dom) == false ++ && dom->mpg == false ++ && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "User [%s] filtered out! (primary gid out of range)\n", + user_name); +-- +2.15.1 + diff --git a/0006-LDAP-Turn-group-request-into-user-request-for-MPG-do.patch b/0006-LDAP-Turn-group-request-into-user-request-for-MPG-do.patch new file mode 100644 index 0000000..2cf181c --- /dev/null +++ b/0006-LDAP-Turn-group-request-into-user-request-for-MPG-do.patch 
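Review bot: Adding `dom->mpg == false` skips the primary-GID range check entirely for MPG domains, which is required because `gid` has already been cleared to 0 by `sdap_user_set_mpg()`, but it also means the original gidNumber now kept in SYSDB_PRIMARY_GROUP_GIDNUM, and later surfaced as a supplementary group, is never compared against `dom->id_min`/`dom->id_max` on the user save path. That is acceptable only if the group is always range-checked when it is itself saved (presumably in the group save path, which I cannot see here); otherwise the check should run against the original GID before it is cleared. A comment on the condition would record the assumption: `/* MPG users carry gid == 0 here; the original primary GID is validated when the group itself is saved */`. `sdap_save_user()` continues outside this hunk.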
@@ -0,0 +1,221 @@ +From 80ea108ab4263c1a1ac67ce6eac41dc6040b21dd Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 3 Oct 2017 14:31:18 +0200 +Subject: [PATCH 06/79] LDAP: Turn group request into user request for MPG + domains if needed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the primary group GID or the group name is requested before the user +is, we need to also search the user space to save the user in the back +end which then allows the responder to generate the group from the +user entry. + +Related: + https://pagure.io/SSSD/sssd/issue/1872 + +Reviewed-by: Pavel Březina +Reviewed-by: Fabiano Fidêncio +--- + src/providers/ldap/ldap_id.c | 162 +++++++++++++++++++++++++++++++------------ + 1 file changed, 118 insertions(+), 44 deletions(-) + +diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c +index 93204d35ea3782c9aa5d622a962c295869472631..e89fc6133316f684810afe4c1a0731b8a04f2931 100644 +--- a/src/providers/ldap/ldap_id.c ++++ b/src/providers/ldap/ldap_id.c +@@ -694,6 +694,8 @@ struct groups_get_state { + static int groups_get_retry(struct tevent_req *req); + static void groups_get_connect_done(struct tevent_req *subreq); + static void groups_get_posix_check_done(struct tevent_req *subreq); ++static void groups_get_mpg_done(struct tevent_req *subreq); ++static errno_t groups_get_handle_no_group(struct tevent_req *req); + static void groups_get_search(struct tevent_req *req); + static void groups_get_done(struct tevent_req *subreq); + +@@ -1051,8 +1053,6 @@ static void groups_get_done(struct tevent_req *subreq) + struct tevent_req); + struct groups_get_state *state = tevent_req_data(req, + struct groups_get_state); +- char *endptr; +- gid_t gid; + int dp_error = DP_ERR_FATAL; + int ret; + +@@ -1078,49 +1078,33 @@ static void groups_get_done(struct tevent_req *subreq) + return; + } + +- if (ret == ENOENT && state->noexist_delete == true) { +- switch (state->filter_type) { +- 
case BE_FILTER_ENUM: +- tevent_req_error(req, ret); ++ if (ret == ENOENT ++ && state->domain->mpg == true) { ++ /* The requested filter did not find a group. Before giving up, we must ++ * also check if the GID can be resolved through a primary group of a ++ * user ++ */ ++ subreq = users_get_send(state, ++ state->ev, ++ state->ctx, ++ state->sdom, ++ state->conn, ++ state->filter_value, ++ state->filter_type, ++ NULL, ++ state->noexist_delete); ++ if (subreq == NULL) { ++ tevent_req_error(req, ENOMEM); + return; +- case BE_FILTER_NAME: +- ret = sysdb_delete_group(state->domain, state->filter_value, 0); +- if (ret != EOK && ret != ENOENT) { +- tevent_req_error(req, ret); +- return; +- } +- break; +- +- case BE_FILTER_IDNUM: +- gid = (gid_t) strtouint32(state->filter_value, &endptr, 10); +- if (errno || *endptr || (state->filter_value == endptr)) { +- tevent_req_error(req, errno ? errno : EINVAL); +- return; +- } +- +- ret = sysdb_delete_group(state->domain, NULL, gid); +- if (ret != EOK && ret != ENOENT) { +- tevent_req_error(req, ret); +- return; +- } +- break; +- +- case BE_FILTER_SECID: +- case BE_FILTER_UUID: +- /* Since it is not clear if the SID/UUID belongs to a user or a +- * group we have nothing to do here. */ +- break; +- +- case BE_FILTER_WILDCARD: +- /* We can't know if all groups are up-to-date, especially in +- * a large environment. Do not delete any records, let the +- * responder fetch the entries they are requested in. 
+- */ +- break; +- +- +- default: +- tevent_req_error(req, EINVAL); ++ } ++ tevent_req_set_callback(subreq, groups_get_mpg_done, req); ++ return; ++ } else if (ret == ENOENT && state->noexist_delete == true) { ++ ret = groups_get_handle_no_group(req); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Could not delete group [%d]: %s\n", ret, sss_strerror(ret)); ++ tevent_req_error(req, ret); + return; + } + } +@@ -1129,6 +1113,96 @@ static void groups_get_done(struct tevent_req *subreq) + tevent_req_done(req); + } + ++static void groups_get_mpg_done(struct tevent_req *subreq) ++{ ++ errno_t ret; ++ struct tevent_req *req = tevent_req_callback_data(subreq, ++ struct tevent_req); ++ struct groups_get_state *state = tevent_req_data(req, ++ struct groups_get_state); ++ ++ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret); ++ talloc_zfree(subreq); ++ ++ if (ret != EOK) { ++ tevent_req_error(req, ret); ++ return; ++ } ++ ++ if (state->sdap_ret == ENOENT && state->noexist_delete == true) { ++ ret = groups_get_handle_no_group(req); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Could not delete group [%d]: %s\n", ret, sss_strerror(ret)); ++ tevent_req_error(req, ret); ++ return; ++ } ++ } ++ ++ /* GID resolved to a user private group, done */ ++ tevent_req_done(req); ++ return; ++} ++ ++static errno_t groups_get_handle_no_group(struct tevent_req *req) ++{ ++ struct groups_get_state *state = tevent_req_data(req, ++ struct groups_get_state); ++ errno_t ret; ++ char *endptr; ++ gid_t gid; ++ ++ switch (state->filter_type) { ++ case BE_FILTER_ENUM: ++ ret = ENOENT; ++ break; ++ case BE_FILTER_NAME: ++ ret = sysdb_delete_group(state->domain, state->filter_value, 0); ++ if (ret != EOK && ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Cannot delete group %s [%d]: %s\n", ++ state->filter_value, ret, sss_strerror(ret)); ++ return ret; ++ } ++ ret = EOK; ++ break; ++ case BE_FILTER_IDNUM: ++ gid = (gid_t) strtouint32(state->filter_value, &endptr, 10); ++ if 
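Review bot: The new MPG fallback in `groups_get_done()` fires for every `filter_type`, not just the ones a user private group can actually be resolved through: an ENOENT with BE_FILTER_ENUM, BE_FILTER_SECID/UUID or BE_FILTER_WILDCARD is now forwarded unchanged to `users_get_send()`, whereas the replaced code handled those cases locally (and ENUM returned the error immediately). Unless `users_get_send()` is known to accept all of those filters, narrow the condition to `if (ret == ENOENT && state->domain->mpg == true && (state->filter_type == BE_FILTER_NAME || state->filter_type == BE_FILTER_IDNUM)) {`. The fallback also turns every group miss in an MPG domain into a second LDAP round trip, which is worth stating in the comment above it so the cost is visible. `groups_get_done()` starts outside this hunk.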
(errno || *endptr || (state->filter_value == endptr)) { ++ ret = errno ? errno : EINVAL; ++ break; ++ } ++ ++ ret = sysdb_delete_group(state->domain, NULL, gid); ++ if (ret != EOK && ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Cannot delete group %"SPRIgid" [%d]: %s\n", ++ gid, ret, sss_strerror(ret)); ++ return ret; ++ } ++ ret = EOK; ++ break; ++ case BE_FILTER_SECID: ++ case BE_FILTER_UUID: ++ /* Since it is not clear if the SID/UUID belongs to a user or a ++ * group we have nothing to do here. */ ++ ret = EOK; ++ break; ++ case BE_FILTER_WILDCARD: ++ /* We can't know if all groups are up-to-date, especially in ++ * a large environment. Do not delete any records, let the ++ * responder fetch the entries they are requested in. ++ */ ++ ret = EOK; ++ break; ++ default: ++ ret = EINVAL; ++ break; ++ } ++ ++ return ret; ++} ++ + int groups_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret) + { + struct groups_get_state *state = tevent_req_data(req, +-- +2.15.1 + diff --git a/0007-SYSDB-Prevent-users-and-groups-ID-collision-in-MPG-d.patch b/0007-SYSDB-Prevent-users-and-groups-ID-collision-in-MPG-d.patch new file mode 100644 index 0000000..384691b --- /dev/null +++ b/0007-SYSDB-Prevent-users-and-groups-ID-collision-in-MPG-d.patch 
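Review bot: `groups_get_handle_no_group()` returns ENOENT for BE_FILTER_ENUM, and both callers in this commit report any non-EOK result as `"Could not delete group [%d]: %s\n"` at SSSDBG_OP_FAILURE, so a plain enumeration miss is now logged as a failed deletion. Handle the ENUM case in the callers before invoking the helper, or rename the message to something neutral such as `"No group found and cleanup failed [%d]: %s\n"`. The BE_FILTER_IDNUM parse-failure branch (`ret = errno ? errno : EINVAL; break;`) is also the only failure path in the helper without a DEBUG line; a `DEBUG(SSSDBG_OP_FAILURE, "Invalid GID value [%s]\n", state->filter_value);` before the `break` would match the others.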
@@ -0,0 +1,96 @@ +From 561b887c08c6199a50f1295071626b3e9040a7d1 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 19 Oct 2017 17:18:15 +0200 +Subject: [PATCH 07/79] SYSDB: Prevent users and groups ID collision in MPG + domains except for id_provider=local +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit makes the check when adding an object in a MPG domain +stricter in the sense that not only same names are allowed in a MPG +domain, but also the same groups are not allowed either. + +This commit is a backwards-incompatible change, but one that is needed, +otherwise requesting the duplicate group first and then requesting the +user entry would yield two object when searching by GID. + +In order to keep backwards-compatibility, this uniqueness is NOT +enforced with id_provider=local. This constraint can be removed in +the future (or the local provider can be dropped altogether) + +Reviewed-by: Pavel Březina +Reviewed-by: Fabiano Fidêncio +--- + src/db/sysdb_ops.c | 41 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 38 insertions(+), 3 deletions(-) + +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 0e39a629a5823ff49ed02ec4c08a21b66119f06f..2f8e36c6c9a2c2cefe4af5fb78957763304d989a 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -1960,16 +1960,34 @@ int sysdb_add_user(struct sss_domain_info *domain, + } + + if (domain->mpg) { +- /* In MPG domains you can't have groups with the same name as users, +- * search if a group with the same name exists. ++ /* In MPG domains you can't have groups with the same name or GID ++ * as users, search if a group with the same name exists. 
+ * Don't worry about users, if we try to add a user with the same + * name the operation will fail */ + + ret = sysdb_search_group_by_name(tmp_ctx, domain, name, NULL, &msg); + if (ret != ENOENT) { +- if (ret == EOK) ret = EEXIST; ++ if (ret == EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Group named %s already exists in an MPG domain\n", ++ name); ++ ret = EEXIST; ++ } + goto done; + } ++ ++ if (strcasecmp(domain->provider, "local") != 0) { ++ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); ++ if (ret != ENOENT) { ++ if (ret == EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Group with GID [%"SPRIgid"] already exists in an " ++ "MPG domain\n", gid); ++ ret = EEXIST; ++ } ++ goto done; ++ } ++ } + } + + /* check no other user with the same uid exist */ +@@ -2177,6 +2195,23 @@ int sysdb_add_group(struct sss_domain_info *domain, + } + goto done; + } ++ ++ if (strcasecmp(domain->provider, "local") != 0) { ++ ret = sysdb_search_user_by_uid(tmp_ctx, domain, gid, NULL, &msg); ++ if (ret != ENOENT) { ++ if (ret == EOK) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ "User with the same UID exists in MPG domain: " ++ "[%"SPRIgid"].\n", gid); ++ ret = EEXIST; ++ } else { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ "sysdb_search_user_by_uid failed for gid: " ++ "[%"SPRIgid"].\n", gid); ++ } ++ goto done; ++ } ++ } + } + + /* check no other groups with the same gid exist */ +-- +2.15.1 + diff --git a/0008-TESTS-Add-integration-tests-for-the-auto_private_gro.patch b/0008-TESTS-Add-integration-tests-for-the-auto_private_gro.patch new file mode 100644 index 0000000..62ba27a --- /dev/null +++ b/0008-TESTS-Add-integration-tests-for-the-auto_private_gro.patch 
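Review bot: The new GID-collision check in `sysdb_add_user()` searches with `uid` but the failure message prints `gid`: `"Group with GID [%"SPRIgid"] already exists in an MPG domain\n", gid`. In an MPG domain the caller passes `gid == 0` (the sdap layer clears it to signal "no GID"), so the log will always show 0 instead of the colliding ID; change the argument to `uid`, and consider saying "Group with GID equal to UID [...]" so the message states what was actually compared. `sysdb_add_user()` starts and ends outside this hunk.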
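Review bot: The `strcasecmp(domain->provider, "local") != 0` carve-out is now duplicated in `sysdb_add_user()` and `sysdb_add_group()`, and the commit message says it is meant to be removed later; a small helper, e.g. `static bool sysdb_mpg_enforces_id_uniqueness(struct sss_domain_info *domain)` carrying the backwards-compatibility explanation, would keep that exception in one place. In the new `sysdb_add_group()` block the branch where `sysdb_search_user_by_uid()` fails with something other than EOK/ENOENT aborts the add but logs only at SSSDBG_TRACE_LIBS; that is a real lookup failure and should be SSSDBG_OP_FAILURE, while the EEXIST case can stay at trace level. `sysdb_add_group()` starts and ends outside this hunk.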
@@ -0,0 +1,345 @@ +From dc8e3fcdd6807974122e47ff97e9bbd3be16557f Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 3 Oct 2017 16:55:40 +0200 +Subject: [PATCH 08/79] TESTS: Add integration tests for the + auto_private_groups option +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Related: + https://pagure.io/SSSD/sssd/issue/1872 + +Reviewed-by: Fabiano Fidêncio +Reviewed-by: Pavel Březina +--- + src/tests/intg/test_enumeration.py | 79 +++++++++++++- + src/tests/intg/test_ldap.py | 214 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 290 insertions(+), 3 deletions(-) + +diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py +index fdb8d376879f756957f8f25fd28b37d7178aeff5..c7d78155c64dc6c85cb4dc070b205bdcfceff6af 100644 +--- a/src/tests/intg/test_enumeration.py ++++ b/src/tests/intg/test_enumeration.py +@@ -237,9 +237,7 @@ def sanity_rfc2307(request, ldap_conn): + create_sssd_fixture(request) + return None + +- +-@pytest.fixture +-def sanity_rfc2307_bis(request, ldap_conn): ++def populate_rfc2307bis(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) +@@ -266,6 +264,11 @@ def sanity_rfc2307_bis(request, ldap_conn): + [], ["one_user_group1", "one_user_group2"]) + + create_ldap_fixture(request, ldap_conn, ent_list) ++ ++ ++@pytest.fixture ++def sanity_rfc2307_bis(request, ldap_conn): ++ populate_rfc2307bis(request, ldap_conn) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) +@@ -695,3 +698,73 @@ def test_vetoed_shells(vetoed_shells): + shell="/bin/default") + ) + ) ++ ++ ++@pytest.fixture ++def sanity_rfc2307_bis_mpg(request, ldap_conn): ++ populate_rfc2307bis(request, ldap_conn) ++ ++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ent_list.add_group_bis("conflict1", 1001) ++ 
ent_list.add_group_bis("conflict2", 1002) ++ create_ldap_fixture(request, ldap_conn, ent_list) ++ ++ conf = \ ++ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ ++ unindent(""" ++ [domain/LDAP] ++ auto_private_groups = True ++ """).format(**locals()) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ ++def test_ldap_auto_private_groups_enumerate(ldap_conn, ++ sanity_rfc2307_bis_mpg): ++ """ ++ Test the auto_private_groups together with enumeration ++ """ ++ passwd_pattern = ent.contains_only( ++ dict(name='user1', passwd='*', uid=1001, gid=1001, gecos='1001', ++ dir='/home/user1', shell='/bin/bash'), ++ dict(name='user2', passwd='*', uid=1002, gid=1002, gecos='1002', ++ dir='/home/user2', shell='/bin/bash'), ++ dict(name='user3', passwd='*', uid=1003, gid=1003, gecos='1003', ++ dir='/home/user3', shell='/bin/bash') ++ ) ++ ent.assert_passwd(passwd_pattern) ++ ++ group_pattern = ent.contains_only( ++ dict(name='user1', passwd='*', gid=1001, mem=ent.contains_only()), ++ dict(name='user2', passwd='*', gid=1002, mem=ent.contains_only()), ++ dict(name='user3', passwd='*', gid=1003, mem=ent.contains_only()), ++ dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()), ++ dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()), ++ dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()), ++ dict(name='empty_group1', passwd='*', gid=2010, ++ mem=ent.contains_only()), ++ dict(name='empty_group2', passwd='*', gid=2011, ++ mem=ent.contains_only()), ++ dict(name='two_user_group', passwd='*', gid=2012, ++ mem=ent.contains_only("user1", "user2")), ++ dict(name='group_empty_group', passwd='*', gid=2013, ++ mem=ent.contains_only()), ++ dict(name='group_two_empty_groups', passwd='*', gid=2014, ++ mem=ent.contains_only()), ++ dict(name='one_user_group1', passwd='*', gid=2015, ++ mem=ent.contains_only("user1")), ++ dict(name='one_user_group2', passwd='*', gid=2016, ++ mem=ent.contains_only("user2")), ++ 
dict(name='group_one_user_group', passwd='*', gid=2017, ++ mem=ent.contains_only("user1")), ++ dict(name='group_two_user_group', passwd='*', gid=2018, ++ mem=ent.contains_only("user1", "user2")), ++ dict(name='group_two_one_user_groups', passwd='*', gid=2019, ++ mem=ent.contains_only("user1", "user2")) ++ ) ++ ent.assert_group(group_pattern) ++ ++ with pytest.raises(KeyError): ++ grp.getgrnam("conflict1") ++ ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only())) +diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py +index f2467f1ffe9890049ad73bba6432102d029510e8..a6659b1b78df4d72eb98c208d67ee5d10c9c88ea 100644 +--- a/src/tests/intg/test_ldap.py ++++ b/src/tests/intg/test_ldap.py +@@ -1169,3 +1169,217 @@ def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached): + + res, _ = call_sssd_getgrgid(0) + assert res == NssReturnCode.NOTFOUND ++ ++ ++@pytest.fixture ++def mpg_setup(request, ldap_conn): ++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ent_list.add_user("user1", 1001, 2001) ++ ent_list.add_user("user2", 1002, 2002) ++ ent_list.add_user("user3", 1003, 2003) ++ ++ ent_list.add_group_bis("group1", 2001) ++ ent_list.add_group_bis("group2", 2002) ++ ent_list.add_group_bis("group3", 2003) ++ ++ ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"]) ++ ent_list.add_group_bis("one_user_group1", 2015, ["user1"]) ++ ent_list.add_group_bis("one_user_group2", 2016, ["user2"]) ++ ++ create_ldap_entries(ldap_conn, ent_list) ++ create_ldap_cleanup(request, ldap_conn, None) ++ ++ conf = \ ++ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ ++ unindent(""" ++ [domain/LDAP] ++ auto_private_groups = True ++ """).format(**locals()) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ ++def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup): ++ """ ++ Integration test for auto_private_groups ++ ++ See also ticket https://pagure.io/SSSD/sssd/issue/1872 ++ """ ++ # 
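Review bot: The conflict coverage at the end of `test_ldap_auto_private_groups_enumerate` is asymmetric: the fixture adds both `conflict1` (GID 1001) and `conflict2` (GID 1002), but the test only checks that `conflict1` is not resolvable by name and that GID 1002 maps to `user2`; nothing asserts that GID 1001 maps to `user1` or that `conflict2` is absent by name. Add `ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))` and `with pytest.raises(KeyError): grp.getgrnam("conflict2")` so both directions of the collision rule are pinned. A one-line comment above the `conflict1` check explaining that the real groups lose to the private groups because the users are enumerated first would also help a reader, assuming that ordering is what the enumeration guarantees.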
Make sure the user's GID is taken from their uidNumber ++ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) ++ # Make sure the private group is resolvable by name and by GID ++ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ++ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) ++ ++ # The group referenced in user's gidNumber attribute should be still ++ # visible, but it's fine that it doesn't contain the user as a member ++ # as the group is currently added during the initgroups operation only ++ ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only())) ++ ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only())) ++ ++ # The user's secondary groups list must be correct as well ++ # Note that the original GID is listed as well -- this is correct and expected ++ # because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute ++ user1_expected_gids = [1001, 2001, 2012, 2015] ++ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001) ++ assert res == sssd_id.NssReturnCode.SUCCESS ++ ++ assert sorted(gids) == sorted(user1_expected_gids), \ ++ "result: %s\n expected %s" % ( ++ ", ".join(["%s" % s for s in sorted(gids)]), ++ ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) ++ ) ++ ++ # Request user2's private group by GID without resolving the user first. 
++ # This must trigger user resolution through by-GID resolution, since the GID ++ # doesn't exist on its own in LDAP ++ ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only())) ++ ++ # Test supplementary groups for user2 as well ++ user1_expected_gids = [1002, 2002, 2012, 2016] ++ (res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002) ++ assert res == sssd_id.NssReturnCode.SUCCESS ++ ++ assert sorted(gids) == sorted(user1_expected_gids), \ ++ "result: %s\n expected %s" % ( ++ ", ".join(["%s" % s for s in sorted(gids)]), ++ ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) ++ ) ++ ++ # Request user3's private group by name without resolving the user first ++ # This must trigger user resolution through by-name resolution, since the ++ # name doesn't exist on its own in LDAP ++ ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only())) ++ ++ # Remove entries and request them again to make sure they are not ++ # resolvable anymore ++ cleanup_ldap_entries(ldap_conn, None) ++ ++ if subprocess.call(["sss_cache", "-GU"]) != 0: ++ raise Exception("sssd_cache failed") ++ ++ with pytest.raises(KeyError): ++ pwd.getpwnam("user1") ++ with pytest.raises(KeyError): ++ grp.getgrnam("user1") ++ with pytest.raises(KeyError): ++ grp.getgrgid(1002) ++ with pytest.raises(KeyError): ++ grp.getgrnam("user3") ++ ++ ++@pytest.fixture ++def mpg_setup_conflict(request, ldap_conn): ++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ent_list.add_user("user1", 1001, 2001) ++ ent_list.add_user("user2", 1002, 2002) ++ ent_list.add_user("user3", 1003, 1003) ++ ent_list.add_group_bis("group1", 1001) ++ ent_list.add_group_bis("group2", 1002) ++ ent_list.add_group_bis("group3", 1003) ++ ent_list.add_group_bis("supp_group", 2015, ["user3"]) ++ create_ldap_fixture(request, ldap_conn, ent_list) ++ ++ conf = \ ++ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ ++ unindent(""" ++ [domain/LDAP] ++ auto_private_groups = True ++ 
""").format(**locals()) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ ++def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict): ++ """ ++ Make sure that conflicts between groups that are auto-created with the ++ help of the auto_private_groups option and between 'real' LDAP groups ++ are handled in a predictable manner. ++ """ ++ # Make sure the user's GID is taken from their uidNumber ++ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) ++ # Make sure the private group is resolvable by name and by GID ++ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ++ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) ++ ++ # Let's request the group with the same ID as user2's private group ++ # The request should match the 'real' group ++ ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only())) ++ # But because of the GID conflict, the user cannot be resolved ++ with pytest.raises(KeyError): ++ pwd.getpwnam("user2") ++ ++ # This user's GID is the same as the UID in this entry. 
The most important ++ # thing here is that the supplementary groups are correct and the GID ++ # resolves to the private group (as long as the user was requested first) ++ user3_expected_gids = [1003, 2015] ++ ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003)) ++ (res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003) ++ assert res == sssd_id.NssReturnCode.SUCCESS ++ ++ assert sorted(gids) == sorted(user3_expected_gids), \ ++ "result: %s\n expected %s" % ( ++ ", ".join(["%s" % s for s in sorted(gids)]), ++ ", ".join(["%s" % s for s in sorted(user3_expected_gids)]) ++ ) ++ # Make sure the private group is resolvable by name and by GID ++ ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only())) ++ ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only())) ++ ++ ++@pytest.fixture ++def mpg_setup_no_gid(request, ldap_conn): ++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ent_list.add_user("user1", 1001, 2001) ++ ++ ent_list.add_group_bis("group1", 2001) ++ ent_list.add_group_bis("one_user_group1", 2015, ["user1"]) ++ ++ create_ldap_entries(ldap_conn, ent_list) ++ create_ldap_cleanup(request, ldap_conn, None) ++ ++ conf = \ ++ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ ++ unindent(""" ++ [domain/LDAP] ++ auto_private_groups = True ++ ldap_user_gid_number = no_such_attribute ++ """).format(**locals()) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ ++def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid): ++ """ ++ Integration test for auto_private_groups - test that even a user with ++ no GID assigned at all can be resolved including their autogenerated ++ primary group. 
++ ++ See also ticket https://pagure.io/SSSD/sssd/issue/1872 ++ """ ++ # Make sure the user's GID is taken from their uidNumber ++ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) ++ # Make sure the private group is resolvable by name and by GID ++ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) ++ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) ++ ++ # The group referenced in user's gidNumber attribute should be still ++ # visible, but shouldn't have any relation to the user ++ ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only())) ++ ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only())) ++ ++ # The user's secondary groups list must be correct as well. This time only ++ # the generated group and the explicit secondary group are added, since ++ # there is no original GID ++ user1_expected_gids = [1001, 2015] ++ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001) ++ assert res == sssd_id.NssReturnCode.SUCCESS ++ ++ assert sorted(gids) == sorted(user1_expected_gids), \ ++ "result: %s\n expected %s" % ( ++ ", ".join(["%s" % s for s in sorted(gids)]), ++ ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) ++ ) +-- +2.15.1 + diff --git a/0013-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch b/0009-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch similarity index 97% rename from 0013-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch rename to 0009-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch index 97bf6be..277e633 100644 --- a/0013-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch +++ b/0009-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch @@ -1,7 +1,7 @@ -From 0f44eefe2ce75a0814c8688495477f6c57f3d39a Mon Sep 17 00:00:00 2001 +From ec2489ab1ba7075e69f1f3747d96656ac2b0aab5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 20 Oct 2017 09:26:43 +0200 -Subject: [PATCH] CACHE_REQ: Copy the cr_domain list for each request +Subject: [PATCH 09/79] CACHE_REQ: Copy the cr_domain list for each request MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -137,5 +137,5 @@ index 3780a5d8d88d76e100738d28d1dd0e697edf5eae..ebdc71dd635d5d8a5d06e30e96c5d410 -- -2.15.0 +2.15.1 diff --git a/0010-sudo-document-background-activity.patch b/0010-sudo-document-background-activity.patch new file mode 100644 index 0000000..122c336 --- /dev/null +++ b/0010-sudo-document-background-activity.patch @@ -0,0 +1,41 @@ +From a0f79dd38cffc5ad382aae9baba76863678c26ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 20 Oct 2017 11:49:26 +0200 +Subject: [PATCH 10/79] sudo: document background activity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When we introduced socket activation, we changed the internall behaviour. +Previously we disabled sudo if it was not listed in services, with +socket activation we removed this feature. Some users were confused +so this change documents current behaviour. + +Reviewed-by: Jakub Hrozek +Reviewed-by: Fabiano Fidêncio +--- + src/man/sssd.conf.5.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index 1e8d9537517c85c3021b9c2c4185ea272c5bfffa..b247b5ac75a82d45f29023f5f9ca24a3a7a5ce0c 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -2348,6 +2348,14 @@ pam_account_locked_message = Account locked, please contact help desk. + 5 + . + ++ ++ NOTE: Sudo rules are ++ periodically downloaded in the background unless ++ the sudo provider is explicitly disabled. Set ++ sudo_provider = None to ++ disable all sudo-related activity in SSSD if you do ++ not want to use sudo with SSSD at all. ++ + + + +-- +2.15.1 + 
diff --git a/0011-MAN-GPO-Security-Filtering-limitation.patch b/0011-MAN-GPO-Security-Filtering-limitation.patch new file mode 100644 index 0000000..7747636 --- /dev/null +++ b/0011-MAN-GPO-Security-Filtering-limitation.patch @@ -0,0 +1,40 @@ +From bb20c565417a2c2ab274b254e6238657c5d8c73a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20=C5=BDidek?= +Date: Thu, 26 Oct 2017 17:12:17 +0200 +Subject: [PATCH 11/79] MAN: GPO Security Filtering limitation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Note in the man pages that current version of SSSD does not support +host entries in the 'Security filtering' list. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3444 + +Reviewed-by: Fabiano Fidêncio +--- + src/man/sssd-ad.5.xml | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml +index 08c1dd09fb829c6cffb416250b9b518668ec5790..649042d587de3d3600fff59866681e302c721af8 100644 +--- a/src/man/sssd-ad.5.xml ++++ b/src/man/sssd-ad.5.xml +@@ -345,6 +345,13 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example, + particular user is allowed to logon to a particular + host. + ++ ++ NOTE: The current version of SSSD does not support ++ host (computer) entries in the GPO 'Security ++ Filtering' list. Only user and group entries are ++ supported. Host entries in the list have no ++ effect. ++ + + NOTE: If the operation mode is set to enforcing, it + is possible that users that were previously allowed +-- +2.15.1 + diff --git a/0012-CI-Ignore-source-file-generated-by-systemtap.patch b/0012-CI-Ignore-source-file-generated-by-systemtap.patch new file mode 100644 index 0000000..f571dbc --- /dev/null +++ b/0012-CI-Ignore-source-file-generated-by-systemtap.patch 
@@ -0,0 +1,55 @@ +From 5b34c650b387192282f3c2cd6211db0fd4944870 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 30 Oct 2017 14:54:07 +0100 +Subject: [PATCH 12/79] CI: Ignore source file generated by systemtap + +There are some changes in systemtap 3.2 which generate temporary +source files and remove them later. We are not interested in code +coverage in this area. Lets ignore them. + +... +genhtml: failure 00:00:01 ci-build-coverage/ci-genhtml.log +FAILURE + +sh$ cat ci-build-coverage/ci-genhtml.log +Start: Mon Oct 30 13:43:52 UTC 2017 ++ eval 'genhtml --output-directory \ + "$coverage_report_dir" \ + --title "sssd" --show-details \ + --legend --prefix "$BASE_DIR" \ + ci.info |& tee ci-genhtml.out' +++ genhtml --output-directory ci-report-coverage --title sssd \ + --show-details --legend --prefix /home/build/sssd ci.info +++ tee ci-genhtml.out +Reading data file ci.info +Found 447 entries. +Using user-specified filename prefix "/home/build/sssd" +Writing .css and .png files. +Generating output. +genhtml: ERROR: cannot read /home/build/sssd/stap_generated_probes.o.dtrace-temp.c +Processing file stap_generated_probes.o.dtrace-temp.c +End: Mon Oct 30 13:43:53 UTC 2017 + +sh$ ls -l /home/build/sssd/stap_generated_probes.o.dtrace-temp.c +ls: cannot access '/home/build/sssd/stap_generated_probes.o.dtrace-temp.c': No such file or directory + +Reviewed-by: Jakub Hrozek +--- + contrib/ci/run | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/ci/run b/contrib/ci/run +index aa6d35abedbd24fce49651e43f4a704b2b1b9880..26cd32b3316eb9fdfd9fd07e26dd862fec7b669d 100755 +--- a/contrib/ci/run ++++ b/contrib/ci/run +@@ -300,6 +300,7 @@ function build_coverage() + --output-file ci-dirty.info + stage lcov-clean lcov --remove ci-dirty.info \ + "/usr/*" "src/tests/*" "/tmp/*" \ ++ "*dtrace-temp.c" \ + --output-file ci.info + stage genhtml eval 'genhtml --output-directory \ + "$coverage_report_dir" \ +-- +2.15.1 + 
diff --git a/0013-sudo-always-use-srv_opts-from-id-context.patch b/0013-sudo-always-use-srv_opts-from-id-context.patch
new file mode 100644
index 0000000..ac0fb0b
--- /dev/null
+++ b/0013-sudo-always-use-srv_opts-from-id-context.patch
@@ -0,0 +1,63 @@
+From 25bc436bccacb7f995314465b2923c6e08f654d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 19 Oct 2017 10:39:21 +0200
+Subject: [PATCH 13/79] sudo: always use srv_opts from id context
+
+Prior this patch, we remember id_ctx->srv_opts in sudo request to switch
+the latest usn values. This works fine most of the time but it may cause
+a crash.
+
+If we have two concurrent sudo refresh and one of these fails, it causes
+failover to try the next server and possibly replacing the old srv_opts
+with new one and it causes an access after free in the other refresh.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3562
+
+Reviewed-by: Jakub Hrozek
+---
+ src/providers/ldap/sdap_async_sudo.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
+index f33d5b5fa86dc1806695482d627bd71a2b040d6e..5dc58012845b7109f0fa138e2e291b8ec3267799 100644
+--- a/src/providers/ldap/sdap_async_sudo.c
++++ b/src/providers/ldap/sdap_async_sudo.c
+@@ -279,7 +279,6 @@ done:
+ struct sdap_sudo_refresh_state {
+ struct sdap_sudo_ctx *sudo_ctx;
+ struct tevent_context *ev;
+- struct sdap_server_opts *srv_opts;
+ struct sdap_options *opts;
+ struct sdap_id_op *sdap_op;
+ struct sysdb_ctx *sysdb;
+@@ -405,9 +404,6 @@ static void sdap_sudo_refresh_connect_done(struct tevent_req *subreq)
+
+ DEBUG(SSSDBG_TRACE_FUNC, "SUDO LDAP connection successful\n");
+
+- /* Obtain srv_opts here in case of first connection. */
+- state->srv_opts = state->sudo_ctx->id_ctx->srv_opts;
+-
+ /* Renew host information if needed.
*/
+ if (state->sudo_ctx->run_hostinfo) {
+ subreq = sdap_sudo_get_hostinfo_send(state, state->opts,
+@@ -586,7 +582,6 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
+ goto done;
+ }
+
+-
+ /* start transaction */
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+@@ -621,7 +616,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
+ /* remember new usn */
+ ret = sysdb_get_highest_usn(state, rules, rules_count, &usn);
+ if (ret == EOK) {
+- sdap_sudo_set_usn(state->srv_opts, usn);
++ sdap_sudo_set_usn(state->sudo_ctx->id_ctx->srv_opts, usn);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get highest USN [%d]: %s\n",
+ ret, sss_strerror(ret));
+--
+2.15.1
+
diff --git a/0014-AD-Remember-last-site-discovered.patch b/0014-AD-Remember-last-site-discovered.patch
new file mode 100644
index 0000000..7c80fe7
--- /dev/null
+++ b/0014-AD-Remember-last-site-discovered.patch
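Review bot: The replacement at the bottom of the hunk, `sdap_sudo_set_usn(state->sudo_ctx->id_ctx->srv_opts, usn);`, stores a USN computed from rules returned by one server into whatever `srv_opts` the id context holds at the moment the refresh completes; per the commit message a concurrent failure can swap that pointer to a freshly connected server, and USN counters are per-server, so the new server's smart-refresh high-water mark may be seeded from another replica and later rule changes (including deletions of sudo rules) can be skipped until the next full refresh. The use-after-free is gone, but the window for the wrong value is the same one the message describes, and the call now relies on `sdap_sudo_set_usn` tolerating a NULL `srv_opts` (not visible here) where the removed code captured the pointer right after the connection succeeded. If `state->sdap_op` or the connection exposes which server the search ran against, skip the update when it no longer matches; otherwise at least record the trade-off next to the call: `/* srv_opts may belong to a different server after fail-over; the USN is only a hint */`. `sdap_sudo_refresh_done` begins before this hunk.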
@@ -0,0 +1,108 @@ +From ceb9cc228793551eb0fc42234ee3f9b3c9d6cb9b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 18 Oct 2017 15:20:34 +0200 +Subject: [PATCH 14/79] AD: Remember last site discovered + +To discover Active Directory site for a client we must first contact any +directory controller for an LDAP ping. This is done by searching +domain-wide DNS tree which may however contain servers that are not +reachable from current site and than we face long timeouts or failure. + +This patch makes sssd remember the last successfuly discovered site +and use this for DNS search to lookup a site and forest again similar +to what we do when ad_site option is set. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3265 + +Reviewed-by: Jakub Hrozek +--- + src/providers/ad/ad_srv.c | 44 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 43 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c +index ff01ee95c4d2c6875a989394489f1a0495cc3003..be1ba0f237add894566ae713ce5e29fd202d414c 100644 +--- a/src/providers/ad/ad_srv.c ++++ b/src/providers/ad/ad_srv.c +@@ -481,6 +481,7 @@ struct ad_srv_plugin_ctx { + const char *hostname; + const char *ad_domain; + const char *ad_site_override; ++ const char *current_site; + }; + + struct ad_srv_plugin_ctx * +@@ -518,6 +519,11 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + if (ctx->ad_site_override == NULL) { + goto fail; + } ++ ++ ctx->current_site = talloc_strdup(ctx, ad_site_override); ++ if (ctx->current_site == NULL) { ++ goto fail; ++ } + } + + return ctx; +@@ -527,6 +533,32 @@ fail: + return NULL; + } + ++static errno_t ++ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx, ++ const char *new_site) ++{ ++ const char *site; ++ errno_t ret; ++ ++ if (new_site == NULL) { ++ return EOK; ++ } ++ ++ if (ctx->current_site != NULL && strcmp(ctx->current_site, new_site) == 0) { ++ return EOK; ++ } ++ ++ site = talloc_strdup(ctx, new_site); ++ if 
(site == NULL) { ++ return ENOMEM; ++ } ++ ++ talloc_zfree(ctx->current_site); ++ ctx->current_site = site; ++ ++ return EOK; ++} ++ + struct ad_srv_plugin_state { + struct tevent_context *ev; + struct ad_srv_plugin_ctx *ctx; +@@ -613,7 +645,7 @@ struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx, + + subreq = ad_get_dc_servers_send(state, ev, ctx->be_res->resolv, + state->discovery_domain, +- state->ctx->ad_site_override); ++ state->ctx->current_site); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; +@@ -709,6 +741,16 @@ static void ad_srv_plugin_site_done(struct tevent_req *subreq) + backup_domain = NULL; + + if (ret == EOK) { ++ /* Remember current site so it can be used during next lookup so ++ * we can contact directory controllers within a known reachable ++ * site first. */ ++ ret = ad_srv_plugin_ctx_switch_site(state->ctx, state->site); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set site [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ + if (strcmp(state->service, "gc") == 0) { + if (state->forest != NULL) { + if (state->site != NULL) { +-- +2.15.1 + diff --git a/0015-sysdb-add-functions-to-get-set-client-site.patch b/0015-sysdb-add-functions-to-get-set-client-site.patch new file mode 100644 index 0000000..1b9c6f7 --- /dev/null +++ b/0015-sysdb-add-functions-to-get-set-client-site.patch 
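Review bot: `ad_srv_plugin_ctx_switch_site` unconditionally replaces `ctx->current_site` with the site returned by discovery, so when the administrator configured `ad_site` the override only governs the first lookup; as soon as `ad_srv_plugin_site_done` succeeds with a different `state->site` the configured value is silently dropped from the DNS search (whether discovery can return a site other than the override is decided outside this hunk). An explicit option should keep winning: add `if (ctx->ad_site_override != NULL) { return EOK; }` at the top of the helper, with a comment that remembered sites only apply to automatic discovery. Separately, a failed `talloc_strdup` in the helper aborts the whole request via `goto done` although remembering the site is purely an optimisation; logging at minor-failure level and continuing would be the more robust choice. The enclosing `ad_srv_plugin_site_done` starts and ends outside the hunk.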
@@ -0,0 +1,205 @@ +From 8687782eb971d0fa6f8f4420a8616ba943d7252b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 24 Oct 2017 12:09:39 +0200 +Subject: [PATCH 15/79] sysdb: add functions to get/set client site + +Reviewed-by: Jakub Hrozek +--- + src/db/sysdb.h | 10 +++ + src/db/sysdb_subdomains.c | 108 +++++++++++++++++++++++++++++++ + src/tests/cmocka/test_sysdb_subdomains.c | 28 ++++++++ + 3 files changed, 146 insertions(+) + +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index fbbe321072385bd43353ef2f7d0e30667887d128..4192f9085d941814eccd2ac60ce8fb6d4e1bfa67 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -154,6 +154,7 @@ + #define SYSDB_SUBDOMAIN_FOREST "memberOfForest" + #define SYSDB_SUBDOMAIN_TRUST_DIRECTION "trustDirection" + #define SYSDB_UPN_SUFFIXES "upnSuffixes" ++#define SYSDB_SITE "site" + + #define SYSDB_BASE_ID "baseID" + #define SYSDB_ID_RANGE_SIZE "idRangeSize" +@@ -509,6 +510,15 @@ errno_t sysdb_domain_update_domain_resolution_order( + const char *domain_name, + const char *domain_resolution_order); + ++errno_t ++sysdb_get_site(TALLOC_CTX *mem_ctx, ++ struct sss_domain_info *dom, ++ const char **_site); ++ ++errno_t ++sysdb_set_site(struct sss_domain_info *dom, ++ const char *site); ++ + errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb, + const char *name, const char *realm, + const char *flat_name, const char *domain_id, +diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c +index 2789cc4949fb7be9ad272d7613ed18a64fa8a20a..cb5de1afe3e8c9692789c5d2679eb3a4e6e1cdb2 100644 +--- a/src/db/sysdb_subdomains.c ++++ b/src/db/sysdb_subdomains.c +@@ -1284,3 +1284,111 @@ done: + talloc_free(tmp_ctx); + return ret; + } ++ ++errno_t ++sysdb_get_site(TALLOC_CTX *mem_ctx, ++ struct sss_domain_info *dom, ++ const char **_site) ++{ ++ TALLOC_CTX *tmp_ctx; ++ struct ldb_res *res; ++ struct ldb_dn *dn; ++ const char *attrs[] = { SYSDB_SITE, NULL }; ++ errno_t ret; ++ ++ tmp_ctx = talloc_new(NULL); ++ if (tmp_ctx 
== NULL) { ++ return ENOMEM; ++ } ++ ++ dn = ldb_dn_new_fmt(tmp_ctx, dom->sysdb->ldb, SYSDB_DOM_BASE, dom->name); ++ if (dn == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = ldb_search(dom->sysdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, ++ attrs, NULL); ++ if (ret != LDB_SUCCESS) { ++ ret = sysdb_error_to_errno(ret); ++ goto done; ++ } ++ ++ if (res->count == 0) { ++ *_site = NULL; ++ ret = EOK; ++ goto done; ++ } else if (res->count != 1) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Got more than one reply for base search!\n"); ++ ret = EIO; ++ goto done; ++ } ++ ++ *_site = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SITE, NULL); ++ talloc_steal(mem_ctx, *_site); ++ ++ ret = EOK; ++ ++done: ++ talloc_free(tmp_ctx); ++ return ret; ++} ++ ++errno_t ++sysdb_set_site(struct sss_domain_info *dom, ++ const char *site) ++{ ++ TALLOC_CTX *tmp_ctx; ++ struct ldb_message *msg; ++ struct ldb_dn *dn; ++ errno_t ret; ++ ++ tmp_ctx = talloc_new(NULL); ++ if (tmp_ctx == NULL) { ++ return ENOMEM; ++ } ++ ++ dn = ldb_dn_new_fmt(tmp_ctx, dom->sysdb->ldb, SYSDB_DOM_BASE, dom->name); ++ if (dn == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ msg = ldb_msg_new(tmp_ctx); ++ if (msg == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ msg->dn = dn; ++ ++ ret = ldb_msg_add_empty(msg, SYSDB_SITE, LDB_FLAG_MOD_REPLACE, NULL); ++ if (ret != LDB_SUCCESS) { ++ ret = sysdb_error_to_errno(ret); ++ goto done; ++ } ++ ++ if (site != NULL) { ++ ret = ldb_msg_add_string(msg, SYSDB_SITE, site); ++ if (ret != LDB_SUCCESS) { ++ ret = sysdb_error_to_errno(ret); ++ goto done; ++ } ++ } ++ ++ ret = ldb_modify(dom->sysdb->ldb, msg); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_modify()_failed: [%s][%d][%s]\n", ++ ldb_strerror(ret), ret, ldb_errstring(dom->sysdb->ldb)); ++ ret = sysdb_error_to_errno(ret); ++ goto done; ++ } ++ ++ ret = EOK; ++ ++done: ++ talloc_free(tmp_ctx); ++ return ret; ++} +diff --git a/src/tests/cmocka/test_sysdb_subdomains.c 
b/src/tests/cmocka/test_sysdb_subdomains.c +index 84bcdc17b39dbc8822097c2006f157a09ea5e466..f8e3e1d915dba0f3a79adbf5af733980bf23a265 100644 +--- a/src/tests/cmocka/test_sysdb_subdomains.c ++++ b/src/tests/cmocka/test_sysdb_subdomains.c +@@ -513,6 +513,31 @@ static void test_sysdb_link_ad_multidom(void **state) + + } + ++static void test_sysdb_set_and_get_site(void **state) ++{ ++ TALLOC_CTX *tmp_ctx; ++ struct subdom_test_ctx *test_ctx = ++ talloc_get_type(*state, struct subdom_test_ctx); ++ const char *site; ++ errno_t ret; ++ ++ tmp_ctx = talloc_new(NULL); ++ assert_non_null(test_ctx); ++ ++ ret = sysdb_get_site(test_ctx, test_ctx->tctx->dom, &site); ++ assert_int_equal(ret, EOK); ++ assert_null(site); ++ ++ ret = sysdb_set_site(test_ctx->tctx->dom, "TestSite"); ++ assert_int_equal(ret, EOK); ++ ++ ret = sysdb_get_site(tmp_ctx, test_ctx->tctx->dom, &site); ++ assert_int_equal(ret, EOK); ++ assert_string_equal(site, "TestSite"); ++ ++ talloc_free(tmp_ctx); ++} ++ + int main(int argc, const char *argv[]) + { + int rv; +@@ -546,6 +571,9 @@ int main(int argc, const char *argv[]) + cmocka_unit_test_setup_teardown(test_sysdb_link_ad_multidom, + test_sysdb_subdom_setup, + test_sysdb_subdom_teardown), ++ cmocka_unit_test_setup_teardown(test_sysdb_set_and_get_site, ++ test_sysdb_subdom_setup, ++ test_sysdb_subdom_teardown), + }; + + /* Set debug level to invalid value so we can deside if -d 0 was used. */ +-- +2.15.1 + diff --git a/0016-AD-Remember-last-site-discovered-in-sysdb.patch b/0016-AD-Remember-last-site-discovered-in-sysdb.patch new file mode 100644 index 0000000..f3b05a9 --- /dev/null +++ b/0016-AD-Remember-last-site-discovered-in-sysdb.patch 
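Review bot: In `test_sysdb_set_and_get_site` the null check after `tmp_ctx = talloc_new(NULL);` asserts the wrong pointer, `assert_non_null(test_ctx);` should read `assert_non_null(tmp_ctx);`, and the first `sysdb_get_site` call uses `test_ctx` as its memory context while the second uses `tmp_ctx`, so the context the test creates is only half used; pass `tmp_ctx` to both calls so everything the test allocates is released by the final `talloc_free(tmp_ctx)`. In `sysdb_get_site`, the `talloc_steal(mem_ctx, *_site)` on the result of `ldb_msg_find_attr_as_string` depends on the attribute value being its own talloc chunk under `res`, which holds for ldb results in this tree but deserves a one-line comment, e.g. `/* the value is a talloc chunk owned by res; hand it to the caller */`. The `DEBUG` string in `sysdb_set_site` has a stray underscore, `"ldb_modify()_failed: ..."`, which should be `"ldb_modify() failed: ..."`.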
@@ -0,0 +1,160 @@ +From 48f58549e2b687ba405162bd5db23f1c323732f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 1 Nov 2017 14:57:17 +0100 +Subject: [PATCH 16/79] AD: Remember last site discovered in sysdb + +This can speed up sssd startup. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3265 + +Reviewed-by: Jakub Hrozek +--- + src/db/sysdb_subdomains.c | 2 +- + src/providers/ad/ad_init.c | 2 +- + src/providers/ad/ad_srv.c | 21 +++++++++++++++++++++ + src/providers/ad/ad_srv.h | 1 + + src/providers/ad/ad_subdomains.c | 2 +- + src/providers/ipa/ipa_subdomains_server.c | 2 +- + 6 files changed, 26 insertions(+), 4 deletions(-) + +diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c +index cb5de1afe3e8c9692789c5d2679eb3a4e6e1cdb2..353561765904efe4bd698c38949a1b290ecf0b80 100644 +--- a/src/db/sysdb_subdomains.c ++++ b/src/db/sysdb_subdomains.c +@@ -1291,7 +1291,7 @@ sysdb_get_site(TALLOC_CTX *mem_ctx, + const char **_site) + { + TALLOC_CTX *tmp_ctx; +- struct ldb_res *res; ++ struct ldb_result *res; + struct ldb_dn *dn; + const char *attrs[] = { SYSDB_SITE, NULL }; + errno_t ret; +diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c +index 131e960d4c623398506f834742400df9c786b86b..e62025d4acd24844a5c7082d00c597516f35de16 100644 +--- a/src/providers/ad/ad_init.c ++++ b/src/providers/ad/ad_init.c +@@ -199,7 +199,7 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx, + return EOK; + } + +- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res, ++ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, ad_options->id, + hostname, ad_domain, + ad_site_override); +diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c +index be1ba0f237add894566ae713ce5e29fd202d414c..4fa1668605e131b2e31802b1401f49fc6e00a23b 100644 +--- a/src/providers/ad/ad_srv.c ++++ b/src/providers/ad/ad_srv.c +@@ -34,6 +34,7 @@ + #include "providers/fail_over_srv.h" + #include 
"providers/ldap/sdap.h" + #include "providers/ldap/sdap_async.h" ++#include "db/sysdb.h" + + #define AD_SITE_DOMAIN_FMT "%s._sites.%s" + +@@ -475,6 +476,7 @@ int ad_get_client_site_recv(TALLOC_CTX *mem_ctx, + } + + struct ad_srv_plugin_ctx { ++ struct be_ctx *be_ctx; + struct be_resolv_ctx *be_res; + enum host_database *host_dbs; + struct sdap_options *opts; +@@ -486,6 +488,7 @@ struct ad_srv_plugin_ctx { + + struct ad_srv_plugin_ctx * + ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, ++ struct be_ctx *be_ctx, + struct be_resolv_ctx *be_res, + enum host_database *host_dbs, + struct sdap_options *opts, +@@ -494,12 +497,14 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + const char *ad_site_override) + { + struct ad_srv_plugin_ctx *ctx = NULL; ++ errno_t ret; + + ctx = talloc_zero(mem_ctx, struct ad_srv_plugin_ctx); + if (ctx == NULL) { + return NULL; + } + ++ ctx->be_ctx = be_ctx; + ctx->be_res = be_res; + ctx->host_dbs = host_dbs; + ctx->opts = opts; +@@ -524,6 +529,15 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + if (ctx->current_site == NULL) { + goto fail; + } ++ } else { ++ ret = sysdb_get_site(ctx, be_ctx->domain, &ctx->current_site); ++ if (ret != EOK) { ++ /* Not fatal. */ ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Unable to get current site from cache [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ ctx->current_site = NULL; ++ } + } + + return ctx; +@@ -556,6 +570,13 @@ ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx, + talloc_zfree(ctx->current_site); + ctx->current_site = site; + ++ ret = sysdb_set_site(ctx->be_ctx->domain, ctx->current_site); ++ if (ret != EOK) { ++ /* Not fatal. 
*/ ++ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information " ++ "[%d]: %s\n", ret, sss_strerror(ret)); ++ } ++ + return EOK; + } + +diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h +index ae5efe44755fa09f74064014cce749e35b1831da..fddef686762e57bb95d648247131d39a797aa516 100644 +--- a/src/providers/ad/ad_srv.h ++++ b/src/providers/ad/ad_srv.h +@@ -25,6 +25,7 @@ struct ad_srv_plugin_ctx; + + struct ad_srv_plugin_ctx * + ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, ++ struct be_ctx *be_ctx, + struct be_resolv_ctx *be_res, + enum host_database *host_dbs, + struct sdap_options *opts, +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 280aa54c23bf61e60d23ea91bd44a39f9f43d155..3fb9b950f171d85817cce35ac92ad7c4974ccb68 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -245,7 +245,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, + ad_options->id_ctx = ad_id_ctx; + + /* use AD plugin */ +- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res, ++ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, + ad_id_ctx->ad_options->id, + hostname, +diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c +index 10166d162f746fde176e6c7c2bfbe3906b1bfddc..d670a156b37608d20d49d79131138f02e4abf82b 100644 +--- a/src/providers/ipa/ipa_subdomains_server.c ++++ b/src/providers/ipa/ipa_subdomains_server.c +@@ -305,7 +305,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, + ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE); + + /* use AD plugin */ +- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res, ++ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, + ad_id_ctx->ad_options->id, + id_ctx->server_mode->hostname, +-- +2.15.1 + 
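Review bot: Both `sysdb_get_site` and `sysdb_set_site` are keyed on `ctx->be_ctx->domain`, and the `ad_subdomains.c` and `ipa_subdomains_server.c` hunks pass the provider's `be_ctx` unchanged for every per-domain plugin context, so all trusted domains served by one back end read and write the same `site` attribute under the main domain's base entry; if the trusted forests use different site names (at least plausible in the IPA server-mode case, where each `ipa_ad_ctx_new` serves a separate forest), the last successful discovery overwrites the others and the next start primes each context with a site that may not exist in its forest. Consider storing the site under the domain the plugin actually serves, for example by looking up the `sss_domain_info` matching `ctx->ad_domain` and passing that to both sysdb calls, and note in a comment that AD sites are forest-wide rather than global. What happens when a persisted site is stale or nonexistent depends on how `ad_get_dc_servers_send` falls back, which is outside this hunk.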
diff --git a/0017-UTIL-Add-wrapper-function-to-configure-logger.patch b/0017-UTIL-Add-wrapper-function-to-configure-logger.patch
new file mode 100644
index 0000000..2e0f13f
--- /dev/null
+++ b/0017-UTIL-Add-wrapper-function-to-configure-logger.patch
@@ -0,0 +1,132 @@ +From dad79765d9ccafb3ba5d31a20462d73af96fa058 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 23 Oct 2017 14:58:14 +0200 +Subject: [PATCH 17/79] UTIL: Add wrapper function to configure logger +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let's use one enum for logger type instead of many integers (debug_to_file, +debug_to_stderr plus some weird combination for journald). +Old variable were also transformed to enum for backward compatibility + +Reviewed-by: Fabiano Fidêncio +--- + src/util/debug.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/util/debug.h | 18 ++++++++++++++++++ + 2 files changed, 72 insertions(+) + +diff --git a/src/util/debug.c b/src/util/debug.c +index ca4fa4c6f5b150700a0a136d8a7ca9df30c29d73..4e469447e5ab8aa89cd57bcd6d00269875a12bc6 100644 +--- a/src/util/debug.c ++++ b/src/util/debug.c +@@ -43,9 +43,63 @@ int debug_timestamps = SSSDBG_TIMESTAMP_UNRESOLVED; + int debug_microseconds = SSSDBG_MICROSECONDS_UNRESOLVED; + int debug_to_file = 0; + int debug_to_stderr = 0; ++enum sss_logger_t sss_logger; + const char *debug_log_file = "sssd"; + FILE *debug_file = NULL; + ++const char *sss_logger_str[] = { ++ [STDERR_LOGGER] = "stderr", ++ [FILES_LOGGER] = "files", ++#ifdef WITH_JOURNALD ++ [JOURNALD_LOGGER] = "journald", ++#endif ++ NULL, ++}; ++ ++#ifdef WITH_JOURNALD ++#define JOURNALD_STR " journald," ++#else ++#define JOURNALD_STR "" ++#endif ++ ++void sss_set_logger(const char *logger) ++{ ++ /* use old flags */ ++ if (logger == NULL) { ++ if (debug_to_stderr != 0) { ++ sss_logger = STDERR_LOGGER; ++ } ++ /* It is never described what should be used in case of ++ * debug_to_stderr == 1 && debug_to_file == 1. Because neither ++ * of binaries provide both command line arguments. ++ * Let files have higher priority. 
++ */ ++ if (debug_to_file != 0) { ++ sss_logger = FILES_LOGGER; ++ } ++#ifdef WITH_JOURNALD ++ if (debug_to_file == 0 && debug_to_stderr == 0) { ++ sss_logger = JOURNALD_LOGGER; ++ } ++#endif ++ } else { ++ if (strcmp(logger, "stderr") == 0) { ++ sss_logger = STDERR_LOGGER; ++ } else if (strcmp(logger, "files") == 0) { ++ sss_logger = FILES_LOGGER; ++#ifdef WITH_JOURNALD ++ } else if (strcmp(logger, "journald") == 0) { ++ sss_logger = JOURNALD_LOGGER; ++#endif ++ } else { ++ /* unexpected value */ ++ fprintf(stderr, "Unexpected logger: %s\nExpected:%s stderr, " ++ "files\n", logger, JOURNALD_STR); ++ sss_logger = STDERR_LOGGER; ++ } ++ } ++} ++ + errno_t set_debug_file_from_fd(const int fd) + { + FILE *dummy; +diff --git a/src/util/debug.h b/src/util/debug.h +index 2a1bd4ffd30817d7128805996c21105fe40982a2..4adafb7cfc03f7381c4d03071eb44edad04bee00 100644 +--- a/src/util/debug.h ++++ b/src/util/debug.h +@@ -31,13 +31,26 @@ + + #define APPEND_LINE_FEED 0x1 + ++enum sss_logger_t { ++ STDERR_LOGGER = 0, ++ FILES_LOGGER, ++#ifdef WITH_JOURNALD ++ JOURNALD_LOGGER, ++#endif ++}; ++ ++extern const char *sss_logger_str[]; + extern const char *debug_prg_name; + extern int debug_level; + extern int debug_timestamps; + extern int debug_microseconds; + extern int debug_to_file; + extern int debug_to_stderr; ++extern enum sss_logger_t sss_logger; + extern const char *debug_log_file; ++ ++void sss_set_logger(const char *logger); ++ + void sss_vdebug_fn(const char *file, + long line, + const char *function, +@@ -80,6 +93,11 @@ int get_fd_from_debug_file(void); + #define SSSDBG_MICROSECONDS_UNRESOLVED -1 + #define SSSDBG_MICROSECONDS_DEFAULT 0 + ++#define SSSD_LOGGER_OPTS \ ++ {"logger", '\0', POPT_ARG_STRING, &opt_logger, 0, \ ++ _("Set logger"), "stderr|files|journald"}, ++ ++ + #define SSSD_DEBUG_OPTS \ + {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, \ + _("Debug level"), NULL}, \ +-- +2.15.1 + 
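Review bot: In `sss_set_logger`, the `logger == NULL` branch never assigns `sss_logger` when neither `debug_to_file` nor `debug_to_stderr` is set and the build lacks journald, so the outcome depends on the global's zero initialisation happening to equal `STDERR_LOGGER` rather than on an explicit choice; start the branch with `sss_logger = STDERR_LOGGER;` and keep the `#ifdef WITH_JOURNALD` override, so the intent survives a reordering of the enum. The three `strcmp` tests duplicate the names already held in `sss_logger_str[]`; iterating that table (`for (i = 0; sss_logger_str[i] != NULL; i++)`) keeps the option spellings in one place and lets the usage text be built from the same table instead of the `JOURNALD_STR` macro. An unrecognised `--logger` value is reported once on stderr and then silently mapped to `STDERR_LOGGER`, which a daemon started without a terminal may never surface; returning an error so the caller can refuse the misconfiguration would be safer than a silent fallback.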
diff --git a/0018-Add-parameter-logger-to-daemons.patch b/0018-Add-parameter-logger-to-daemons.patch
new file mode 100644
index 0000000..4d8585c
--- /dev/null
+++ b/0018-Add-parameter-logger-to-daemons.patch
@@ -0,0 +1,829 @@ +From 0256b7734738302da9752db5297a3d41fccd40ac Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 23 Oct 2017 15:18:47 +0200 +Subject: [PATCH 18/79] Add parameter --logger to daemons +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Different binary handled information about logging differently + e,g, --debug-to-files --debug-to-stderr +And logging to journald was a special case of previous options +(!debug_file && !debug_to_stderr). It was also tied to the monitor option +"--daemon" and therefore loggind to stderr was used in interactive mode ++ systemd Type=notify. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3433 + +Reviewed-by: Justin Stephenson +Reviewed-by: Fabiano Fidêncio +--- + src/man/sssd.8.xml | 31 +++++++++++++++++++++++++ + src/monitor/monitor.c | 48 ++++++++++++--------------------------- + src/p11_child/p11_child_nss.c | 3 +++ + src/providers/ad/ad_gpo_child.c | 4 ++++ + src/providers/data_provider_be.c | 4 ++++ + src/providers/ipa/selinux_child.c | 4 ++++ + src/providers/krb5/krb5_child.c | 4 ++++ + src/providers/ldap/ldap_child.c | 4 ++++ + src/providers/proxy/proxy_auth.c | 4 ++-- + src/providers/proxy/proxy_child.c | 4 ++++ + src/responder/autofs/autofssrv.c | 4 ++++ + src/responder/ifp/ifpsrv.c | 4 ++++ + src/responder/kcm/kcm.c | 4 ++++ + src/responder/nss/nsssrv.c | 4 ++++ + src/responder/pac/pacsrv.c | 4 ++++ + src/responder/pam/pamsrv.c | 4 ++++ + src/responder/secrets/secsrv.c | 4 ++++ + src/responder/ssh/sshsrv.c | 4 ++++ + src/responder/sudo/sudosrv.c | 4 ++++ + src/tests/cmocka/dummy_child.c | 4 ++++ + src/tests/debug-tests.c | 10 ++++++++ + src/util/child_common.c | 2 +- + src/util/debug.c | 4 ++-- + src/util/server.c | 12 ++++++---- + 24 files changed, 135 insertions(+), 43 deletions(-) + +diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml +index 923da6824907f0d2d140d9ca83f87338e7664f83..0b725628ff93f48f832140dd5dc15b040a8b179f 100644 +--- 
a/src/man/sssd.8.xml ++++ b/src/man/sssd.8.xml +@@ -92,6 +92,37 @@ + + + ++ ++ ++ value ++ ++ ++ ++ Location where SSSD will send log messages. This option ++ overrides the value of the deprecated option ++ . The deprecated ++ option will still work if the ++ is not used. ++ ++ ++ stderr: Redirect debug messages to ++ standard error output. ++ ++ ++ files: Redirect debug messages to ++ the log files. By default, the log files are stored in ++ /var/log/sssd and there are ++ separate log files for every SSSD service and domain. ++ ++ ++ journald: Redirect debug messages ++ to systemd-journald ++ ++ ++ Default: not set ++ ++ ++ + + + , +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index 7726548bbb666bb189667efc1de2295f8a001105..3c0b7ab2dac10fe15a8a5b807cb68ea4b7ab8461 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -1211,22 +1211,11 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, + } + } + +- if (debug_to_file) { +- svc->command = talloc_strdup_append( +- svc->command, " --debug-to-files" +- ); +- if (!svc->command) { +- talloc_free(svc); +- return ENOMEM; +- } +- } else if (ctx->is_daemon == false) { +- svc->command = talloc_strdup_append( +- svc->command, " --debug-to-stderr" +- ); +- if (!svc->command) { +- talloc_free(svc); +- return ENOMEM; +- } ++ svc->command = talloc_asprintf_append( ++ svc->command, " --logger=%s", sss_logger_str[sss_logger]); ++ if (!svc->command) { ++ talloc_free(svc); ++ return ENOMEM; + } + } + +@@ -1374,22 +1363,11 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name, + } + } + +- if (debug_to_file) { +- svc->command = talloc_strdup_append( +- svc->command, " --debug-to-files" +- ); +- if (!svc->command) { +- talloc_free(svc); +- return ENOMEM; +- } +- } else if (ctx->is_daemon == false) { +- svc->command = talloc_strdup_append( +- svc->command, " --debug-to-stderr" +- ); +- if (!svc->command) { +- talloc_free(svc); +- return ENOMEM; +- } ++ svc->command = 
talloc_asprintf_append( ++ svc->command, " --logger=%s", sss_logger_str[sss_logger]); ++ if (!svc->command) { ++ talloc_free(svc); ++ return ENOMEM; + } + } + +@@ -2454,6 +2432,7 @@ int main(int argc, const char *argv[]) + int opt_version = 0; + int opt_netlinkoff = 0; + char *opt_config_file = NULL; ++ char *opt_logger = NULL; + char *config_file = NULL; + int flags = 0; + struct main_context *main_ctx; +@@ -2465,6 +2444,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + {"daemon", 'D', POPT_ARG_NONE, &opt_daemon, 0, \ + _("Become a daemon (default)"), NULL }, \ + {"interactive", 'i', POPT_ARG_NONE, &opt_interactive, 0, \ +@@ -2551,6 +2531,8 @@ int main(int argc, const char *argv[]) + debug_to_stderr = 1; + } + ++ sss_set_logger(opt_logger); ++ + if (opt_config_file) { + config_file = talloc_strdup(tmp_ctx, opt_config_file); + } else { +@@ -2575,7 +2557,7 @@ int main(int argc, const char *argv[]) + + /* Open before server_setup() does to have logging + * during configuration checking */ +- if (debug_to_file) { ++ if (sss_logger == FILES_LOGGER) { + ret = open_debug_file(); + if (ret) { + return 7; +diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c +index f165b58e63d2b8a6f26acf8bd89e7b41713e7359..e7dbcb689220d1cd2585fbde5f26e84f8fa15cc2 100644 +--- a/src/p11_child/p11_child_nss.c ++++ b/src/p11_child/p11_child_nss.c +@@ -537,6 +537,7 @@ int main(int argc, const char *argv[]) + int opt; + poptContext pc; + int debug_fd = -1; ++ char *opt_logger = NULL; + errno_t ret; + TALLOC_CTX *main_ctx = NULL; + char *cert; +@@ -564,6 +565,7 @@ int main(int argc, const char *argv[]) + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, + &debug_to_stderr, 0, + _("Send the debug output to stderr directly."), NULL }, ++ SSSD_LOGGER_OPTS + {"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL}, + {"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in 
pre-auth mode"), NULL}, + {"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL}, +@@ -672,6 +674,7 @@ int main(int argc, const char *argv[]) + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } + } ++ sss_set_logger(opt_logger); + + DEBUG(SSSDBG_TRACE_FUNC, "p11_child started.\n"); + +diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c +index 8e5e062547721567cb450f9d0f72f1ec8cb99f96..5375cc691e8649c289672b74c4bfe5266c8222c9 100644 +--- a/src/providers/ad/ad_gpo_child.c ++++ b/src/providers/ad/ad_gpo_child.c +@@ -687,6 +687,7 @@ main(int argc, const char *argv[]) + int opt; + poptContext pc; + int debug_fd = -1; ++ char *opt_logger = NULL; + errno_t ret; + int sysvol_gpt_version; + int result; +@@ -710,6 +711,7 @@ main(int argc, const char *argv[]) + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, + &debug_to_stderr, 0, + _("Send the debug output to stderr directly."), NULL }, ++ SSSD_LOGGER_OPTS + POPT_TABLEEND + }; + +@@ -744,6 +746,8 @@ main(int argc, const char *argv[]) + } + } + ++ sss_set_logger(opt_logger); ++ + DEBUG(SSSDBG_TRACE_FUNC, "gpo_child started.\n"); + + main_ctx = talloc_new(NULL); +diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c +index 2e55dc4e3fe9ba1aa8c1c51c426efee00b9ae91d..56ddac112a209b6937313d3d3c94a73d2067331f 100644 +--- a/src/providers/data_provider_be.c ++++ b/src/providers/data_provider_be.c +@@ -537,6 +537,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + char *be_domain = NULL; + char *srv_name = NULL; + struct main_context *main_ctx; +@@ -548,6 +549,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + {"domain", 0, POPT_ARG_STRING, &be_domain, 0, + _("Domain of the information provider (mandatory)"), NULL }, +@@ -582,6 +584,8 @@ int main(int argc, const char 
*argv[]) + debug_log_file = talloc_asprintf(NULL, "sssd_%s", be_domain); + if (!debug_log_file) return 2; + ++ sss_set_logger(opt_logger); ++ + srv_name = talloc_asprintf(NULL, "sssd[be[%s]]", be_domain); + if (!srv_name) return 2; + +diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c +index 073475094ee491bd5453898c6ba65214fa14fe59..120492686963241b7e419413f489cc38953e32f2 100644 +--- a/src/providers/ipa/selinux_child.c ++++ b/src/providers/ipa/selinux_child.c +@@ -206,6 +206,7 @@ int main(int argc, const char *argv[]) + struct response *resp = NULL; + ssize_t written; + bool needs_update; ++ char *opt_logger = NULL; + + struct poptOption long_options[] = { + POPT_AUTOHELP +@@ -220,6 +221,7 @@ int main(int argc, const char *argv[]) + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, + &debug_to_stderr, 0, + _("Send the debug output to stderr directly."), NULL }, ++ SSSD_LOGGER_OPTS + POPT_TABLEEND + }; + +@@ -254,6 +256,8 @@ int main(int argc, const char *argv[]) + } + } + ++ sss_set_logger(opt_logger); ++ + DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n"); + DEBUG(SSSDBG_TRACE_INTERNAL, + "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n", +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index b8ee497728b4b70fae89e528172e9d5bd42239c0..b44f3a20f1c0725304a37620d36f8872cf9ca5d7 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -3020,6 +3020,7 @@ int main(int argc, const char *argv[]) + int opt; + poptContext pc; + int debug_fd = -1; ++ char *opt_logger = NULL; + errno_t ret; + krb5_error_code kerr; + uid_t fast_uid; +@@ -3039,6 +3040,7 @@ int main(int argc, const char *argv[]) + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, + &debug_to_stderr, 0, + _("Send the debug output to stderr directly."), NULL }, ++ SSSD_LOGGER_OPTS + {CHILD_OPT_FAST_CCACHE_UID, 0, POPT_ARG_INT, &fast_uid, 0, + _("The user to create FAST ccache as"), 
NULL}, + {CHILD_OPT_FAST_CCACHE_GID, 0, POPT_ARG_INT, &fast_gid, 0, +@@ -3097,6 +3099,8 @@ int main(int argc, const char *argv[]) + } + } + ++ sss_set_logger(opt_logger); ++ + DEBUG(SSSDBG_TRACE_FUNC, "krb5_child started.\n"); + + kr = talloc_zero(NULL, struct krb5_req); +diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c +index b796e5cae01517c85c2fc1605b1e5877454691dc..baeed239db5dc7ffa482edcbc155f25f718c8249 100644 +--- a/src/providers/ldap/ldap_child.c ++++ b/src/providers/ldap/ldap_child.c +@@ -599,6 +599,7 @@ int main(int argc, const char *argv[]) + int kerr; + int opt; + int debug_fd = -1; ++ char *opt_logger = NULL; + poptContext pc; + TALLOC_CTX *main_ctx = NULL; + uint8_t *buf = NULL; +@@ -622,6 +623,7 @@ int main(int argc, const char *argv[]) + _("An open file descriptor for the debug logs"), NULL}, + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \ + _("Send the debug output to stderr directly."), NULL }, \ ++ SSSD_LOGGER_OPTS + POPT_TABLEEND + }; + +@@ -657,6 +659,8 @@ int main(int argc, const char *argv[]) + } + } + ++ sss_set_logger(opt_logger); ++ + BlockSignals(false, SIGTERM); + CatchSignal(SIGTERM, sig_term_handler); + +diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c +index a05586e60b6ef894b0fcf1b8b3f30fdbf51a808d..665a29cf779290b8d35973245a36a1b5224bca78 100644 +--- a/src/providers/proxy/proxy_auth.c ++++ b/src/providers/proxy/proxy_auth.c +@@ -178,9 +178,9 @@ static struct tevent_req *proxy_child_init_send(TALLOC_CTX *mem_ctx, + + state->command = talloc_asprintf(req, + "%s/proxy_child -d %#.4x --debug-timestamps=%d " +- "--debug-microseconds=%d%s --domain %s --id %d", ++ "--debug-microseconds=%d --logger=%s --domain %s --id %d", + SSSD_LIBEXEC_PATH, debug_level, debug_timestamps, +- debug_microseconds, (debug_to_file ? 
" --debug-to-files" : ""), ++ debug_microseconds, sss_logger_str[sss_logger], + auth_ctx->be->domain->name, + child_ctx->id); + if (state->command == NULL) { +diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c +index be58622eb8b26231eeb6699976d51f57dc44de98..ae4855adeb5cc68f1a19003355a5d94f5b1bb378 100644 +--- a/src/providers/proxy/proxy_child.c ++++ b/src/providers/proxy/proxy_child.c +@@ -504,6 +504,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + char *domain = NULL; + char *srv_name = NULL; + char *conf_entry = NULL; +@@ -517,6 +518,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + {"domain", 0, POPT_ARG_STRING, &domain, 0, + _("Domain of the information provider (mandatory)"), NULL }, +@@ -561,6 +563,8 @@ int main(int argc, const char *argv[]) + debug_log_file = talloc_asprintf(NULL, "proxy_child_%s", domain); + if (!debug_log_file) return 2; + ++ sss_set_logger(opt_logger); ++ + srv_name = talloc_asprintf(NULL, "sssd[proxy_child[%s]]", domain); + if (!srv_name) return 2; + +diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c +index cfb2233fdfc346bf27b128ee8c4261f4c73e3470..b0762a2b685a7c5ab3abfa281f0906ad8bfe1c88 100644 +--- a/src/responder/autofs/autofssrv.c ++++ b/src/responder/autofs/autofssrv.c +@@ -185,6 +185,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -193,6 +194,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND +@@ -221,6 +223,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... 
*/ + debug_log_file = "sssd_autofs"; + ++ sss_set_logger(opt_logger); ++ + ret = server_setup("sssd[autofs]", 0, uid, gid, + CONFDB_AUTOFS_CONF_ENTRY, &main_ctx); + if (ret != EOK) { +diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c +index 0dc61a42200cc79fc6f12515a8f581ad0201a043..85dfbacc217e2870dd7517e36a1d39e7f2054a8b 100644 +--- a/src/responder/ifp/ifpsrv.c ++++ b/src/responder/ifp/ifpsrv.c +@@ -355,6 +355,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -363,6 +364,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND +@@ -391,6 +393,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... */ + debug_log_file = "sssd_ifp"; + ++ sss_set_logger(opt_logger); ++ + ret = server_setup("sssd[ifp]", 0, 0, 0, + CONFDB_IFP_CONF_ENTRY, &main_ctx); + if (ret != EOK) return 2; +diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c +index 2202f96381a2622a2c5433e281172287b325f960..358fcc18165dec7b41a7389a3ef22660ac04b4a8 100644 +--- a/src/responder/kcm/kcm.c ++++ b/src/responder/kcm/kcm.c +@@ -258,6 +258,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -266,6 +267,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + POPT_TABLEEND + }; +@@ -293,6 +295,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... 
*/ + debug_log_file = "sssd_kcm"; + ++ sss_set_logger(opt_logger); ++ + ret = server_setup("sssd[kcm]", 0, uid, gid, CONFDB_KCM_CONF_ENTRY, + &main_ctx); + if (ret != EOK) return 2; +diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c +index d67b9fac8d770d113560e41b259e2d5edd219343..1559c314e5353d41c61c83ecc712311ac18a7202 100644 +--- a/src/responder/nss/nsssrv.c ++++ b/src/responder/nss/nsssrv.c +@@ -405,6 +405,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -413,6 +414,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND +@@ -441,6 +443,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... */ + debug_log_file = "sssd_nss"; + ++ sss_set_logger(opt_logger); ++ + ret = server_setup("sssd[nss]", 0, uid, gid, CONFDB_NSS_CONF_ENTRY, + &main_ctx); + if (ret != EOK) return 2; +diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c +index 1f820c07f5c55fe8df75cce05b403c41075d9f94..b72e5c8d2a42bc85f0974dcb81a1290d3f740986 100644 +--- a/src/responder/pac/pacsrv.c ++++ b/src/responder/pac/pacsrv.c +@@ -209,6 +209,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -217,6 +218,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND +@@ -245,6 +247,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... 
*/ + debug_log_file = "sssd_pac"; + ++ sss_set_logger(opt_logger); ++ + ret = server_setup("sssd[pac]", 0, uid, gid, + CONFDB_PAC_CONF_ENTRY, &main_ctx); + if (ret != EOK) return 2; +diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c +index 79470823d18138da6ef9235e6336a3220ead1797..cc0e4bddcdbecfadabea78a6d2815d0ac6d651b6 100644 +--- a/src/responder/pam/pamsrv.c ++++ b/src/responder/pam/pamsrv.c +@@ -355,6 +355,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -365,6 +366,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND +@@ -393,6 +395,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... */ + debug_log_file = "sssd_pam"; + ++ sss_set_logger(opt_logger); ++ + if (!is_socket_activated()) { + /* Crate pipe file descriptors here before privileges are dropped + * in server_setup() */ +diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c +index 2b661b165ef0c174557f53012b2dbaa236a6e359..59c0f3a56040a6fc0c092247fbd124a069f97153 100644 +--- a/src/responder/secrets/secsrv.c ++++ b/src/responder/secrets/secsrv.c +@@ -324,6 +324,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -332,6 +333,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + POPT_TABLEEND + }; +@@ -359,6 +361,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... 
*/ + debug_log_file = "sssd_secrets"; + ++ sss_set_logger(opt_logger); ++ + ret = server_setup("sssd[secrets]", 0, uid, gid, CONFDB_SEC_CONF_ENTRY, + &main_ctx); + if (ret != EOK) return 2; +diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c +index 440f0e2b9dc06e3dc52ff96d7207b8a3727865c0..8b0e7cc2d71044d7ab3bd2439041f678ddedb4cd 100644 +--- a/src/responder/ssh/sshsrv.c ++++ b/src/responder/ssh/sshsrv.c +@@ -177,6 +177,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -185,6 +186,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND +@@ -213,6 +215,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... */ + debug_log_file = "sssd_ssh"; + ++ sss_set_logger(opt_logger); ++ + ret = server_setup("sssd[ssh]", 0, uid, gid, + CONFDB_SSH_CONF_ENTRY, &main_ctx); + if (ret != EOK) { +diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c +index dca70ea4afc0e6df6d1b1864338c7b1091a98fee..19058321a25022d7704556ec0ef79729db3ac1f2 100644 +--- a/src/responder/sudo/sudosrv.c ++++ b/src/responder/sudo/sudosrv.c +@@ -178,6 +178,7 @@ int main(int argc, const char *argv[]) + { + int opt; + poptContext pc; ++ char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; +@@ -186,6 +187,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS ++ SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND +@@ -214,6 +216,8 @@ int main(int argc, const char *argv[]) + /* set up things like debug, signals, daemonization, etc... 
*/ + debug_log_file = "sssd_sudo"; + ++ sss_set_logger(opt_logger); ++ + ret = server_setup("sssd[sudo]", 0, uid, gid, CONFDB_SUDO_CONF_ENTRY, + &main_ctx); + if (ret != EOK) { +diff --git a/src/tests/cmocka/dummy_child.c b/src/tests/cmocka/dummy_child.c +index bcaa9455037a0604422750bf7cc719a25cef4a99..811cb40490c89c4250401e0d8d3e9d1c277f57af 100644 +--- a/src/tests/cmocka/dummy_child.c ++++ b/src/tests/cmocka/dummy_child.c +@@ -34,6 +34,7 @@ int main(int argc, const char *argv[]) + { + int opt; + int debug_fd = -1; ++ char *opt_logger = NULL; + poptContext pc; + ssize_t len; + ssize_t written; +@@ -55,6 +56,7 @@ int main(int argc, const char *argv[]) + _("An open file descriptor for the debug logs"), NULL}, + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \ + _("Send the debug output to stderr directly."), NULL }, ++ SSSD_LOGGER_OPTS + {"guitar", 0, POPT_ARG_STRING, &guitar, 0, _("Who plays guitar"), NULL }, + {"drums", 0, POPT_ARG_STRING, &drums, 0, _("Who plays drums"), NULL }, + POPT_TABLEEND +@@ -76,6 +78,8 @@ int main(int argc, const char *argv[]) + } + poptFreeContext(pc); + ++ sss_set_logger(opt_logger); ++ + action = getenv("TEST_CHILD_ACTION"); + if (action) { + if (strcasecmp(action, "check_extra_args") == 0) { +diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c +index d904d7eb8b5418608023faca0d62067f3106d23b..1446ec0474ab4bf72e66b58831fef59defd7be76 100644 +--- a/src/tests/debug-tests.c ++++ b/src/tests/debug-tests.c +@@ -343,6 +343,7 @@ START_TEST(test_debug_is_set_single_no_timestamp) + debug_microseconds = 0; + debug_to_file = 1; + debug_prg_name = "sssd"; ++ sss_set_logger(sss_logger_str[FILES_LOGGER]); + + for (i = 0; i <= 9; i++) { + debug_level = levels[i]; +@@ -385,6 +386,8 @@ START_TEST(test_debug_is_set_single_timestamp) + debug_microseconds = 0; + debug_to_file = 1; + debug_prg_name = "sssd"; ++ sss_set_logger(sss_logger_str[FILES_LOGGER]); ++ + + for (i = 0; i <= 9; i++) { + debug_level = 
levels[i]; +@@ -432,6 +435,8 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds) + debug_microseconds = 1; + debug_to_file = 1; + debug_prg_name = "sssd"; ++ sss_set_logger(sss_logger_str[FILES_LOGGER]); ++ + + for (i = 0; i <= 9; i++) { + debug_level = levels[i]; +@@ -480,6 +485,8 @@ START_TEST(test_debug_is_notset_no_timestamp) + debug_microseconds = 0; + debug_to_file = 1; + debug_prg_name = "sssd"; ++ sss_set_logger(sss_logger_str[FILES_LOGGER]); ++ + + for (i = 0; i <= 9; i++) { + debug_level = all_set & ~levels[i]; +@@ -525,6 +532,8 @@ START_TEST(test_debug_is_notset_timestamp) + debug_microseconds = 0; + debug_to_file = 1; + debug_prg_name = "sssd"; ++ sss_set_logger(sss_logger_str[FILES_LOGGER]); ++ + + for (i = 0; i <= 9; i++) { + debug_level = all_set & ~levels[i]; +@@ -570,6 +579,7 @@ START_TEST(test_debug_is_notset_timestamp_microseconds) + debug_microseconds = 1; + debug_to_file = 1; + debug_prg_name = "sssd"; ++ sss_set_logger(sss_logger_str[FILES_LOGGER]); + + for (i = 0; i <= 9; i++) { + debug_level = all_set & ~levels[i]; +diff --git a/src/util/child_common.c b/src/util/child_common.c +index b300d84bf432608db96de36e04637b5fb115212e..dc070f26446305e07cbb34edd1e4d72db72aedc5 100644 +--- a/src/util/child_common.c ++++ b/src/util/child_common.c +@@ -676,7 +676,7 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx, + } + + if (child_debug_stderr) { +- argv[--argc] = talloc_strdup(argv, "--debug-to-stderr"); ++ argv[--argc] = talloc_strdup(argv, "--logger=stderr"); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; +diff --git a/src/util/debug.c b/src/util/debug.c +index 4e469447e5ab8aa89cd57bcd6d00269875a12bc6..30801fce7c27b115d1cafd4ed826a57c7d444a72 100644 +--- a/src/util/debug.c ++++ b/src/util/debug.c +@@ -277,7 +277,7 @@ void sss_vdebug_fn(const char *file, + errno_t ret; + va_list ap_fallback; + +- if (!debug_file && !debug_to_stderr) { ++ if (sss_logger == JOURNALD_LOGGER) { + /* If we are not outputting logs to files, we 
should be sending them + * to journald. + * NOTE: on modern systems, this is where stdout/stderr will end up +@@ -470,7 +470,7 @@ int rotate_debug_files(void) + int ret; + errno_t error; + +- if (!debug_to_file) return EOK; ++ if (sss_logger != FILES_LOGGER) return EOK; + + do { + error = 0; +diff --git a/src/util/server.c b/src/util/server.c +index 4e65cc66c01ba020b13a88df8e017765ac97f76e..f76cb6a0838324d4fc3ed376eb425fee2412a817 100644 +--- a/src/util/server.c ++++ b/src/util/server.c +@@ -455,7 +455,7 @@ int server_setup(const char *name, int flags, + char *conf_db; + int ret = EOK; + bool dt; +- bool dl; ++ bool dl = false; + bool dm; + struct tevent_signal *tes; + struct logrotate_ctx *lctx; +@@ -637,16 +637,18 @@ int server_setup(const char *name, int flags, + } + + /* same for debug to file */ +- dl = (debug_to_file != 0); + ret = confdb_get_bool(ctx->confdb_ctx, conf_entry, + CONFDB_SERVICE_DEBUG_TO_FILES, +- dl, &dl); ++ false, &dl); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + return ret; + } +- if (dl) debug_to_file = 1; ++ if (dl) { ++ debug_to_file = 1; ++ sss_set_logger(sss_logger_str[FILES_LOGGER]); ++ } + + /* before opening the log file set up log rotation */ + lctx = talloc_zero(ctx, struct logrotate_ctx); +@@ -662,7 +664,7 @@ int server_setup(const char *name, int flags, + } + + /* open log file if told so */ +- if (debug_to_file) { ++ if (sss_logger == FILES_LOGGER) { + ret = open_debug_file(); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) " +-- +2.15.1 + diff --git a/0019-SYSTEMD-Replace-parameter-debug-to-files-with-DEBUG_.patch b/0019-SYSTEMD-Replace-parameter-debug-to-files-with-DEBUG_.patch new file mode 100644 index 0000000..13166f1 --- /dev/null +++ b/0019-SYSTEMD-Replace-parameter-debug-to-files-with-DEBUG_.patch 
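Review bot: The journald branch in sss_vdebug_fn (debug.c hunk) now tests only `sss_logger == JOURNALD_LOGGER`, whereas the removed `!debug_file && !debug_to_stderr` also honoured an already-open debug_file; a helper child that prepare_child_argv (child_common.c hunk) starts with just --debug-fd and no --logger therefore reaches the fallback path of sss_set_logger(NULL), and on a WITH_JOURNALD build is classified as JOURNALD_LOGGER unless set_debug_file_from_fd() sets debug_to_file, which is not visible here. If it does not, krb5_child, ldap_child, selinux_child, gpo_child and p11_child would write to the journal instead of the descriptor inherited from the backend, and rotate_debug_files() would also skip them. Passing the parent's choice unconditionally would close the gap: `argv[--argc] = talloc_asprintf(argv, "--logger=%s", sss_logger_str[sss_logger]);` in place of the stderr-only branch. prepare_child_argv and every touched main() extend beyond the hunk.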
@@ -0,0 +1,258 @@ +From e2c0eecb49af621de77426cb46fff9bbb9a3f220 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 23 Oct 2017 18:03:46 +0200 +Subject: [PATCH 19/79] SYSTEMD: Replace parameter --debug-to-files with + ${DEBUG_LOGGER} +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Users can set variable DEBUG_LOGGER in environment files +(/etc/sysconfig/sssd or /etc/default/sssd; depending on the distribution) +to override default logging to files. + +e.g. +DEBUG_LOGGER=--logger=stderr +DEBUG_LOGGER=--logger=journald + +Resolves: +https://pagure.io/SSSD/sssd/issue/3433 + +Reviewed-by: Fabiano Fidêncio +--- + Makefile.am | 12 +----------- + contrib/sssd.spec.in | 4 ---- + src/sysv/systemd/journal.conf.in | 7 ------- + src/sysv/systemd/sssd-autofs.service.in | 3 ++- + src/sysv/systemd/sssd-ifp.service.in | 3 ++- + src/sysv/systemd/sssd-kcm.service.in | 3 ++- + src/sysv/systemd/sssd-nss.service.in | 3 ++- + src/sysv/systemd/sssd-pac.service.in | 3 ++- + src/sysv/systemd/sssd-pam.service.in | 3 ++- + src/sysv/systemd/sssd-secrets.service.in | 3 ++- + src/sysv/systemd/sssd-ssh.service.in | 3 ++- + src/sysv/systemd/sssd-sudo.service.in | 3 ++- + src/sysv/systemd/sssd.service.in | 3 ++- + 13 files changed, 21 insertions(+), 32 deletions(-) + delete mode 100644 src/sysv/systemd/journal.conf.in + +diff --git a/Makefile.am b/Makefile.am +index 41a8f32f4e76fdcbd09ad833161f0bdada19e389..5483375167d99568e8313c9a0488900419be6ec3 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -91,7 +91,7 @@ sssdkcmdatadir = $(datadir)/sssd-kcm + deskprofilepath = $(sss_statedir)/deskprofile + + if HAVE_SYSTEMD_UNIT +-ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --debug-to-files --dbus-activated ++ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated + ifp_systemdservice = SystemdService=sssd-ifp.service + ifp_restart = Restart=on-failure + else +@@ -4483,10 +4483,6 @@ if BUILD_KCM + 
src/sysv/systemd/sssd-kcm.service \ + $(NULL) + endif +-if WITH_JOURNALD +- systemdconf_DATA += \ +- src/sysv/systemd/journal.conf +-endif + else + if HAVE_SUSE + init_SCRIPTS += \ +@@ -4535,7 +4531,6 @@ replace_script = \ + + EXTRA_DIST += \ + src/sysv/systemd/sssd.service.in \ +- src/sysv/systemd/journal.conf.in \ + src/sysv/systemd/sssd-nss.socket.in \ + src/sysv/systemd/sssd-nss.service.in \ + src/sysv/systemd/sssd-pam.socket.in \ +@@ -4585,10 +4580,6 @@ src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +-src/sysv/systemd/journal.conf: src/sysv/systemd/journal.conf.in Makefile +- @$(MKDIR_P) src/sysv/systemd/ +- $(replace_script) +- + src/sysv/systemd/sssd-nss.socket: src/sysv/systemd/sssd-nss.socket.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) +@@ -4924,7 +4915,6 @@ endif + rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service + rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket + rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service +- rm -f $(builddir)/src/sysv/systemd/journal.conf + rm -f $(builddir)/src/tools/wrappers/sss_debuglevel + + CLEANFILES += *.X */*.X */*/*.X +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index d6ab73e60863316cbf239d34242959fdfe8d4b1b..4aafd1832b67161ff1c25a4e9ad689586a227a25 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -971,10 +971,6 @@ done + %attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd + %attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d + %ghost %attr(0600,sssd,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf +-%if (0%{?use_systemd} == 1) +-%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/sssd.service.d +-%config(noreplace) %{_sysconfdir}/systemd/system/sssd.service.d/journal.conf +-%endif + %dir %{_sysconfdir}/logrotate.d + %config(noreplace) %{_sysconfdir}/logrotate.d/sssd + %dir %{_sysconfdir}/rwtab.d +diff --git a/src/sysv/systemd/journal.conf.in 
b/src/sysv/systemd/journal.conf.in
+deleted file mode 100644
+index 9ce170b4893629792516aab41573adea1fb741f0..0000000000000000000000000000000000000000
+--- a/src/sysv/systemd/journal.conf.in
++++ /dev/null
+@@ -1,7 +0,0 @@
+-[Service]
+-# Uncomment *both* of the following lines to enable debug logging
+-# to go to journald instead of /var/log/sssd. You will need to
+-# run 'systemctl daemon-reload' and then restart the SSSD service
+-# for this to take effect
+-#ExecStart=
+-#ExecStart=@sbindir@/sssd -i
+diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
+index 32ea6e19ca7f9aa65599c0cf296a8c5e73362271..c2dc254c8f3f56cb6ae4dc481781688aa702b102 100644
+--- a/src/sysv/systemd/sssd-autofs.service.in
++++ b/src/sysv/systemd/sssd-autofs.service.in
+@@ -9,8 +9,9 @@ RefuseManualStart=true
+ Also=sssd-autofs.socket
+
+ [Service]
++Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log
+-ExecStart=@libexecdir@/sssd/sssd_autofs --debug-to-files --socket-activated
++ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
+ Restart=on-failure
+ User=@SSSD_USER@
+ Group=@SSSD_USER@
+diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
+index 8e7abdb0e8c5ec83f9423c688daf845a16c57e7e..05a9a602b2d27c54a4faa79c58e0ecba90267100 100644
+--- a/src/sysv/systemd/sssd-ifp.service.in
++++ b/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,7 +5,8 @@ After=sssd.service
+ BindsTo=sssd.service
+
+ [Service]
++Environment=DEBUG_LOGGER=--logger=files
+ Type=dbus
+ BusName=org.freedesktop.sssd.infopipe
+-ExecStart=@ifp_exec_cmd@
++ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
+ @ifp_restart@
+diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
+index 1e2bee12dc3bedd17d41b86f91c9b2b52d985c40..92306f97ec73a775739bfdb4454df14956e5e133 100644
+--- a/src/sysv/systemd/sssd-kcm.service.in
++++
b/src/sysv/systemd/sssd-kcm.service.in
+@@ -6,4 +6,5 @@ Documentation=man:sssd-kcm(5)
+ Also=sssd-kcm.socket
+
+ [Service]
+-ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 --debug-to-files
++Environment=DEBUG_LOGGER=--logger=files
++ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
+index 6a29078d5a36dff229e47bf7ce953e46443ce023..fe771ad0fa99968bb1d42037abf2f960271589b1 100644
+--- a/src/sysv/systemd/sssd-nss.service.in
++++ b/src/sysv/systemd/sssd-nss.service.in
+@@ -9,5 +9,6 @@ RefuseManualStart=true
+ Also=sssd-nss.socket
+
+ [Service]
+-ExecStart=@libexecdir@/sssd/sssd_nss --debug-to-files --socket-activated
++Environment=DEBUG_LOGGER=--logger=files
++ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
+ Restart=on-failure
+diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
+index ffbfdec030ba6d5cf75c989854c27bc46b6983a5..dbd25abc476f579c9d8cce171fdeafa06e567610 100644
+--- a/src/sysv/systemd/sssd-pac.service.in
++++ b/src/sysv/systemd/sssd-pac.service.in
+@@ -9,8 +9,9 @@ RefuseManualStart=true
+ Also=sssd-pac.socket
+
+ [Service]
++Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log
+-ExecStart=@libexecdir@/sssd/sssd_pac --debug-to-files --socket-activated
++ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
+ Restart=on-failure
+ User=@SSSD_USER@
+ Group=@SSSD_USER@
+diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
+index 6dec46f0c5d384c500268dafcd00af894088e0b6..df722d1f3014bf62cc60114c30331424d14f411b 100644
+--- a/src/sysv/systemd/sssd-pam.service.in
++++ b/src/sysv/systemd/sssd-pam.service.in
+@@ -9,8 +9,9 @@ RefuseManualStart=true
+ Also=sssd-pam.socket sssd-pam-priv.socket
+
+ [Service]
++Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=-/bin/chown
@SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log +-ExecStart=@libexecdir@/sssd/sssd_pam --debug-to-files --socket-activated ++ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated + Restart=on-failure + User=@SSSD_USER@ + Group=@SSSD_USER@ +diff --git a/src/sysv/systemd/sssd-secrets.service.in b/src/sysv/systemd/sssd-secrets.service.in +index f45d647677a62900c01c7eb103597f2b1387498c..a7b41e0b16a5fa882546b41047e616fd2140329f 100644 +--- a/src/sysv/systemd/sssd-secrets.service.in ++++ b/src/sysv/systemd/sssd-secrets.service.in +@@ -6,4 +6,5 @@ Documentation=man:sssd-secrets(5) + Also=sssd-secrets.socket + + [Service] +-ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 --debug-to-files ++Environment=DEBUG_LOGGER=--logger=files ++ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 ${DEBUG_LOGGER} +diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in +index 6f233b4854018d79cc0ad9d67d53ebd67a49f7b7..f41249ea0fe19e5044d5d06ba195ab604d8e6a29 100644 +--- a/src/sysv/systemd/sssd-ssh.service.in ++++ b/src/sysv/systemd/sssd-ssh.service.in +@@ -9,8 +9,9 @@ RefuseManualStart=true + Also=sssd-ssh.socket + + [Service] ++Environment=DEBUG_LOGGER=--logger=files + ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log +-ExecStart=@libexecdir@/sssd/sssd_ssh --debug-to-files --socket-activated ++ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated + Restart=on-failure + User=@SSSD_USER@ + Group=@SSSD_USER@ +diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in +index b59bcbcd817c3986d7ee245b1083f90ff5a3775a..da022f768af91e360182fad0ff885fad43ecfdc0 100644 +--- a/src/sysv/systemd/sssd-sudo.service.in ++++ b/src/sysv/systemd/sssd-sudo.service.in +@@ -9,8 +9,9 @@ RefuseManualStart=true + Also=sssd-sudo.socket + + [Service] ++Environment=DEBUG_LOGGER=--logger=files + ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log 
+-ExecStart=@libexecdir@/sssd/sssd_sudo --debug-to-files --socket-activated ++ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated + Restart=on-failure + User=@SSSD_USER@ + Group=@SSSD_USER@ +diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in +index 05cfd3705084dbff8b46fb07e736612612c58b70..cea848fac80303d6fae12dd84316a91dbc60072d 100644 +--- a/src/sysv/systemd/sssd.service.in ++++ b/src/sysv/systemd/sssd.service.in +@@ -5,8 +5,9 @@ Before=systemd-user-sessions.service nss-user-lookup.target + Wants=nss-user-lookup.target + + [Service] ++Environment=DEBUG_LOGGER=--logger=files + EnvironmentFile=-@environment_file@ +-ExecStart=@sbindir@/sssd -i -f ++ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER} + Type=notify + NotifyAccess=main + +-- +2.15.1 + diff --git a/0020-SYSTEMD-Add-environment-file-to-responder-service-fi.patch b/0020-SYSTEMD-Add-environment-file-to-responder-service-fi.patch new file mode 100644 index 0000000..6f860c3 --- /dev/null +++ b/0020-SYSTEMD-Add-environment-file-to-responder-service-fi.patch 
@@ -0,0 +1,106 @@ +From 536c8687921a0afe072bf81fca0bbb618a4c92fc Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Tue, 24 Oct 2017 12:15:48 +0200 +Subject: [PATCH 20/79] SYSTEMD: Add environment file to responder service + files +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Fabiano Fidêncio +--- + src/sysv/systemd/sssd-autofs.service.in | 1 + + src/sysv/systemd/sssd-ifp.service.in | 1 + + src/sysv/systemd/sssd-nss.service.in | 1 + + src/sysv/systemd/sssd-pac.service.in | 1 + + src/sysv/systemd/sssd-pam.service.in | 1 + + src/sysv/systemd/sssd-ssh.service.in | 1 + + src/sysv/systemd/sssd-sudo.service.in | 1 + + 7 files changed, 7 insertions(+) + +diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in +index c2dc254c8f3f56cb6ae4dc481781688aa702b102..7f920ad66a46bb0785c3f947bc26c15d0e370259 100644 +--- a/src/sysv/systemd/sssd-autofs.service.in ++++ b/src/sysv/systemd/sssd-autofs.service.in +@@ -10,6 +10,7 @@ Also=sssd-autofs.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files ++EnvironmentFile=-@environment_file@ + ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log + ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated + Restart=on-failure +diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in +index 05a9a602b2d27c54a4faa79c58e0ecba90267100..f3bf92223ce8847858f57c2bb04b97c858be0ead 100644 +--- a/src/sysv/systemd/sssd-ifp.service.in ++++ b/src/sysv/systemd/sssd-ifp.service.in +@@ -6,6 +6,7 @@ BindsTo=sssd.service + + [Service] + Environment=DEBUG_LOGGER=--logger=files ++EnvironmentFile=-@environment_file@ + Type=dbus + BusName=org.freedesktop.sssd.infopipe + ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER} +diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in +index 
fe771ad0fa99968bb1d42037abf2f960271589b1..c671280f2c8a7f85fd09a72983a21db0c30df3b9 100644 +--- a/src/sysv/systemd/sssd-nss.service.in ++++ b/src/sysv/systemd/sssd-nss.service.in +@@ -10,5 +10,6 @@ Also=sssd-nss.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files ++EnvironmentFile=-@environment_file@ + ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated + Restart=on-failure +diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in +index dbd25abc476f579c9d8cce171fdeafa06e567610..590449b01223fe799eebb12b63229dfb8f2438f9 100644 +--- a/src/sysv/systemd/sssd-pac.service.in ++++ b/src/sysv/systemd/sssd-pac.service.in +@@ -10,6 +10,7 @@ Also=sssd-pac.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files ++EnvironmentFile=-@environment_file@ + ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log + ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated + Restart=on-failure +diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in +index df722d1f3014bf62cc60114c30331424d14f411b..f2e938579c7ef4254bb2e05231bfe83d7e20f395 100644 +--- a/src/sysv/systemd/sssd-pam.service.in ++++ b/src/sysv/systemd/sssd-pam.service.in +@@ -10,6 +10,7 @@ Also=sssd-pam.socket sssd-pam-priv.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files ++EnvironmentFile=-@environment_file@ + ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log + ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated + Restart=on-failure +diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in +index f41249ea0fe19e5044d5d06ba195ab604d8e6a29..1c185466dfa8c13804cc980bbbdbc997d4ebe955 100644 +--- a/src/sysv/systemd/sssd-ssh.service.in ++++ b/src/sysv/systemd/sssd-ssh.service.in +@@ -10,6 +10,7 @@ Also=sssd-ssh.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files ++EnvironmentFile=-@environment_file@ + 
ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log + ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated + Restart=on-failure +diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in +index da022f768af91e360182fad0ff885fad43ecfdc0..f13d88107eccd9e80447390c9c0f8940ae933106 100644 +--- a/src/sysv/systemd/sssd-sudo.service.in ++++ b/src/sysv/systemd/sssd-sudo.service.in +@@ -10,6 +10,7 @@ Also=sssd-sudo.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files ++EnvironmentFile=-@environment_file@ + ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log + ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated + Restart=on-failure +-- +2.15.1 + diff --git a/0021-UTIL-Hide-and-deprecate-parameter-debug-to-files.patch b/0021-UTIL-Hide-and-deprecate-parameter-debug-to-files.patch new file mode 100644 index 0000000..dadccdb --- /dev/null +++ b/0021-UTIL-Hide-and-deprecate-parameter-debug-to-files.patch 
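Review bot: The sssd-sudo.service.in hunk adds `EnvironmentFile=-@environment_file@`, but its ExecStart context line, `ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated`, still lacks `${DEBUG_LOGGER}`, while every other responder unit in this patch passes it and the sudo unit had `--debug-to-files` before the preceding logger patch dropped it. As written, the sudo responder ignores any DEBUG_LOGGER value supplied through the environment file and falls back to the binary's default logger, so sudo-rule lookups would stop landing in the per-service log file the other responders write — an audit gap for exactly the responder where an operator wants the trail. Unless the omission is deliberate, the line should read `ExecStart=@libexecdir@/sssd/sssd_sudo ${DEBUG_LOGGER} --socket-activated`.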
@@ -0,0 +1,46 @@ +From d344095ece6000e7641a9c867c8e00335b8d1ab0 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Tue, 24 Oct 2017 12:07:46 +0200 +Subject: [PATCH 21/79] UTIL: Hide and deprecate parameter --debug-to-files +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Justin Stephenson +Reviewed-by: Fabiano Fidêncio +--- + src/man/sssd.8.xml | 4 ++++ + src/util/debug.h | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml +index 0b725628ff93f48f832140dd5dc15b040a8b179f..f2cbe015b844579af98aebd864770bc651dcf4b1 100644 +--- a/src/man/sssd.8.xml ++++ b/src/man/sssd.8.xml +@@ -90,6 +90,10 @@ + log files are stored in /var/log/sssd and + there are separate log files for every SSSD service and domain. + ++ ++ This option is deprecated. It is replaced by ++ . ++ + + + +diff --git a/src/util/debug.h b/src/util/debug.h +index 4adafb7cfc03f7381c4d03071eb44edad04bee00..09f50cc9f3122f02d8ba2092dfb7ee633332de9b 100644 +--- a/src/util/debug.h ++++ b/src/util/debug.h +@@ -101,7 +101,7 @@ int get_fd_from_debug_file(void); + #define SSSD_DEBUG_OPTS \ + {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, \ + _("Debug level"), NULL}, \ +- {"debug-to-files", 'f', POPT_ARG_NONE, &debug_to_file, 0, \ ++ {"debug-to-files", 'f', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_file, 0, \ + _("Send the debug output to files instead of stderr"), NULL }, \ + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \ + _("Send the debug output to stderr directly."), NULL }, \ +-- +2.15.1 + diff --git a/0023-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch b/0023-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch new file mode 100644 index 0000000..f844b89 --- /dev/null +++ b/0023-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch 
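Review bot: The debug.h hunk hides `--debug-to-files` from `--help` with `POPT_ARGFLAG_DOC_HIDDEN` but leaves it fully functional, and nothing in SSSD_DEBUG_OPTS says why it survives or what supersedes it, so a later reader will not know it is a compatibility shim rather than an undocumented feature. A one-line comment above the entry, `/* deprecated: kept for unit files and scripts still passing -f; use --logger=files */`, carries the man-page statement into the code. The man-page hunk as rendered here reads "It is replaced by ." with no option named, which is probably the XML markup being stripped in this view, but it is worth confirming the built manual actually names the replacement option.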
@@ -0,0 +1,212 @@ +From eafe5f3e981a951c0ff20807a0486cfa62dcc3ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 25 Oct 2017 11:25:09 +0200 +Subject: [PATCH 23/79] LDAP: Bind to the LDAP server also in the auth +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When dealing with id_provider not being the same as auth_provider, SSSD +has to bind the DN of the user which wants to authenticate with the +ldap_default_bind_dn and the password provided by the user. + +In order to do so, the least intrusive way is just by replacing +sdap_connect*() functions by sdap_cli_connect*() functions in the LDAP's +auth module. + +The simple change also allowed us to remove some code that is already +executed as part of sdap_cli_connect*() and some functions had their +names adapted to reflect better their new purpose. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3451 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Sumit Bose +--- + src/providers/ldap/ldap_auth.c | 114 +++++++++-------------------------------- + 1 file changed, 25 insertions(+), 89 deletions(-) + +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 00ddd889b6294e457c13218491547b84f1468266..a3b1480aae4272d2e10f105a1eaf3a5816c3487c 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -619,14 +619,11 @@ struct auth_state { + char *dn; + enum pwexpire pw_expire_type; + void *pw_expire_data; +- +- struct fo_server *srv; + }; + +-static struct tevent_req *auth_get_server(struct tevent_req *req); ++static struct tevent_req *auth_connect_send(struct tevent_req *req); + static void auth_get_dn_done(struct tevent_req *subreq); + static void auth_do_bind(struct tevent_req *req); +-static void auth_resolve_done(struct tevent_req *subreq); + static void auth_connect_done(struct tevent_req *subreq); + static void auth_bind_user_done(struct tevent_req *subreq); + +@@ -659,7 +656,6 @@ 
static struct tevent_req *auth_send(TALLOC_CTX *memctx, + state->ctx = ctx; + state->username = username; + state->authtok = authtok; +- state->srv = NULL; + if (try_chpass_service && ctx->chpass_service != NULL && + ctx->chpass_service->name != NULL) { + state->sdap_service = ctx->chpass_service; +@@ -667,7 +663,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx, + state->sdap_service = ctx->service; + } + +- if (!auth_get_server(req)) goto fail; ++ if (!auth_connect_send(req)) goto fail; + + return req; + +@@ -676,75 +672,37 @@ fail: + return NULL; + } + +-static struct tevent_req *auth_get_server(struct tevent_req *req) ++static struct tevent_req *auth_connect_send(struct tevent_req *req) + { +- struct tevent_req *next_req; ++ struct tevent_req *subreq; + struct auth_state *state = tevent_req_data(req, + struct auth_state); +- +- /* NOTE: this call may cause service->uri to be refreshed +- * with a new valid server. Do not use service->uri before */ +- next_req = be_resolve_server_send(state, +- state->ev, +- state->ctx->be, +- state->sdap_service->name, +- state->srv == NULL ? true : false); +- if (!next_req) { +- DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n"); +- return NULL; +- } +- +- tevent_req_set_callback(next_req, auth_resolve_done, req); +- return next_req; +-} +- +-static void auth_resolve_done(struct tevent_req *subreq) +-{ +- struct tevent_req *req = tevent_req_callback_data(subreq, +- struct tevent_req); +- struct auth_state *state = tevent_req_data(req, +- struct auth_state); +- int ret; + bool use_tls; + +- ret = be_resolve_server_recv(subreq, state, &state->srv); +- talloc_zfree(subreq); +- if (ret) { +- /* all servers have been tried and none +- * was found good, go offline */ +- tevent_req_error(req, ETIMEDOUT); +- return; ++ /* Check for undocumented debugging feature to disable TLS ++ * for authentication. This should never be used in production ++ * for obvious reasons. 
++ */ ++ use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS); ++ if (!use_tls) { ++ sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over " ++ "insecure connection. This should be done " ++ "for debugging purposes only."); + } + +- /* Determine whether we need to use TLS */ +- if (sdap_is_secure_uri(state->ctx->service->uri)) { +- DEBUG(SSSDBG_TRACE_INTERNAL, +- "[%s] is a secure channel. No need to run START_TLS\n", +- state->ctx->service->uri); +- use_tls = false; +- } else { ++ subreq = sdap_cli_connect_send(state, state->ev, state->ctx->opts, ++ state->ctx->be, ++ state->sdap_service, false, ++ use_tls ? CON_TLS_ON : CON_TLS_OFF, false); + +- /* Check for undocumented debugging feature to disable TLS +- * for authentication. This should never be used in production +- * for obvious reasons. +- */ +- use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS); +- if (!use_tls) { +- sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over " +- "insecure connection. 
This should be done " +- "for debugging purposes only."); +- } +- } +- +- subreq = sdap_connect_send(state, state->ev, state->ctx->opts, +- state->sdap_service->uri, +- state->sdap_service->sockaddr, use_tls); +- if (!subreq) { ++ if (subreq == NULL) { + tevent_req_error(req, ENOMEM); +- return; ++ return NULL; + } + + tevent_req_set_callback(subreq, auth_connect_done, req); ++ ++ return subreq; + } + + static void auth_connect_done(struct tevent_req *subreq) +@@ -755,35 +713,13 @@ static void auth_connect_done(struct tevent_req *subreq) + struct auth_state); + int ret; + +- ret = sdap_connect_recv(subreq, state, &state->sh); ++ ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL); + talloc_zfree(subreq); +- if (ret) { +- if (state->srv) { +- /* mark this server as bad if connection failed */ +- be_fo_set_port_status(state->ctx->be, +- state->sdap_service->name, +- state->srv, PORT_NOT_WORKING); +- } +- +- if (auth_get_server(req) == NULL) { ++ if (ret != EOK) { ++ if (auth_connect_send(req) == NULL) { + tevent_req_error(req, ENOMEM); + } + return; +- } else if (state->srv) { +- be_fo_set_port_status(state->ctx->be, state->sdap_service->name, +- state->srv, PORT_WORKING); +- } +- +- /* In case the ID provider is set to proxy, this might be the first +- * LDAP operation at all, so we need to set the connection status +- */ +- if (state->sh->connected == false) { +- ret = sdap_set_connected(state->sh, state->ev); +- if (ret) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot set connected status\n"); +- tevent_req_error(req, ret); +- return; +- } + } + + ret = get_user_dn(state, state->ctx->be->domain, +@@ -870,7 +806,7 @@ static void auth_bind_user_done(struct tevent_req *subreq) + break; + case ETIMEDOUT: + case ERR_NETWORK_IO: +- if (auth_get_server(req) == NULL) { ++ if (auth_connect_send(req) == NULL) { + tevent_req_error(req, ENOMEM); + } + return; +-- +2.15.1 + 
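Review bot: auth_connect_send() now passes `use_tls ? CON_TLS_ON : CON_TLS_OFF` for every connection and drops the old `sdap_is_secure_uri()` check that skipped START_TLS on already-secure URIs, so correct handling of ldaps:// now rests entirely on sdap_cli_connect_send() recognising such URIs itself — presumably it does, since the ID path uses the same call, but a comment at the call such as `/* sdap_cli_connect handles secure URIs and server fail-over itself */` would spare the next reader the same verification. The SSS_LOG_ALERT for SDAP_DISABLE_AUTH_TLS is no longer confined to the non-secure-URI branch and sits in a function that auth_connect_done and auth_bind_user_done re-enter on every fail-over, so a flapping server list now emits one alert per attempt; acceptable for a debug-only knob, but worth a note so log-volume alarms on that message are not mistaken for a new TLS problem. On the positive side, the old code tested the TLS decision against `state->ctx->service->uri` while connecting to `state->sdap_service`, which can differ when the chpass service is in use; the new code consistently uses `state->sdap_service`.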
diff --git a/0001-KCM-Fix-restart-during-after-upgrade.patch b/0024-KCM-Fix-restart-during-after-upgrade.patch
similarity index 93%
rename from 0001-KCM-Fix-restart-during-after-upgrade.patch
rename to 0024-KCM-Fix-restart-during-after-upgrade.patch
index f37fc5a..8f0d619 100644
--- a/0001-KCM-Fix-restart-during-after-upgrade.patch
+++ b/0024-KCM-Fix-restart-during-after-upgrade.patch
@@ -1,7 +1,7 @@
-From 53d1459e9b87196b4f6e327f0f5db4d9229bf541 Mon Sep 17 00:00:00 2001
+From 6010476f08fb52bfcea9c2b10461b0d53ce0860c Mon Sep 17 00:00:00 2001
 From: Lukas Slebodnik
 Date: Fri, 3 Nov 2017 11:43:18 +0100
-Subject: [PATCH] KCM: Fix restart during/after upgrade
+Subject: [PATCH 24/79] KCM: Fix restart during/after upgrade
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -51,5 +51,5 @@ index a7b41e0b16a5fa882546b41047e616fd2140329f..a9756acf8a3c71e861b443259c071338
  [Install]
  Also=sssd-secrets.socket
 --
-2.14.3
+2.15.1
diff --git a/0035-RESP-Add-some-missing-NULL-checks.patch b/0035-RESP-Add-some-missing-NULL-checks.patch
new file mode 100644
index 0000000..0b309dd
--- /dev/null
+++ b/0035-RESP-Add-some-missing-NULL-checks.patch
@@ -0,0 +1,79 @@
+From 6e4b53c819d2cbc0a4e25b9813e24c47ad12febb Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Thu, 9 Nov 2017 13:24:47 +0100
+Subject: [PATCH 35/79] RESP: Add some missing NULL checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Fabiano Fidêncio
+---
+ src/responder/autofs/autofssrv_dp.c | 4 ++++
+ src/responder/common/responder_dp.c | 4 ++++
+ src/responder/common/responder_dp_ssh.c | 4 ++++
+ src/responder/sudo/sudosrv_dp.c | 4 ++++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/src/responder/autofs/autofssrv_dp.c b/src/responder/autofs/autofssrv_dp.c
+index a323d83d9deb4e51180da9ff291044f1b9f64f76..bb8c2a42899b163b7727af778e554a5f55ca2d56 100644
+--- a/src/responder/autofs/autofssrv_dp.c
++++ b/src/responder/autofs/autofssrv_dp.c
+@@ -65,6 +65,10 @@ sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
+ }
+
+ info = talloc_zero(state, struct sss_dp_get_autofs_info);
++ if (info == NULL) {
++ ret = ENOMEM;
++ goto error;
++ }
+ info->fast_reply = fast_reply;
+ info->type = type;
+ info->name = name;
+diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
+index a75a611960801f5f5bdc95f00aea9ab921e8e293..935a36d28d15d1074a0971fe9781474072578b8f 100644
+--- a/src/responder/common/responder_dp.c
++++ b/src/responder/common/responder_dp.c
+@@ -536,6 +536,10 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
+ }
+
+ info = talloc_zero(state, struct sss_dp_account_info);
++ if (info == NULL) {
++ ret = ENOMEM;
++ goto error;
++ }
+ info->fast_reply = fast_reply;
+ info->type = type;
+ info->opt_name = opt_name;
+diff --git a/src/responder/common/responder_dp_ssh.c b/src/responder/common/responder_dp_ssh.c
+index 303ba1568b6230b0d4dfa718e4a7c024ae84d4e9..f78052296f07d3e21d8d4841a58c85fcf178fa1a 100644
+--- a/src/responder/common/responder_dp_ssh.c
++++ b/src/responder/common/responder_dp_ssh.c
+@@ -64,6 +64,10 @@ sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
+ }
+
+ info = talloc_zero(state, struct sss_dp_get_ssh_host_info);
++ if (info == NULL) {
++ ret = ENOMEM;
++ goto error;
++ }
+ info->fast_reply = fast_reply;
+ info->name = name;
+ info->alias = alias;
+diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
+index 3a4a79473ff9915b3845643505d63411585aa262..f8ec8abc26d9710a2bccaadc4f807f963fe35f89 100644
+--- a/src/responder/sudo/sudosrv_dp.c
++++ b/src/responder/sudo/sudosrv_dp.c
+@@ -72,6 +72,10 @@ sss_dp_get_sudoers_send(TALLOC_CTX *mem_ctx,
+ }
+
+ info = talloc_zero(state, struct sss_dp_get_sudoers_info);
++ if (info == NULL) {
++ ret = ENOMEM;
++ goto error;
++ }
+ info->fast_reply = fast_reply;
+ info->type = type;
+ info->name = name;
+--
+2.15.1
+
diff --git a/0036-BUILD-Properly-expand-variables-in-sssd-ifp.service.patch b/0036-BUILD-Properly-expand-variables-in-sssd-ifp.service.patch
new file mode 100644
index 0000000..35e0ec7
--- /dev/null
+++ b/0036-BUILD-Properly-expand-variables-in-sssd-ifp.service.patch
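Review bot: Each of the four added checks jumps to an `error` label that lies outside the hunk, so it is not visible here whether that label releases `req` (talloc_zfree) and returns NULL, or whether `ret` otherwise reaches the caller; the enclosing *_send functions in autofssrv_dp.c, responder_dp.c, responder_dp_ssh.c and sudosrv_dp.c all start before their hunks. Worth confirming, since an `error:` path that frees only `state` but still returns `req` would hand callers a half-initialised request. The allocation failure is also silent: a `DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n");` before `ret = ENOMEM;` would leave a trace in the responder log when this path is ever taken.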
@@ -0,0 +1,50 @@
+From c514089df0e3c357bb8465bca297806b253569e9 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Tue, 7 Nov 2017 17:11:52 +0100
+Subject: [PATCH 36/79] BUILD: Properly expand variables in sssd-ifp.service
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+systemd[1]: [/usr/lib/systemd/system/sssd-ifp.service:9]
+ Path '-@environment_file@' is not absolute, ignoring.
+
+sh-4.2# systemctl cat sssd-ifp.service
+ # /usr/lib/systemd/system/sssd-ifp.service
+[Unit]
+Description=SSSD IFP Service responder
+Documentation=man:sssd-ifp(5)
+After=sssd.service
+BindsTo=sssd.service
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+Type=dbus
+BusName=org.freedesktop.sssd.infopipe
+ExecStart=/usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --dbus-activated ${DEBUG_LOGGER}
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3433
+
+Reviewed-by: Fabiano Fidêncio
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 286ba47e3c421864362717be5258de960efca9f2..bbc90d9bad4d22ca0284ea95281a487d42399c05 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1491,7 +1491,7 @@ EXTRA_DIST += \
+ src/responder/ifp/org.freedesktop.sssd.infopipe.service.in \
+ $(NULL)
+
+-ifp_edit_cmd = $(SED) \
++ifp_edit_cmd = $(edit_cmd) \
+ -e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \
+ -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \
+ -e 's|@ifp_restart[@]|$(ifp_restart)|g'
+--
+2.15.1
+
diff --git a/0037-SYSTEMD-Clean-pid-file-in-corner-cases.patch b/0037-SYSTEMD-Clean-pid-file-in-corner-cases.patch
new file mode 100644
index 0000000..92a9a27
--- /dev/null
+++ b/0037-SYSTEMD-Clean-pid-file-in-corner-cases.patch
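Review bot: Switching ifp_edit_cmd to `$(edit_cmd)` fixes the unexpanded `@environment_file@`, but the failure mode that let it ship is untouched: systemd merely logs "not absolute, ignoring" for a bad `EnvironmentFile=-…` path and the `-` prefix keeps the unit starting, so the next unexpanded token will again go unnoticed until someone reads the journal. A cheap build-time guard in the rule that generates the unit — fail the build if any `@[A-Za-z_]*@` token survives in the output, checked with a grep on the generated file — would turn that into a hard error. It is also worth auditing the other `*_edit_cmd` definitions in Makefile.am (outside this hunk) for the same `$(SED)`-instead-of-`$(edit_cmd)` mistake, since only the ifp one is fixed here.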
@@ -0,0 +1,38 @@
+From 8d1779240b4b193ecdc7ff8601def88a95cd7d47 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Wed, 8 Nov 2017 14:09:36 +0100
+Subject: [PATCH 37/79] SYSTEMD: Clean pid file in corner cases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+SSSD can cleanup pid file in case of standard stopping of daemon.
+It's done in function monitor_cleanup. However monitor does not have a
+change to cleanup file in case of OOM or sending SIGKILL to monitor.
+
+Even though PIDFile is not necessary for services with Type notify
+we should let systemd to clean this file in unexpected situations.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3528
+
+Reviewed-by: Fabiano Fidêncio
+---
+ src/sysv/systemd/sssd.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
+index cea848fac80303d6fae12dd84316a91dbc60072d..0c515d34caaa3ea397c4c7e95eef0188df170840 100644
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -10,6 +10,7 @@ EnvironmentFile=-@environment_file@
+ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
+ Type=notify
+ NotifyAccess=main
++PIDFile=@localstatedir@/run/sssd.pid
+
+ [Install]
+ WantedBy=multi-user.target
+--
+2.15.1
+
diff --git a/0038-CHILD-Pass-information-about-logger-to-children.patch b/0038-CHILD-Pass-information-about-logger-to-children.patch
new file mode 100644
index 0000000..707f7d1
--- /dev/null
+++ b/0038-CHILD-Pass-information-about-logger-to-children.patch
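Review bot: `PIDFile=@localstatedir@/run/sssd.pid` lands next to `Type=notify` with no comment, and the commit message's rationale (cleanup after OOM-kill or SIGKILL, not readiness) does not travel with the unit file, so a later reader will reasonably take it for a leftover from a Type=forking setup. A one-line comment above it, `# Not used for readiness (Type=notify); lets systemd remove a stale pid file after OOM-kill/SIGKILL`, keeps the reason in the file. Two things to verify outside this hunk: that the path matches exactly what the monitor writes (systemd compares the PID it reads against the main process and newer versions validate the file's ownership), and that @localstatedir@/run does not resolve to the legacy /var/run on target platforms, which newer systemd flags with a per-start warning.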
@@ -0,0 +1,197 @@ +From 9ff9b0e5f6599d178d374753d7fbc99e7258ca4c Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Wed, 8 Nov 2017 08:13:02 +0100 +Subject: [PATCH 38/79] CHILD: Pass information about logger to children +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Variables debug_to_file or debug_to_stderr were not set +because back-end already user parameter --logger=%s. +And therefore logs were not sent to files. + +It could only work in case of direct usage of --debug-to-files in back-end via +command configuration option. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3433 + +Reviewed-by: Fabiano Fidêncio +--- + src/p11_child/p11_child_nss.c | 4 +++- + src/providers/ad/ad_gpo_child.c | 3 ++- + src/providers/ipa/selinux_child.c | 3 ++- + src/providers/krb5/krb5_child.c | 3 ++- + src/providers/ldap/ldap_child.c | 3 ++- + src/util/child_common.c | 24 ++++++++++-------------- + 6 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c +index e7dbcb689220d1cd2585fbde5f26e84f8fa15cc2..b0ec69be321c4b4186ce851c07bfcc3e1afe9694 100644 +--- a/src/p11_child/p11_child_nss.c ++++ b/src/p11_child/p11_child_nss.c +@@ -537,7 +537,7 @@ int main(int argc, const char *argv[]) + int opt; + poptContext pc; + int debug_fd = -1; +- char *opt_logger = NULL; ++ const char *opt_logger = NULL; + errno_t ret; + TALLOC_CTX *main_ctx = NULL; + char *cert; +@@ -673,7 +673,9 @@ int main(int argc, const char *argv[]) + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } ++ opt_logger = sss_logger_str[FILES_LOGGER]; + } ++ + sss_set_logger(opt_logger); + + DEBUG(SSSDBG_TRACE_FUNC, "p11_child started.\n"); +diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c +index 5375cc691e8649c289672b74c4bfe5266c8222c9..a0bd6e13a31fe0f92924d49302d1b8b17bac4d67 100644 +--- a/src/providers/ad/ad_gpo_child.c ++++ 
b/src/providers/ad/ad_gpo_child.c +@@ -687,7 +687,7 @@ main(int argc, const char *argv[]) + int opt; + poptContext pc; + int debug_fd = -1; +- char *opt_logger = NULL; ++ const char *opt_logger = NULL; + errno_t ret; + int sysvol_gpt_version; + int result; +@@ -744,6 +744,7 @@ main(int argc, const char *argv[]) + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } ++ opt_logger = sss_logger_str[FILES_LOGGER]; + } + + sss_set_logger(opt_logger); +diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c +index 120492686963241b7e419413f489cc38953e32f2..a7e20f715626d0f3ecef7cc06f3de5d44b6a15c1 100644 +--- a/src/providers/ipa/selinux_child.c ++++ b/src/providers/ipa/selinux_child.c +@@ -206,7 +206,7 @@ int main(int argc, const char *argv[]) + struct response *resp = NULL; + ssize_t written; + bool needs_update; +- char *opt_logger = NULL; ++ const char *opt_logger = NULL; + + struct poptOption long_options[] = { + POPT_AUTOHELP +@@ -254,6 +254,7 @@ int main(int argc, const char *argv[]) + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } ++ opt_logger = sss_logger_str[FILES_LOGGER]; + } + + sss_set_logger(opt_logger); +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index b44f3a20f1c0725304a37620d36f8872cf9ca5d7..7ee6c34eb1f8b78d5a6fd7b6f87996e3c9572d4f 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -3020,7 +3020,7 @@ int main(int argc, const char *argv[]) + int opt; + poptContext pc; + int debug_fd = -1; +- char *opt_logger = NULL; ++ const char *opt_logger = NULL; + errno_t ret; + krb5_error_code kerr; + uid_t fast_uid; +@@ -3097,6 +3097,7 @@ int main(int argc, const char *argv[]) + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } ++ opt_logger = sss_logger_str[FILES_LOGGER]; + } + + sss_set_logger(opt_logger); +diff --git a/src/providers/ldap/ldap_child.c 
b/src/providers/ldap/ldap_child.c +index baeed239db5dc7ffa482edcbc155f25f718c8249..c0618d6d8828f102c32cf56731995e2b370590e7 100644 +--- a/src/providers/ldap/ldap_child.c ++++ b/src/providers/ldap/ldap_child.c +@@ -599,7 +599,7 @@ int main(int argc, const char *argv[]) + int kerr; + int opt; + int debug_fd = -1; +- char *opt_logger = NULL; ++ const char *opt_logger = NULL; + poptContext pc; + TALLOC_CTX *main_ctx = NULL; + uint8_t *buf = NULL; +@@ -657,6 +657,7 @@ int main(int argc, const char *argv[]) + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } ++ opt_logger = sss_logger_str[FILES_LOGGER]; + } + + sss_set_logger(opt_logger); +diff --git a/src/util/child_common.c b/src/util/child_common.c +index dc070f26446305e07cbb34edd1e4d72db72aedc5..203c115f9e7c4ecc2178b5660473d4f960fbbb6d 100644 +--- a/src/util/child_common.c ++++ b/src/util/child_common.c +@@ -630,14 +630,11 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx, + } + + /* Save the current state in case an interrupt changes it */ +- bool child_debug_to_file = debug_to_file; + bool child_debug_timestamps = debug_timestamps; + bool child_debug_microseconds = debug_microseconds; +- bool child_debug_stderr = debug_to_stderr; + + if (!extra_args_only) { +- if (child_debug_to_file) argc++; +- if (child_debug_stderr) argc++; ++ argc++; + } + + if (extra_argv) { +@@ -675,21 +672,20 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx, + goto fail; + } + +- if (child_debug_stderr) { +- argv[--argc] = talloc_strdup(argv, "--logger=stderr"); +- if (argv[argc] == NULL) { +- ret = ENOMEM; +- goto fail; +- } +- } +- +- if (child_debug_to_file) { ++ if (sss_logger == FILES_LOGGER) { + argv[--argc] = talloc_asprintf(argv, "--debug-fd=%d", + child_debug_fd); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; + } ++ } else { ++ argv[--argc] = talloc_asprintf(argv, "--logger=%s", ++ sss_logger_str[sss_logger]); ++ if (argv[argc] == NULL) { ++ ret = ENOMEM; ++ goto fail; 
++ }
+ }
+
+ argv[--argc] = talloc_asprintf(argv, "--debug-timestamps=%d",
+@@ -816,7 +812,7 @@ errno_t child_debug_init(const char *logfile, int *debug_fd)
+ return EOK;
+ }
+
+- if (debug_to_file != 0 && *debug_fd == -1) {
++ if (sss_logger == FILES_LOGGER && *debug_fd == -1) {
+ ret = open_debug_file_ex(logfile, &debug_filep, false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) [%s]\n",
+--
+2.15.1
+
diff --git a/0039-TOOLS-Double-quote-array-expansions-in-sss_debugleve.patch b/0039-TOOLS-Double-quote-array-expansions-in-sss_debugleve.patch
new file mode 100644
index 0000000..61e18c3
--- /dev/null
+++ b/0039-TOOLS-Double-quote-array-expansions-in-sss_debugleve.patch
@@ -0,0 +1,33 @@
+From 6d15db05c0975fed2b18cc52056fa29aedec823c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Tue, 7 Nov 2017 09:09:55 +0100
+Subject: [PATCH 39/79] TOOLS: Double quote array expansions in sss_debuglevel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise they're like $* and break on spaces.
+
+This issue has been caught by coverity:
+ Defect type: SHELLCHECK_WARNING
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Lukáš Slebodník
+---
+ src/tools/wrappers/sss_debuglevel.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/wrappers/sss_debuglevel.in b/src/tools/wrappers/sss_debuglevel.in
+index 4deeafff6bf472dbe63578f57bfacee7b774d09f..aa19f790a26c67186123c87675d527f403b06264 100644
+--- a/src/tools/wrappers/sss_debuglevel.in
++++ b/src/tools/wrappers/sss_debuglevel.in
+@@ -1,4 +1,4 @@
+ #!/bin/sh
+ sbindir=@sbindir@
+ echo "Redirecting to $sbindir/sssctl debug-level" >&2
+-$sbindir/sssctl debug-level $@
++$sbindir/sssctl debug-level "$@"
+--
+2.15.1
+
diff --git a/0040-TOOLS-Call-exec-for-sss_debuglevel.patch b/0040-TOOLS-Call-exec-for-sss_debuglevel.patch
new file mode 100644
index 0000000..34f476b
--- /dev/null
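Review bot: In prepare_child_argv the removed `child_debug_to_file`/`child_debug_stderr` locals existed, per the surviving comment, to "save the current state in case an interrupt changes it", yet the replacement reads the global `sss_logger` twice — once in `if (sss_logger == FILES_LOGGER)` and again in `sss_logger_str[sss_logger]` — with no snapshot, so a change between the two reads would index the string table with a value other than the one the branch tested. Copying it once beside the remaining `child_debug_timestamps` local (`child_logger = sss_logger;`, declared with sss_logger's type) restores the original guarantee. In the five child programs, `opt_logger = sss_logger_str[FILES_LOGGER];` silently overrides any `--logger=` the caller also passed when `--debug-fd` is present; that is consistent with the parent now sending exactly one of the two, but a short comment at each assignment (`/* --debug-fd implies the files logger; overrides --logger */`) would stop someone later passing both and wondering why one is ignored. The enclosing main() functions start outside the hunks.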
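Review bot: Quoting `"$@"` fixes the argument splitting, but `$sbindir/sssctl` on the same line remains an unquoted expansion of the same ShellCheck class (SC2086), and 0040 carries the identical form into `exec $sbindir/sssctl debug-level "$@"`. Because @sbindir@ is substituted at build time the value is normally a plain path, but a build prefix containing spaces would split the command; `exec "$sbindir/sssctl" debug-level "$@"` closes it. The echo line already quotes its use of the variable, so this also makes the script consistent with itself.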
+++ b/0040-TOOLS-Call-exec-for-sss_debuglevel.patch
@@ -0,0 +1,31 @@
+From 58932b42802c93fdfc3eea8cdcdcca4534293941 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Wed, 8 Nov 2017 17:59:15 +0100
+Subject: [PATCH 40/79] TOOLS: Call "exec" for sss_debuglevel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This suggestion came from Lukáš Slebodník. The advantage of calling
+"exec" is to avoid forking another child of the process.
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Lukáš Slebodník
+---
+ src/tools/wrappers/sss_debuglevel.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/wrappers/sss_debuglevel.in b/src/tools/wrappers/sss_debuglevel.in
+index aa19f790a26c67186123c87675d527f403b06264..a55afcddc547dfda4ac0a7e22da5f9f9407fe45f 100644
+--- a/src/tools/wrappers/sss_debuglevel.in
++++ b/src/tools/wrappers/sss_debuglevel.in
+@@ -1,4 +1,4 @@
+ #!/bin/sh
+ sbindir=@sbindir@
+ echo "Redirecting to $sbindir/sssctl debug-level" >&2
+-$sbindir/sssctl debug-level "$@"
++exec $sbindir/sssctl debug-level "$@"
+--
+2.15.1
+
diff --git a/0041-LDAP-Improve-error-treatment-from-sdap_cli_connect-i.patch b/0041-LDAP-Improve-error-treatment-from-sdap_cli_connect-i.patch
new file mode 100644
index 0000000..26e71eb
--- /dev/null
+++ b/0041-LDAP-Improve-error-treatment-from-sdap_cli_connect-i.patch
@@ -0,0 +1,57 @@
+From 1e50148c7eadeff96b96811ede747399628a06c6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Tue, 7 Nov 2017 23:34:42 +0100
+Subject: [PATCH 41/79] LDAP: Improve error treatment from sdap_cli_connect()
+ in ldap_auth
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Because we weren't treating the errors coming from
+sdap_cli_connect_recv() properly we ended up introducing a regression in
+the commit add72860c7, related to offline authentication.
+
+From now on, let's properly treat errors coming from auth_connect_send(),
+which were treated before by going offline when be_resolve_server_recv()
+failed, and propagate ETIMEDOUT to the request, thus going offline and
+allowing offline authentication on those cases.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/3451
+
+Signed-off-by: Fabiano Fidêncio
+Reviewed-by: Sumit Bose
+---
+ src/providers/ldap/ldap_auth.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index a3b1480aae4272d2e10f105a1eaf3a5816c3487c..2e0e2cfd6f8af2bf0c9ad15bd956a55a34777a3c 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -716,8 +716,20 @@ static void auth_connect_done(struct tevent_req *subreq)
+ ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+- if (auth_connect_send(req) == NULL) {
+- tevent_req_error(req, ENOMEM);
++ /* As sdap_cli_connect_recv() returns EIO in case all the servers are
++ * down and we have to go offline, let's treat it accordingly here and
++ * allow the PAM responder to with to offline authentication.
++ *
++ * Unfortunately, there's not much pattern within our code and the way
++ * to indicate we're going down in this part of the code is returning
++ * an ETIMEDOUT.
++ */
++ if (ret == EIO) {
++ tevent_req_error(req, ETIMEDOUT);
++ } else {
++ if (auth_connect_send(req) == NULL) {
++ tevent_req_error(req, ENOMEM);
++ }
+ }
+ return;
+ }
+--
+2.15.1
+
diff --git a/0053-NSS-Use-enum_ctx-as-memory_context-in-_setnetgrent_s.patch b/0053-NSS-Use-enum_ctx-as-memory_context-in-_setnetgrent_s.patch
new file mode 100644
index 0000000..cf2b01c
--- /dev/null
+++ b/0053-NSS-Use-enum_ctx-as-memory_context-in-_setnetgrent_s.patch
@@ -0,0 +1,38 @@
+From 22cc09e379710b29520d5bbc6fdf6ad84473cd43 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 6 Nov 2017 17:03:19 +0100
+Subject: [PATCH 53/79] NSS: Use enum_ctx as memory_context in
+ _setnetgrent_set_timeout()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We've noticed some crashes that happened because enum_ctx is already
+freed, but the timeout handler is still called. In order to avoid that,
+let's remove the timeout handler when enum_ctx is freed at other places.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/3523
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Pavel Březina
+---
+ src/responder/nss/nss_enum.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
+index aa7d8428f37e943a6b5904495c40ad4b8011b767..da844fbced529f606a3e98669fb7b95e0696ce00 100644
+--- a/src/responder/nss/nss_enum.c
++++ b/src/responder/nss/nss_enum.c
+@@ -283,7 +283,7 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
+ timeout = enum_ctx->result[0]->domain->netgroup_timeout;
+
+ tv = tevent_timeval_current_ofs(timeout, 0);
+- te = tevent_add_timer(ev, nss_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
++ te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
+ if (te == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not set up life timer for enumeration object.\n");
+--
+2.15.1
+
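Review bot: The new `else { if (auth_connect_send(req) == NULL) { ... } }` nests a lone `if` inside `else`, where `} else if (auth_connect_send(req) == NULL) {` reads the same and drops a level; a style point only. The new comment also reads `allow the PAM responder to with to offline authentication`, which looks like a typo for `switch to offline authentication`. It would be worth stating in that comment that only EIO (all servers down, per the commit message) is turned into ETIMEDOUT and every other error still re-enters auth_connect_send(), since nothing in the hunk shows what bounds that retry path. auth_connect_done() starts before the hunk.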
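Review bot: The fix rests entirely on talloc ownership — parenting the timer on `enum_ctx` is what makes freeing `enum_ctx` remove the timer — but nothing in the hunk says so, and a later reader could move the parent back to `nss_ctx` without noticing. A comment above the call such as `/* The timer must be owned by enum_ctx so that freeing enum_ctx also removes it; otherwise nss_setnetgrent_timeout() can run on an already freed enum_ctx (upstream#3523). */` records the invariant. nss_setnetgrent_set_timeout() starts before the hunk.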
diff --git a/0054-cache_req-Correction-of-cache_req-debug-string-ID-fo.patch b/0054-cache_req-Correction-of-cache_req-debug-string-ID-fo.patch
new file mode 100644
index 0000000..25b7305
--- /dev/null
+++ b/0054-cache_req-Correction-of-cache_req-debug-string-ID-fo.patch
@@ -0,0 +1,67 @@
+From 5fb2959852b53c6015cbf1cea653365708b379e9 Mon Sep 17 00:00:00 2001
+From: amitkuma
+Date: Tue, 14 Nov 2017 13:59:12 +0530
+Subject: [PATCH 54/79] cache_req: Correction of cache_req debug string ID
+ format
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cache-req debug string representation uses a wrong format
+specifier for by-ID requests.
+data->id (uint32_t) should be replaced with %"PRIu32"
+in cache_req_group_by_id.c, cache_req_object_by_id.c &
+cache_req_user_by_id.c.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3570
+
+Reviewed-by: Lukáš Slebodník
+---
+ src/responder/common/cache_req/plugins/cache_req_group_by_id.c | 2 +-
+ src/responder/common/cache_req/plugins/cache_req_object_by_id.c | 2 +-
+ src/responder/common/cache_req/plugins/cache_req_user_by_id.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+index 5ca64283a781318bc4e4d6920fff989c3f3919b4..121f95abe86d2466aaea69f0fe68dfb33b1fee9e 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
++++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+@@ -31,7 +31,7 @@ cache_req_group_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+ {
+- return talloc_asprintf(mem_ctx, "GID:%d@%s", data->id, domain->name);
++ return talloc_asprintf(mem_ctx, "GID:%"PRIu32"@%s", data->id, domain->name);
+ }
+
+ static errno_t
+diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
+index 339bd4f5fef827acc1aa3c123d041e426d9e4782..4c88e1035b41969703c1c38d740e15516ac0d622 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
++++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
+@@ -31,7 +31,7 @@ cache_req_object_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+ {
+- return talloc_asprintf(mem_ctx, "ID:%d@%s", data->id, domain->name);
++ return talloc_asprintf(mem_ctx, "ID:%"PRIu32"@%s", data->id, domain->name);
+ }
+
+ static errno_t
+diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
+index 913f9be5bcc2dfd074b52cb3b15fb6948826e831..3c25c7631b3da4a829ab577629334a7ee97980da 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
++++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
+@@ -31,7 +31,7 @@ cache_req_user_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+ {
+- return talloc_asprintf(mem_ctx, "UID:%d@%s", data->id, domain->name);
++ return talloc_asprintf(mem_ctx, "UID:%"PRIu32"@%s", data->id, domain->name);
+ }
+
+ static errno_t
+--
+2.15.1
+
diff --git a/0012-TESTS-Order-list-of-entries-in-some-lists.patch b/0055-TESTS-Order-list-of-entries-in-some-lists.patch
similarity index 97%
rename from 0012-TESTS-Order-list-of-entries-in-some-lists.patch
rename to 0055-TESTS-Order-list-of-entries-in-some-lists.patch
index 7011d24..b786019 100644
--- a/0012-TESTS-Order-list-of-entries-in-some-lists.patch
+++ b/0055-TESTS-Order-list-of-entries-in-some-lists.patch
@@ -1,7 +1,7 @@
-From caae0e53e6091806634943699f4398b6a20273b4 Mon Sep 17 00:00:00 2001
+From 0e73859e68b8dc348c2ee1e00a45646d9ac2c63c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michal=20=C5=BDidek?=
 Date: Mon, 13 Nov 2017 16:15:21 +0100
-Subject: [PATCH] TESTS: Order list of entries in some lists
+Subject: [PATCH 55/79] TESTS: Order list of entries in some lists
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
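Review bot: The three new format strings use `PRIu32`, but none of the three files gains an `#include <inttypes.h>` in the hunk; if the macro is not already reachable through the existing includes of these plugins the build breaks, which is worth confirming before merging. The change itself is the right fix — `%d` for a `uint32_t` prints any id above INT32_MAX as a negative number, so the by-ID debug names were misleading for exactly the large ids where a log is most needed.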
@@ -167,5 +167,5 @@ index 0378254b4440b29c3182faf2adde8c3db8a4ce97..dd3eb50f9310ff925734dcf51a669d08
 "three", TEST_GID_OVERRIDE_BASE + 2);
 assert_group_attrs(res->msgs[1], test_ctx->domain, "two",
 --
-2.15.0
+2.15.1
diff --git a/0063-WATCHDOG-Restart-providers-with-SIGUSR2-after-time-d.patch b/0063-WATCHDOG-Restart-providers-with-SIGUSR2-after-time-d.patch
new file mode 100644
index 0000000..882388c
--- /dev/null
+++ b/0063-WATCHDOG-Restart-providers-with-SIGUSR2-after-time-d.patch
@@ -0,0 +1,42 @@
+From 97b56f1ec15a3270cc2e85c9b367e4d38f91ae1a Mon Sep 17 00:00:00 2001
+From: Victor Tapia
+Date: Mon, 16 Oct 2017 09:45:24 +0200
+Subject: [PATCH 63/79] WATCHDOG: Restart providers with SIGUSR2 after time
+ drift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Restarting the providers using the already implemented SIGUSR2 (for
+method .resetOffline, used after netlink detects an interface change)
+when a time drift is detected, ensures that affected connection retries
+(e.g. LDAP) will be rescheduled immediately instead of having to wait
+the time shifted to return to its normal execution.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3285
+
+Reviewed-by: Lukáš Slebodník
+Reviewed-by: Fabiano Fidêncio
+---
+ src/util/util_watchdog.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index 59293db60e4ffbe566f8b17f3f289503e8d9aee6..20a8b896791118c1ae9b5bfe101a539b213497a4 100644
+--- a/src/util/util_watchdog.c
++++ b/src/util/util_watchdog.c
+@@ -160,6 +160,10 @@ static void watchdog_fd_read_handler(struct tevent_context *ev,
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ orderly_shutdown(1);
+ }
++ if (strncmp(debug_prg_name, "sssd[be[", sizeof("sssd[be[") - 1) == 0) {
++ kill(getpid(), SIGUSR2);
++ DEBUG(SSSDBG_IMPORTANT_INFO, "SIGUSR2 sent to %s\n", debug_prg_name);
++ }
+ }
+
+ int setup_watchdog(struct tevent_context *ev, int interval)
+--
+2.15.1
+
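Review bot: The return value of `kill(getpid(), SIGUSR2)` is ignored and the DEBUG line after it reports `SIGUSR2 sent` unconditionally; `if (kill(getpid(), SIGUSR2) != 0) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to send SIGUSR2: %s\n", sss_strerror(errno)); }` keeps the log truthful. Selecting the provider by the `"sssd[be["` prefix of `debug_prg_name` ties this behaviour to the log-name format, so a comment saying that the match relies on the provider's process naming would help whoever next changes it. Whether every process whose name matches also installs a SIGUSR2 handler cannot be seen from this hunk, and watchdog_fd_read_handler() starts before it.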
diff --git a/0064-mmap_cache-make-checks-independent-of-input-size.patch b/0064-mmap_cache-make-checks-independent-of-input-size.patch
new file mode 100644
index 0000000..61f443b
--- /dev/null
+++ b/0064-mmap_cache-make-checks-independent-of-input-size.patch
@@ -0,0 +1,168 @@
+From b70b4099b049b6a2bd85e773dbd81974dee24e05 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 17 Nov 2017 10:51:44 +0100
+Subject: [PATCH 64/79] mmap_cache: make checks independent of input size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently the consistency checks for the mmap_cache payload data on the
+client and the responder side include the length of the input string of
+the current request. Since there might be hash collisions which other
+much longer or much shorter names those checks might fail although there
+is no data corruption.
+
+This patch removes the checks using the length of the input and adds a
+check if the name found in the payload is zero-terminated inside of the
+payload data.
+
+Resolves https://pagure.io/SSSD/sssd/issue/3571
+
+Reviewed-by: Michal Židek
+Reviewed-by: Lukáš Slebodník
+---
+ src/responder/nss/nsssrv_mmap_cache.c | 34 ++++++++++++++++++++++++----------
+ src/sss_client/nss_mc_group.c | 12 ++++++------
+ src/sss_client/nss_mc_initgr.c | 12 +++++++-----
+ src/sss_client/nss_mc_passwd.c | 12 ++++++------
+ 4 files changed, 43 insertions(+), 27 deletions(-)
+
+diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
+index a87ad646f9b741db3eb18680678697032fc420ba..ad5adbce15e50c065d4d16e626be97fd23d06643 100644
+--- a/src/responder/nss/nsssrv_mmap_cache.c
++++ b/src/responder/nss/nsssrv_mmap_cache.c
+@@ -547,18 +547,32 @@ static struct sss_mc_rec *sss_mc_find_record(struct sss_mc_ctx *mcc,
+ return NULL;
+ }
+
++ if (key->len > strs_len) {
++ /* The string cannot be in current record */
++ slot = sss_mc_next_slot_with_hash(rec, hash);
++ continue;
++ }
++
+ safealign_memcpy(&name_ptr, rec->data, sizeof(rel_ptr_t), NULL);
+- if (key->len > strs_len
+- || (name_ptr + key->len) > (strs_offset + strs_len)
+- || (uint8_t *)rec->data + strs_offset + strs_len > max_addr) {
+- DEBUG(SSSDBG_FATAL_FAILURE,
+- "Corrupted fastcache. name_ptr value is %u.\n", name_ptr);
+- sss_mc_save_corrupted(mcc);
+- sss_mmap_cache_reset(mcc);
+- return NULL;
+- }
+-
+ t_key = (char *)rec->data + name_ptr;
++ /* name_ptr must point to some data in the strs/gids area of the data
++ * payload. Since it is a pointer relative to rec->data it must larger
++ * equal strs_offset and must be smaller then strs_offset + strs_len.
++ * Additionally the area must not end outside of the data table and
++ * t_key must be a zero-terminates string. */
++ if (name_ptr < strs_offset
++ || name_ptr >= strs_offset + strs_len
++ || (uint8_t *)rec->data > max_addr
++ || strs_offset > max_addr - (uint8_t *)rec->data
++ || strs_len > max_addr - (uint8_t *)rec->data - strs_offset) {
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "Corrupted fastcache entry at slot %u. "
++ "name_ptr value is %u.\n", slot, name_ptr);
++ sss_mc_save_corrupted(mcc);
++ sss_mmap_cache_reset(mcc);
++ return NULL;
++ }
++
+ if (strcmp(key->str, t_key) == 0) {
+ break;
+ }
+diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
+index ce88d42fdaf4f19e78fc43e187bc28651cdc3c4e..ba582fe55cf3abf90d8e016c82a0bee48608ce78 100644
+--- a/src/sss_client/nss_mc_group.c
++++ b/src/sss_client/nss_mc_group.c
+@@ -148,20 +148,20 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
+ }
+
+ data = (struct sss_mc_grp_data *)rec->data;
++ rec_name = (char *)data + data->name;
+ /* Integrity check
+- * - name_len cannot be longer than all strings
+ * - data->name cannot point outside strings
+ * - all strings must be within copy of record
+- * - size of record must be lower that data table size */
+- if (name_len > data->strs_len
+- || (data->name + name_len) > (strs_offset + data->strs_len)
++ * - record must not end outside data table
++ * - rec_name is a zero-terminated string */
++ if (data->name < strs_offset
++ || data->name >= strs_offset + data->strs_len
+ || data->strs_len > rec->len
+- || rec->len > data_size) {
++ || (uint8_t *) rec + rec->len > gr_mc_ctx.data_table + data_size ) {
+ ret = ENOENT;
+ goto done;
+ }
+
+- rec_name = (char *)data + data->name;
+ if (strcmp(name, rec_name) == 0) {
+ break;
+ }
+diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
+index a77088d849ad3601cb3edb55fc5ea4ae4c52fe38..606f1c7ee2526a15378831d4512e943bac214d0e 100644
+--- a/src/sss_client/nss_mc_initgr.c
++++ b/src/sss_client/nss_mc_initgr.c
+@@ -131,15 +131,17 @@ errno_t sss_nss_mc_initgroups_dyn(const char *name, size_t name_len,
+ data = (struct sss_mc_initgr_data *)rec->data;
+ rec_name = (char *)data + data->name;
+ /* Integrity check
+- * - name_len cannot be longer than all strings or data
++ * - data->name cannot point outside all strings or data
+ * - all data must be within copy of record
+ * - size of record must be lower that data table size
+- * - data->strs cannot point outside strings */
+- if (name_len > data->strs_len
++ * - data->strs cannot point outside strings
++ * - rec_name is a zero-terminated string */
++ if (data->name < data_offset
++ || data->name >= data_offset + data->data_len
+ || data->strs_len > data->data_len
+ || data->data_len > rec->len
+- || rec->len > data_size
+- || (data->strs + name_len) > (data_offset + data->data_len)) {
++ || (uint8_t *) rec + rec->len
++ > initgr_mc_ctx.data_table + data_size ) {
+ ret = ENOENT;
+ goto done;
+ }
+diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
+index 0da7ad0aeece7d38ca34bb3fde64adc898eaf0ae..0bc1237446d3691c8c83aa0fc0cf692d4b336f9e 100644
+--- a/src/sss_client/nss_mc_passwd.c
++++ b/src/sss_client/nss_mc_passwd.c
+@@ -141,20 +141,20 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
+ }
+
+ data = (struct sss_mc_pwd_data *)rec->data;
++ rec_name = (char *)data + data->name;
+ /* Integrity check
+- * - name_len cannot be longer than all strings
+ * - data->name cannot point outside strings
+ * - all strings must be within copy of record
+- * - size of record must be lower that data table size */
+- if (name_len > data->strs_len
+- || (data->name + name_len) > (strs_offset + data->strs_len)
++ * - record must not end outside data table
++ * - rec_name is a zero-terminated string */
++ if (data->name < strs_offset
++ || data->name >= strs_offset + data->strs_len
+ || data->strs_len > rec->len
+- || rec->len > data_size) {
++ || (uint8_t *) rec + rec->len > pw_mc_ctx.data_table + data_size ) {
+ ret = ENOENT;
+ goto done;
+ }
+
+- rec_name = (char *)data + data->name;
+ if (strcmp(name, rec_name) == 0) {
+ break;
+ }
+--
+2.15.1
+
diff --git a/0066-krb5-show-error-message-for-krb5_init_context-failur.patch b/0066-krb5-show-error-message-for-krb5_init_context-failur.patch
new file mode 100644
index 0000000..c8bea80
--- /dev/null
+++ b/0066-krb5-show-error-message-for-krb5_init_context-failur.patch
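Review bot: The responder check in sss_mc_find_record() and the three client checks all gain a comment saying the name is a zero-terminated string, yet no line in the hunk verifies a terminator before `strcmp()` is reached — the new conditions bound `name_ptr`/`data->name` and the record against the table, not the string inside it, so as far as this hunk shows a corrupted entry whose strings area lacks a NUL still lets strcmp() read past the area; the commit message says such a check was added. If termination is guaranteed elsewhere (for instance by how the record is copied out of the table), the comment should say where; otherwise a `strnlen()` bounded by the strs area is needed before the compare. Separately, the new responder comment reads `must larger equal` and `zero-terminates string`, which should be `must be larger than or equal to` and `zero-terminated string`. sss_mc_find_record() and the three client functions all start before their hunks.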
@@ -0,0 +1,187 @@
+From 209caaad9d545aeb601f64854a2ffb978b77c4b1 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 27 Nov 2017 13:45:14 +0100
+Subject: [PATCH 66/79] krb5: show error message for krb5_init_context()
+ failures
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If there are typos in /etc/krb5.conf (or one of the included config
+snippets) krb5_init_context(), the initial call always needed to do any
+other operation with libkrb5, fails because /etc/krb5.conf cannot be
+parsed.
+
+Currently the related debug/syslog messages might be misleading, e.g.
+failed to read keytab. This is because SSSD does not use a global krb5
+context but creates a fresh one for every new request or operation (to
+always use the latest settings from /etc/krb5.conf) and typically there
+is an error message indicating that the related operation failed but not
+giving more details.
+
+Since krb5_init_context() is fundamental for Kerberos support this patch
+tries to add as much details as libkrb5 provides in the logs if the call
+fails.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3586
+
+Reviewed-by: Lukáš Slebodník
+Reviewed-by: Robbie Harwood
+---
+ src/providers/krb5/krb5_ccache.c | 6 +++---
+ src/providers/krb5/krb5_common.c | 2 +-
+ src/providers/ldap/ldap_child.c | 2 +-
+ src/providers/ldap/ldap_common.c | 2 +-
+ src/responder/kcm/kcm.c | 3 ++-
+ src/util/sss_krb5.c | 25 ++++++++++++++++++++++---
+ src/util/sss_krb5.h | 2 ++
+ 7 files changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
+index f9bb25efd4ca3257845c3b157667d21d24299f4a..2e28276b72b6d5961de33c0ceb61774074a92d11 100644
+--- a/src/providers/krb5/krb5_ccache.c
++++ b/src/providers/krb5/krb5_ccache.c
+@@ -299,7 +299,7 @@ static errno_t sss_open_ccache_as_user(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- kerr = krb5_init_context(&cc->context);
++ kerr = sss_krb5_init_context(&cc->context);
+ if (kerr) {
+ ret = EIO;
+ goto done;
+@@ -565,9 +565,9 @@ errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,
+ const char *realm_name;
+ int realm_length;
+
+- kerr = krb5_init_context(&ctx);
++ kerr = sss_krb5_init_context(&ctx);
+ if (kerr != 0) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "krb5_init_context failed.\n");
++ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_init_context failed.\n");
+ goto done;
+ }
+
+diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
+index 0b32da94dd8320d51708e2b7e827b94c472642a6..520e7591ce1b37b4a8dea357b6dd0ec7afd76f58 100644
+--- a/src/providers/krb5/krb5_common.c
++++ b/src/providers/krb5/krb5_common.c
+@@ -106,7 +106,7 @@ static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
+
+ *ccname = NULL;
+
+- ret = krb5_init_context(&ctx);
++ ret = sss_krb5_init_context(&ctx);
+ if (ret) return ret;
+
+ ret = krb5_get_profile(ctx, &p);
+diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
+index c0618d6d8828f102c32cf56731995e2b370590e7..4558fd7c42be03c4472dbf3092ce8044e8ae89d9 100644
+--- a/src/providers/ldap/ldap_child.c
++++ b/src/providers/ldap/ldap_child.c
+@@ -574,7 +574,7 @@ static krb5_error_code privileged_krb5_setup(struct input_buffer *ibuf)
+ krb5_error_code kerr;
+ char *keytab_name;
+
+- kerr = krb5_init_context(&ibuf->context);
++ kerr = sss_krb5_init_context(&ibuf->context);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to init kerberos context\n");
+ return kerr;
+diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
+index 0597e91f7fade47aeb34565597c730ac406e0cfc..4ec36584ad5acc52cf442b015caec80a6a8936da 100644
+--- a/src/providers/ldap/ldap_common.c
++++ b/src/providers/ldap/ldap_common.c
+@@ -364,7 +364,7 @@ sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
+ krb5_error_code krberr;
+ krb5_context context = NULL;
+
+- krberr = krb5_init_context(&context);
++ krberr = sss_krb5_init_context(&context);
+ if (krberr) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
+ goto done;
+diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
+index 358fcc18165dec7b41a7389a3ef22660ac04b4a8..0fc09376888544570ca1bcf8c1ff1ba1d72d5906 100644
+--- a/src/responder/kcm/kcm.c
++++ b/src/responder/kcm/kcm.c
+@@ -28,6 +28,7 @@
+ #include "responder/kcm/kcmsrv_pvt.h"
+ #include "responder/common/responder.h"
+ #include "util/util.h"
++#include "util/sss_krb5.h"
+
+ #define DEFAULT_KCM_FD_LIMIT 2048
+
+@@ -183,7 +184,7 @@ static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
+- kret = krb5_init_context(&kcm_data->k5c);
++ kret = sss_krb5_init_context(&kcm_data->k5c);
+ if (kret != EOK) {
+ talloc_free(kcm_data);
+ return NULL;
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index a702a8b57c55bdb4215edf73731ddeaba156a84f..12660b0dd2e9170108afd54492e7ce30415741cb 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -113,7 +113,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+ return ENOMEM;
+ }
+
+- kerr = krb5_init_context(&krb_ctx);
++ kerr = sss_krb5_init_context(&krb_ctx);
+ if (kerr) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
+ ret = EFAULT;
+@@ -1096,9 +1096,9 @@ bool sss_krb5_realm_has_proxy(const char *realm)
+ return false;
+ }
+
+- kerr = krb5_init_context(&context);
++ kerr = sss_krb5_init_context(&context);
+ if (kerr != 0) {
+- DEBUG(SSSDBG_OP_FAILURE, "krb5_init_context failed.\n");
++ DEBUG(SSSDBG_OP_FAILURE, "sss_krb5_init_context failed.\n");
+ return false;
+ }
+
+@@ -1330,3 +1330,22 @@ krb5_error_code sss_krb5_marshal_princ(krb5_principal princ,
+ }
+ return EOK;
+ }
++
++krb5_error_code sss_krb5_init_context(krb5_context *context)
++{
++ krb5_error_code kerr;
++ const char *msg;
++
++ kerr = krb5_init_context(context);
++ if (kerr != 0) {
++ /* It is safe to call (sss_)krb5_get_error_message() with NULL as first
++ * argument. */
++ msg = sss_krb5_get_error_message(NULL, kerr);
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "Failed to init kerberos context [%s]\n", msg);
++ sss_log(SSS_LOG_CRIT, "Failed to init kerberos context [%s]\n", msg);
++ sss_krb5_free_error_message(NULL, msg);
++ }
++
++ return kerr;
++}
+diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
+index 0d9043be98749b1a21a1b74c68f07298fa27f230..423951443c8c512211b1e894c41f1c8891be479f 100644
+--- a/src/util/sss_krb5.h
++++ b/src/util/sss_krb5.h
+@@ -195,4 +195,6 @@ krb5_error_code sss_krb5_unmarshal_princ(TALLOC_CTX *mem_ctx,
+ struct sss_iobuf *iobuf,
+ krb5_principal *_princ);
+
++krb5_error_code sss_krb5_init_context(krb5_context *context);
++
+ #endif /* __SSS_KRB5_H__ */
+--
+2.15.1
+
diff --git a/0067-responder-Fix-talloc-hierarchy-in-sized_output_name.patch b/0067-responder-Fix-talloc-hierarchy-in-sized_output_name.patch
new file mode 100644
index 0000000..a819eb4
--- /dev/null
+++ b/0067-responder-Fix-talloc-hierarchy-in-sized_output_name.patch
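Review bot: The new sss_krb5_init_context() writes an SSS_LOG_CRIT syslog line on every failure, and the commit message states that SSSD creates a fresh krb5 context for every request, so one typo in /etc/krb5.conf would yield one syslog entry per request for as long as the misconfiguration lasts; logging to syslog only on the first failure (or rate-limiting it) while keeping the DEBUG line unconditional would give the same diagnostic without the flood. The wrapper is also declared in sss_krb5.h without a comment; `/* krb5_init_context() plus DEBUG and syslog output of the libkrb5 error message on failure; the krb5 error code is returned unchanged. */` above the declaration states the contract. The callers of the wrapper in this hunk are all one-line substitutions inside functions that start before their hunks.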
@@ -0,0 +1,58 @@
+From ddff278e709a2aa882f2d8d64c263cddc3a93a2c Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Tue, 28 Nov 2017 12:19:54 +0100
+Subject: [PATCH 67/79] responder: Fix talloc hierarchy in sized_output_name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sized_output_name was a called with NULL context in
+memcache_delete_entry but returned data from sized_output_name
+didn't have proper talloc hierarchy and we could not release all
+all returned data.
+
+==00:01:01:29.871 10088== 934,414 bytes in 8,731 blocks are definitely lost in loss record 121 of 121
+==00:01:01:29.871 10088== at 0x4C29BE3: malloc (vg_replace_malloc.c:299)
+==00:01:01:29.871 10088== by 0x8FF4EAB: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.9)
+==00:01:01:29.871 10088== by 0x52933B9: sss_output_name (usertools.c:808)
+==00:01:01:29.871 10088== by 0x5293550: sss_output_fqname (usertools.c:863)
+==00:01:01:29.871 10088== by 0x1211F9: sized_output_name (responder_common.c:1708)
+==00:01:01:29.871 10088== by 0x1137E6: memcache_delete_entry (nss_get_object.c:112)
+==00:01:01:29.871 10088== by 0x113BB6: nss_get_object_done (nss_get_object.c:245)
+==00:01:01:29.871 10088== by 0x8DE5291: _tevent_req_error (in /usr/lib64/libtevent.so.0.9.31)
+==00:01:01:29.871 10088== by 0x1276CE: cache_req_done (cache_req.c:1047)
+==00:01:01:29.871 10088== by 0x8DE5291: _tevent_req_error (in /usr/lib64/libtevent.so.0.9.31)
+==00:01:01:29.871 10088== by 0x126AF6: cache_req_search_domains_done (cache_req.c:607)
+==00:01:01:29.871 10088== by 0x8DE4AB9: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.31)
+==00:01:01:29.871 10088== by 0x8DE9C9C: ??? (in /usr/lib64/libtevent.so.0.9.31)
+==00:01:01:29.871 10088== by 0x8DE82A6: ??? (in /usr/lib64/libtevent.so.0.9.31)
+==00:01:01:29.871 10088== by 0x8DE40CC: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.31)
+==00:01:01:29.871 10088== by 0x8DE42FA: tevent_common_loop_wait (in /usr/lib64/libtevent.so.0.9.31)
+==00:01:01:29.871 10088== by 0x8DE8246: ??? (in /usr/lib64/libtevent.so.0.9.31)
+==00:01:01:29.871 10088== by 0x5291B32: server_loop (server.c:718)
+==00:01:01:29.871 10088== by 0x11004C: main (nsssrv.c:560)
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3588
+
+Reviewed-by: Fabiano Fidêncio
+---
+ src/responder/common/responder_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
+index 6b4d2d9e5936c79944b6f883e9fe46fd03ff32f6..e1100ce4b1eaae8bc561246699dc9bacc96133c8 100644
+--- a/src/responder/common/responder_common.c
++++ b/src/responder/common/responder_common.c
+@@ -1815,7 +1815,7 @@ int sized_output_name(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- ret = sss_output_fqname(mem_ctx, name_dom, orig_name,
++ ret = sss_output_fqname(name, name_dom, orig_name,
+ rctx->override_space, &name_str);
+ if (ret != EOK) {
+ goto done;
+--
+2.15.1
+
diff --git a/0068-test_responder-Check-memory-leak-in-sized_output_nam.patch b/0068-test_responder-Check-memory-leak-in-sized_output_nam.patch
new file mode 100644
index 0000000..2b2ede3
--- /dev/null
+++ b/0068-test_responder-Check-memory-leak-in-sized_output_nam.patch
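Review bot: The one-line fix moves `name_str`'s allocation under `name` instead of `mem_ctx`, which is what lets a caller release everything through the returned object, but nothing near the call records why; a comment such as `/* name_str must hang off the returned sized_string rather than mem_ctx: callers that pass a NULL mem_ctx (memcache_delete_entry) can only release it through the result (upstream#3588). */` keeps the parent from being switched back. sized_output_name() starts before the hunk, so where `name` is allocated and that it is the value handed back through the out-parameter is inferred from the commit message, not visible here.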
@@ -0,0 +1,57 @@
+From 878fa7d0d4a3c9de1e813a550c5968153faae0a9 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Tue, 28 Nov 2017 12:20:26 +0100
+Subject: [PATCH 68/79] test_responder: Check memory leak in sized_output_name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3588
+
+Reviewed-by: Fabiano Fidêncio
+---
+ src/tests/cmocka/test_responder_common.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
+index fb7e4ee500570319999e6e85ee14a05cddea8de3..5441167caeb284982ee76926117da029966ec997 100644
+--- a/src/tests/cmocka/test_responder_common.c
++++ b/src/tests/cmocka/test_responder_common.c
+@@ -316,6 +316,23 @@ void test_schedule_get_domains_task(void **state)
+ talloc_free(dummy_ncache_ptr);
+ }
+
++void test_sss_output_fqname(void **state)
++{
++ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
++ struct parse_inp_test_ctx);
++ errno_t ret;
++ struct sized_string *res = NULL;
++
++ ret = sized_output_name(parse_inp_ctx, parse_inp_ctx->rctx, "dummy",
++ parse_inp_ctx->tctx->dom, &res);
++ assert_int_equal(ret, EOK);
++ assert_non_null(res);
++ assert_string_equal("dummy", res->str);
++ assert_int_equal(6, res->len);
++
++ talloc_zfree(res);
++}
++
+ int main(int argc, const char *argv[])
+ {
+ int rv;
+@@ -346,6 +363,9 @@ int main(int argc, const char *argv[])
+ cmocka_unit_test_setup_teardown(test_schedule_get_domains_task,
+ parse_inp_test_setup,
+ parse_inp_test_teardown),
++ cmocka_unit_test_setup_teardown(test_sss_output_fqname,
++ parse_inp_test_setup,
++ parse_inp_test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
+--
+2.15.1
+
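Review bot: The new test is named `test_sss_output_fqname` but the function it calls is `sized_output_name()`; `void test_sized_output_name(void **state)` plus the matching entry in the cmocka list would make a failure report name the function under test. The leak detection the test exists for depends on the harness checking that nothing outlives `talloc_zfree(res)`, which is outside the hunk, so a one-line comment such as `/* Leak check: everything sized_output_name() allocates must be reachable from res (upstream#3588). */` explains why the test frees the result itself instead of leaving it to teardown.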
diff --git a/0069-UTIL-add-find_domain_by_object_name_ex.patch b/0069-UTIL-add-find_domain_by_object_name_ex.patch
new file mode 100644
index 0000000..e94d73a
--- /dev/null
+++ b/0069-UTIL-add-find_domain_by_object_name_ex.patch
@@ -0,0 +1,81 @@
+From 8b98ab849993ddd2bddbe475f443fbee24081c1a Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 20 Nov 2017 12:08:30 +0100
+Subject: [PATCH 69/79] UTIL: add find_domain_by_object_name_ex()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The _ex version of find_domain_by_object_name() has a additional option
+'strict'. If set to 'true' NULL is return instead to domain from the
+first argument. This way the caller can see if the provider object name
+really contains a known domain.
+
+Related to https://pagure.io/SSSD/sssd/issue/3579
+
+Reviewed-by: Fabiano Fidêncio
+---
+ src/util/domain_info_utils.c | 17 ++++++++++++++---
+ src/util/util.h | 4 ++++
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index 3a3f5130a32e2c5fe4b81819bf2de697a4474111..66077092a40111967a98b0937506d9e4472f50d5 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -174,8 +174,8 @@ sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
+ }
+
+ struct sss_domain_info *
+-find_domain_by_object_name(struct sss_domain_info *domain,
+- const char *object_name)
++find_domain_by_object_name_ex(struct sss_domain_info *domain,
++ const char *object_name, bool strict)
+ {
+ TALLOC_CTX *tmp_ctx;
+ struct sss_domain_info *dom = NULL;
+@@ -197,7 +197,11 @@ find_domain_by_object_name(struct sss_domain_info *domain,
+ }
+
+ if (domainname == NULL) {
+- dom = domain;
++ if (strict) {
++ dom = NULL;
++ } else {
++ dom = domain;
++ }
+ } else {
+ dom = find_domain_by_name(domain, domainname, true);
+ }
+@@ -207,6 +211,13 @@ done:
+ return dom;
+ }
+
++struct sss_domain_info *
++find_domain_by_object_name(struct sss_domain_info *domain,
++ const char *object_name)
++{
++ return find_domain_by_object_name_ex(domain, object_name, false);
++}
++
+ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ const char *domain_name,
+diff --git a/src/util/util.h b/src/util/util.h
+index 37383011763a9a2a3c2c066215e3ed94aca77308..2521b1789b0b8701b1fbcce33890eedb7fe18d5e 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -551,6 +551,10 @@ struct sss_domain_info *
+ find_domain_by_object_name(struct sss_domain_info *domain,
+ const char *object_name);
+
++struct sss_domain_info *
++find_domain_by_object_name_ex(struct sss_domain_info *domain,
++ const char *object_name, bool strict);
++
+ bool subdomain_enumerates(struct sss_domain_info *parent,
+ const char *sd_name);
+
+--
+2.15.1
+
diff --git a/0070-ipa-handle-users-from-different-domains-in-ipa_resol.patch b/0070-ipa-handle-users-from-different-domains-in-ipa_resol.patch
new file mode 100644
index 0000000..e7b7f1c
--- /dev/null
+++ b/0070-ipa-handle-users-from-different-domains-in-ipa_resol.patch
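Review bot: The new declaration in util.h says nothing about what `strict` does; the only description is the commit text (`NULL is return instead to domain`), so a comment above the prototype such as `/* Like find_domain_by_object_name(), but with strict=true returns NULL when object_name carries no domain part instead of falling back to the domain argument. */` gives callers the contract. In domain_info_utils.c that comment belongs on the _ex function itself, since the retained find_domain_by_object_name() now only forwards with `false`. Whether `bool` is already in scope for util.h cannot be seen from the hunk, but the neighbouring subdomain_enumerates() prototype returns bool, so it presumably is.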
@@ -0,0 +1,75 @@ +From 2029b7b32c868dd5ad33dcc9b078d362ee9bb602 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 20 Nov 2017 12:04:50 +0100 +Subject: [PATCH 70/79] ipa: handle users from different domains in + ipa_resolve_user_list_send() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of assuming that all users in the list can be found in the +provided domain with this patch the domain name part of the user name is +preferred. The provided domain name is used as a fallback. + +Related to https://pagure.io/SSSD/sssd/issue/3579 + +Reviewed-by: Fabiano Fidêncio +--- + src/providers/ipa/ipa_id.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c +index 5044577f0faa95b19de9233240e92aa60f029774..9a092bc837f762af8d229ff5a7eb4c4ba4b78f2f 100644 +--- a/src/providers/ipa/ipa_id.c ++++ b/src/providers/ipa/ipa_id.c +@@ -63,6 +63,8 @@ struct ipa_resolve_user_list_state { + struct ipa_id_ctx *ipa_ctx; + struct ldb_message_element *users; + const char *domain_name; ++ struct sss_domain_info *domain; ++ struct sss_domain_info *user_domain; + size_t user_idx; + + int dp_error; +@@ -91,6 +93,8 @@ ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev, + state->ev = ev; + state->ipa_ctx = ipa_ctx; + state->domain_name = domain_name; ++ state->domain = find_domain_by_name(state->ipa_ctx->sdap_id_ctx->be->domain, ++ state->domain_name, true); + state->users = users; + state->user_idx = 0; + state->dp_error = DP_ERR_FATAL; +@@ -132,8 +136,17 @@ static errno_t ipa_resolve_user_list_get_user_step(struct tevent_req *req) + + DEBUG(SSSDBG_TRACE_ALL, "Trying to resolve user [%s].\n", ar->filter_value); + +- if (strcasecmp(state->domain_name, +- state->ipa_ctx->sdap_id_ctx->be->domain->name) != 0) { ++ state->user_domain = find_domain_by_object_name_ex( ++ state->ipa_ctx->sdap_id_ctx->be->domain, ++ ar->filter_value, 
true); ++ /* Use provided domain as as fallback is no known domain was found in the ++ * user name. */ ++ if (state->user_domain == NULL) { ++ state->user_domain = state->domain; ++ } ++ ar->domain = state->user_domain->name; ++ ++ if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) { + subreq = ipa_subdomain_account_send(state, state->ev, state->ipa_ctx, + ar); + } else { +@@ -158,8 +171,7 @@ static void ipa_resolve_user_list_get_user_done(struct tevent_req *subreq) + struct ipa_resolve_user_list_state); + int ret; + +- if (strcasecmp(state->domain_name, +- state->ipa_ctx->sdap_id_ctx->be->domain->name) != 0) { ++ if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) { + ret = ipa_subdomain_account_recv(subreq, &state->dp_error); + } else { + ret = ipa_id_get_account_info_recv(subreq, &state->dp_error); +-- +2.15.1 + diff --git a/0071-overrides-fixes-for-sysdb_invalidate_overrides.patch b/0071-overrides-fixes-for-sysdb_invalidate_overrides.patch new file mode 100644 index 0000000..89fdaac --- /dev/null +++ b/0071-overrides-fixes-for-sysdb_invalidate_overrides.patch 
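Review bot: `state->domain` is filled from `find_domain_by_name()` in `ipa_resolve_user_list_send()` without a NULL check, and in `ipa_resolve_user_list_get_user_step()` it is the fallback that is then dereferenced as `state->user_domain->name`; if `domain_name` is not a known domain this is a NULL pointer dereference in the backend, whereas the replaced code only compared strings here and could not crash. Fail the request in `_send` right after the lookup, e.g. `if (state->domain == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Unknown domain [%s].\n", domain_name); ret = EINVAL; goto done; }`, adapted to whatever error path `_send` already has (its tail is outside this hunk). Note also that with `strict` the fallback kicks in for names whose domain part is merely unknown, not only for unqualified names, so `user@unknown` is silently resolved in `domain_name`; a short comment, or rejecting such names, would make that intentional. The comment typo `as as fallback is no known` should read `as fallback if no known`.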
@@ -0,0 +1,202 @@ +From 3edca52d650154bcd784674d631a76512c6c4004 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 20 Nov 2017 15:51:27 +0100 +Subject: [PATCH 71/79] overrides: fixes for sysdb_invalidate_overrides() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There were two issues in sysdb_invalidate_overrides(). + +First, SYSDB_CACHE_EXPIRE was only reset for the entry in the data cache +but not in the timestamp cache. + +Second, if one of the steps in the combined replace and delete operation +failed no change was committed to the cache. If, for whatever reasons, +a user or group object didn't had SYSDB_OVERRIDE_DN set the delete +failed and hence SYSDB_CACHE_EXPIRE wasn't reset as well. To make sure +the cache is in a consistent state after a view change the replace and +the delete operations are don in two steps. + +Related to https://pagure.io/SSSD/sssd/issue/3579 + +Reviewed-by: Fabiano Fidêncio +--- + src/db/sysdb_views.c | 111 +++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 80 insertions(+), 31 deletions(-) + +diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c +index f640c813acf4deafe98eb15708d3a94790502dcb..bcd7dd46168aecdf808ad315175a12cef9ee03dd 100644 +--- a/src/db/sysdb_views.c ++++ b/src/db/sysdb_views.c +@@ -279,6 +279,45 @@ done: + return ret; + } + ++static errno_t invalidate_entry_override(struct sysdb_ctx *sysdb, ++ struct ldb_dn *dn, ++ struct ldb_message *msg_del, ++ struct ldb_message *msg_repl) ++{ ++ int ret; ++ ++ msg_del->dn = dn; ++ msg_repl->dn = dn; ++ ++ ret = ldb_modify(sysdb->ldb, msg_del); ++ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_modify failed: [%s](%d)[%s]\n", ++ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb)); ++ return sysdb_error_to_errno(ret); ++ } ++ ++ ret = ldb_modify(sysdb->ldb, msg_repl); ++ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) { ++ 
DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_modify failed: [%s](%d)[%s]\n", ++ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb)); ++ return sysdb_error_to_errno(ret); ++ } ++ ++ if (sysdb->ldb_ts != NULL) { ++ ret = ldb_modify(sysdb->ldb_ts, msg_repl); ++ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_modify failed: [%s](%d)[%s]\n", ++ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb_ts)); ++ return sysdb_error_to_errno(ret); ++ } ++ } ++ ++ return EOK; ++} ++ + errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb) + { + int ret; +@@ -287,22 +326,23 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb) + bool in_transaction = false; + struct ldb_result *res; + size_t c; +- struct ldb_message *msg; ++ struct ldb_message *msg_del; ++ struct ldb_message *msg_repl; + struct ldb_dn *base_dn; + ++ if (sysdb->ldb_ts == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Timestamp cache context not available, cache might not be " ++ "invalidated completely. 
Please call 'sss_cache -E' or remove " ++ "the cache file if there are issues after a view name change.\n"); ++ } ++ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + +- msg = ldb_msg_new(tmp_ctx); +- if (msg == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n"); +- ret = ENOMEM; +- goto done; +- } +- + base_dn = ldb_dn_new(tmp_ctx, sysdb->ldb, SYSDB_BASE); + if (base_dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed\n"); +@@ -310,27 +350,40 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb) + goto done; + } + +- ret = ldb_msg_add_empty(msg, SYSDB_CACHE_EXPIRE, LDB_FLAG_MOD_REPLACE, ++ msg_del = ldb_msg_new(tmp_ctx); ++ if (msg_del == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ret = ldb_msg_add_empty(msg_del, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, + NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n"); + ret = sysdb_error_to_errno(ret); + goto done; + } +- ret = ldb_msg_add_string(msg, SYSDB_CACHE_EXPIRE, "1"); ++ ++ msg_repl = ldb_msg_new(tmp_ctx); ++ if (msg_repl == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ret = ldb_msg_add_empty(msg_repl, SYSDB_CACHE_EXPIRE, ++ LDB_FLAG_MOD_REPLACE, NULL); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n"); ++ ret = sysdb_error_to_errno(ret); ++ goto done; ++ } ++ ret = ldb_msg_add_string(msg_repl, SYSDB_CACHE_EXPIRE, "1"); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n"); + ret = sysdb_error_to_errno(ret); + goto done; + } + +- ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, NULL); +- if (ret != LDB_SUCCESS) { +- DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n"); +- ret = sysdb_error_to_errno(ret); +- goto done; +- } +- + ret = sysdb_transaction_start(sysdb); + 
if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_transaction_start failed.\n"); +@@ -347,14 +400,12 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb) + } + + for (c = 0; c < res->count; c++) { +- msg->dn = res->msgs[c]->dn; +- +- ret = ldb_modify(sysdb->ldb, msg); +- if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) { ++ ret = invalidate_entry_override(sysdb, res->msgs[c]->dn, msg_del, ++ msg_repl); ++ if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "ldb_modify failed: [%s](%d)[%s]\n", +- ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb)); +- ret = sysdb_error_to_errno(ret); ++ "invalidate_entry_override failed [%d][%s].\n", ++ ret, sss_strerror(ret)); + goto done; + } + } +@@ -370,14 +421,12 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb) + } + + for (c = 0; c < res->count; c++) { +- msg->dn = res->msgs[c]->dn; +- +- ret = ldb_modify(sysdb->ldb, msg); +- if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) { ++ ret = invalidate_entry_override(sysdb, res->msgs[c]->dn, msg_del, ++ msg_repl); ++ if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "ldb_modify failed: [%s](%d)[%s]\n", +- ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb)); +- ret = sysdb_error_to_errno(ret); ++ "invalidate_entry_override failed [%d][%s].\n", ++ ret, sss_strerror(ret)); + goto done; + } + } +-- +2.15.1 + diff --git a/0072-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch b/0072-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch new file mode 100644 index 0000000..2a94c0a --- /dev/null +++ b/0072-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch 
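Review bot: In `invalidate_entry_override()` the timestamp-cache step `ldb_modify(sysdb->ldb_ts, msg_repl)` tolerates only `LDB_ERR_NO_SUCH_ATTRIBUTE`; an entry that exists in the main cache but has no counterpart in `ldb_ts` would return `LDB_ERR_NO_SUCH_OBJECT`, abort the loop and roll back the whole invalidation, which is the same all-or-nothing failure mode the commit message sets out to remove. If such entries can occur (I cannot confirm from here which object types the two searches, outside this hunk, return), accepting it for the `ldb_ts` modify only, `if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE && ret != LDB_ERR_NO_SUCH_OBJECT)`, would keep the main-cache reset effective. Also, the `sysdb->ldb_ts == NULL` case is logged at CRIT_FAILURE while the function still returns EOK, so the caller cannot tell the cache was only partially invalidated; a brief comment stating that this is deliberate would help. Minor: the helper deserves a header comment saying that `msg_del` and `msg_repl` are reused across calls and their `dn` is overwritten on every call.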
@@ -0,0 +1,253 @@ +From afa3e5d8401c529dad9fb6f2e3a3f4c2aa79a977 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 20 Nov 2017 16:12:58 +0100 +Subject: [PATCH 72/79] ipa: check for SYSDB_OVERRIDE_DN in process_members and + get_group_dn_list +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +process_members() and get_group_dn_list() are used on an IPA client to +determine a list of users or groups which are missing in the cache and +are needed to properly add a group or user object to the cache +respectively. + +If a non-default view is assigned to the client the SYSDB_OVERRIDE_DN +must be set for all user and group objects to indicate that it was +already checked if there is an id-override defined for the object or +not. There a circumstances were SYSDB_OVERRIDE_DN is not set, e.g. after +a view name change. To make sure the cache is in a consistent state with +this patch user and group entries without SYSDB_OVERRIDE_DN are +considered as missing is a non-default view is assigned to the client. 
+ +Related to https://pagure.io/SSSD/sssd/issue/3579 + +Reviewed-by: Fabiano Fidêncio +--- + src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++----------------- + 1 file changed, 83 insertions(+), 62 deletions(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 39ed17cbf0e8c523212084197e9f2963fed88dc8..c6132f509dcc8e7af84e03e8bfe20701107d1392 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -1523,6 +1523,7 @@ fail: + } + + static errno_t process_members(struct sss_domain_info *domain, ++ bool is_default_view, + struct sysdb_attrs *group_attrs, + char **members, + TALLOC_CTX *mem_ctx, char ***_missing_members) +@@ -1536,6 +1537,7 @@ static errno_t process_members(struct sss_domain_info *domain, + struct sss_domain_info *parent_domain; + char **missing_members = NULL; + size_t miss_count = 0; ++ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL}; + + if (members == NULL) { + DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n"); +@@ -1572,53 +1574,59 @@ static errno_t process_members(struct sss_domain_info *domain, + goto done; + } + +- ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], NULL, ++ ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs, + &msg); +- if (ret == EOK) { +- if (group_attrs != NULL) { +- dn_str = ldb_dn_get_linearized(msg->dn); +- if (dn_str == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n"); +- ret = EINVAL; +- goto done; +- } +- +- DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n", +- members[c], dn_str); ++ if (ret == EOK || ret == ENOENT) { ++ if (ret == ENOENT ++ || (!is_default_view ++ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN, ++ NULL) == NULL)) { ++ /* only add ghost if the member is really missing */ ++ if (group_attrs != NULL && ret == ENOENT) { ++ DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n", ++ members[c]); + +- ret = sysdb_attrs_add_string_safe(group_attrs, 
SYSDB_MEMBER, +- dn_str); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "sysdb_attrs_add_string_safe failed.\n"); +- goto done; ++ /* There were cases where the server returned the same user ++ * multiple times */ ++ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST, ++ members[c]); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_attrs_add_string failed.\n"); ++ goto done; ++ } + } +- } +- } else if (ret == ENOENT) { +- if (group_attrs != NULL) { +- DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n", +- members[c]); + +- /* There were cases where the server returned the same user +- * multiple times */ +- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST, +- members[c]); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "sysdb_attrs_add_string failed.\n"); +- goto done; ++ if (missing_members != NULL) { ++ missing_members[miss_count] = talloc_strdup(missing_members, ++ members[c]); ++ if (missing_members[miss_count] == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ miss_count++; + } +- } ++ } else { ++ if (group_attrs != NULL) { ++ dn_str = ldb_dn_get_linearized(msg->dn); ++ if (dn_str == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n"); ++ ret = EINVAL; ++ goto done; ++ } ++ ++ DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n", ++ members[c], dn_str); + +- if (missing_members != NULL) { +- missing_members[miss_count] = talloc_strdup(missing_members, +- members[c]); +- if (missing_members[miss_count] == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); +- ret = ENOMEM; +- goto done; ++ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER, ++ dn_str); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_attrs_add_string_safe failed.\n"); ++ goto done; ++ } + } +- miss_count++; + } + } else { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n"); +@@ -1649,6 +1657,7 @@ done: + } + + static errno_t 
get_group_dn_list(TALLOC_CTX *mem_ctx, ++ bool is_default_view, + struct sss_domain_info *dom, + size_t ngroups, char **groups, + struct ldb_dn ***_dn_list, +@@ -1664,6 +1673,7 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx, + size_t n_missing = 0; + struct sss_domain_info *obj_domain; + struct sss_domain_info *parent_domain; ++ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL}; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { +@@ -1689,25 +1699,31 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], NULL, ++ ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], attrs, + &msg); +- if (ret == EOK) { +- dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn); +- if (dn_list[n_dns] == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n"); +- ret = ENOMEM; +- goto done; ++ if (ret == EOK || ret == ENOENT) { ++ if (ret == ENOENT ++ || (!is_default_view ++ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN, ++ NULL) == NULL)) { ++ missing_groups[n_missing] = talloc_strdup(missing_groups, ++ groups[c]); ++ if (missing_groups[n_missing] == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ n_missing++; ++ ++ } else { ++ dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn); ++ if (dn_list[n_dns] == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ n_dns++; + } +- n_dns++; +- } else if (ret == ENOENT) { +- missing_groups[n_missing] = talloc_strdup(missing_groups, +- groups[c]); +- if (missing_groups[n_missing] == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); +- ret = ENOMEM; +- goto done; +- } +- n_missing++; + } else { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed.\n"); + goto done; +@@ -1803,7 +1819,9 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq) + } + + +- ret = get_group_dn_list(state, state->dom, 
++ ret = get_group_dn_list(state, ++ is_default_view(state->ipa_ctx->view_name), ++ state->dom, + attrs->ngroups, attrs->groups, + &group_dn_list, &missing_list); + if (ret != EOK) { +@@ -1832,8 +1850,10 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq) + } + break; + } else if (attrs->response_type == RESP_GROUP_MEMBERS) { +- ret = process_members(state->dom, NULL, attrs->a.group.gr_mem, +- state, &missing_list); ++ ret = process_members(state->dom, ++ is_default_view(state->ipa_ctx->view_name), ++ NULL, attrs->a.group.gr_mem, state, ++ &missing_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n"); + goto done; +@@ -2572,8 +2592,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + } + } + +- ret = process_members(dom, attrs->sysdb_attrs, +- attrs->a.group.gr_mem, NULL, NULL); ++ ret = process_members(dom, is_default_view(view_name), ++ attrs->sysdb_attrs, attrs->a.group.gr_mem, ++ NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n"); + goto done; +-- +2.15.1 + diff --git a/0073-IPA-use-cache-searches-in-get_groups_dns.patch b/0073-IPA-use-cache-searches-in-get_groups_dns.patch new file mode 100644 index 0000000..7cd8d7a --- /dev/null +++ b/0073-IPA-use-cache-searches-in-get_groups_dns.patch 
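Review bot: In `process_members()` a cached user that exists but lacks `SYSDB_OVERRIDE_DN` under a non-default view is now recorded neither as `SYSDB_MEMBER` nor as `SYSDB_GHOST`; at the `ipa_s2n_save_objects()` call site it is passed with `missing_members == NULL`, so if that member was not re-fetched beforehand (or the re-fetch did not set the override DN) the membership is silently dropped from the saved group. Please state the expectation in a comment next to `only add ghost if the member is really missing`, e.g. `/* Entries without SYSDB_OVERRIDE_DN under a non-default view are reported as missing so the caller re-fetches them; they are deliberately added neither as members nor as ghosts here. */`. As a matter of style, the predicate `ret == ENOENT || (!is_default_view && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN, NULL) == NULL)` is duplicated verbatim in `get_group_dn_list()`; a small `static bool` helper would keep the two in step. The bodies of both functions extend beyond the hunks shown.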
@@ -0,0 +1,69 @@ +From d1d62630e1d1c6a88fe4bf8612cb4f9a2fff7181 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 20 Nov 2017 16:41:29 +0100 +Subject: [PATCH 73/79] IPA: use cache searches in get_groups_dns() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the group name is overridden in the default view we have to search +for the name and cannot construct it because the extdom plugin will +return the overridden name but the DN of the related group object in the +cache will contain the original name. + +Related to https://pagure.io/SSSD/sssd/issue/3579 + +Reviewed-by: Fabiano Fidêncio +--- + src/providers/ipa/ipa_s2n_exop.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index c6132f509dcc8e7af84e03e8bfe20701107d1392..49c393e9a1eb19ab683949cf633a6838274bc0fe 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -2038,6 +2038,7 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + int c; + struct sss_domain_info *root_domain; + char **dn_list; ++ struct ldb_message *msg; + + if (name_list == NULL) { + *_dn_list = NULL; +@@ -2082,15 +2083,25 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + goto done; + } + +- /* This might fail if some unexpected cases are used. But current +- * sysdb code which handles group membership constructs DNs this way +- * as well, IPA names are lowercased and AD names by default will be +- * lowercased as well. If there are really use-cases which cause an +- * issue here, sysdb_group_strdn() has to be replaced by a proper +- * search. 
*/ +- dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]); ++ /* If the group name is overridden in the default view we have to ++ * search for the name and cannot construct it because the extdom ++ * plugin will return the overridden name but the DN of the related ++ * group object in the cache will contain the original name. */ ++ ++ ret = sysdb_search_group_by_name(tmp_ctx, dom, name_list[c], NULL, ++ &msg); ++ if (ret == EOK) { ++ dn_list[c] = ldb_dn_alloc_linearized(dn_list, msg->dn); ++ } else { ++ /* best effort, try to construct the DN */ ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "sysdb_search_group_by_name failed with [%d], " ++ "generating DN for [%s] in domain [%s].\n", ++ ret, name_list[c], dom->name); ++ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]); ++ } + if (dn_list[c] == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n"); ++ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_alloc_linearized failed.\n"); + ret = ENOMEM; + goto done; + } +-- +2.15.1 + diff --git a/0074-ipa-compare-DNs-instead-of-group-names-in-ipa_s2n_sa.patch b/0074-ipa-compare-DNs-instead-of-group-names-in-ipa_s2n_sa.patch new file mode 100644 index 0000000..1f087be --- /dev/null +++ b/0074-ipa-compare-DNs-instead-of-group-names-in-ipa_s2n_sa.patch 
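Review bot: The fallback in `get_groups_dns()` constructs a DN for every non-EOK return of `sysdb_search_group_by_name()`, so a genuine cache error (anything other than ENOENT) degrades to a guessed DN instead of failing; since this list now feeds the membership diff, a wrong guess can both add a bogus membership and remove a real one. I would only build the DN on `ENOENT` and propagate other errors, roughly `} else if (ret != ENOENT) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed [%d].\n", ret); goto done; } else {` before the existing fallback. The lookup passes `NULL` for `attrs`, which as far as I recall pulls the default attribute set when only the DN is needed; a `{ SYSDB_NAME, NULL }` array would be lighter. The final error message now reports `ldb_dn_alloc_linearized failed` even when `sysdb_group_strdn()` was the call that failed.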
@@ -0,0 +1,85 @@ +From 97becd502f5d8aa74b94eee78a949825222b6933 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 20 Nov 2017 16:45:45 +0100 +Subject: [PATCH 74/79] ipa: compare DNs instead of group names in + ipa_s2n_save_objects() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If group names are used to compare the current list of group memberships +returned by the server with the one from the cache some groups might end +up in the wrong result list if group names are overridden. This +ambiguity can be resolved by using the DNs of the cached objects. + +Related to https://pagure.io/SSSD/sssd/issue/3579 + +Reviewed-by: Fabiano Fidêncio +--- + src/providers/ipa/ipa_s2n_exop.c | 31 ++++++++++++------------------- + 1 file changed, 12 insertions(+), 19 deletions(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 49c393e9a1eb19ab683949cf633a6838274bc0fe..8b97f78620f19b0708e8a480cb72fd7f12d96dfb 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -2185,10 +2185,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + struct ldb_result *res; + enum sysdb_member_type type; + char **sysdb_grouplist; +- char **add_groups; + char **add_groups_dns; +- char **del_groups; + char **del_groups_dns; ++ char **groups_dns; + bool in_transaction = false; + int tret; + struct sysdb_attrs *gid_override_attrs = NULL; +@@ -2514,33 +2513,27 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + } + + if (attrs->response_type == RESP_USER_GROUPLIST) { +- ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name, +- &sysdb_grouplist); ++ ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name, ++ &sysdb_grouplist); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n"); + goto done; + } + +- ret = diff_string_lists(tmp_ctx, attrs->groups, +- sysdb_grouplist, &add_groups, +- &del_groups, NULL); ++ 
ret = get_groups_dns(tmp_ctx, dom, attrs->groups, &groups_dns); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n"); ++ goto done; ++ } ++ ++ ret = diff_string_lists(tmp_ctx, groups_dns, ++ sysdb_grouplist, &add_groups_dns, ++ &del_groups_dns, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n"); + goto done; + } + +- ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n"); +- goto done; +- } +- +- ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n"); +- goto done; +- } +- + DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n", + name); + ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER, +-- +2.15.1 + diff --git a/0075-nss-Fix-invalid-enum-nss_status-return-values.patch b/0075-nss-Fix-invalid-enum-nss_status-return-values.patch new file mode 100644 index 0000000..c7ea5de --- /dev/null +++ b/0075-nss-Fix-invalid-enum-nss_status-return-values.patch 
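Review bot: The error message after the `get_sysdb_grouplist_dn()` call still says `get_sysdb_grouplist failed`; it should read `"get_sysdb_grouplist_dn failed.\n"`. More importantly, `diff_string_lists()` compares the two DN lists as plain strings, so the result is only reliable if both sides are normalized identically: `get_groups_dns()` returns `ldb_dn_alloc_linearized()` output for cached groups but a DN built by `sysdb_group_strdn()` from `dom->name` and the raw name otherwise, and any difference in case or escaping against the cached DN makes the same group show up as both an addition and a removal (I cannot see `get_sysdb_grouplist_dn()` from here). A comment recording that assumption, or a DN-aware or case-insensitive compare, would make the change robust. `ipa_s2n_save_objects()` begins before and ends after this hunk.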
@@ -0,0 +1,150 @@ +From fd0fb14e613f15a7d1fbde86bf371a72d8dfe3b8 Mon Sep 17 00:00:00 2001 +From: Carlos O'Donell +Date: Wed, 29 Nov 2017 22:36:39 -0800 +Subject: [PATCH 75/79] nss: Fix invalid enum nss_status return values. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The upstream glibc test nss/bug17079 covers several cases where the +NSS infrastructure passes invalid pointers to NSS plugins. The plugins +should return correct results for the invalid values e.g. ERANGE, +but it should do so by setting *errnop to the error and returning +NSS_STATUS_TRYAGAIN. This commit fixes the group, netgroup, passwd +and service handling code to correctly return ERANGE in *errnop +and NSS_TATUS_TRYAGAIN in the case of invalid buffer (NULL) or +zero sized buffer length. This fixes the nss/bug17079 regression test +when run in a test configuration with sss enabled for any of the +above mentioned services. + +Upstream glibc bug: +Bug 22530 - FAIL: nss/bug17079 due to _nss_sss_getpwuid_r +https://sourceware.org/bugzilla/show_bug.cgi?id=22530 + +Merges: https://pagure.io/SSSD/sssd/pull-request/3561 + +Signed-off-by: Carlos O'Donell +Reviewed-by: Florian Weimer +Reviewed-by: Lukáš Slebodník +--- + src/sss_client/nss_group.c | 10 ++++++++-- + src/sss_client/nss_netgroup.c | 5 ++++- + src/sss_client/nss_passwd.c | 10 ++++++++-- + src/sss_client/nss_services.c | 15 ++++++++++++--- + 4 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c +index 42fba6242d23fc1d52cfd7be10cf10383010f091..054f30e13f8d5f8300a3e63c9035b98d30473c0e 100644 +--- a/src/sss_client/nss_group.c ++++ b/src/sss_client/nss_group.c +@@ -522,7 +522,10 @@ enum nss_status _nss_sss_getgrgid_r(gid_t gid, struct group *result, + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ +- if (!buffer || !buflen) return ERANGE; ++ if (!buffer || !buflen) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; 
++ } + + ret = sss_nss_mc_getgrgid(gid, result, buffer, buflen); + switch (ret) { +@@ -655,7 +658,10 @@ static enum nss_status internal_getgrent_r(struct group *result, + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ +- if (!buffer || !buflen) return ERANGE; ++ if (!buffer || !buflen) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } + + /* if there are leftovers return the next one */ + if (sss_nss_getgrent_data.data != NULL && +diff --git a/src/sss_client/nss_netgroup.c b/src/sss_client/nss_netgroup.c +index 8594fc460514d6f92e786605168fa7d15c7ee913..3a1834a311e6658c6160b5f95a01434fed69ad1c 100644 +--- a/src/sss_client/nss_netgroup.c ++++ b/src/sss_client/nss_netgroup.c +@@ -231,7 +231,10 @@ static enum nss_status internal_getnetgrent_r(struct __netgrent *result, + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ +- if (!buffer || !buflen) return ERANGE; ++ if (!buffer || !buflen) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } + + /* If we're already processing result data, continue to + * return it. 
+diff --git a/src/sss_client/nss_passwd.c b/src/sss_client/nss_passwd.c +index 61e2a567e684fbc7664b5d425e81cfa28a98e845..5b1c2ce66b0954bc304dfb458f509defa8eed889 100644 +--- a/src/sss_client/nss_passwd.c ++++ b/src/sss_client/nss_passwd.c +@@ -251,7 +251,10 @@ enum nss_status _nss_sss_getpwuid_r(uid_t uid, struct passwd *result, + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ +- if (!buffer || !buflen) return ERANGE; ++ if (!buffer || !buflen) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } + + ret = sss_nss_mc_getpwuid(uid, result, buffer, buflen); + switch (ret) { +@@ -376,7 +379,10 @@ static enum nss_status internal_getpwent_r(struct passwd *result, + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ +- if (!buffer || !buflen) return ERANGE; ++ if (!buffer || !buflen) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } + + /* if there are leftovers return the next one */ + if (sss_nss_getpwent_data.data != NULL && +diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c +index 64e0b43e1643e4e76d2381a6b062335c3d513a21..161dad9ae27f822b40af8368e5af38b020d6549a 100644 +--- a/src/sss_client/nss_services.c ++++ b/src/sss_client/nss_services.c +@@ -177,7 +177,10 @@ _nss_sss_getservbyname_r(const char *name, + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ +- if (!buffer || !buflen) return ERANGE; ++ if (!buffer || !buflen) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } + + ret = sss_strnlen(name, SSS_NAME_MAX, &name_len); + if (ret != 0) { +@@ -278,7 +281,10 @@ _nss_sss_getservbyport_r(int port, const char *protocol, + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ +- if (!buffer || !buflen) return ERANGE; ++ if (!buffer || !buflen) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } + + if (protocol) { + ret = sss_strnlen(protocol, SSS_NAME_MAX, &proto_len); +@@ -411,7 +417,10 @@ static enum nss_status internal_getservent_r(struct servent *result, + int 
ret; + + /* Caught once glibc passing in buffer == 0x0 */ +- if (!buffer || !buflen) return ERANGE; ++ if (!buffer || !buflen) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } + + /* if there are leftovers return the next one */ + if (sss_nss_getservent_data.data != NULL && +-- +2.15.1 + diff --git a/0076-confdb-Move-detection-files-to-separate-function.patch b/0076-confdb-Move-detection-files-to-separate-function.patch new file mode 100644 index 0000000..70da307 --- /dev/null +++ b/0076-confdb-Move-detection-files-to-separate-function.patch 
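Review bot: The same four-line guard is now pasted eight times across the four client files; a shared helper, e.g. a macro `SSS_NSS_CHECK_BUF(buffer, buflen, errnop)` that sets `*errnop = ERANGE` and returns `NSS_STATUS_TRYAGAIN`, would keep the contract in one place. The comment `Caught once glibc passing in buffer == 0x0` no longer explains the behavior; I would reword it to `/* glibc may pass a NULL or zero-length buffer; the NSS contract is to report ERANGE via *errnop and return NSS_STATUS_TRYAGAIN so the caller retries with a larger buffer. */`. This patch fixes only the entry points listed in the diffstat, so it is worth confirming that the remaining lookup functions in these files (the by-name lookups and initgroups) do not carry the same bare `return ERANGE` pattern.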
@@ -0,0 +1,110 @@ +From 5af7dcbba7a54c9a017a7d317f74453254125eb7 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Wed, 29 Nov 2017 17:57:56 +0100 +Subject: [PATCH 76/79] confdb: Move detection files to separate function + +--- + src/confdb/confdb.c | 73 ++++++++++++++++++++++++++++++----------------------- + 1 file changed, 41 insertions(+), 32 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index a028224817f12ace2a0c4165d7b9cb0bb80ce5a1..c41bd5087592ba15d8956e0279aaf72ba86936ed 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1718,52 +1718,61 @@ done: + return ret; + } + +-static int confdb_has_files_domain(struct confdb_ctx *cdb) ++static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx, ++ struct ldb_result *doms) + { +- TALLOC_CTX *tmp_ctx = NULL; +- struct ldb_dn *dn = NULL; +- struct ldb_result *res = NULL; +- static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL }; + const char *id_provider = NULL; +- int ret; + unsigned int i; + +- tmp_ctx = talloc_new(NULL); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN); +- if (dn == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL, +- attrs, NULL); +- if (ret != LDB_SUCCESS) { +- ret = EIO; +- goto done; +- } +- +- for (i = 0; i < res->count; i++) { +- id_provider = ldb_msg_find_attr_as_string(res->msgs[i], ++ for (i = 0; i < doms->count; i++) { ++ id_provider = ldb_msg_find_attr_as_string(doms->msgs[i], + CONFDB_DOMAIN_ID_PROVIDER, + NULL); + if (id_provider == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "The object [%s] doesn't have a id_provider\n", +- ldb_dn_get_linearized(res->msgs[i]->dn)); +- ret = EINVAL; +- goto done; ++ ldb_dn_get_linearized(doms->msgs[i]->dn)); ++ continue; + } + + if (strcasecmp(id_provider, "files") == 0) { +- break; ++ return false; + } + } + +- ret = i < res->count ? 
EOK : ENOENT; ++ return true; ++} ++ ++static int confdb_has_files_domain(struct confdb_ctx *cdb) ++{ ++ TALLOC_CTX *tmp_ctx = NULL; ++ struct ldb_dn *dn = NULL; ++ struct ldb_result *res = NULL; ++ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL }; ++ int ret; ++ bool need_files_dom; ++ ++ tmp_ctx = talloc_new(NULL); ++ if (tmp_ctx == NULL) { ++ return ENOMEM; ++ } ++ ++ dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN); ++ if (dn == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL, ++ attrs, NULL); ++ if (ret != LDB_SUCCESS) { ++ ret = EIO; ++ goto done; ++ } ++ ++ need_files_dom = need_implicit_files_domain(tmp_ctx, res); ++ ++ ret = need_files_dom ? ENOENT : EOK; + done: + talloc_free(tmp_ctx); + return ret; +-- +2.15.1 + diff --git a/0077-confdb-Fix-starting-of-implicit-files-domain.patch b/0077-confdb-Fix-starting-of-implicit-files-domain.patch new file mode 100644 index 0000000..de3d873 --- /dev/null +++ b/0077-confdb-Fix-starting-of-implicit-files-domain.patch 
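Review bot: This is billed as moving code into a helper, but it also changes behavior: a domain without `id_provider` used to make `confdb_has_files_domain()` return `EINVAL`, and now it is skipped with `continue` while the log level drops from `SSSDBG_CRIT_FAILURE` to `SSSDBG_OP_FAILURE`. That may be the right call, but it belongs in the commit message or in a comment at the `continue`, e.g. `/* A domain without id_provider is invalid but must not block the implicit files domain; the misconfiguration is reported elsewhere. */` (hedged, since I cannot see from here who else validates `id_provider`). The `tmp_ctx` parameter of `need_implicit_files_domain()` is unused in this patch and will be flagged under `-Wunused-parameter`; if it is added for a follow-up, say so in the message.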
@@ -0,0 +1,96 @@ +From 57720f0d0945262a13d9ab7d1ec8220837ab618f Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Wed, 29 Nov 2017 20:02:35 +0100 +Subject: [PATCH 77/79] confdb: Fix starting of implicit files domain + +We did not start implicit_files domain when sssd configuration +contains files domain which was disabled. +--- + src/confdb/confdb.c | 36 +++++++++++++++++++++++++++++++++-- + src/tests/intg/test_files_provider.py | 3 +++ + 2 files changed, 37 insertions(+), 2 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index c41bd5087592ba15d8956e0279aaf72ba86936ed..ef1be4a6e6daee2644d535e561fac7735eb6a0b2 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1719,12 +1719,43 @@ done: + } + + static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx, ++ struct confdb_ctx *cdb, + struct ldb_result *doms) + { + const char *id_provider = NULL; + unsigned int i; ++ errno_t ret; ++ char **domlist; ++ const char *val; ++ ++ ret = confdb_get_string_as_list(cdb, tmp_ctx, ++ CONFDB_MONITOR_CONF_ENTRY, ++ CONFDB_MONITOR_ACTIVE_DOMAINS, ++ &domlist); ++ if (ret == ENOENT) { ++ return true; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Cannot get active domains %d[%s]\n", ++ ret, sss_strerror(ret)); ++ return false; ++ } + + for (i = 0; i < doms->count; i++) { ++ val = ldb_msg_find_attr_as_string(doms->msgs[i], CONFDB_DOMAIN_ATTR, ++ NULL); ++ if (val == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "The object [%s] doesn't have a name\n", ++ ldb_dn_get_linearized(doms->msgs[i]->dn)); ++ continue; ++ } ++ ++ /* skip disabled domain */ ++ if (!string_in_list(val, domlist, false)) { ++ continue; ++ } ++ + id_provider = ldb_msg_find_attr_as_string(doms->msgs[i], + CONFDB_DOMAIN_ID_PROVIDER, + NULL); +@@ -1748,7 +1779,8 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb) + TALLOC_CTX *tmp_ctx = NULL; + struct ldb_dn *dn = NULL; + struct ldb_result *res = NULL; +- static const char *attrs[] = { 
CONFDB_DOMAIN_ID_PROVIDER, NULL }; ++ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, ++ CONFDB_DOMAIN_ATTR, NULL }; + int ret; + bool need_files_dom; + +@@ -1770,7 +1802,7 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb) + goto done; + } + +- need_files_dom = need_implicit_files_domain(tmp_ctx, res); ++ need_files_dom = need_implicit_files_domain(tmp_ctx, cdb, res); + + ret = need_files_dom ? ENOENT : EOK; + done: +diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py +index e507ea10d78b9b35ee57178e78f4621372d0c2e5..169da713767b6495e117d805b29d8d6346237ebc 100644 +--- a/src/tests/intg/test_files_provider.py ++++ b/src/tests/intg/test_files_provider.py +@@ -167,6 +167,9 @@ def no_files_domain(request): + + [domain/local] + id_provider = local ++ ++ [domain/disabled.files] ++ id_provider = files + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) +-- +2.15.1 + diff --git a/0078-confdb-Do-not-start-implicit_files-with-proxy-domain.patch b/0078-confdb-Do-not-start-implicit_files-with-proxy-domain.patch new file mode 100644 index 0000000..1115366 --- /dev/null +++ b/0078-confdb-Do-not-start-implicit_files-with-proxy-domain.patch 
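Review bot: In need_implicit_files_domain(), the `ret != EOK` branch after confdb_get_string_as_list() returns false, which confdb_has_files_domain() maps to EOK via `ret = need_files_dom ? ENOENT : EOK;`, so a failure to read the active domain list is reported to the caller as "a files domain exists" and the implicit domain is silently not started. Propagating the error instead (errno_t return, decision through an out parameter) keeps a broken configuration read visible rather than turning it into a quiet change of which domains are started. The two malformed-entry diagnostics in the loop now use different levels, SSSDBG_CRIT_FAILURE for a missing name and SSSDBG_OP_FAILURE for a missing id_provider, for the same kind of defect; aligning them makes log triage predictable. The loop body and the `return false` paths continue outside the first inner hunk, so those returns would need the same out-parameter treatment.
```c
static errno_t need_implicit_files_domain(TALLOC_CTX *tmp_ctx,
                                          struct confdb_ctx *cdb,
                                          struct ldb_result *doms,
                                          bool *_need_files_dom)
{
    /* … unchanged: local declarations and confdb_get_string_as_list() call … */
    if (ret == ENOENT) {
        *_need_files_dom = true;
        return EOK;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Cannot get active domains %d[%s]\n",
              ret, sss_strerror(ret));
        return ret;
    }
    /* … unchanged: domain loop; each `return false` becomes `*_need_files_dom = false; return EOK;` … */
```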
@@ -0,0 +1,59 @@ +From 8cf5e390b38f0be4f88b0ebbbd1b14f52d35cd02 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Thu, 30 Nov 2017 07:59:33 +0100 +Subject: [PATCH 78/79] confdb: Do not start implicit_files with proxy domain + +id_provider = proxy + proxy_lib_name = files is equivalent +to id_provider = files. But requests to user hit implicit_files +domain instead of proxy domain and therefore it broke usage +of proxy domain with auth_provider = krb5. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3590 +--- + src/confdb/confdb.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index ef1be4a6e6daee2644d535e561fac7735eb6a0b2..0a4be57e08791f8a9eb5fc143a56352cd4ef4b5e 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1769,6 +1769,25 @@ static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx, + if (strcasecmp(id_provider, "files") == 0) { + return false; + } ++ ++ if (strcasecmp(id_provider, "proxy") == 0) { ++ val = ldb_msg_find_attr_as_string(doms->msgs[i], ++ CONFDB_PROXY_LIBNAME, NULL); ++ if (val == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "The object [%s] doesn't have proxy_lib_name with " ++ "id_provider proxy\n", ++ ldb_dn_get_linearized(doms->msgs[i]->dn)); ++ continue; ++ } ++ ++ /* id_provider = proxy + proxy_lib_name = files is equivalent ++ * to id_provider = files ++ */ ++ if (strcmp(val, "files") == 0) { ++ return false; ++ } ++ } + } + + return true; +@@ -1780,7 +1799,8 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb) + struct ldb_dn *dn = NULL; + struct ldb_result *res = NULL; + static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, +- CONFDB_DOMAIN_ATTR, NULL }; ++ CONFDB_DOMAIN_ATTR, ++ CONFDB_PROXY_LIBNAME, NULL }; + int ret; + bool need_files_dom; + +-- +2.15.1 + 
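Review bot: The proxy_lib_name check uses `strcmp(val, "files") == 0` while the id_provider check a few lines above uses strcasecmp(), so `proxy_lib_name = Files` is not treated as equivalent even though id_provider matching is case-insensitive. If that is deliberate because the value names a shared library on disk, the comment above the comparison should say so, e.g. `/* proxy_lib_name selects a library file, so it is compared case-sensitively */`; otherwise strcasecmp() would keep the two checks consistent. The new block also reuses `val`, which earlier in the same loop iteration held the domain name; a dedicated variable such as `lib_name` would make the two lookups easier to follow. The enclosing loop starts before this inner hunk.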
diff --git a/0079-test_files_provider-Regression-test-for-implicit_fil.patch b/0079-test_files_provider-Regression-test-for-implicit_fil.patch
new file mode 100644
index 0000000..eda6524
--- /dev/null
+++ b/0079-test_files_provider-Regression-test-for-implicit_fil.patch
@@ -0,0 +1,73 @@ +From f9518dce861a1fe9a3a5c5c63ac45f67fdbc5e68 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Thu, 30 Nov 2017 10:21:17 +0100 +Subject: [PATCH 79/79] test_files_provider: Regression test for implicit_files + + proxy + +Related to: +https://pagure.io/SSSD/sssd/issue/3590 +--- + src/tests/intg/test_files_provider.py | 40 +++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py +index 169da713767b6495e117d805b29d8d6346237ebc..ea4e5b70a3626cb43217b59488cf186e3325ae8d 100644 +--- a/src/tests/intg/test_files_provider.py ++++ b/src/tests/intg/test_files_provider.py +@@ -145,6 +145,26 @@ def files_domain_only(request): + return None + + ++@pytest.fixture ++def proxy_to_files_domain_only(request): ++ conf = unindent("""\ ++ [sssd] ++ domains = proxy, local ++ services = nss ++ ++ [domain/local] ++ id_provider = local ++ ++ [domain/proxy] ++ id_provider = proxy ++ proxy_lib_name = files ++ auth_provider = none ++ """).format(**locals()) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ + @pytest.fixture + def no_sssd_domain(request): + conf = unindent("""\ +@@ -980,6 +1000,26 @@ def test_no_sssd_domain(add_user_with_canary, no_sssd_domain): + assert user == USER1 + + ++def test_proxy_to_files_domain_only(add_user_with_canary, ++ proxy_to_files_domain_only): ++ """ ++ Test that implicit_files domain is not started together with proxy to files ++ """ ++ local_user1 = dict(name='user1', passwd='*', uid=10009, gid=10009, ++ gecos='user1', dir='/home/user1', shell='/bin/bash') ++ ++ # Add a user with a different UID than the one in files ++ subprocess.check_call( ++ ["sss_useradd", "-u", "10009", "-M", USER1["name"]]) ++ ++ res, user = call_sssd_getpwnam(USER1["name"]) ++ assert res == NssReturnCode.SUCCESS ++ assert user == local_user1 ++ ++ res, _ = 
call_sssd_getpwnam("{0}@implicit_files".format(USER1["name"])) ++ assert res == NssReturnCode.NOTFOUND ++ ++ + def test_no_files_domain(add_user_with_canary, no_files_domain): + """ + Test that if no files domain is configured, sssd will add the implicit one +-- +2.15.1 + diff --git a/0502-SYSTEMD-Use-capabilities.patch b/0502-SYSTEMD-Use-capabilities.patch index 9d35c85..cfc1827 100644 --- a/0502-SYSTEMD-Use-capabilities.patch +++ b/0502-SYSTEMD-Use-capabilities.patch @@ -1,4 +1,4 @@ -From 5381ad1bd7693a6681f00bef093241f13e3a2c4f Mon Sep 17 00:00:00 2001 +From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Mon, 12 Dec 2016 21:56:16 +0100 Subject: [PATCH] SYSTEMD: Use capabilities @@ -9,17 +9,17 @@ copied from selinux policy 1 file changed, 1 insertion(+) diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in -index 05cfd3705084dbff8b46fb07e736612612c58b70..e7bbbdb5093f52e4b71e3c85a9082192013385e8 100644 +index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644 --- a/src/sysv/systemd/sssd.service.in +++ b/src/sysv/systemd/sssd.service.in -@@ -9,6 +9,7 @@ EnvironmentFile=-@environment_file@ - ExecStart=@sbindir@/sssd -i -f +@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER} Type=notify NotifyAccess=main + PIDFile=@localstatedir@/run/sssd.pid +CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND [Install] WantedBy=multi-user.target -- -2.11.0 +2.15.1 diff --git a/sssd.spec b/sssd.spec index 912a485..1f62ee2 100644 --- a/sssd.spec +++ b/sssd.spec @@ -32,7 +32,7 @@ Name: sssd Version: 1.16.0 -Release: 3%{?dist} +Release: 4%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
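Review bot: In test_proxy_to_files_domain_only(), `local_user1` hard-codes `name='user1'`, `gecos='user1'` and `dir='/home/user1'` while the sss_useradd call and both lookups use `USER1["name"]`, so the expected record only matches if USER1's name happens to be 'user1'; `name=USER1["name"], gecos=USER1["name"]` would keep the fixture and the assertion in step. The UID 10009 is also spelled twice, in the dict and in the `"-u", "10009"` argument; one local such as `local_uid = 10009` used in both places avoids a silent mismatch on later edits. The test function ends inside this hunk.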
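Review bot: The rebased hunk keeps the `CapabilityBoundingSet=` line unchanged, and that set still contains CAP_SYS_ADMIN, CAP_DAC_READ_SEARCH, CAP_SETUID and CAP_SETGID, so it constrains a compromised sssd process far less than the patch title suggests; the description only says the list was copied from the SELinux policy. A comment in the unit, or in the patch description, naming which sssd component needs each capability (for example why CAP_NET_ADMIN and CAP_BLOCK_SUSPEND are required) would let a later maintainer trim the list with confidence. The rest of the unit file is outside this hunk.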
@@ -41,9 +41,55 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
-Patch0001: 0001-KCM-Fix-restart-during-after-upgrade.patch
-Patch0012: 0012-TESTS-Order-list-of-entries-in-some-lists.patch
-Patch0013: 0013-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch
+Patch0001: 0001-KCM-Fix-typo-in-comments.patch
+Patch0002: 0002-Fix-minor-spelling-mistakes.patch
+Patch0003: 0003-CONFIG-Add-a-new-option-auto_private_groups.patch
+Patch0004: 0004-CONFDB-Remove-the-obsolete-option-magic_private_grou.patch
+Patch0005: 0005-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch
+Patch0006: 0006-LDAP-Turn-group-request-into-user-request-for-MPG-do.patch
+Patch0007: 0007-SYSDB-Prevent-users-and-groups-ID-collision-in-MPG-d.patch
+Patch0008: 0008-TESTS-Add-integration-tests-for-the-auto_private_gro.patch
+Patch0009: 0009-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch
+Patch0010: 0010-sudo-document-background-activity.patch
+Patch0011: 0011-MAN-GPO-Security-Filtering-limitation.patch
+Patch0012: 0012-CI-Ignore-source-file-generated-by-systemtap.patch
+Patch0013: 0013-sudo-always-use-srv_opts-from-id-context.patch
+Patch0014: 0014-AD-Remember-last-site-discovered.patch
+Patch0015: 0015-sysdb-add-functions-to-get-set-client-site.patch
+Patch0016: 0016-AD-Remember-last-site-discovered-in-sysdb.patch
+Patch0017: 0017-UTIL-Add-wrapper-function-to-configure-logger.patch
+Patch0018: 0018-Add-parameter-logger-to-daemons.patch
+Patch0019: 0019-SYSTEMD-Replace-parameter-debug-to-files-with-DEBUG_.patch
+Patch0020: 0020-SYSTEMD-Add-environment-file-to-responder-service-fi.patch
+Patch0021: 0021-UTIL-Hide-and-deprecate-parameter-debug-to-files.patch
+Patch0023: 0023-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch
+Patch0024: 0024-KCM-Fix-restart-during-after-upgrade.patch
+Patch0035: 0035-RESP-Add-some-missing-NULL-checks.patch
+Patch0036: 0036-BUILD-Properly-expand-variables-in-sssd-ifp.service.patch
+Patch0037: 0037-SYSTEMD-Clean-pid-file-in-corner-cases.patch
+Patch0038: 0038-CHILD-Pass-information-about-logger-to-children.patch
+Patch0039: 0039-TOOLS-Double-quote-array-expansions-in-sss_debugleve.patch
+Patch0040: 0040-TOOLS-Call-exec-for-sss_debuglevel.patch
+Patch0041: 0041-LDAP-Improve-error-treatment-from-sdap_cli_connect-i.patch
+Patch0053: 0053-NSS-Use-enum_ctx-as-memory_context-in-_setnetgrent_s.patch
+Patch0054: 0054-cache_req-Correction-of-cache_req-debug-string-ID-fo.patch
+Patch0055: 0055-TESTS-Order-list-of-entries-in-some-lists.patch
+Patch0063: 0063-WATCHDOG-Restart-providers-with-SIGUSR2-after-time-d.patch
+Patch0064: 0064-mmap_cache-make-checks-independent-of-input-size.patch
+Patch0066: 0066-krb5-show-error-message-for-krb5_init_context-failur.patch
+Patch0067: 0067-responder-Fix-talloc-hierarchy-in-sized_output_name.patch
+Patch0068: 0068-test_responder-Check-memory-leak-in-sized_output_nam.patch
+Patch0069: 0069-UTIL-add-find_domain_by_object_name_ex.patch
+Patch0070: 0070-ipa-handle-users-from-different-domains-in-ipa_resol.patch
+Patch0071: 0071-overrides-fixes-for-sysdb_invalidate_overrides.patch
+Patch0072: 0072-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch
+Patch0073: 0073-IPA-use-cache-searches-in-get_groups_dns.patch
+Patch0074: 0074-ipa-compare-DNs-instead-of-group-names-in-ipa_s2n_sa.patch
+Patch0075: 0075-nss-Fix-invalid-enum-nss_status-return-values.patch
+Patch0076: 0076-confdb-Move-detection-files-to-separate-function.patch
+Patch0077: 0077-confdb-Fix-starting-of-implicit-files-domain.patch
+Patch0078: 0078-confdb-Do-not-start-implicit_files-with-proxy-domain.patch
+Patch0079: 0079-test_files_provider-Regression-test-for-implicit_fil.patch
 Patch0500: 0500-Revert-libwbclient-sssd-update-interface-to-version-.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@@ -841,8 +887,6 @@ done
 %attr(700,root,root) %dir %{_sysconfdir}/sssd
 %attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
 %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
-%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/sssd.service.d
-%config(noreplace) %{_sysconfdir}/systemd/system/sssd.service.d/journal.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %dir %{_sysconfdir}/rwtab.d
@@ -1241,6 +1285,28 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Mon Dec 04 2017 Lukas Slebodnik - 1.16.0-4
+- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in
+ setnetgrent_result_timeout
+- Resolves: upstream#3562 - Use-after free if more sudo requests run and one
+ of them fails, causing a fail-over to a next server
+- Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
+ or machine swaps
+- Resolves: failure in glibc tests
+ https://sourceware.org/bugzilla/show_bug.cgi?id=22530
+- Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
+ auth_provider ldap, login fails if the LDAP server
+ is not allowing anonymous binds
+- Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
+ corrected with AD
+- Resolves: upstream#3586 - Give a more detailed debug and system-log message
+ if krb5_init_context() failed
+- Resolves: rhbz#1479283 - proxy to files does not work with
+ implicit_files_domain
+- Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
+ in /etc/systemd/system
+
+
 * Tue Nov 21 2017 Lukas Slebodnik - 1.16.0-3
 - Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next