From 5225c3262bf87ab990bb90751452029940f9e5c7 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Wed, 22 Dec 2010 14:08:33 -0500
Subject: [PATCH] - New upstream release 1.5.0
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
---
 .gitignore | 1 +
 0001-Log-startup-errors-to-syslog.patch | 56 -----------
 ...ly-document-ldap_purge_cache_timeout.patch | 72 --------------
 ...-shuts-down-completely-before-restar.patch | 34 -------
 0004-Wait-for-all-children-to-exit.patch | 96 -------------------
 sources | 2 +-
 sssd.spec | 88 +++++++++++------
 7 files changed, 63 insertions(+), 286 deletions(-)
 delete mode 100644 0001-Log-startup-errors-to-syslog.patch
 delete mode 100644 0002-Properly-document-ldap_purge_cache_timeout.patch
 delete mode 100644 0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch
 delete mode 100644 0004-Wait-for-all-children-to-exit.patch
diff --git a/.gitignore b/.gitignore
index 5d50a4f..c61d659 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.3.0.tar.gz
 /sssd-1.4.0.tar.gz
 /sssd-1.4.1.tar.gz
+/sssd-1.5.0.tar.gz
diff --git a/0001-Log-startup-errors-to-syslog.patch b/0001-Log-startup-errors-to-syslog.patch
deleted file mode 100644
index 17a4da6..0000000
--- a/0001-Log-startup-errors-to-syslog.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From 57736f3037984574b42b72fef7ae14fa2bce35b0 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Wed, 10 Nov 2010 11:04:31 -0500 -Subject: [PATCH 1/2] Log startup errors to syslog - ---- - src/monitor/monitor.c | 16 +++++++++------- - 1 files changed, 9 insertions(+), 7 deletions(-) - -diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c -index 1c2a058e5a8d684798dcb2ea461199467c73f407..6479f7a9fd5877e7b5baaaee4f3f92001506d730 100644 ---- a/src/monitor/monitor.c -+++ b/src/monitor/monitor.c -@@ -2167,7 +2167,7 @@ int main(int argc, const char *argv[]) - uid = getuid(); - if (uid != 0) { - DEBUG(1, ("Running under %d, must be root\n", uid)); -- ERROR("sssd must be run as root\n"); -+ sss_log(SSS_LOG_ALERT, "sssd must be run as root"); - return 8; - } - -@@ -2202,9 +2202,10 @@ int main(int argc, const char *argv[]) - ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL); - if (ret == EOK) { - DEBUG(0, ("WARNING: nscd appears to be running\n")); -- ERROR("nscd socket was detected. As nscd caching capabilities " -- "may conflict with SSSD, it is recommended to not run " -- "nscd in parallel with SSSD\n"); -+ sss_log(SSS_LOG_NOTICE, -+ "nscd socket was detected. 
As nscd caching capabilities " -+ "may conflict with SSSD, it is recommended to not run " -+ "nscd in parallel with SSSD"); - } - - /* Parse config file, fail if cannot be done */ -@@ -2212,12 +2213,13 @@ int main(int argc, const char *argv[]) - if (ret != EOK) { - if (ret == EPERM) { - DEBUG(1, ("Cannot read configuration file %s\n", config_file)); -- ERROR("Cannot read config file %s, please check if permissions " -- "are 0600 and the file is owned by root.root\n", config_file); -+ sss_log(SSS_LOG_ALERT, -+ "Cannot read config file %s, please check if permissions " -+ "are 0600 and the file is owned by root.root", config_file); - } else { - DEBUG(1, ("Error loading configuration database: [%d]: %s", - ret, strerror(ret))); -- ERROR("Cannot load configuration database\n"); -+ sss_log(SSS_LOG_ALERT, "Cannot load configuration database"); - } - return 4; - } --- -1.7.3.2 - diff --git a/0002-Properly-document-ldap_purge_cache_timeout.patch b/0002-Properly-document-ldap_purge_cache_timeout.patch deleted file mode 100644 index fc1dc8c..0000000 --- a/0002-Properly-document-ldap_purge_cache_timeout.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 4f8400f86d33d0f64adccb71c8190ad33db2770a Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Tue, 2 Nov 2010 07:46:13 -0400 -Subject: [PATCH 2/2] Properly document ldap_purge_cache_timeout - -Also allow it to be disabled entirely ---- - src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++ - src/providers/ldap/ldap_common.c | 10 +++++++++- - 2 files changed, 28 insertions(+), 1 deletions(-) - -diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml -index 87d388ade2b9b3613a18eb70e079b1266e940a14..64f216f5f5092a23635b9c4f96dbb133b309e556 100644 ---- a/src/man/sssd-ldap.5.xml -+++ b/src/man/sssd-ldap.5.xml -@@ -447,6 +447,25 @@ - - - -+ ldap_purge_cache_timeout -+ -+ -+ Determine how often to check the cache for -+ inactive entries (such as groups with no -+ members and users who have never logged in) and -+ remove them to save space. -+ -+ -+ Setting this option to zero will disable the -+ cache cleanup operation. -+ -+ -+ Default: 10800 (12 hours) -+ -+ -+ -+ -+ - ldap_user_fullname (string) - - -diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c -index ea5f957076675b4b8210917a928761e68088d485..c074098d6574078a6ec0e80851a1b02a51f5b0e1 100644 ---- a/src/providers/ldap/ldap_common.c -+++ b/src/providers/ldap/ldap_common.c -@@ -397,6 +397,7 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx) - { - struct timeval tv; - int ret = EOK; -+ int delay; - - /* set up enumeration task */ - if (ctx->be->domain->enumerate) { -@@ -406,7 +407,14 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx) - ret = ldap_id_enumerate_set_timer(ctx, tv); - } else { - /* the enumeration task, runs the cleanup process by itself, -- * but if enumeration is not runnig we need to schedule it */ -+ * but if enumeration is not running we need to schedule it */ -+ delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT); -+ if (delay == 0) { -+ /* Cleanup has been explicitly disabled, so we won't -+ * schedule any cleanup tasks. 
-+ */ -+ return EOK; -+ } - - /* run the first one in a couple of seconds so that we have time to - * finish initializations first*/ --- -1.7.3.2 - diff --git a/0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch b/0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch deleted file mode 100644 index 6bf2b99..0000000 --- a/0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch +++ /dev/null @@ -1,34 +0,0 @@ -From e3751e0a7567ccd7cc335a9c73acd278862ab5d0 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Wed, 17 Nov 2010 08:29:19 -0500 -Subject: [PATCH 3/4] Ensure that SSSD shuts down completely before restarting - ---- - src/sysv/sssd | 9 +++++++++ - 1 files changed, 9 insertions(+), 0 deletions(-) - -diff --git a/src/sysv/sssd b/src/sysv/sssd -index 47804371d0be6b537bc03226f0fd67d03c6ce58e..7339d86deb9792285691032bebb5205f4894a671 100644 ---- a/src/sysv/sssd -+++ b/src/sysv/sssd -@@ -48,8 +48,17 @@ start() { - - stop() { - echo -n $"Stopping $prog: " -+ pid=`cat $PID_FILE` -+ - killproc -p $PID_FILE $SSSD -TERM - RETVAL=$? -+ -+ # Wait until the monitor exits -+ while (checkpid $pid) -+ do -+ usleep 100000 -+ done -+ - echo - [ "$RETVAL" = 0 ] && rm -f $LOCK_FILE - return $RETVAL --- -1.7.3.2 - diff --git a/0004-Wait-for-all-children-to-exit.patch b/0004-Wait-for-all-children-to-exit.patch deleted file mode 100644 index 876b713..0000000 --- a/0004-Wait-for-all-children-to-exit.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 1f1d7ead30d566a47cdcc2d8fe2618817851e1e1 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Thu, 11 Nov 2010 09:04:22 -0500 -Subject: [PATCH 4/4] Wait for all children to exit - -Previously, there was a race-condition where the monitor might -terminate before its children. ---- - src/monitor/monitor.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++- - 1 files changed, 61 insertions(+), 2 deletions(-) - -diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c -index 6479f7a9fd5877e7b5baaaee4f3f92001506d730..98b671b2970b2a55c34e72a81bfc6e90c36bd820 100644 ---- a/src/monitor/monitor.c -+++ b/src/monitor/monitor.c -@@ -1171,16 +1171,75 @@ static void monitor_quit(struct tevent_context *ev, - void *siginfo, - void *private_data) - { -+ struct mt_ctx *mt_ctx = talloc_get_type(private_data, struct mt_ctx); -+ struct mt_svc *svc; -+ pid_t pid; -+ int status; -+ errno_t error; -+ - DEBUG(8, ("Received shutdown command\n")); -- monitor_cleanup(); -+ -+ DEBUG(0, ("Monitor received %s: terminating children\n", -+ strsignal(signum))); -+ -+ /* Kill all of our known children manually */ -+ DLIST_FOR_EACH(svc, mt_ctx->svc_list) { -+ if (svc->pid == 0) { -+ /* The local provider has no PID */ -+ continue; -+ } -+ -+ DEBUG(1, ("Terminating [%s]\n", svc->name)); -+ kill(svc->pid, SIGTERM); -+ -+ do { -+ errno = 0; -+ pid = waitpid(svc->pid, &status, 0); -+ if (pid == -1) { -+ /* An error occurred while waiting */ -+ error = errno; -+ if (error != EINTR) { -+ DEBUG(0, ("[%d][%s] while waiting for [%s]\n", -+ error, strerror(error), svc->name)); -+ /* Forcibly kill this child */ -+ kill(svc->pid, SIGKILL); -+ break; -+ } -+ } else { -+ error = 0; -+ if WIFEXITED(status) { -+ DEBUG(1, ("Child [%s] exited gracefully\n", svc->name)); -+ } else if WIFSIGNALED(status) { -+ DEBUG(1, ("Child [%s] terminated with a signal\n", svc->name)); -+ } else { -+ DEBUG(0, ("Child [%s] did not exit cleanly\n", svc->name)); -+ /* Forcibly kill this child */ -+ 
 kill(svc->pid, SIGKILL);
-+ }
-+ }
-+ } while (error == EINTR);
-+ }
-
- #if HAVE_GETPGRP
-+ /* Kill any remaining children in our process group, just in case
-+ * we have any leftover children we don't expect. For example, if
-+ * a krb5_child or ldap_child is running at the same moment.
-+ */
-+ error = 0;
- if (getpgrp() == getpid()) {
-- DEBUG(0,("%s: killing children\n", strsignal(signum)));
- kill(-getpgrp(), SIGTERM);
-+ do {
-+ errno = 0;
-+ pid = waitpid(0, &status, 0);
-+ if (pid == -1) {
-+ error = errno;
-+ }
-+ } while (error == EINTR || pid > 0);
- }
- #endif
-
-+ monitor_cleanup();
-+
- exit(0);
- }
-
---
-1.7.3.2
-
diff --git a/sources b/sources
index f8124ed..e9297c4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-4f505e16bd0e9c5a441b2c9543cf0490 sssd-1.4.1.tar.gz
+a06468f7d540fa4d5e3de2644d933744 sssd-1.5.0.tar.gz
diff --git a/sssd.spec b/sssd.spec
index aafa0ff..1735460 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -4,8 +4,8 @@
 %endif
 Name: sssd
-Version: 1.4.1
-Release: 3%{?dist}
+Version: 1.5.0
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -15,10 +15,6 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
-Patch0001: 0001-Log-startup-errors-to-syslog.patch
-Patch0002: 0002-Properly-document-ldap_purge_cache_timeout.patch
-Patch0003: 0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch
-Patch0004: 0004-Wait-for-all-children-to-exit.patch
 ### Dependencies ###
@@ -78,6 +74,7 @@ BuildRequires: bind-utils
 BuildRequires: keyutils-libs-devel
 BuildRequires: libnl-devel
 BuildRequires: nscd
+BuildRequires: po4a
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -95,14 +92,22 @@ License: LGPLv3+
 Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
 service.
+%package tools
+Summary: Userspace tools for use with the SSSD
+Group: Applications/System
+License: GPLv3+
+Requires: sssd = %{version}-%{release}
+
+%description tools
+Provides userspace tools for manipulating users, groups, and nested groups in
+SSSD when using id_provider = local in /etc/sssd/sssd.conf.
+
+Also provides a userspace tool for generating an obfuscated LDAP password for
+use with ldap_default_authtok_type = obfuscated_password.
+
 %prep
 %setup -q
-%patch0001 -p1
-%patch0002 -p1
-%patch0003 -p1
-%patch0004 -p1
-
 %build
 %configure \
 --with-db-path=%{dbpath} \
@@ -116,6 +121,7 @@ service.
 --with-test-dir=/dev/shm
 make %{?_smp_mflags}
+make translated-manpages
 %check
 export CK_TIMEOUT_MULTIPLIER=10
@@ -172,14 +178,6 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %{_initrddir}/%{name}
 %{_sbindir}/sssd
-%{_sbindir}/sss_useradd
-%{_sbindir}/sss_userdel
-%{_sbindir}/sss_usermod
-%{_sbindir}/sss_groupadd
-%{_sbindir}/sss_groupdel
-%{_sbindir}/sss_groupmod
-%{_sbindir}/sss_groupshow
-%{_sbindir}/sss_obfuscate
 %{_libexecdir}/%{servicename}/
 %{_libdir}/%{name}/
 %{_libdir}/ldb/memberof.so
@@ -202,17 +200,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/sssd-ldap.5*
 %{_mandir}/man5/sssd-simple.5*
 %{_mandir}/man8/sssd.8*
-%{_mandir}/man8/sss_groupadd.8*
-%{_mandir}/man8/sss_groupdel.8*
-%{_mandir}/man8/sss_groupmod.8*
-%{_mandir}/man8/sss_groupshow.8*
-%{_mandir}/man8/sss_useradd.8*
-%{_mandir}/man8/sss_userdel.8*
-%{_mandir}/man8/sss_usermod.8*
-%{_mandir}/man8/sss_obfuscate.8*
 %{python_sitearch}/pysss.so
 %{python_sitelib}/*.py*
+%lang(cs) %{_mandir}/cs/man[58]/*
+
 %files client
 %defattr(-,root,root,-)
 %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
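Review bot: The `%lang(cs) %{_mandir}/cs/man[58]/*` glob added to the main package's `%files` list claims every Czech page under man5 and man8, which would include the translations of the sss_useradd/sss_groupadd/sss_obfuscate(8) pages whose English originals this same commit moves out of the main package into the new `%files tools` section in the next hunk; the translated tool pages would then ship in a different package from the tools themselves. Mirroring the English entries per package (for example `%lang(cs) %{_mandir}/cs/man8/sss_useradd.8*` under `%files tools`, and only the sssd pages in the main package) keeps each translation next to its binary. Whether `make translated-manpages` actually emits the sss_* pages under cs/ cannot be confirmed from the spec alone, so this should be checked against the build output. Separately, because the sss_* binaries leave the main package, a system upgrading from 1.4.1 loses them unless sssd-tools is installed; a dependency from the main package or an upgrade note would make that explicit.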
@@ -222,6 +214,26 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
+%files tools
+%defattr(-,root,root,-)
+%doc COPYING
+%{_sbindir}/sss_useradd
+%{_sbindir}/sss_userdel
+%{_sbindir}/sss_usermod
+%{_sbindir}/sss_groupadd
+%{_sbindir}/sss_groupdel
+%{_sbindir}/sss_groupmod
+%{_sbindir}/sss_groupshow
+%{_sbindir}/sss_obfuscate
+%{_mandir}/man8/sss_groupadd.8*
+%{_mandir}/man8/sss_groupdel.8*
+%{_mandir}/man8/sss_groupmod.8*
+%{_mandir}/man8/sss_groupshow.8*
+%{_mandir}/man8/sss_useradd.8*
+%{_mandir}/man8/sss_userdel.8*
+%{_mandir}/man8/sss_usermod.8*
+%{_mandir}/man8/sss_obfuscate.8*
+
 %post
 /sbin/ldconfig
 /sbin/chkconfig --add %{servicename}
@@ -243,6 +255,28 @@ fi
 %postun client -p /sbin/ldconfig
 %changelog
+* Wed Dec 22 2010 Stephen Gallagher - 1.5.0-1
+- New upstream release 1.5.0
+- Fixed issues with LDAP search filters that needed to be escaped
+- Add Kerberos FAST support on platforms that support it
+- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
+- Added a Kerberos access provider to honor .k5login
+- Addressed several thread-safety issues in the sss_client code
+- Improved support for delayed online Kerberos auth
+- Significantly reduced time between connecting to the network/VPN and
+- acquiring a TGT
+- Added feature for automatic Kerberos ticket renewal
+- Provides the kerberos ticket for long-lived processes or cron jobs
+- even when the user logs out
+- Added several new features to the LDAP access provider
+- Support for 'shadow' access control
+- Support for authorizedService access control
+- Ability to mix-and-match LDAP access control features
+- Added an option for a separate password-change LDAP server for those
+- platforms where LDAP referrals are not supported
+- Added support for manpage translations
+
+
 * Thu Nov 18 2010 Stephen Gallagher - 1.4.1-3
 - Solve a shutdown race-condition that sometimes left processes running
 - Resolves: rhbz#606887 - SSSD stops on upgrade