- New upstream release 1.5.0

- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the Kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
Stephen Gallagher 2010-12-22 14:08:33 -05:00
parent 9600ada0fd
commit 5225c3262b
7 changed files with 63 additions and 286 deletions

.gitignore

@ -2,3 +2,4 @@ sssd-1.2.91.tar.gz
/sssd-1.3.0.tar.gz /sssd-1.3.0.tar.gz
/sssd-1.4.0.tar.gz /sssd-1.4.0.tar.gz
/sssd-1.4.1.tar.gz /sssd-1.4.1.tar.gz
/sssd-1.5.0.tar.gz

0001-Log-startup-errors-to-syslog.patch (deleted)

@ -1,56 +0,0 @@
From 57736f3037984574b42b72fef7ae14fa2bce35b0 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 10 Nov 2010 11:04:31 -0500
Subject: [PATCH 1/2] Log startup errors to syslog
---
src/monitor/monitor.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1c2a058e5a8d684798dcb2ea461199467c73f407..6479f7a9fd5877e7b5baaaee4f3f92001506d730 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2167,7 +2167,7 @@ int main(int argc, const char *argv[])
uid = getuid();
if (uid != 0) {
DEBUG(1, ("Running under %d, must be root\n", uid));
- ERROR("sssd must be run as root\n");
+ sss_log(SSS_LOG_ALERT, "sssd must be run as root");
return 8;
}
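Review bot: Replacing ERROR with sss_log(SSS_LOG_ALERT, ...) routes the root-check failure to syslog only; unless sss_log also writes to stderr, an administrator starting sssd interactively (or a script capturing stderr) no longer sees the "must be run as root" explanation and gets only exit status 8. Please confirm sss_log's behaviour or keep a stderr line for the interactive case. Dropping the trailing "\n" from the syslog string is correct, since syslog does not want it.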
@@ -2202,9 +2202,10 @@ int main(int argc, const char *argv[])
ret = check_file(NSCD_SOCKET_PATH, -1, -1, -1, CHECK_SOCK, NULL);
if (ret == EOK) {
DEBUG(0, ("WARNING: nscd appears to be running\n"));
- ERROR("nscd socket was detected. As nscd caching capabilities "
- "may conflict with SSSD, it is recommended to not run "
- "nscd in parallel with SSSD\n");
+ sss_log(SSS_LOG_NOTICE,
+ "nscd socket was detected. As nscd caching capabilities "
+ "may conflict with SSSD, it is recommended to not run "
+ "nscd in parallel with SSSD");
}
/* Parse config file, fail if cannot be done */
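Review bot: The two log lines in this hunk disagree on severity: the debug log records the nscd socket at DEBUG level 0 (the most severe level, shown at any debug setting) while syslog gets SSS_LOG_NOTICE. Because check_file(NSCD_SOCKET_PATH, ..., CHECK_SOCK, ...) only establishes that a socket exists at that path, a stale socket left behind by a stopped nscd produces the same message, so NOTICE is the right syslog level and the DEBUG call should use a matching non-fatal level rather than 0.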
@@ -2212,12 +2213,13 @@ int main(int argc, const char *argv[])
if (ret != EOK) {
if (ret == EPERM) {
DEBUG(1, ("Cannot read configuration file %s\n", config_file));
- ERROR("Cannot read config file %s, please check if permissions "
- "are 0600 and the file is owned by root.root\n", config_file);
+ sss_log(SSS_LOG_ALERT,
+ "Cannot read config file %s, please check if permissions "
+ "are 0600 and the file is owned by root.root", config_file);
} else {
DEBUG(1, ("Error loading configuration database: [%d]: %s",
ret, strerror(ret)));
- ERROR("Cannot load configuration database\n");
+ sss_log(SSS_LOG_ALERT, "Cannot load configuration database");
}
return 4;
}
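Review bot: The EPERM branch assumes the config loader reports a permission problem as EPERM, but opening or reading a file the process lacks rights to yields EACCES; if the loader returns the raw errno this branch is never taken and the admin only sees the generic "Cannot load configuration database" without the 0600/root.root hint. Confirm the mapping in the loader, or test `if (ret == EPERM || ret == EACCES)`. Including config_file in the ALERT message is useful and discloses only a path, not configuration content.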
--
1.7.3.2

0002-Properly-document-ldap_purge_cache_timeout.patch (deleted)

@ -1,72 +0,0 @@
From 4f8400f86d33d0f64adccb71c8190ad33db2770a Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 2 Nov 2010 07:46:13 -0400
Subject: [PATCH 2/2] Properly document ldap_purge_cache_timeout
Also allow it to be disabled entirely
---
src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
src/providers/ldap/ldap_common.c | 10 +++++++++-
2 files changed, 28 insertions(+), 1 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 87d388ade2b9b3613a18eb70e079b1266e940a14..64f216f5f5092a23635b9c4f96dbb133b309e556 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -447,6 +447,25 @@
</varlistentry>
<varlistentry>
+ <term>ldap_purge_cache_timeout</term>
+ <listitem>
+ <para>
+ Determine how often to check the cache for
+ inactive entries (such as groups with no
+ members and users who have never logged in) and
+ remove them to save space.
+ </para>
+ <para>
+ Setting this option to zero will disable the
+ cache cleanup operation.
+ </para>
+ <para>
+ Default: 10800 (12 hours)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_fullname (string)</term>
<listitem>
<para>
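Review bot: "Default: 10800 (12 hours)" is internally inconsistent: 10800 seconds is 3 hours, and 12 hours would be 43200. One of the two is wrong and the text should match the default that ldap_common.c actually applies. The entry also omits the type annotation its siblings carry (`<term>ldap_user_fullname (string)</term>`), so it should read `<term>ldap_purge_cache_timeout (integer)</term>`, and the first paragraph should say the value is in seconds.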
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index ea5f957076675b4b8210917a928761e68088d485..c074098d6574078a6ec0e80851a1b02a51f5b0e1 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -397,6 +397,7 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
{
struct timeval tv;
int ret = EOK;
+ int delay;
/* set up enumeration task */
if (ctx->be->domain->enumerate) {
@@ -406,7 +407,14 @@ int sdap_id_setup_tasks(struct sdap_id_ctx *ctx)
ret = ldap_id_enumerate_set_timer(ctx, tv);
} else {
/* the enumeration task, runs the cleanup process by itself,
- * but if enumeration is not runnig we need to schedule it */
+ * but if enumeration is not running we need to schedule it */
+ delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
+ if (delay == 0) {
+ /* Cleanup has been explicitly disabled, so we won't
+ * schedule any cleanup tasks.
+ */
+ return EOK;
+ }
/* run the first one in a couple of seconds so that we have time to
* finish initializations first*/
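Review bot: The disable check only handles delay == 0; a negative value from a mistyped option (dp_opt_get_int returns a signed int) falls through to the scheduling code below with a negative interval. Suggest `if (delay <= 0)` together with a DEBUG line stating that cache cleanup is disabled, or reject negative values when the option is parsed. The early `return EOK` also skips everything that follows in sdap_id_setup_tasks, which is only correct if scheduling the cleanup task is the last thing the function does; please confirm.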
--
1.7.3.2

0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch (deleted)

@ -1,34 +0,0 @@
From e3751e0a7567ccd7cc335a9c73acd278862ab5d0 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 17 Nov 2010 08:29:19 -0500
Subject: [PATCH 3/4] Ensure that SSSD shuts down completely before restarting
---
src/sysv/sssd | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/src/sysv/sssd b/src/sysv/sssd
index 47804371d0be6b537bc03226f0fd67d03c6ce58e..7339d86deb9792285691032bebb5205f4894a671 100644
--- a/src/sysv/sssd
+++ b/src/sysv/sssd
@@ -48,8 +48,17 @@ start() {
stop() {
echo -n $"Stopping $prog: "
+ pid=`cat $PID_FILE`
+
killproc -p $PID_FILE $SSSD -TERM
RETVAL=$?
+
+ # Wait until the monitor exits
+ while (checkpid $pid)
+ do
+ usleep 100000
+ done
+
echo
[ "$RETVAL" = 0 ] && rm -f $LOCK_FILE
return $RETVAL
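Review bot: The `while (checkpid $pid)` loop has no upper bound, so a monitor that ignores SIGTERM or is wedged makes `service sssd stop` (and every restart, including package upgrades) hang indefinitely, which is a worse failure than the race being fixed. Bound the wait, for example a counter of 100 ms sleeps, and fall back to `killproc -p $PID_FILE $SSSD -KILL` when it expires. Also, `pid=\`cat $PID_FILE\`` runs before anything checks that the file exists: with no pid file, cat prints an error and $pid is empty; checkpid with no argument returns non-zero so the loop exits, but the stray error should be silenced with `2>/dev/null`.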
--
1.7.3.2

0004-Wait-for-all-children-to-exit.patch (deleted)

@ -1,96 +0,0 @@
From 1f1d7ead30d566a47cdcc2d8fe2618817851e1e1 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Thu, 11 Nov 2010 09:04:22 -0500
Subject: [PATCH 4/4] Wait for all children to exit
Previously, there was a race-condition where the monitor might
terminate before its children.
---
src/monitor/monitor.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 6479f7a9fd5877e7b5baaaee4f3f92001506d730..98b671b2970b2a55c34e72a81bfc6e90c36bd820 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1171,16 +1171,75 @@ static void monitor_quit(struct tevent_context *ev,
void *siginfo,
void *private_data)
{
+ struct mt_ctx *mt_ctx = talloc_get_type(private_data, struct mt_ctx);
+ struct mt_svc *svc;
+ pid_t pid;
+ int status;
+ errno_t error;
+
DEBUG(8, ("Received shutdown command\n"));
- monitor_cleanup();
+
+ DEBUG(0, ("Monitor received %s: terminating children\n",
+ strsignal(signum)));
+
+ /* Kill all of our known children manually */
+ DLIST_FOR_EACH(svc, mt_ctx->svc_list) {
+ if (svc->pid == 0) {
+ /* The local provider has no PID */
+ continue;
+ }
+
+ DEBUG(1, ("Terminating [%s]\n", svc->name));
+ kill(svc->pid, SIGTERM);
+
+ do {
+ errno = 0;
+ pid = waitpid(svc->pid, &status, 0);
+ if (pid == -1) {
+ /* An error occurred while waiting */
+ error = errno;
+ if (error != EINTR) {
+ DEBUG(0, ("[%d][%s] while waiting for [%s]\n",
+ error, strerror(error), svc->name));
+ /* Forcibly kill this child */
+ kill(svc->pid, SIGKILL);
+ break;
+ }
+ } else {
+ error = 0;
+ if WIFEXITED(status) {
+ DEBUG(1, ("Child [%s] exited gracefully\n", svc->name));
+ } else if WIFSIGNALED(status) {
+ DEBUG(1, ("Child [%s] terminated with a signal\n", svc->name));
+ } else {
+ DEBUG(0, ("Child [%s] did not exit cleanly\n", svc->name));
+ /* Forcibly kill this child */
+ kill(svc->pid, SIGKILL);
+ }
+ }
+ } while (error == EINTR);
+ }
#if HAVE_GETPGRP
+ /* Kill any remaining children in our process group, just in case
+ * we have any leftover children we don't expect. For example, if
+ * a krb5_child or ldap_child is running at the same moment.
+ */
+ error = 0;
if (getpgrp() == getpid()) {
- DEBUG(0,("%s: killing children\n", strsignal(signum)));
kill(-getpgrp(), SIGTERM);
+ do {
+ errno = 0;
+ pid = waitpid(0, &status, 0);
+ if (pid == -1) {
+ error = errno;
+ }
+ } while (error == EINTR || pid > 0);
}
#endif
+ monitor_cleanup();
+
exit(0);
}
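Review bot: Each `waitpid(svc->pid, &status, 0)` blocks with no timeout, so a single child that ignores SIGTERM or is stuck stalls the whole shutdown; the SIGKILL fallback is only reached when waitpid itself fails, never when the child simply refuses to exit. Prefer polling with WNOHANG against a deadline (sleeping briefly between calls) and escalating to SIGKILL, then reaping, once it passes; the same applies to the process-group loop below. Since waitpid is called without WUNTRACED, every successful return satisfies WIFEXITED or WIFSIGNALED, so the "did not exit cleanly" branch is unreachable. Minor: `if WIFEXITED(status)` and `else if WIFSIGNALED(status)` compile only because the macros expand to a parenthesised expression; write `if (WIFEXITED(status))` to match the rest of the file.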
--
1.7.3.2


@ -1 +1 @@
4f505e16bd0e9c5a441b2c9543cf0490 sssd-1.4.1.tar.gz a06468f7d540fa4d5e3de2644d933744 sssd-1.5.0.tar.gz


@ -4,8 +4,8 @@
%endif %endif
Name: sssd Name: sssd
Version: 1.4.1 Version: 1.5.0
Release: 3%{?dist} Release: 1%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -15,10 +15,6 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch0001: 0001-Log-startup-errors-to-syslog.patch
Patch0002: 0002-Properly-document-ldap_purge_cache_timeout.patch
Patch0003: 0003-Ensure-that-SSSD-shuts-down-completely-before-restar.patch
Patch0004: 0004-Wait-for-all-children-to-exit.patch
### Dependencies ### ### Dependencies ###
@ -78,6 +74,7 @@ BuildRequires: bind-utils
BuildRequires: keyutils-libs-devel BuildRequires: keyutils-libs-devel
BuildRequires: libnl-devel BuildRequires: libnl-devel
BuildRequires: nscd BuildRequires: nscd
BuildRequires: po4a
%description %description
Provides a set of daemons to manage access to remote directories and Provides a set of daemons to manage access to remote directories and
@ -95,14 +92,22 @@ License: LGPLv3+
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
service. service.
%package tools
Summary: Userspace tools for use with the SSSD
Group: Applications/System
License: GPLv3+
Requires: sssd = %{version}-%{release}
%description tools
Provides userspace tools for manipulating users, groups, and nested groups in
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
Also provides a userspace tool for generating an obfuscated LDAP password for
use with ldap_default_authtok_type = obfuscated_password.
%prep %prep
%setup -q %setup -q
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%build %build
%configure \ %configure \
--with-db-path=%{dbpath} \ --with-db-path=%{dbpath} \
@ -116,6 +121,7 @@ service.
--with-test-dir=/dev/shm --with-test-dir=/dev/shm
make %{?_smp_mflags} make %{?_smp_mflags}
make translated-manpages
%check %check
export CK_TIMEOUT_MULTIPLIER=10 export CK_TIMEOUT_MULTIPLIER=10
@ -172,14 +178,6 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING %doc COPYING
%{_initrddir}/%{name} %{_initrddir}/%{name}
%{_sbindir}/sssd %{_sbindir}/sssd
%{_sbindir}/sss_useradd
%{_sbindir}/sss_userdel
%{_sbindir}/sss_usermod
%{_sbindir}/sss_groupadd
%{_sbindir}/sss_groupdel
%{_sbindir}/sss_groupmod
%{_sbindir}/sss_groupshow
%{_sbindir}/sss_obfuscate
%{_libexecdir}/%{servicename}/ %{_libexecdir}/%{servicename}/
%{_libdir}/%{name}/ %{_libdir}/%{name}/
%{_libdir}/ldb/memberof.so %{_libdir}/ldb/memberof.so
@ -202,17 +200,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/sssd-ldap.5* %{_mandir}/man5/sssd-ldap.5*
%{_mandir}/man5/sssd-simple.5* %{_mandir}/man5/sssd-simple.5*
%{_mandir}/man8/sssd.8* %{_mandir}/man8/sssd.8*
%{_mandir}/man8/sss_groupadd.8*
%{_mandir}/man8/sss_groupdel.8*
%{_mandir}/man8/sss_groupmod.8*
%{_mandir}/man8/sss_groupshow.8*
%{_mandir}/man8/sss_useradd.8*
%{_mandir}/man8/sss_userdel.8*
%{_mandir}/man8/sss_usermod.8*
%{_mandir}/man8/sss_obfuscate.8*
%{python_sitearch}/pysss.so %{python_sitearch}/pysss.so
%{python_sitelib}/*.py* %{python_sitelib}/*.py*
%lang(cs) %{_mandir}/cs/man[58]/*
%files client %files client
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
@ -222,6 +214,26 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/pam_sss.8* %{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8* %{_mandir}/man8/sssd_krb5_locator_plugin.8*
%files tools
%defattr(-,root,root,-)
%doc COPYING
%{_sbindir}/sss_useradd
%{_sbindir}/sss_userdel
%{_sbindir}/sss_usermod
%{_sbindir}/sss_groupadd
%{_sbindir}/sss_groupdel
%{_sbindir}/sss_groupmod
%{_sbindir}/sss_groupshow
%{_sbindir}/sss_obfuscate
%{_mandir}/man8/sss_groupadd.8*
%{_mandir}/man8/sss_groupdel.8*
%{_mandir}/man8/sss_groupmod.8*
%{_mandir}/man8/sss_groupshow.8*
%{_mandir}/man8/sss_useradd.8*
%{_mandir}/man8/sss_userdel.8*
%{_mandir}/man8/sss_usermod.8*
%{_mandir}/man8/sss_obfuscate.8*
%post %post
/sbin/ldconfig /sbin/ldconfig
/sbin/chkconfig --add %{servicename} /sbin/chkconfig --add %{servicename}
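Review bot: Moving the sss_* tools and their man pages out of the main package into the new tools subpackage changes the upgrade path: a system that upgrades only `sssd` silently loses `%{_sbindir}/sss_useradd` and the other tools, because nothing pulls the new subpackage in. If that is intended, the changelog should say so; otherwise add a `Requires: sssd-tools = %{version}-%{release}` on the main package for one release cycle. The `Requires: sssd = %{version}-%{release}` on the subpackage is right, since the tools operate on the same local database as the daemon.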
@ -243,6 +255,28 @@ fi
%postun client -p /sbin/ldconfig %postun client -p /sbin/ldconfig
%changelog %changelog
* Wed Dec 22 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.5.0-1
- New upstream release 1.5.0
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
* Thu Nov 18 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-3 * Thu Nov 18 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-3
- Solve a shutdown race-condition that sometimes left processes running - Solve a shutdown race-condition that sometimes left processes running
- Resolves: rhbz#606887 - SSSD stops on upgrade - Resolves: rhbz#606887 - SSSD stops on upgrade