diff --git a/0001-confdb-avoid-syslog-message-when-no-domains-are-enab.patch b/0001-confdb-avoid-syslog-message-when-no-domains-are-enab.patch new file mode 100644 index 0000000..03142a9 --- /dev/null +++ b/0001-confdb-avoid-syslog-message-when-no-domains-are-enab.patch 
@@ -0,0 +1,96 @@ +From b38fdc8185fcd6a2e5d4b483d3119964f9922070 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 11 Oct 2022 12:10:25 +0200 +Subject: [PATCH 1/6] confdb: avoid syslog message when no domains are enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This syslog message would also appear when calling other tools like +sss_cache which is confusing. We return specific error code instead +and let the error be syslogged in the monitor in monitor.c:main (this +is already implemented). + +Resolves: https://github.com/SSSD/sssd/issues/6387 + +:fixes: A regression when running sss_cache when no SSSD domain is + enabled would produce a syslog critical message was fixed. + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +--- + src/confdb/confdb.c | 8 ++++---- + src/monitor/monitor.c | 2 +- + src/util/util_errors.c | 1 + + src/util/util_errors.h | 1 + + 4 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index ae2d90bf5e4bc231e878c0d5e2c84e46abd9f999..9465bffe394ebed783b8217f96049f3d07ba7e77 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1800,10 +1800,10 @@ int confdb_get_domains(struct confdb_ctx *cdb, + ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domlist); + if (ret == ENOENT) { + DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured, fatal error!\n"); +- sss_log(SSS_LOG_CRIT, "No domains configured, fatal error!\n"); ++ ret = ERR_NO_DOMAIN_ENABLED; + goto done; + } +- if (ret != EOK ) { ++ if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n"); + goto done; + } +@@ -2472,9 +2472,9 @@ int confdb_expand_app_domains(struct confdb_ctx *cdb) + ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domlist); + if (ret == ENOENT) { + DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured, fatal error!\n"); +- sss_log(SSS_LOG_CRIT, "No domains configured, fatal error!\n"); ++ 
ret = ERR_NO_DOMAIN_ENABLED; + goto done; +- } else if (ret != EOK ) { ++ } else if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n"); + goto done; + } +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index 17bb1d6685257f204e56baad43919366b75a140d..7670114d37646ebcacd1d0f8c6876e40ff03938e 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -2566,7 +2566,7 @@ int main(int argc, const char *argv[]) + "SSSD couldn't load the configuration database.\n"); + sss_log(SSS_LOG_CRIT, + "SSSD couldn't load the configuration database [%d]: %s.\n", +- ret, strerror(ret)); ++ ret, sss_strerror(ret)); + break; + } + return 4; +diff --git a/src/util/util_errors.c b/src/util/util_errors.c +index 647bc70a77ec8697e287f61d5895143f0a575157..899bef2f40e4f1c503c843b8307120e18c6c2d52 100644 +--- a/src/util/util_errors.c ++++ b/src/util/util_errors.c +@@ -64,6 +64,7 @@ struct err_string error_to_str[] = { + { "Cannot parse input" }, /* ERR_INPUT_PARSE */ + { "Entry not found" }, /* ERR_NOT_FOUND */ + { "Domain not found" }, /* ERR_DOMAIN_NOT_FOUND */ ++ { "No domain is enabled" }, /* ERR_NO_DOMAIN_ENABLED */ + { "Malformed search filter" }, /* ERR_INVALID_FILTER, */ + { "No POSIX attributes detected" }, /* ERR_NO_POSIX */ + { "Extra attribute is a duplicate" }, /* ERR_DUP_EXTRA_ATTR */ +diff --git a/src/util/util_errors.h b/src/util/util_errors.h +index 1a752753e4df2a9de5913920bb75ebf49a8f60a6..b55b340fcdcfd9b01a9053b6b2a24b68243f14f5 100644 +--- a/src/util/util_errors.h ++++ b/src/util/util_errors.h +@@ -85,6 +85,7 @@ enum sssd_errors { + ERR_INPUT_PARSE, + ERR_NOT_FOUND, + ERR_DOMAIN_NOT_FOUND, ++ ERR_NO_DOMAIN_ENABLED, + ERR_INVALID_FILTER, + ERR_NO_POSIX, + ERR_DUP_EXTRA_ATTR, +-- +2.37.3 + diff --git a/0002-monitor-read-all-enabled-domains-in-add_implicit_ser.patch b/0002-monitor-read-all-enabled-domains-in-add_implicit_ser.patch new file mode 100644 index 0000000..bc20edb --- /dev/null 
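Review bot: In patch 0001, `confdb_get_domains()` and `confdb_expand_app_domains()` now return `ERR_NO_DOMAIN_ENABLED` where they used to return `ENOENT`, but nothing at either branch records the new contract. Any caller that still tests `ret == ENOENT` will silently fall into its generic failure path. Only `monitor.c:main` is adjusted in this patch and `sss_cache` in 0003; other callers are not visible here and should be checked. I would add above both branches: `/* No enabled domain: return ERR_NO_DOMAIN_ENABLED (not ENOENT); the monitor syslogs it, tools may ignore it. */`. Also, the new enumerator goes into the middle of `enum sssd_errors` with no explicit values visible, so every later code appears to shift by one and the `[%d]` printed by the monitor differs between 2.8.0-1 and 2.8.0-2; log-matching rules should key on the `sss_strerror()` text. Both function bodies start and end outside the hunks.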
+++ b/0002-monitor-read-all-enabled-domains-in-add_implicit_ser.patch 
@@ -0,0 +1,101 @@ +From 4da861368b88c03b22993f95de5b508ad5637c25 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 11 Oct 2022 12:30:56 +0200 +Subject: [PATCH 2/6] monitor: read all enabled domains in + add_implicit_services +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reading sssd/domains option is no longer sufficient since domains +can be enabled through domain/enabled. + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +--- + src/confdb/confdb.c | 15 ++------------- + src/confdb/confdb.h | 11 +++++++++++ + src/monitor/monitor.c | 9 +++++---- + 3 files changed, 18 insertions(+), 17 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index 9465bffe394ebed783b8217f96049f3d07ba7e77..3ecdaa3b91e3b550f670768d336e9d7d85bb66e6 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -45,9 +45,6 @@ + /* SSSD domain name that is used for the auto-configured files domain */ + #define IMPLICIT_FILES_DOMAIN_NAME "implicit_files" + +- +-static int confdb_get_enabled_domain_list(struct confdb_ctx *cdb, +- TALLOC_CTX *ctx, char ***_result); + static int confdb_get_domain_enabled(struct confdb_ctx *cdb, + const char *domain, bool *_enabled); + +@@ -2675,16 +2672,8 @@ done: + return ret; + } + +-/** +- * Retrieve the list of enabled domains considering the explicit list +- * and the 'enabled' attribute. +- * @param cdb The database configuration context. +- * @param ctx The memory context. +- * @param result Output variable where the list of domains will be stored. +- * @return 0 if the list was retrieved properly, another value on error. 
+- */ +-static int confdb_get_enabled_domain_list(struct confdb_ctx *cdb, +- TALLOC_CTX *ctx, char ***_result) ++int confdb_get_enabled_domain_list(struct confdb_ctx *cdb, ++ TALLOC_CTX *ctx, char ***_result) + { + int ret; + char **domlist = NULL; +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 0effd1193708676ade230d8922ab78fae9b5c15a..a53894846737467f12e5dcd99ce35ebee165ccf7 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -497,6 +497,17 @@ int confdb_get_domain(struct confdb_ctx *cdb, + int confdb_get_domains(struct confdb_ctx *cdb, + struct sss_domain_info **domains); + ++/** ++ * Retrieve the list of enabled domains considering the explicit list ++ * and the 'enabled' attribute. ++ * @param cdb The database configuration context. ++ * @param ctx The memory context. ++ * @param result Output variable where the list of domains will be stored. ++ * @return 0 if the list was retrieved properly, ENOENT if no domain is enabled, another value on error. ++ */ ++int confdb_get_enabled_domain_list(struct confdb_ctx *cdb, ++ TALLOC_CTX *ctx, char ***_result); ++ + int confdb_expand_app_domains(struct confdb_ctx *cdb); + + /** +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index 7670114d37646ebcacd1d0f8c6876e40ff03938e..511e13971d253bc25cb9a04008c1a363f2182748 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -777,13 +777,14 @@ static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx + return ENOMEM; + } + +- ret = confdb_get_string_as_list(cdb, tmp_ctx, +- CONFDB_MONITOR_CONF_ENTRY, +- CONFDB_MONITOR_ACTIVE_DOMAINS, +- &domain_names); ++ ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domain_names); + if (ret == ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "No domains configured!\n"); + goto done; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Error retrieving domains list [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; + } + + ret = confdb_get_bool(cdb, 
CONFDB_MONITOR_CONF_ENTRY, +-- +2.37.3 + diff --git a/0003-sss_cache-use-ERR_NO_DOMAIN_ENABLED-instead-of-ENOEN.patch b/0003-sss_cache-use-ERR_NO_DOMAIN_ENABLED-instead-of-ENOEN.patch new file mode 100644 index 0000000..5342920 --- /dev/null +++ b/0003-sss_cache-use-ERR_NO_DOMAIN_ENABLED-instead-of-ENOEN.patch @@ -0,0 +1,39 @@ +From 64c22dd1c4f79f953b879fc167b535de928f4bfd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 11 Oct 2022 14:51:53 +0200 +Subject: [PATCH 3/6] sss_cache: use ERR_NO_DOMAIN_ENABLED instead of ENOENT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +--- + src/tools/sss_cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c +index 6740e83b0359911824805d565c7c3e5a6d36f68c..79de13ac8725acd4cdde92a8869fcf1a3c289bb3 100644 +--- a/src/tools/sss_cache.c ++++ b/src/tools/sss_cache.c +@@ -165,7 +165,7 @@ int main(int argc, const char *argv[]) + } + + ret = init_context(argc, argv, &tctx); +- if (ret == ENOENT) { ++ if (ret == ERR_NO_DOMAIN_ENABLED) { + /* nothing to invalidate; no reason to fail */ + ret = EOK; + goto done; +@@ -909,7 +909,7 @@ static errno_t init_context(int argc, const char *argv[], + } + + ret = init_domains(ctx, values.domain); +- if (ret == ENOENT && values.domain == NULL) { ++ if (ret == ERR_NO_DOMAIN_ENABLED && values.domain == NULL) { + /* Nothing to invalidate; do not log confusing messages. */ + goto fini; + } else if (ret != EOK) { +-- +2.37.3 + diff --git a/0004-confdb-chande-debug-level-when-no-domain-are-found-i.patch b/0004-confdb-chande-debug-level-when-no-domain-are-found-i.patch new file mode 100644 index 0000000..46f0688 --- /dev/null +++ b/0004-confdb-chande-debug-level-when-no-domain-are-found-i.patch 
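Review bot: In patch 0002, the now-public `confdb_get_enabled_domain_list()` still reports "no domain enabled" as plain `ENOENT`, and the new call in `add_implicit_services()` passes that value through `goto done` unchanged. The two callers in confdb.c translate the same condition to `ERR_NO_DOMAIN_ENABLED`, so the same state now surfaces under two codes depending on the entry point. Whether the caller of `add_implicit_services()` relies on `ENOENT` is outside the hunk and should be confirmed before aligning it. The header comment moved to confdb.h also names `@param result` although the parameter is `_result`; I would write `@param _result Output variable where the list of domains will be stored.` and state which context owns the returned list.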
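Review bot: In patch 0003, `main()` turns every `ERR_NO_DOMAIN_ENABLED` from `init_context()` into `EOK`, whereas `init_context()` applies the "nothing to invalidate" shortcut only when `values.domain == NULL`. If the `else if (ret != EOK)` branch (its body is outside the hunk) returns the code unchanged, a run that named a domain explicitly would log a failure and still exit 0. Scripts that use the exit status to confirm a cache flush would then see a false success. Either have that branch return a different code, or document the intent at the check in `main()`, e.g. `/* no domain enabled and none requested: nothing to invalidate */`.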
@@ -0,0 +1,63 @@ +From df55b1f16ea2fb5e56f0fe69419904d50b7e2476 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 12 Oct 2022 14:32:31 +0200 +Subject: [PATCH 4/6] confdb: chande debug level when no domain are found in + confdb_get_domains +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We print the error as fatal error in the monitor to make sure the +message is correctly visible. However, the error is not fatal for tools +like sss_cache and it should not be printed there by default. + +Since the tools have default debug level set to SSSDBG_FATAL_FAILURE, it +is sufficient to just drop the level to critical. + +Resolves: https://github.com/SSSD/sssd/issues/6387 + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +--- + src/confdb/confdb.c | 5 ++--- + src/monitor/monitor.c | 5 +++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index 3ecdaa3b91e3b550f670768d336e9d7d85bb66e6..cf0476f759827f3e1aa1f445d4e71c09b3ec3239 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1796,11 +1796,10 @@ int confdb_get_domains(struct confdb_ctx *cdb, + + ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domlist); + if (ret == ENOENT) { +- DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured, fatal error!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "No domains configured, fatal error!\n"); + ret = ERR_NO_DOMAIN_ENABLED; + goto done; +- } +- if (ret != EOK) { ++ } else if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n"); + goto done; + } +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index 511e13971d253bc25cb9a04008c1a363f2182748..2196c2e0b0fdd630335333e7d53026e34302e512 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -2564,9 +2564,10 @@ int main(int argc, const char *argv[]) + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, +- "SSSD couldn't load the configuration 
database.\n"); ++ "SSSD couldn't load the configuration database [%d]: %s\n", ++ ret, sss_strerror(ret)); + sss_log(SSS_LOG_CRIT, +- "SSSD couldn't load the configuration database [%d]: %s.\n", ++ "SSSD couldn't load the configuration database [%d]: %s\n", + ret, sss_strerror(ret)); + break; + } +-- +2.37.3 + diff --git a/sssd.spec b/sssd.spec index 89a0502..4730830 100644 --- a/sssd.spec +++ b/sssd.spec @@ -43,7 +43,7 @@ Name: sssd Version: 2.8.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ @@ -51,6 +51,11 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.8.0/sssd-2.8.0.tar.gz ### Patches ### +Patch0001: 0001-confdb-avoid-syslog-message-when-no-domains-are-enab.patch +Patch0002: 0002-monitor-read-all-enabled-domains-in-add_implicit_ser.patch +Patch0003: 0003-sss_cache-use-ERR_NO_DOMAIN_ENABLED-instead-of-ENOEN.patch +Patch0004: 0004-confdb-chande-debug-level-when-no-domain-are-found-i.patch + ### Dependencies ### Requires: sssd-ad = %{version}-%{release} @@ -1058,6 +1063,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Oct 24 2022 Pavel Březina - 2.8.0-2 +- Fix regression, syslog is no longer spammed when no SSSD domain is configured (#2133437) + * Fri Oct 7 2022 Pavel Březina - 2.8.0-1 - Rebase to SSSD 2.8.0
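Review bot: Patch 0004 lowers the "No domains configured" message to `SSSDBG_CRIT_FAILURE` only in `confdb_get_domains()`; the identical branch in `confdb_expand_app_domains()`, touched by 0001, still logs at `SSSDBG_FATAL_FAILURE`. Any tool that reaches that function (not visible here) would therefore still print the message at its default level. I would change it there as well, to `DEBUG(SSSDBG_CRIT_FAILURE, "No domains configured, fatal error!\n");`, and reconsider the "fatal error!" wording now that the condition is explicitly non-fatal for tools. The choice of level depends on tools defaulting to `SSSDBG_FATAL_FAILURE`, which is stated only in the commit message; a comment such as `/* CRIT, not FATAL: tools default to SSSDBG_FATAL_FAILURE and must stay quiet; the monitor reports this itself */` would keep a later cleanup from raising it again. The enclosing functions extend beyond the hunks.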