Compare commits
30 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
4c9df62bbd | ||
|
9499284780 | ||
|
66aebe955a | ||
|
b6bda2dd7f | ||
|
2d5ee413ae | ||
|
3c27c875b7 | ||
|
4c80037896 | ||
|
d8d7ab916a | ||
|
8a5c19cd14 | ||
|
91a5f84c4e | ||
|
b263f398aa | ||
|
89124ab716 | ||
|
a8d6ed0d03 | ||
|
c02b336ae5 | ||
|
206ba71f3b | ||
|
5421a7ac42 | ||
|
39f9584222 | ||
|
9c697fc1c9 | ||
|
b94a90c4f8 | ||
|
c9f95e64e6 | ||
|
feafcbceb6 | ||
|
7a5408348e | ||
|
57f8f94800 | ||
|
a8ed2fc107 | ||
|
e6b903faa9 | ||
|
f34aee5f3c | ||
|
71973658c1 | ||
|
bb81545818 | ||
|
bab31444d7 | ||
|
0e461dd512 |
27
.gitignore
vendored
@ -78,30 +78,3 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-1.15.2.tar.gz
|
||||
/sssd-1.15.3.tar.gz
|
||||
/sssd-1.16.0.tar.gz
|
||||
/sssd-1.16.1.tar.gz
|
||||
/sssd-1.16.2.tar.gz
|
||||
/sssd-2.0.0.tar.gz
|
||||
/sssd-2.1.0.tar.gz
|
||||
/sssd-2.2.0.tar.gz
|
||||
/sssd-2.2.1.tar.gz
|
||||
/sssd-2.2.2.tar.gz
|
||||
/sssd-2.2.3.tar.gz
|
||||
/sssd-2.3.0.tar.gz
|
||||
/sssd-2.3.1.tar.gz
|
||||
/sssd-2.4.0.tar.gz
|
||||
/sssd-2.4.1.tar.gz
|
||||
/sssd-2.4.2.tar.gz
|
||||
/sssd-2.5.0.tar.gz
|
||||
/sssd-2.5.1.tar.gz
|
||||
/sssd-2.5.2.tar.gz
|
||||
/sssd-2.6.0.tar.gz
|
||||
/sssd-2.6.1.tar.gz
|
||||
/sssd-2.6.2.tar.gz
|
||||
/sssd-2.6.3.tar.gz
|
||||
/sssd-2.7.0.tar.gz
|
||||
/sssd-2.7.1.tar.gz
|
||||
/sssd-2.7.3.tar.gz
|
||||
/sssd-2.7.4.tar.gz
|
||||
/sssd-2.8.0.tar.gz
|
||||
/sssd-2.8.1.tar.gz
|
||||
/sssd-2.8.2.tar.gz
|
||||
|
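--- /dev/null
+++ b/0001-KCM-Fix-typo-in-comments.patch
@@ -0,0 +1,38 @@
+From fd7226ff51eb9af70d0fcb63727cd1a48ab0534b Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 23 Oct 2017 07:35:52 +0200
+Subject: [PATCH 01/79] KCM: Fix typo in comments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+src/responder/kcm/kcmsrv_ccache_json.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
+index 8199bc613e4204859438e1cd820f3f4b2123dd7e..f1cca9880d128d05ad1edfc5c3b2f709d1a67d48 100644
+--- a/src/responder/kcm/kcmsrv_ccache_json.c
++++ b/src/responder/kcm/kcmsrv_ccache_json.c
+@@ -265,7 +265,7 @@ static json_t *princ_data_to_json(TALLOC_CTX *mem_ctx,
+* {
+* "type": "number",
+* "realm": "string",
+- * "componenents": [ "elem1", "elem2", ...]
++ * "components": [ "elem1", "elem2", ...]
+* }
+*/
+static json_t *princ_to_json(TALLOC_CTX *mem_ctx,
+@@ -400,7 +400,7 @@ static json_t *creds_to_json_array(struct kcm_cred *creds)
+* principal : {
+* "type": "number",
+* "realm": "string",
+- * "componenents": [ "elem1", "elem2", ...]
++ * "components": [ "elem1", "elem2", ...]
+* }
+* creds : [
+* {
+--
+2.15.1
+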
556
0002-Fix-minor-spelling-mistakes.patch
Normal file
@ -0,0 +1,556 @@
|
||||
From aeb34cfcb9ded4cd7d272220a3d3802be89b7dd8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ren=C3=A9=20Genz?= <liebundartig@freenet.de>
|
||||
Date: Sun, 22 Oct 2017 22:24:27 +0200
|
||||
Subject: [PATCH 02/79] Fix minor spelling mistakes
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3556
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
contrib/sssd.spec.in | 6 +++---
|
||||
src/db/sysdb_private.h | 2 +-
|
||||
src/db/sysdb_views.c | 4 ++--
|
||||
src/examples/sssd-example.conf | 2 +-
|
||||
src/lib/idmap/sss_idmap.doxy.in | 2 +-
|
||||
src/man/sssd-secrets.5.xml | 2 +-
|
||||
src/providers/ad/ad_gpo.c | 4 ++--
|
||||
src/providers/be_dyndns.c | 2 +-
|
||||
src/providers/data_provider/dp_request.c | 2 +-
|
||||
src/providers/krb5/krb5_child.c | 2 +-
|
||||
src/providers/ldap/sdap_async_sudo.c | 2 +-
|
||||
src/responder/kcm/kcmsrv_ccache_json.c | 2 +-
|
||||
src/responder/kcm/kcmsrv_op_queue.c | 4 ++--
|
||||
src/sbus/sssd_dbus_connection.c | 4 ++--
|
||||
src/shared/safealign.h | 4 ++--
|
||||
src/sss_client/autofs/sss_autofs.c | 4 ++--
|
||||
src/sss_client/idmap/sss_nss_idmap.doxy.in | 2 +-
|
||||
src/sss_client/libwbclient/wbc_pwd_sssd.c | 2 +-
|
||||
src/sss_client/sudo/sss_sudo.h | 10 +++++-----
|
||||
src/tests/cmocka/common_mock_resp_dp.c | 2 +-
|
||||
src/tests/cmocka/test_sbus_opath.c | 2 +-
|
||||
src/tools/common/sss_process.c | 2 +-
|
||||
src/tools/common/sss_process.h | 2 +-
|
||||
src/tools/sssctl/sssctl.c | 4 ++--
|
||||
src/tools/sssctl/sssctl_data.c | 2 +-
|
||||
src/util/crypto/libcrypto/crypto_sha512crypt.c | 2 +-
|
||||
src/util/crypto/nss/nss_sha512crypt.c | 2 +-
|
||||
src/util/server.c | 6 +++---
|
||||
src/util/sss_ini.h | 2 +-
|
||||
src/util/tev_curl.c | 2 +-
|
||||
src/util/util_lock.c | 2 +-
|
||||
31 files changed, 46 insertions(+), 46 deletions(-)
|
||||
|
||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||
index e76b51833d5dfa3207d28add4af1016c00f25e1f..d6ab73e60863316cbf239d34242959fdfe8d4b1b 100644
|
||||
--- a/contrib/sssd.spec.in
|
||||
+++ b/contrib/sssd.spec.in
|
||||
@@ -241,7 +241,7 @@ the system and a pluggable backend system to connect to multiple different
|
||||
account sources. It is also the basis to provide client auditing and policy
|
||||
services for projects like FreeIPA.
|
||||
|
||||
-The sssd subpackage is a meta-package that contains the deamon as well as all
|
||||
+The sssd subpackage is a meta-package that contains the daemon as well as all
|
||||
the existing back ends.
|
||||
|
||||
%package common
|
||||
@@ -496,7 +496,7 @@ Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
|
||||
%description -n libsss_idmap
|
||||
-Utility library to convert SIDs to Unix uids and gids
|
||||
+Utility library to convert SIDs to UNIX UIDs and GIDs
|
||||
|
||||
%package -n libsss_idmap-devel
|
||||
Summary: FreeIPA Idmap library
|
||||
@@ -505,7 +505,7 @@ License: LGPLv3+
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
|
||||
%description -n libsss_idmap-devel
|
||||
-Utility library to SIDs to Unix uids and gids
|
||||
+Utility library to SIDs to UNIX UIDs and GIDs
|
||||
|
||||
%package -n libipa_hbac
|
||||
Summary: FreeIPA HBAC Evaluator library
|
||||
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
||||
index dbd75615bc212e73c4338a76dceaa68a5889ed1d..7c3347fec99f60160804a6eed178baedafb81d33 100644
|
||||
--- a/src/db/sysdb_private.h
|
||||
+++ b/src/db/sysdb_private.h
|
||||
@@ -185,7 +185,7 @@ int sysdb_delete_ulong(struct ldb_message *msg,
|
||||
|
||||
/* The utility function to create a subdomain sss_domain_info object is handy
|
||||
* for unit tests, so it should be available in a header, but not a public util
|
||||
- * one, because the only interface for the deamon itself should be adding
|
||||
+ * one, because the only interface for the daemon itself should be adding
|
||||
* the sysdb domain object and calling sysdb_update_subdomains()
|
||||
*/
|
||||
struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
||||
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
|
||||
index afc7852ecf402ef144beca9c1b94fbe3cc4bbb6a..f640c813acf4deafe98eb15708d3a94790502dcb 100644
|
||||
--- a/src/db/sysdb_views.c
|
||||
+++ b/src/db/sysdb_views.c
|
||||
@@ -722,7 +722,7 @@ static errno_t safe_original_attributes(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* Safe orginal values in attributes prefixed by OriginalAD. */
|
||||
+ /* Safe original values in attributes prefixed by OriginalAD. */
|
||||
for (c = 0; allowed_attrs[c] != NULL; c++) {
|
||||
el = ldb_msg_find_element(orig_obj->msgs[0], allowed_attrs[c]);
|
||||
if (el != NULL) {
|
||||
@@ -753,7 +753,7 @@ static errno_t safe_original_attributes(struct sss_domain_info *domain,
|
||||
el = ldb_msg_find_element(orig_obj->msgs[0], SYSDB_NAME_ALIAS);
|
||||
if (el != NULL) {
|
||||
for (c = 0; c < el->num_values; c++) {
|
||||
- /* To avoid issue with ldb_modify if e.g. the orginal and the
|
||||
+ /* To avoid issue with ldb_modify if e.g. the original and the
|
||||
* override name are the same, we use the *_safe version here. */
|
||||
ret = sysdb_attrs_add_val_safe(attrs, SYSDB_NAME_ALIAS,
|
||||
&el->values[c]);
|
||||
diff --git a/src/examples/sssd-example.conf b/src/examples/sssd-example.conf
|
||||
index 59df41673586d5c7d2602cc5290c40ec5bd64986..34b2b22c5f619f49bb9aa1edf04849df5e40c787 100644
|
||||
--- a/src/examples/sssd-example.conf
|
||||
+++ b/src/examples/sssd-example.conf
|
||||
@@ -32,7 +32,7 @@ services = nss, pam
|
||||
# An example Active Directory domain. Please note that this configuration
|
||||
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
|
||||
# compliant attribute names. To support UNIX clients with AD 2003 or older,
|
||||
-# you must install Microsoft Services For Unix and map LDAP attributes onto
|
||||
+# you must install Microsoft Services For UNIX and map LDAP attributes onto
|
||||
# msSFU30* attribute names.
|
||||
; [domain/AD]
|
||||
; id_provider = ldap
|
||||
diff --git a/src/lib/idmap/sss_idmap.doxy.in b/src/lib/idmap/sss_idmap.doxy.in
|
||||
index 991028f65c251e2bc0086487817271b527fa439b..833498b189a038a06414ff623179ef69d24affb7 100644
|
||||
--- a/src/lib/idmap/sss_idmap.doxy.in
|
||||
+++ b/src/lib/idmap/sss_idmap.doxy.in
|
||||
@@ -719,7 +719,7 @@ RECURSIVE = NO
|
||||
EXCLUDE =
|
||||
|
||||
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
|
||||
-# directories that are symbolic links (a Unix file system feature) are excluded
|
||||
+# directories that are symbolic links (a UNIX file system feature) are excluded
|
||||
# from the input.
|
||||
|
||||
EXCLUDE_SYMLINKS = NO
|
||||
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
|
||||
index 08ab371c64eb49e4f153bb2183c07681b1050bb0..a738fbfffa1bdb7038e70a4a49651eb6a9286b1c 100644
|
||||
--- a/src/man/sssd-secrets.5.xml
|
||||
+++ b/src/man/sssd-secrets.5.xml
|
||||
@@ -46,7 +46,7 @@
|
||||
project was born to deal with this problem in cloud like
|
||||
environments, but we found the idea compelling even at a
|
||||
single system level. As a security service, SSSD is ideal to
|
||||
- host this capability while offering the same API via a Unix
|
||||
+ host this capability while offering the same API via a UNIX
|
||||
Socket. This will make it possible to use local calls and have
|
||||
them transparently routed to a local or a remote key management
|
||||
store like IPA Vault for storage, escrow and recovery.
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index a5237f6fad7fc79fbcbafc8aac28cff15677009f..d9ea311417fc5d57850aa9a6c3736964844675bd 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -680,7 +680,7 @@ ad_gpo_ace_includes_client_sid(const char *user_sid,
|
||||
* named "ApplyGroupPolicy" (AGP) is allowed, by comparing the specified
|
||||
* user_sid and group_sids against the specified access control entry (ACE).
|
||||
* This function returns ALLOWED, DENIED, or NEUTRAL depending on whether
|
||||
- * the ACE explictly allows, explicitly denies, or does neither.
|
||||
+ * the ACE explicitly allows, explicitly denies, or does neither.
|
||||
*
|
||||
* Note that the 'M' abbreviation used in the evaluation algorithm stands for
|
||||
* "access_mask", which represents the set of access rights associated with an
|
||||
@@ -3860,7 +3860,7 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
|
||||
ret = sysdb_attrs_get_int32_t(result, AD_AT_FUNC_VERSION,
|
||||
&gp_gpo->gpo_func_version);
|
||||
if (ret == ENOENT) {
|
||||
- /* If this attrbute is missing we can skip the GPO. It will
|
||||
+ /* If this attribute is missing we can skip the GPO. It will
|
||||
* be filtered out according to MS-GPOL:
|
||||
* https://msdn.microsoft.com/en-us/library/cc232538.aspx */
|
||||
DEBUG(SSSDBG_TRACE_ALL, "GPO with GUID %s is missing attribute "
|
||||
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
|
||||
index ee264156824d7c5ab27c919ae0c56bbd6c0bc54f..b968e67b3e3e6a4f2937dce502c2c9b4ad136a4b 100644
|
||||
--- a/src/providers/be_dyndns.c
|
||||
+++ b/src/providers/be_dyndns.c
|
||||
@@ -706,7 +706,7 @@ nsupdate_get_addrs_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
- /* The second address matched either immediatelly or after a retry.
|
||||
+ /* The second address matched either immediately or after a retry.
|
||||
* No need to retry again. */
|
||||
ret = EOK;
|
||||
|
||||
diff --git a/src/providers/data_provider/dp_request.c b/src/providers/data_provider/dp_request.c
|
||||
index a6bc020e0649760c46637d6f90569248792f7f04..295758a765bfdedd539d44f86a37efae0846763f 100644
|
||||
--- a/src/providers/data_provider/dp_request.c
|
||||
+++ b/src/providers/data_provider/dp_request.c
|
||||
@@ -412,7 +412,7 @@ static void dp_terminate_request(struct dp_req *dp_req)
|
||||
{
|
||||
if (dp_req->handler_req == NULL) {
|
||||
/* This may occur when the handler already finished but the caller
|
||||
- * of dp request did not yet recieved data/free dp_req. We just
|
||||
+ * of dp request did not yet received data/free dp_req. We just
|
||||
* return here. */
|
||||
return;
|
||||
}
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index 888cc5d6f5c554901cc46d4315844d7bbbe582b8..b8ee497728b4b70fae89e528172e9d5bd42239c0 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -1612,7 +1612,7 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* Successfull authentication! Check if ccache contains the
|
||||
+ /* Successful authentication! Check if ccache contains the
|
||||
* right principal...
|
||||
*/
|
||||
kerr = sss_krb5_check_ccache_princ(kr->ctx, kr->ccname, kr->creds->client);
|
||||
diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
|
||||
index 3c69837fda313b2645c3a8497252670312f600ea..f33d5b5fa86dc1806695482d627bd71a2b040d6e 100644
|
||||
--- a/src/providers/ldap/sdap_async_sudo.c
|
||||
+++ b/src/providers/ldap/sdap_async_sudo.c
|
||||
@@ -616,7 +616,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
|
||||
}
|
||||
in_transaction = false;
|
||||
|
||||
- DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfuly stored in cache\n");
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfully stored in cache\n");
|
||||
|
||||
/* remember new usn */
|
||||
ret = sysdb_get_highest_usn(state, rules, rules_count, &usn);
|
||||
diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
|
||||
index f1cca9880d128d05ad1edfc5c3b2f709d1a67d48..33cb51621f26a11051e2fac4c5d7c959b30d9f00 100644
|
||||
--- a/src/responder/kcm/kcmsrv_ccache_json.c
|
||||
+++ b/src/responder/kcm/kcmsrv_ccache_json.c
|
||||
@@ -210,7 +210,7 @@ bool sec_key_match_uuid(const char *sec_key,
|
||||
/*
|
||||
* Creates an array of principal elements that will be used later
|
||||
* in the form of:
|
||||
- * "componenets": [ "elem1", "elem2", ...]
|
||||
+ * "components": [ "elem1", "elem2", ...]
|
||||
*/
|
||||
static json_t *princ_data_to_json(TALLOC_CTX *mem_ctx,
|
||||
krb5_principal princ)
|
||||
diff --git a/src/responder/kcm/kcmsrv_op_queue.c b/src/responder/kcm/kcmsrv_op_queue.c
|
||||
index 55c8b65d94f70979fe56fcc4d8747547a9cc9d33..ee1aa47ab629022bb726c4d5deb1eb1456124df1 100644
|
||||
--- a/src/responder/kcm/kcmsrv_op_queue.c
|
||||
+++ b/src/responder/kcm/kcmsrv_op_queue.c
|
||||
@@ -179,7 +179,7 @@ static struct kcm_ops_queue *kcm_op_queue_get(struct kcm_ops_queue_ctx *qctx,
|
||||
case HASH_ERROR_KEY_NOT_FOUND:
|
||||
/* No request for this UID yet. Enqueue this request in case
|
||||
* another one comes in and return EOK to run the current request
|
||||
- * immediatelly
|
||||
+ * immediately
|
||||
*/
|
||||
DEBUG(SSSDBG_TRACE_LIBS, "No existing queue for this ID\n");
|
||||
|
||||
@@ -220,7 +220,7 @@ static errno_t kcm_op_queue_add_req(struct kcm_ops_queue *kq,
|
||||
* Enqueue a request.
|
||||
*
|
||||
* If the request queue /for the given ID/ is empty, that is, if this
|
||||
- * request is the first one in the queue, run the request immediatelly.
|
||||
+ * request is the first one in the queue, run the request immediately.
|
||||
*
|
||||
* Otherwise just add it to the queue and wait until the previous request
|
||||
* finishes and only at that point mark the current request as done, which
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index de134f2f21bfb9697fcc8a42622817bc50b54f2a..bdd4a247a670f1928573a1bd18dc8e585b997b7d 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -179,7 +179,7 @@ int sbus_init_connection(TALLOC_CTX *ctx,
|
||||
|
||||
conn->incoming_signals = sbus_incoming_signal_hash_init(conn);
|
||||
if (conn->incoming_signals == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming singals "
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming signals "
|
||||
"hash table\n");
|
||||
talloc_free(conn);
|
||||
return EIO;
|
||||
@@ -327,7 +327,7 @@ static int connection_destructor(void *ctx)
|
||||
|
||||
/*
|
||||
* sbus_get_connection
|
||||
- * Utility function to retreive the DBusConnection object
|
||||
+ * Utility function to retrieve the DBusConnection object
|
||||
* from a sbus_connection
|
||||
*/
|
||||
DBusConnection *sbus_get_connection(struct sbus_connection *conn)
|
||||
diff --git a/src/shared/safealign.h b/src/shared/safealign.h
|
||||
index 2316ed14245c4469171f9eb4a42e70fc6b3fd8a8..b00c37f5b98bd4bf7ff6cea8e1208d80c77f0228 100644
|
||||
--- a/src/shared/safealign.h
|
||||
+++ b/src/shared/safealign.h
|
||||
@@ -98,8 +98,8 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
|
||||
SAFEALIGN_SETMEM_VALUE(dest, value, uint16_t, pctr)
|
||||
|
||||
/* These macros are the same as their equivalents without _CHECK suffix,
|
||||
- * but additionally make the caller return EINVAL immediatelly if *pctr
|
||||
- * would excceed len. */
|
||||
+ * but additionally make the caller return EINVAL immediately if *pctr
|
||||
+ * would exceed len. */
|
||||
#define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \
|
||||
if ((*(pctr) + sizeof(uint32_t)) > (len) || \
|
||||
SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) { return EINVAL; } \
|
||||
diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
|
||||
index 02f91ab2b3d29a189e949f6a8d645ea4ccd7f6e3..482ff2c400b10829ccb6d6a921c8c2e15c7fcdd2 100644
|
||||
--- a/src/sss_client/autofs/sss_autofs.c
|
||||
+++ b/src/sss_client/autofs/sss_autofs.c
|
||||
@@ -30,7 +30,7 @@
|
||||
#define MAX_AUTOMNTMAPNAME_LEN NAME_MAX
|
||||
#define MAX_AUTOMNTKEYNAME_LEN PATH_MAX
|
||||
|
||||
-/* How many entries shall _sss_getautomntent_r retreive at once */
|
||||
+/* How many entries shall _sss_getautomntent_r retrieve at once */
|
||||
#define GETAUTOMNTENT_MAX_ENTRIES 512
|
||||
|
||||
struct automtent {
|
||||
@@ -287,7 +287,7 @@ _sss_getautomntent_r(char **key, char **value, void *context)
|
||||
data_len = sizeof(uint32_t) + /* mapname len */
|
||||
name_len + 1 + /* mapname\0 */
|
||||
sizeof(uint32_t) + /* index into the map */
|
||||
- sizeof(uint32_t); /* num entries to retreive */
|
||||
+ sizeof(uint32_t); /* num entries to retrieve */
|
||||
|
||||
data = malloc(data_len);
|
||||
if (!data) {
|
||||
diff --git a/src/sss_client/idmap/sss_nss_idmap.doxy.in b/src/sss_client/idmap/sss_nss_idmap.doxy.in
|
||||
index d75237622507d2a43ef382815544b8339054f474..f6c18ba1f0d368e989ce0d18a500b6523622b9c1 100644
|
||||
--- a/src/sss_client/idmap/sss_nss_idmap.doxy.in
|
||||
+++ b/src/sss_client/idmap/sss_nss_idmap.doxy.in
|
||||
@@ -616,7 +616,7 @@ RECURSIVE = NO
|
||||
EXCLUDE =
|
||||
|
||||
# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
|
||||
-# directories that are symbolic links (a Unix filesystem feature) are excluded
|
||||
+# directories that are symbolic links (a UNIX filesystem feature) are excluded
|
||||
# from the input.
|
||||
|
||||
EXCLUDE_SYMLINKS = NO
|
||||
diff --git a/src/sss_client/libwbclient/wbc_pwd_sssd.c b/src/sss_client/libwbclient/wbc_pwd_sssd.c
|
||||
index 08c3b86372c86f228aeeb584068f82bd97cfe0fe..cacad9d3230c341ae478a4e4e41864ecdc4209b3 100644
|
||||
--- a/src/sss_client/libwbclient/wbc_pwd_sssd.c
|
||||
+++ b/src/sss_client/libwbclient/wbc_pwd_sssd.c
|
||||
@@ -606,7 +606,7 @@ wbcErr wbcGetgrlist(struct group **grp)
|
||||
WBC_SSSD_NOT_IMPLEMENTED;
|
||||
}
|
||||
|
||||
-/* Return the unix group array belonging to the given user */
|
||||
+/* Return the Unix group array belonging to the given user */
|
||||
wbcErr wbcGetGroups(const char *account,
|
||||
uint32_t *num_groups,
|
||||
gid_t **_groups)
|
||||
diff --git a/src/sss_client/sudo/sss_sudo.h b/src/sss_client/sudo/sss_sudo.h
|
||||
index 1a275cfafbb0476b163599854cbbc1f91101f360..1dcd569a59cde2eec88476aef2bc3ab35a089c86 100644
|
||||
--- a/src/sss_client/sudo/sss_sudo.h
|
||||
+++ b/src/sss_client/sudo/sss_sudo.h
|
||||
@@ -87,11 +87,11 @@ struct sss_sudo_result {
|
||||
};
|
||||
|
||||
/**
|
||||
- * @brief Send a request to SSSD to retreive all SUDO rules for a given
|
||||
+ * @brief Send a request to SSSD to retrieve all SUDO rules for a given
|
||||
* user.
|
||||
*
|
||||
- * @param[in] uid The uid of the user to retreive the rules for.
|
||||
- * @param[in] username The username to retreive the rules for
|
||||
+ * @param[in] uid The uid of the user to retrieve the rules for.
|
||||
+ * @param[in] username The username to retrieve the rules for
|
||||
* @param[in] domainname The domain name the user is a member of.
|
||||
* @param[out] _error The result of the search in SSSD's domains. If the
|
||||
* user was present in the domain, the _error code is
|
||||
@@ -122,9 +122,9 @@ int sss_sudo_send_recv(uid_t uid,
|
||||
* @brief Send a request to SSSD to retrieve the default options, commonly
|
||||
* stored in the "cn=defaults" record,
|
||||
*
|
||||
- * @param[in] uid The uid of the user to retreive the rules for.
|
||||
+ * @param[in] uid The uid of the user to retrieve the rules for.
|
||||
*
|
||||
- * @param[in] username The username to retreive the rules for.
|
||||
+ * @param[in] username The username to retrieve the rules for.
|
||||
*
|
||||
* @param[out] _error The result of the search in SSSD's domains. If the
|
||||
* options were present in the domain, the _error code
|
||||
diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
index 4b38a38e6f53499132f9fe14a0ec0af157cf85ca..ece887b12d472c3fb01477d213f4308a535f8fe7 100644
|
||||
--- a/src/tests/cmocka/common_mock_resp_dp.c
|
||||
+++ b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
@@ -24,7 +24,7 @@
|
||||
#include "responder/common/responder.h"
|
||||
#include "tests/cmocka/common_mock_resp.h"
|
||||
|
||||
-/* Mock DP requests that finish immediatelly and return
|
||||
+/* Mock DP requests that finish immediately and return
|
||||
* mocked values as per previous set by mock_account_recv
|
||||
*/
|
||||
struct tevent_req *
|
||||
diff --git a/src/tests/cmocka/test_sbus_opath.c b/src/tests/cmocka/test_sbus_opath.c
|
||||
index e38eaf1972b55f01d712584b67c731ac0031736d..b469fa8da90b6f54e15a590014be650e32221136 100644
|
||||
--- a/src/tests/cmocka/test_sbus_opath.c
|
||||
+++ b/src/tests/cmocka/test_sbus_opath.c
|
||||
@@ -72,7 +72,7 @@ void test_sbus_opath_escape_unescape(void **state)
|
||||
|
||||
escaped = sbus_opath_escape_part(mem_ctx, "path_with_underscore");
|
||||
assert_non_null(escaped);
|
||||
- /* underscore is 0x5F in ascii */
|
||||
+ /* underscore is 0x5F in ASCII */
|
||||
assert_string_equal(escaped, "path_5fwith_5funderscore");
|
||||
raw = sbus_opath_unescape_part(mem_ctx, escaped);
|
||||
talloc_free(escaped);
|
||||
diff --git a/src/tools/common/sss_process.c b/src/tools/common/sss_process.c
|
||||
index 574ccab24d0ff20784f6223e743bf9561ea2281e..fc710a553dbf6a27e23693be79bb333dcbcd3a3e 100644
|
||||
--- a/src/tools/common/sss_process.c
|
||||
+++ b/src/tools/common/sss_process.c
|
||||
@@ -97,7 +97,7 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-bool sss_deamon_running(void)
|
||||
+bool sss_daemon_running(void)
|
||||
{
|
||||
return sss_signal(0) == EOK;
|
||||
}
|
||||
diff --git a/src/tools/common/sss_process.h b/src/tools/common/sss_process.h
|
||||
index 43408afc7fab3caed3febd1a159dbfc6acbbb3f9..6bbb0947570a5fc9e77b479c7386db1cead05aaf 100644
|
||||
--- a/src/tools/common/sss_process.h
|
||||
+++ b/src/tools/common/sss_process.h
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
#include "util/util.h"
|
||||
|
||||
-bool sss_deamon_running(void);
|
||||
+bool sss_daemon_running(void);
|
||||
errno_t sss_signal(int signum);
|
||||
|
||||
#endif /* _SSS_PROCESS_H_ */
|
||||
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
|
||||
index 1e061c00d2238bf34adff4183e560dc127dd62c7..d9bc897c1a32954bbdd2d4ae2b0a9fb6d2c34752 100644
|
||||
--- a/src/tools/sssctl/sssctl.c
|
||||
+++ b/src/tools/sssctl/sssctl.c
|
||||
@@ -148,7 +148,7 @@ bool sssctl_start_sssd(bool force)
|
||||
enum sssctl_prompt_result prompt;
|
||||
errno_t ret;
|
||||
|
||||
- if (sss_deamon_running()) {
|
||||
+ if (sss_daemon_running()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -187,7 +187,7 @@ bool sssctl_stop_sssd(bool force)
|
||||
enum sssctl_prompt_result prompt;
|
||||
errno_t ret;
|
||||
|
||||
- if (!sss_deamon_running()) {
|
||||
+ if (!sss_daemon_running()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
|
||||
index 4b7f1dfff666743f9c47bc34515bbe63ee85eff1..b16fede1e2f3f743f65f8f86b0a5bdcfdca71f0b 100644
|
||||
--- a/src/tools/sssctl/sssctl_data.c
|
||||
+++ b/src/tools/sssctl/sssctl_data.c
|
||||
@@ -270,7 +270,7 @@ errno_t sssctl_cache_upgrade(struct sss_cmdline *cmdline,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- if (sss_deamon_running()) {
|
||||
+ if (sss_daemon_running()) {
|
||||
return ERR_SSSD_RUNNING;
|
||||
}
|
||||
|
||||
diff --git a/src/util/crypto/libcrypto/crypto_sha512crypt.c b/src/util/crypto/libcrypto/crypto_sha512crypt.c
|
||||
index 1023566624f0e7b8fc08e30d4ea7ad031fbffff9..b074eee555fafac6e486bfdf9efb9ddf4964a990 100644
|
||||
--- a/src/util/crypto/libcrypto/crypto_sha512crypt.c
|
||||
+++ b/src/util/crypto/libcrypto/crypto_sha512crypt.c
|
||||
@@ -7,7 +7,7 @@
|
||||
* Sumit Bose <sbose@redhat.com>
|
||||
* George McCollister <georgem@novatech-llc.com>
|
||||
*/
|
||||
-/* SHA512-based Unix crypt implementation.
|
||||
+/* SHA512-based UNIX crypt implementation.
|
||||
Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
|
||||
|
||||
#include "config.h"
|
||||
diff --git a/src/util/crypto/nss/nss_sha512crypt.c b/src/util/crypto/nss/nss_sha512crypt.c
|
||||
index 9fedd5ec6c62855d9cc0c9c2869d8c9be7fb5ade..2f1624e6396c40f539a4e2034ab545cad8f05434 100644
|
||||
--- a/src/util/crypto/nss/nss_sha512crypt.c
|
||||
+++ b/src/util/crypto/nss/nss_sha512crypt.c
|
||||
@@ -5,7 +5,7 @@
|
||||
*
|
||||
* Sumit Bose <sbose@redhat.com>
|
||||
*/
|
||||
-/* SHA512-based Unix crypt implementation.
|
||||
+/* SHA512-based UNIX crypt implementation.
|
||||
Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
|
||||
|
||||
#include "config.h"
|
||||
diff --git a/src/util/server.c b/src/util/server.c
|
||||
index 0046c9737bc0d9aea7be59b4fed5e0f8930ff66e..4e65cc66c01ba020b13a88df8e017765ac97f76e 100644
|
||||
--- a/src/util/server.c
|
||||
+++ b/src/util/server.c
|
||||
@@ -69,7 +69,7 @@ static void close_low_fds(void)
|
||||
#endif
|
||||
}
|
||||
|
||||
-static void deamon_parent_sigterm(int sig)
|
||||
+static void daemon_parent_sigterm(int sig)
|
||||
{
|
||||
_exit(0);
|
||||
}
|
||||
@@ -88,10 +88,10 @@ void become_daemon(bool Fork)
|
||||
pid = fork();
|
||||
if (pid != 0) {
|
||||
/* Terminate parent process on demand so we can hold systemd
|
||||
- * or initd from starting next service until sssd in initialized.
|
||||
+ * or initd from starting next service until sssd is initialized.
|
||||
* We use signals directly here because we don't have a tevent
|
||||
* context yet. */
|
||||
- CatchSignal(SIGTERM, deamon_parent_sigterm);
|
||||
+ CatchSignal(SIGTERM, daemon_parent_sigterm);
|
||||
|
||||
/* or exit when sssd monitor is terminated */
|
||||
do {
|
||||
diff --git a/src/util/sss_ini.h b/src/util/sss_ini.h
|
||||
index 77fbddc3ab073d930eecd68dacb00dae52847744..0b173831d4fd7c283fa939a2f3bfda2a3bb97515 100644
|
||||
--- a/src/util/sss_ini.h
|
||||
+++ b/src/util/sss_ini.h
|
||||
@@ -94,7 +94,7 @@ int sss_ini_call_validators_strs(TALLOC_CTX *mem_ctx,
|
||||
struct ref_array *
|
||||
sss_ini_get_ra_error_list(struct sss_ini_initdata *init_data);
|
||||
|
||||
-/* Get pointer to list of successfuly merged snippet files */
|
||||
+/* Get pointer to list of successfully merged snippet files */
|
||||
struct ref_array *
|
||||
sss_ini_get_ra_success_list(struct sss_ini_initdata *init_data);
|
||||
|
||||
diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
|
||||
index 52c86adde65c173a874534a7001d7859789581cd..4c2f1ec9ff0127ccfd72010460ed75dad43e9ce3 100644
|
||||
--- a/src/util/tev_curl.c
|
||||
+++ b/src/util/tev_curl.c
|
||||
@@ -67,7 +67,7 @@ struct tcurl_ctx {
|
||||
struct tcurl_sock {
|
||||
struct tcurl_ctx *tctx; /* Backchannel to the main context */
|
||||
|
||||
- curl_socket_t sockfd; /* curl socket is an int typedef on Unix */
|
||||
+ curl_socket_t sockfd; /* curl socket is an int typedef on UNIX */
|
||||
struct tevent_fd *fde; /* tevent tracker of the fd events */
|
||||
};
|
||||
|
||||
diff --git a/src/util/util_lock.c b/src/util/util_lock.c
|
||||
index b8e41cc29fbdcf3b5b75bf1507a4d33f5ba07be0..58d3b1bdf60f411fb7116055a5de775355d1839e 100644
|
||||
--- a/src/util/util_lock.c
|
||||
+++ b/src/util/util_lock.c
|
||||
@@ -74,7 +74,7 @@ errno_t sss_br_lock_file(int fd, size_t start, size_t len,
|
||||
return ret;
|
||||
}
|
||||
} else if (ret == 0) {
|
||||
- /* File successfuly locked */
|
||||
+ /* File successfully locked */
|
||||
break;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.15.1
|
||||
|
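Review bot: The comment rewritten in the `src/providers/data_provider/dp_request.c` hunk is still ungrammatical after the spelling fix — "did not yet received data" should read `* of dp request did not yet receive data/free dp_req. We just`. The same patch also capitalises "unix" as "Unix" in the `wbc_pwd_sssd.c` hunk while every other hunk in it normalises the word to "UNIX". Since this file is a verbatim upstream backport (Merges: pull-request/3556), neither should be edited locally; they are worth reporting upstream rather than carrying as a packaging-side delta. Separately, the rename of `sss_deamon_running` to `sss_daemon_running` in `src/tools/common/sss_process.h` changes a header-exported symbol, so any later patch in this 79-patch series that still references the old name will fail to build if the series is reordered.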
158
0003-CONFIG-Add-a-new-option-auto_private_groups.patch
Normal file
@ -0,0 +1,158 @@
|
||||
From 04fc0d758ae1e5c4ab71ab3bf8b8f50b99a6c63a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 3 Oct 2017 12:34:33 +0200
|
||||
Subject: [PATCH 03/79] CONFIG: Add a new option auto_private_groups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The auto_private_groups option is used to configure the domain->mpg flag
|
||||
which was already set automatically for subdomains, but for some time was
|
||||
not settable by the admin via the configuration file.
|
||||
|
||||
The new option name, instead of the old magic_private_groups, was chosen
|
||||
purely because this name would hopefully be better understood by admins.
|
||||
|
||||
The option doesn't do anything yet, it is just added to all the places a
|
||||
new option should be added to.
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/1872
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 8 ++++++++
|
||||
src/confdb/confdb.h | 1 +
|
||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||
src/config/SSSDConfigTest.py | 6 ++++--
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.conf | 1 +
|
||||
src/man/sssd.conf.5.xml | 20 ++++++++++++++++++++
|
||||
7 files changed, 36 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index fefecc03d554f6eca12efe07990bfae17033bd02..a028224817f12ace2a0c4165d7b9cb0bb80ce5a1 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -936,6 +936,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = get_entry_as_bool(res->msgs[0], &domain->mpg,
|
||||
+ CONFDB_DOMAIN_AUTO_UPG, 0);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Invalid value for %s\n", CONFDB_DOMAIN_AUTO_UPG);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
if (strcasecmp(domain->provider, "local") == 0) {
|
||||
/* If this is the local provider, we need to ensure that
|
||||
* no other provider was specified for other types, since
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index bcea99ae49a3fa5f0393ce6b2c215b5b2d4bc3fc..2539b906993edbceb38aac9265e04deed69cf2e4 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -198,6 +198,7 @@
|
||||
#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
|
||||
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
|
||||
#define CONFDB_DOMAIN_MPG "magic_private_groups"
|
||||
+#define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups"
|
||||
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
|
||||
#define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout"
|
||||
#define CONFDB_DOMAIN_ACCOUNT_CACHE_EXPIRATION "account_cache_expiration"
|
||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||
index d99b718e09283d113f73639e0f94e7f1cec55f68..d2bb709d69c8790558b5c06a7e405463b508c189 100644
|
||||
--- a/src/config/SSSDConfig/__init__.py.in
|
||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||
@@ -195,6 +195,7 @@ option_strings = {
|
||||
'cached_auth_timeout' : _('How long can cached credentials be used for cached authentication'),
|
||||
'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
|
||||
're_expression' : _('Regex to parse username and domain'),
|
||||
+ 'auto_private_groups' : _('Whether to automatically create private groups for users'),
|
||||
|
||||
# [provider/ipa]
|
||||
'ipa_domain' : _('IPA domain'),
|
||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
||||
index 4a583bdd3124dc05a116d2e6bd48afb92aa0b54d..87d1f6e6410dfeafc77d578cf0b950dc71a1f0a2 100755
|
||||
--- a/src/config/SSSDConfigTest.py
|
||||
+++ b/src/config/SSSDConfigTest.py
|
||||
@@ -624,7 +624,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
||||
'subdomain_homedir',
|
||||
'full_name_format',
|
||||
're_expression',
|
||||
- 'cached_auth_timeout']
|
||||
+ 'cached_auth_timeout',
|
||||
+ 'auto_private_groups']
|
||||
|
||||
self.assertTrue(type(options) == dict,
|
||||
"Options should be a dictionary")
|
||||
@@ -994,7 +995,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
||||
'subdomain_homedir',
|
||||
'full_name_format',
|
||||
're_expression',
|
||||
- 'cached_auth_timeout']
|
||||
+ 'cached_auth_timeout',
|
||||
+ 'auto_private_groups']
|
||||
|
||||
self.assertTrue(type(options) == dict,
|
||||
"Options should be a dictionary")
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index e49e8d43f4aead14d833866110784fd62382cc2b..4e70bf7b6f0fa7421a0c35bd4279830265bf3470 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -382,6 +382,7 @@ option = cached_auth_timeout
|
||||
option = wildcard_limit
|
||||
option = full_name_format
|
||||
option = re_expression
|
||||
+option = auto_private_groups
|
||||
|
||||
#Entry cache timeouts
|
||||
option = entry_cache_user_timeout
|
||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
||||
index 7f2b8977b7e67fcfc20df49056cda8ebe6da0be8..2be2e3e685ba3abd9a4a419f93332a89ff774262 100644
|
||||
--- a/src/config/etc/sssd.api.conf
|
||||
+++ b/src/config/etc/sssd.api.conf
|
||||
@@ -185,6 +185,7 @@ subdomain_homedir = str, None, false
|
||||
cached_auth_timeout = int, None, false
|
||||
full_name_format = str, None, false
|
||||
re_expression = str, None, false
|
||||
+auto_private_groups = str, None, false
|
||||
|
||||
#Entry cache timeouts
|
||||
entry_cache_user_timeout = int, None, false
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 7752e450835b5beba50ddc4c635ff985d38ca421..1e8d9537517c85c3021b9c2c4185ea272c5bfffa 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -2816,6 +2816,26 @@ subdomain_inherit = ldap_purge_cache_timeout
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>auto_private_groups (string)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ If this option is enabled, SSSD will automatically
|
||||
+ create user private groups based on user's
|
||||
+ UID number. The GID number is ignored in this case.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ NOTE: Because the GID number and the user private group
|
||||
+ are inferred frm the UID number, it is not supported
|
||||
+ to have multiple entries with the same UID or GID number
|
||||
+ with this option. In other words, enabling this option
|
||||
+ enforces uniqueness across the ID space.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: False
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
|
||||
--
|
||||
2.15.1
|
||||
|
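Review bot: The new option's documented type and its parser disagree: the man page entry says `auto_private_groups (string)` and sssd.api.conf registers it as `auto_private_groups = str, None, false`, while confdb_get_domain_internal reads it with `get_entry_as_bool(res->msgs[0], &domain->mpg, CONFDB_DOMAIN_AUTO_UPG, 0)`. Unless non-boolean values are planned for a later patch, documenting it as a boolean (`auto_private_groups (boolean)` and `bool, None, false`) keeps the config validator, the man page and the parser consistent; if string values are planned, the man page should say which ones are accepted. The man page paragraph also has a typo, `inferred frm the UID number` should read `inferred from the UID number`. confdb_get_domain_internal's body starts and ends outside the hunk.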
@ -0,0 +1,32 @@
|
||||
From bd4e962128c7ea95fa0bdc5aa8f360ab11cda178 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 3 Oct 2017 12:36:02 +0200
|
||||
Subject: [PATCH 04/79] CONFDB: Remove the obsolete option magic_private_groups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Since this confdb definition was completely unused across the codebase,
|
||||
this patch just removes the definition.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 2539b906993edbceb38aac9265e04deed69cf2e4..1471949623e9dd7a8536e3ac3048a10227a5d857 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -197,7 +197,6 @@
|
||||
"cache_credentials_minimal_first_factor_length"
|
||||
#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
|
||||
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
|
||||
-#define CONFDB_DOMAIN_MPG "magic_private_groups"
|
||||
#define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups"
|
||||
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
|
||||
#define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout"
|
||||
--
|
||||
2.15.1
|
||||
|
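--- a/0005-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch
+++ b/0005-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch
@@ -0,0 +1,166 @@
+From f7c559955ab380d097f8e98786ba710c7bff812c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 3 Oct 2017 12:34:49 +0200
+Subject: [PATCH 05/79] SDAP: Allow the mpg flag for the main domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit allows saving the users in the MPG domain in the SDAP
+layer.
+
+The commit contains the following changes:
+- abstracts the change where if the primary GID exists in the original
+object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute,
+which will allow the original primary GID to be exposed as a
+secondary group
+
+- if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM
+is added. This will allow to handle LDAP objects that only contain
+the UID but no GID. Since this is a new use-case, a test is added
+later
+
+- a branch that handles the above is added to sdap_save_user() also
+for joined domains that set the MPG flag. Previously, only
+subdomains were handled.
+
+- to allow passing GID=0 to the sysdb layer, the range check is
+relaxed.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/1872
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/providers/ldap/sdap_async_users.c | 83 +++++++++++++++++++++++++++++++----
+1 file changed, 75 insertions(+), 8 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
+index 09d096e84cac6c9d52bcde0e1587c47dbd88b504..7338b4a15694b1d0a16723990130a23a7280af5f 100644
+--- a/src/providers/ldap/sdap_async_users.c
++++ b/src/providers/ldap/sdap_async_users.c
+@@ -136,6 +136,38 @@ static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs,
+return EOK;
+}
+
++static int sdap_user_set_mpg(struct sysdb_attrs *user_attrs,
++ gid_t *_gid)
++{
++ errno_t ret;
++
++ if (_gid == NULL) {
++ return EINVAL;
++ }
++
++ if (*_gid == 0) {
++ /* The original entry had no GID number. This is OK, we just won't add
++ * the SYSDB_PRIMARY_GROUP_GIDNUM attribute
++ */
++ return EOK;
++ }
++
++ ret = sysdb_attrs_add_uint32(user_attrs,
++ SYSDB_PRIMARY_GROUP_GIDNUM,
++ (uint32_t) *_gid);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
++ return ret;
++ }
++
++ /* We won't really store gidNumber=0, but the zero value tells
++ * the sysdb layer that no GID is set, which sysdb requires for
++ * MPG-enabled domains
++ */
++ *_gid = 0;
++ return EOK;
++}
++
+/* FIXME: support storing additional attributes */
+int sdap_save_user(TALLOC_CTX *memctx,
+struct sdap_options *opts,
+@@ -357,7 +389,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
+goto done;
+}
+
+- if (IS_SUBDOMAIN(dom)) {
++ if (IS_SUBDOMAIN(dom) || dom->mpg == true) {
+/* For subdomain users, only create the private group as
+* the subdomain is an MPG domain.
+* But we have to save the GID of the original primary group
+@@ -365,14 +397,13 @@ int sdap_save_user(TALLOC_CTX *memctx,
+* typically (Unix and AD) the user is not listed in his primary
+* group as a member.
+*/
+- ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
+- (uint32_t) gid);
++ ret = sdap_user_set_mpg(user_attrs, &gid);
+if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sdap_user_set_mpg failed [%d]: %s\n", ret,
++ sss_strerror(ret));
+goto done;
+}
+-
+- gid = 0;
+}
+
+/* Store the GID in the ldap_attrs so it doesn't get
+@@ -380,6 +411,41 @@ int sdap_save_user(TALLOC_CTX *memctx,
+*/
+ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid);
+if (ret != EOK) goto done;
++ } else if (dom->mpg) {
++ /* Likewise, if a domain is set to contain 'magic private groups', do
++ * not process the real GID, but save it in the cache as originalGID
++ * (if available)
++ */
++ ret = sysdb_attrs_get_uint32_t(attrs,
++ opts->user_map[SDAP_AT_USER_GID].sys_name,
++ &gid);
++ if (ret == ENOENT) {
++ DEBUG(SSSDBG_TRACE_LIBS,
++ "Missing GID, won't save the %s attribute\n",
++ SYSDB_PRIMARY_GROUP_GIDNUM);
++
++ /* Store the UID as GID (since we're in a MPG domain so that it doesn't
++ * get treated as a missing attribute and removed
++ */
++ ret = sdap_replace_id(attrs, SYSDB_GIDNUM, uid);
++ if (ret) {
++ DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n");
++ goto done;
++ }
++ gid = 0;
++ } else if (ret != EOK) {
++ DEBUG(SSSDBG_MINOR_FAILURE,
++ "Cannot retrieve GID, won't save the %s attribute\n",
++ SYSDB_PRIMARY_GROUP_GIDNUM);
++ gid = 0;
++ }
++
++ ret = sdap_user_set_mpg(user_attrs, &gid);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sdap_user_set_mpg failed [%d]: %s\n", ret, sss_strerror(ret));
++ goto done;
++ }
+} else {
+ret = sysdb_attrs_get_uint32_t(attrs,
+opts->user_map[SDAP_AT_USER_GID].sys_name,
+@@ -403,8 +469,9 @@ int sdap_save_user(TALLOC_CTX *memctx,
+}
+
+/* check that the gid is valid for this domain */
+- if (is_posix == true && IS_SUBDOMAIN(dom) == false &&
+- OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
++ if (is_posix == true && IS_SUBDOMAIN(dom) == false
++ && dom->mpg == false
++ && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+"User [%s] filtered out! (primary gid out of range)\n",
+user_name);
+--
+2.15.1
+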
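Review bot: In the new `else if (dom->mpg)` branch of sdap_save_user the gidNumber read from LDAP goes straight into SYSDB_PRIMARY_GROUP_GIDNUM via sdap_user_set_mpg, and the relaxed range check further down (`&& dom->mpg == false`) no longer covers it, so an out-of-range GID appears to escape the domain's id_min/id_max policy and, per the commit message, is later exposed as a secondary group; unless the responder filters it on the way out, dropping it before the call, `if (is_posix == true && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) { gid = 0; }`, keeps the range policy meaningful for MPG domains. The ENOENT and generic-failure paths are also treated differently: only ENOENT calls `sdap_replace_id(attrs, SYSDB_GIDNUM, uid)`, so after any other sysdb_attrs_get_uint32_t error it is not clear what SYSDB_GIDNUM ends up as, which the comment above says is the case that gets the attribute treated as missing and removed — worth confirming that is intended. sdap_save_user's body starts and ends outside the hunks.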
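--- a/0006-LDAP-Turn-group-request-into-user-request-for-MPG-do.patch
+++ b/0006-LDAP-Turn-group-request-into-user-request-for-MPG-do.patch
@@ -0,0 +1,221 @@
+From 80ea108ab4263c1a1ac67ce6eac41dc6040b21dd Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 3 Oct 2017 14:31:18 +0200
+Subject: [PATCH 06/79] LDAP: Turn group request into user request for MPG
+domains if needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the primary group GID or the group name is requested before the user
+is, we need to also search the user space to save the user in the back
+end which then allows the responder to generate the group from the
+user entry.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/1872
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+src/providers/ldap/ldap_id.c | 162 +++++++++++++++++++++++++++++++------------
+1 file changed, 118 insertions(+), 44 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
+index 93204d35ea3782c9aa5d622a962c295869472631..e89fc6133316f684810afe4c1a0731b8a04f2931 100644
+--- a/src/providers/ldap/ldap_id.c
++++ b/src/providers/ldap/ldap_id.c
+@@ -694,6 +694,8 @@ struct groups_get_state {
+static int groups_get_retry(struct tevent_req *req);
+static void groups_get_connect_done(struct tevent_req *subreq);
+static void groups_get_posix_check_done(struct tevent_req *subreq);
++static void groups_get_mpg_done(struct tevent_req *subreq);
++static errno_t groups_get_handle_no_group(struct tevent_req *req);
+static void groups_get_search(struct tevent_req *req);
+static void groups_get_done(struct tevent_req *subreq);
+
+@@ -1051,8 +1053,6 @@ static void groups_get_done(struct tevent_req *subreq)
+struct tevent_req);
+struct groups_get_state *state = tevent_req_data(req,
+struct groups_get_state);
+- char *endptr;
+- gid_t gid;
+int dp_error = DP_ERR_FATAL;
+int ret;
+
+@@ -1078,49 +1078,33 @@ static void groups_get_done(struct tevent_req *subreq)
+return;
+}
+
+- if (ret == ENOENT && state->noexist_delete == true) {
+- switch (state->filter_type) {
+- case BE_FILTER_ENUM:
+- tevent_req_error(req, ret);
++ if (ret == ENOENT
++ && state->domain->mpg == true) {
++ /* The requested filter did not find a group. Before giving up, we must
++ * also check if the GID can be resolved through a primary group of a
++ * user
++ */
++ subreq = users_get_send(state,
++ state->ev,
++ state->ctx,
++ state->sdom,
++ state->conn,
++ state->filter_value,
++ state->filter_type,
++ NULL,
++ state->noexist_delete);
++ if (subreq == NULL) {
++ tevent_req_error(req, ENOMEM);
+return;
+- case BE_FILTER_NAME:
+- ret = sysdb_delete_group(state->domain, state->filter_value, 0);
+- if (ret != EOK && ret != ENOENT) {
+- tevent_req_error(req, ret);
+- return;
+- }
+- break;
+-
+- case BE_FILTER_IDNUM:
+- gid = (gid_t) strtouint32(state->filter_value, &endptr, 10);
+- if (errno || *endptr || (state->filter_value == endptr)) {
+- tevent_req_error(req, errno ? errno : EINVAL);
+- return;
+- }
+-
+- ret = sysdb_delete_group(state->domain, NULL, gid);
+- if (ret != EOK && ret != ENOENT) {
+- tevent_req_error(req, ret);
+- return;
+- }
+- break;
+-
+- case BE_FILTER_SECID:
+- case BE_FILTER_UUID:
+- /* Since it is not clear if the SID/UUID belongs to a user or a
+- * group we have nothing to do here. */
+- break;
+-
+- case BE_FILTER_WILDCARD:
+- /* We can't know if all groups are up-to-date, especially in
+- * a large environment. Do not delete any records, let the
+- * responder fetch the entries they are requested in.
+- */
+- break;
+-
+-
+- default:
+- tevent_req_error(req, EINVAL);
++ }
++ tevent_req_set_callback(subreq, groups_get_mpg_done, req);
++ return;
++ } else if (ret == ENOENT && state->noexist_delete == true) {
++ ret = groups_get_handle_no_group(req);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Could not delete group [%d]: %s\n", ret, sss_strerror(ret));
++ tevent_req_error(req, ret);
+return;
+}
+}
+@@ -1129,6 +1113,96 @@ static void groups_get_done(struct tevent_req *subreq)
+tevent_req_done(req);
+}
+
++static void groups_get_mpg_done(struct tevent_req *subreq)
++{
++ errno_t ret;
++ struct tevent_req *req = tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct groups_get_state *state = tevent_req_data(req,
++ struct groups_get_state);
++
++ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
++ talloc_zfree(subreq);
++
++ if (ret != EOK) {
++ tevent_req_error(req, ret);
++ return;
++ }
++
++ if (state->sdap_ret == ENOENT && state->noexist_delete == true) {
++ ret = groups_get_handle_no_group(req);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Could not delete group [%d]: %s\n", ret, sss_strerror(ret));
++ tevent_req_error(req, ret);
++ return;
++ }
++ }
++
++ /* GID resolved to a user private group, done */
++ tevent_req_done(req);
++ return;
++}
++
++static errno_t groups_get_handle_no_group(struct tevent_req *req)
++{
++ struct groups_get_state *state = tevent_req_data(req,
++ struct groups_get_state);
++ errno_t ret;
++ char *endptr;
++ gid_t gid;
++
++ switch (state->filter_type) {
++ case BE_FILTER_ENUM:
++ ret = ENOENT;
++ break;
++ case BE_FILTER_NAME:
++ ret = sysdb_delete_group(state->domain, state->filter_value, 0);
++ if (ret != EOK && ret != ENOENT) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Cannot delete group %s [%d]: %s\n",
++ state->filter_value, ret, sss_strerror(ret));
++ return ret;
++ }
++ ret = EOK;
++ break;
++ case BE_FILTER_IDNUM:
++ gid = (gid_t) strtouint32(state->filter_value, &endptr, 10);
++ if (errno || *endptr || (state->filter_value == endptr)) {
++ ret = errno ? errno : EINVAL;
++ break;
++ }
++
++ ret = sysdb_delete_group(state->domain, NULL, gid);
++ if (ret != EOK && ret != ENOENT) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Cannot delete group %"SPRIgid" [%d]: %s\n",
++ gid, ret, sss_strerror(ret));
++ return ret;
++ }
++ ret = EOK;
++ break;
++ case BE_FILTER_SECID:
++ case BE_FILTER_UUID:
++ /* Since it is not clear if the SID/UUID belongs to a user or a
++ * group we have nothing to do here. */
++ ret = EOK;
++ break;
++ case BE_FILTER_WILDCARD:
++ /* We can't know if all groups are up-to-date, especially in
++ * a large environment. Do not delete any records, let the
++ * responder fetch the entries they are requested in.
++ */
++ ret = EOK;
++ break;
++ default:
++ ret = EINVAL;
++ break;
++ }
++
++ return ret;
++}
++
+int groups_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret)
+{
+struct groups_get_state *state = tevent_req_data(req,
+--
+2.15.1
+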
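Review bot: The MPG fallback added to groups_get_done fires for every filter type: `if (ret == ENOENT && state->domain->mpg == true)` is checked before the noexist_delete handling, so a miss for BE_FILTER_SECID, BE_FILTER_UUID, BE_FILTER_WILDCARD or BE_FILTER_ENUM also sends a second users_get_send search to LDAP, although the comment says the fallback exists to resolve a GID (or, by the commit message, a name) through a user's primary group. Unless users_get_send is meant to handle those filters, narrowing the condition with `&& (state->filter_type == BE_FILTER_NAME || state->filter_type == BE_FILTER_IDNUM)` avoids the extra round-trip and leaves the other filters on the previous deletion path. The identical `Could not delete group` log-and-fail block in groups_get_done and groups_get_mpg_done could also live inside groups_get_handle_no_group, which already holds the state. groups_get_done's body starts outside the hunk.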
@ -0,0 +1,96 @@
|
||||
From 561b887c08c6199a50f1295071626b3e9040a7d1 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 19 Oct 2017 17:18:15 +0200
|
||||
Subject: [PATCH 07/79] SYSDB: Prevent users and groups ID collision in MPG
|
||||
domains except for id_provider=local
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This commit makes the check when adding an object in a MPG domain
|
||||
stricter in the sense that not only same names are allowed in a MPG
|
||||
domain, but also the same groups are not allowed either.
|
||||
|
||||
This commit is a backwards-incompatible change, but one that is needed,
|
||||
otherwise requesting the duplicate group first and then requesting the
|
||||
user entry would yield two object when searching by GID.
|
||||
|
||||
In order to keep backwards-compatibility, this uniqueness is NOT
|
||||
enforced with id_provider=local. This constraint can be removed in
|
||||
the future (or the local provider can be dropped altogether)
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/db/sysdb_ops.c | 41 ++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 38 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 0e39a629a5823ff49ed02ec4c08a21b66119f06f..2f8e36c6c9a2c2cefe4af5fb78957763304d989a 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -1960,16 +1960,34 @@ int sysdb_add_user(struct sss_domain_info *domain,
|
||||
}
|
||||
|
||||
if (domain->mpg) {
|
||||
- /* In MPG domains you can't have groups with the same name as users,
|
||||
- * search if a group with the same name exists.
|
||||
+ /* In MPG domains you can't have groups with the same name or GID
|
||||
+ * as users, search if a group with the same name exists.
|
||||
* Don't worry about users, if we try to add a user with the same
|
||||
* name the operation will fail */
|
||||
|
||||
ret = sysdb_search_group_by_name(tmp_ctx, domain, name, NULL, &msg);
|
||||
if (ret != ENOENT) {
|
||||
- if (ret == EOK) ret = EEXIST;
|
||||
+ if (ret == EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Group named %s already exists in an MPG domain\n",
|
||||
+ name);
|
||||
+ ret = EEXIST;
|
||||
+ }
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
+ if (strcasecmp(domain->provider, "local") != 0) {
|
||||
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
|
||||
+ if (ret != ENOENT) {
|
||||
+ if (ret == EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Group with GID [%"SPRIgid"] already exists in an "
|
||||
+ "MPG domain\n", gid);
|
||||
+ ret = EEXIST;
|
||||
+ }
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
/* check no other user with the same uid exist */
|
||||
@@ -2177,6 +2195,23 @@ int sysdb_add_group(struct sss_domain_info *domain,
|
||||
}
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
+ if (strcasecmp(domain->provider, "local") != 0) {
|
||||
+ ret = sysdb_search_user_by_uid(tmp_ctx, domain, gid, NULL, &msg);
|
||||
+ if (ret != ENOENT) {
|
||||
+ if (ret == EOK) {
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "User with the same UID exists in MPG domain: "
|
||||
+ "[%"SPRIgid"].\n", gid);
|
||||
+ ret = EEXIST;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "sysdb_search_user_by_uid failed for gid: "
|
||||
+ "[%"SPRIgid"].\n", gid);
|
||||
+ }
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
/* check no other groups with the same gid exist */
|
||||
--
|
||||
2.15.1
|
||||
|
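Review bot: In sysdb_add_user the new GID-collision check searches with the user's `uid` (`sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg)`) but the EEXIST log line prints `gid`, which the SDAP layer passes as 0 for MPG domains in the preceding patch, so the message will not show the colliding value; it should print `uid`, and a comment such as `/* In an MPG domain the private group's GID equals the UID, so a cached group with that GID would collide */` would explain why a UID is used as a GID search key. The counterpart in sysdb_add_group logs both the collision and the search failure at SSSDBG_TRACE_LIBS while sysdb_add_user logs the collision at SSSDBG_OP_FAILURE; one level for both would make the two paths easier to correlate in the logs. Since sysdb_add_user now fails on a cached group whose GID equals the new user's UID, a stale group entry cached before this change would block storing that user until it is removed or expires — worth confirming the cleanup path covers it. Both functions start and end outside the hunks.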
345
0008-TESTS-Add-integration-tests-for-the-auto_private_gro.patch
Normal file
345
0008-TESTS-Add-integration-tests-for-the-auto_private_gro.patch
Normal file
@ -0,0 +1,345 @@
|
||||
From dc8e3fcdd6807974122e47ff97e9bbd3be16557f Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 3 Oct 2017 16:55:40 +0200
|
||||
Subject: [PATCH 08/79] TESTS: Add integration tests for the
|
||||
auto_private_groups option
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/1872
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/tests/intg/test_enumeration.py | 79 +++++++++++++-
|
||||
src/tests/intg/test_ldap.py | 214 +++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 290 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
|
||||
index fdb8d376879f756957f8f25fd28b37d7178aeff5..c7d78155c64dc6c85cb4dc070b205bdcfceff6af 100644
|
||||
--- a/src/tests/intg/test_enumeration.py
|
||||
+++ b/src/tests/intg/test_enumeration.py
|
||||
@@ -237,9 +237,7 @@ def sanity_rfc2307(request, ldap_conn):
|
||||
create_sssd_fixture(request)
|
||||
return None
|
||||
|
||||
-
|
||||
-@pytest.fixture
|
||||
-def sanity_rfc2307_bis(request, ldap_conn):
|
||||
+def populate_rfc2307bis(request, ldap_conn):
|
||||
ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
||||
ent_list.add_user("user1", 1001, 2001)
|
||||
ent_list.add_user("user2", 1002, 2002)
|
||||
@@ -266,6 +264,11 @@ def sanity_rfc2307_bis(request, ldap_conn):
|
||||
[], ["one_user_group1", "one_user_group2"])
|
||||
|
||||
create_ldap_fixture(request, ldap_conn, ent_list)
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def sanity_rfc2307_bis(request, ldap_conn):
|
||||
+ populate_rfc2307bis(request, ldap_conn)
|
||||
conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
|
||||
create_conf_fixture(request, conf)
|
||||
create_sssd_fixture(request)
|
||||
@@ -695,3 +698,73 @@ def test_vetoed_shells(vetoed_shells):
|
||||
shell="/bin/default")
|
||||
)
|
||||
)
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def sanity_rfc2307_bis_mpg(request, ldap_conn):
|
||||
+ populate_rfc2307bis(request, ldap_conn)
|
||||
+
|
||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
||||
+ ent_list.add_group_bis("conflict1", 1001)
|
||||
+ ent_list.add_group_bis("conflict2", 1002)
|
||||
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
||||
+
|
||||
+ conf = \
|
||||
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
|
||||
+ unindent("""
|
||||
+ [domain/LDAP]
|
||||
+ auto_private_groups = True
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+def test_ldap_auto_private_groups_enumerate(ldap_conn,
|
||||
+ sanity_rfc2307_bis_mpg):
|
||||
+ """
|
||||
+ Test the auto_private_groups together with enumeration
|
||||
+ """
|
||||
+ passwd_pattern = ent.contains_only(
|
||||
+ dict(name='user1', passwd='*', uid=1001, gid=1001, gecos='1001',
|
||||
+ dir='/home/user1', shell='/bin/bash'),
|
||||
+ dict(name='user2', passwd='*', uid=1002, gid=1002, gecos='1002',
|
||||
+ dir='/home/user2', shell='/bin/bash'),
|
||||
+ dict(name='user3', passwd='*', uid=1003, gid=1003, gecos='1003',
|
||||
+ dir='/home/user3', shell='/bin/bash')
|
||||
+ )
|
||||
+ ent.assert_passwd(passwd_pattern)
|
||||
+
|
||||
+ group_pattern = ent.contains_only(
|
||||
+ dict(name='user1', passwd='*', gid=1001, mem=ent.contains_only()),
|
||||
+ dict(name='user2', passwd='*', gid=1002, mem=ent.contains_only()),
|
||||
+ dict(name='user3', passwd='*', gid=1003, mem=ent.contains_only()),
|
||||
+ dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
|
||||
+ dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
|
||||
+ dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
|
||||
+ dict(name='empty_group1', passwd='*', gid=2010,
|
||||
+ mem=ent.contains_only()),
|
||||
+ dict(name='empty_group2', passwd='*', gid=2011,
|
||||
+ mem=ent.contains_only()),
|
||||
+ dict(name='two_user_group', passwd='*', gid=2012,
|
||||
+ mem=ent.contains_only("user1", "user2")),
|
||||
+ dict(name='group_empty_group', passwd='*', gid=2013,
|
||||
+ mem=ent.contains_only()),
|
||||
+ dict(name='group_two_empty_groups', passwd='*', gid=2014,
|
||||
+ mem=ent.contains_only()),
|
||||
+ dict(name='one_user_group1', passwd='*', gid=2015,
|
||||
+ mem=ent.contains_only("user1")),
|
||||
+ dict(name='one_user_group2', passwd='*', gid=2016,
|
||||
+ mem=ent.contains_only("user2")),
|
||||
+ dict(name='group_one_user_group', passwd='*', gid=2017,
|
||||
+ mem=ent.contains_only("user1")),
|
||||
+ dict(name='group_two_user_group', passwd='*', gid=2018,
|
||||
+ mem=ent.contains_only("user1", "user2")),
|
||||
+ dict(name='group_two_one_user_groups', passwd='*', gid=2019,
|
||||
+ mem=ent.contains_only("user1", "user2"))
|
||||
+ )
|
||||
+ ent.assert_group(group_pattern)
|
||||
+
|
||||
+ with pytest.raises(KeyError):
|
||||
+ grp.getgrnam("conflict1")
|
||||
+ ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
|
||||
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
|
||||
index f2467f1ffe9890049ad73bba6432102d029510e8..a6659b1b78df4d72eb98c208d67ee5d10c9c88ea 100644
|
||||
--- a/src/tests/intg/test_ldap.py
|
||||
+++ b/src/tests/intg/test_ldap.py
|
||||
@@ -1169,3 +1169,217 @@ def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached):
|
||||
|
||||
res, _ = call_sssd_getgrgid(0)
|
||||
assert res == NssReturnCode.NOTFOUND
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def mpg_setup(request, ldap_conn):
|
||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
||||
+ ent_list.add_user("user1", 1001, 2001)
|
||||
+ ent_list.add_user("user2", 1002, 2002)
|
||||
+ ent_list.add_user("user3", 1003, 2003)
|
||||
+
|
||||
+ ent_list.add_group_bis("group1", 2001)
|
||||
+ ent_list.add_group_bis("group2", 2002)
|
||||
+ ent_list.add_group_bis("group3", 2003)
|
||||
+
|
||||
+ ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"])
|
||||
+ ent_list.add_group_bis("one_user_group1", 2015, ["user1"])
|
||||
+ ent_list.add_group_bis("one_user_group2", 2016, ["user2"])
|
||||
+
|
||||
+ create_ldap_entries(ldap_conn, ent_list)
|
||||
+ create_ldap_cleanup(request, ldap_conn, None)
|
||||
+
|
||||
+ conf = \
|
||||
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
|
||||
+ unindent("""
|
||||
+ [domain/LDAP]
|
||||
+ auto_private_groups = True
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup):
|
||||
+ """
|
||||
+ Integration test for auto_private_groups
|
||||
+
|
||||
+ See also ticket https://pagure.io/SSSD/sssd/issue/1872
|
||||
+ """
|
||||
+ # Make sure the user's GID is taken from their uidNumber
|
||||
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
|
||||
+ # Make sure the private group is resolvable by name and by GID
|
||||
+ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
|
||||
+ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
|
||||
+
|
||||
+ # The group referenced in user's gidNumber attribute should be still
|
||||
+ # visible, but it's fine that it doesn't contain the user as a member
|
||||
+ # as the group is currently added during the initgroups operation only
|
||||
+ ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
|
||||
+ ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
|
||||
+
|
||||
+ # The user's secondary groups list must be correct as well
|
||||
+ # Note that the original GID is listed as well -- this is correct and expected
|
||||
+ # because we save the original GID in the SYSDB_PRIMARY_GROUP_GIDNUM attribute
|
||||
+ user1_expected_gids = [1001, 2001, 2012, 2015]
|
||||
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS
|
||||
+
|
||||
+ assert sorted(gids) == sorted(user1_expected_gids), \
|
||||
+ "result: %s\n expected %s" % (
|
||||
+ ", ".join(["%s" % s for s in sorted(gids)]),
|
||||
+ ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
|
||||
+ )
|
||||
+
|
||||
+ # Request user2's private group by GID without resolving the user first.
|
||||
+ # This must trigger user resolution through by-GID resolution, since the GID
|
||||
+ # doesn't exist on its own in LDAP
|
||||
+ ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only()))
|
||||
+
|
||||
+ # Test supplementary groups for user2 as well
|
||||
+ user1_expected_gids = [1002, 2002, 2012, 2016]
|
||||
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002)
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS
|
||||
+
|
||||
+ assert sorted(gids) == sorted(user1_expected_gids), \
|
||||
+ "result: %s\n expected %s" % (
|
||||
+ ", ".join(["%s" % s for s in sorted(gids)]),
|
||||
+ ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
|
||||
+ )
|
||||
+
|
||||
+ # Request user3's private group by name without resolving the user first
|
||||
+ # This must trigger user resolution through by-name resolution, since the
|
||||
+ # name doesn't exist on its own in LDAP
|
||||
+ ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
|
||||
+
|
||||
+ # Remove entries and request them again to make sure they are not
|
||||
+ # resolvable anymore
|
||||
+ cleanup_ldap_entries(ldap_conn, None)
|
||||
+
|
||||
+ if subprocess.call(["sss_cache", "-GU"]) != 0:
|
||||
+ raise Exception("sssd_cache failed")
|
||||
+
|
||||
+ with pytest.raises(KeyError):
|
||||
+ pwd.getpwnam("user1")
|
||||
+ with pytest.raises(KeyError):
|
||||
+ grp.getgrnam("user1")
|
||||
+ with pytest.raises(KeyError):
|
||||
+ grp.getgrgid(1002)
|
||||
+ with pytest.raises(KeyError):
|
||||
+ grp.getgrnam("user3")
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def mpg_setup_conflict(request, ldap_conn):
|
||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
||||
+ ent_list.add_user("user1", 1001, 2001)
|
||||
+ ent_list.add_user("user2", 1002, 2002)
|
||||
+ ent_list.add_user("user3", 1003, 1003)
|
||||
+ ent_list.add_group_bis("group1", 1001)
|
||||
+ ent_list.add_group_bis("group2", 1002)
|
||||
+ ent_list.add_group_bis("group3", 1003)
|
||||
+ ent_list.add_group_bis("supp_group", 2015, ["user3"])
|
||||
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
||||
+
|
||||
+ conf = \
|
||||
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
|
||||
+ unindent("""
|
||||
+ [domain/LDAP]
|
||||
+ auto_private_groups = True
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict):
|
||||
+ """
|
||||
+ Make sure that conflicts between groups that are auto-created with the
|
||||
+ help of the auto_private_groups option and between 'real' LDAP groups
|
||||
+ are handled in a predictable manner.
|
||||
+ """
|
||||
+ # Make sure the user's GID is taken from their uidNumber
|
||||
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
|
||||
+ # Make sure the private group is resolvable by name and by GID
|
||||
+ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
|
||||
+ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
|
||||
+
|
||||
+ # Let's request the group with the same ID as user2's private group
|
||||
+ # The request should match the 'real' group
|
||||
+ ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only()))
|
||||
+ # But because of the GID conflict, the user cannot be resolved
|
||||
+ with pytest.raises(KeyError):
|
||||
+ pwd.getpwnam("user2")
|
||||
+
|
||||
+ # This user's GID is the same as the UID in this entry. The most important
|
||||
+ # thing here is that the supplementary groups are correct and the GID
|
||||
+ # resolves to the private group (as long as the user was requested first)
|
||||
+ user3_expected_gids = [1003, 2015]
|
||||
+ ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003))
|
||||
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003)
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS
|
||||
+
|
||||
+ assert sorted(gids) == sorted(user3_expected_gids), \
|
||||
+ "result: %s\n expected %s" % (
|
||||
+ ", ".join(["%s" % s for s in sorted(gids)]),
|
||||
+ ", ".join(["%s" % s for s in sorted(user3_expected_gids)])
|
||||
+ )
|
||||
+ # Make sure the private group is resolvable by name and by GID
|
||||
+ ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only()))
|
||||
+ ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only()))
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def mpg_setup_no_gid(request, ldap_conn):
|
||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
||||
+ ent_list.add_user("user1", 1001, 2001)
|
||||
+
|
||||
+ ent_list.add_group_bis("group1", 2001)
|
||||
+ ent_list.add_group_bis("one_user_group1", 2015, ["user1"])
|
||||
+
|
||||
+ create_ldap_entries(ldap_conn, ent_list)
|
||||
+ create_ldap_cleanup(request, ldap_conn, None)
|
||||
+
|
||||
+ conf = \
|
||||
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
|
||||
+ unindent("""
|
||||
+ [domain/LDAP]
|
||||
+ auto_private_groups = True
|
||||
+ ldap_user_gid_number = no_such_attribute
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
|
||||
+ """
|
||||
+ Integration test for auto_private_groups - test that even a user with
|
||||
+ no GID assigned at all can be resolved including their autogenerated
|
||||
+ primary group.
|
||||
+
|
||||
+ See also ticket https://pagure.io/SSSD/sssd/issue/1872
|
||||
+ """
|
||||
+ # Make sure the user's GID is taken from their uidNumber
|
||||
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001))
|
||||
+ # Make sure the private group is resolvable by name and by GID
|
||||
+ ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only()))
|
||||
+ ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only()))
|
||||
+
|
||||
+ # The group referenced in user's gidNumber attribute should be still
|
||||
+ # visible, but shouldn't have any relation to the user
|
||||
+ ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only()))
|
||||
+ ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only()))
|
||||
+
|
||||
+ # The user's secondary groups list must be correct as well. This time only
|
||||
+ # the generated group and the explicit secondary group are added, since
|
||||
+ # there is no original GID
|
||||
+ user1_expected_gids = [1001, 2015]
|
||||
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001)
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS
|
||||
+
|
||||
+ assert sorted(gids) == sorted(user1_expected_gids), \
|
||||
+ "result: %s\n expected %s" % (
|
||||
+ ", ".join(["%s" % s for s in sorted(gids)]),
|
||||
+ ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
|
||||
+ )
|
||||
--
|
||||
2.15.1
|
||||
|
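--- a/0009-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch
+++ b/0009-CACHE_REQ-Copy-the-cr_domain-list-for-each-request.patch
@@ -0,0 +1,141 @@
+From ec2489ab1ba7075e69f1f3747d96656ac2b0aab5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Fri, 20 Oct 2017 09:26:43 +0200
+Subject: [PATCH 09/79] CACHE_REQ: Copy the cr_domain list for each request
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Let's copy the cr_domain list for each request as this list may be
+free'd due to a refresh domains request.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/3551
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/responder/common/cache_req/cache_req.c | 14 +++++++--
+src/responder/common/cache_req/cache_req_domain.c | 38 +++++++++++++++++++++++
+src/responder/common/cache_req/cache_req_domain.h | 5 +++
+3 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
+index abcb9cba351b06e833bacde26a504e5ee3445528..5fed7a2ab8beded2fee91f679a12f9a0ff6013ec 100644
+--- a/src/responder/common/cache_req/cache_req.c
++++ b/src/responder/common/cache_req/cache_req.c
+@@ -699,6 +699,7 @@ struct cache_req_state {
+const char *domain_name;
+
+/* work data */
++ struct cache_req_domain *cr_domains;
+struct cache_req_result **results;
+size_t num_results;
+bool first_iteration;
+@@ -953,6 +954,7 @@ static errno_t cache_req_select_domains(struct tevent_req *req,
+bool bypass_cache;
+bool bypass_dp;
+bool search;
++ errno_t ret;
+
+state = tevent_req_data(req, struct cache_req_state);
+
+@@ -964,12 +966,20 @@ static errno_t cache_req_select_domains(struct tevent_req *req,
+return EOK;
+}
+
++ ret = cache_req_domain_copy_cr_domains(state,
++ state->cr->rctx->cr_domains,
++ &state->cr_domains);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_copy_cr_domains() failed\n");
++ return EINVAL;
++ }
++
+if (domain_name != NULL) {
+CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
+"Performing a single domain search\n");
+
+cr_domain = cache_req_domain_get_domain_by_name(
+- state->cr->rctx->cr_domains, domain_name);
++ state->cr_domains, domain_name);
+if (cr_domain == NULL) {
+return ERR_DOMAIN_NOT_FOUND;
+}
+@@ -978,7 +988,7 @@ static errno_t cache_req_select_domains(struct tevent_req *req,
+CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
+"Performing a multi-domain search\n");
+
+- cr_domain = state->cr->rctx->cr_domains;
++ cr_domain = state->cr_domains;
+check_next = true;
+}
+
+diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
+index 7b58f7c94a77881429f870bc5162fb2fe0aa57c6..15893ba548f6d0e3979010d6d5bbf27441d5fa97 100644
+--- a/src/responder/common/cache_req/cache_req_domain.c
++++ b/src/responder/common/cache_req/cache_req_domain.c
+@@ -47,6 +47,44 @@ cache_req_domain_get_domain_by_name(struct cache_req_domain *domains,
+return ret;
+}
+
++errno_t
++cache_req_domain_copy_cr_domains(TALLOC_CTX *mem_ctx,
++ struct cache_req_domain *src,
++ struct cache_req_domain **_dest)
++{
++ struct cache_req_domain *cr_domains = NULL;
++ struct cache_req_domain *cr_domain;
++ struct cache_req_domain *iter;
++ errno_t ret;
++
++ if (src == NULL) {
++ return EINVAL;
++ }
++
++ DLIST_FOR_EACH(iter, src) {
++ cr_domain = talloc_zero(mem_ctx, struct cache_req_domain);
++ if (cr_domain == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ cr_domain->domain = iter->domain;
++ cr_domain->fqnames = iter->fqnames;
++
++ DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *);
++ }
++
++ *_dest = cr_domains;
++ ret = EOK;
++
++done:
++ if (ret != EOK) {
++ cache_req_domain_list_zfree(&cr_domains);
++ }
++
++ return ret;
++}
++
+void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains)
+{
+struct cache_req_domain *p, *q, *r;
+diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
+index 3780a5d8d88d76e100738d28d1dd0e697edf5eae..ebdc71dd635d5d8a5d06e30e96c5d4101b6d98bf 100644
+--- a/src/responder/common/cache_req/cache_req_domain.h
++++ b/src/responder/common/cache_req/cache_req_domain.h
+@@ -50,6 +50,11 @@ cache_req_domain_new_list_from_domain_resolution_order(
+const char *domain_resolution_order,
+struct cache_req_domain **_cr_domains);
+
++errno_t
++cache_req_domain_copy_cr_domains(TALLOC_CTX *mem_ctx,
++ struct cache_req_domain *src,
++ struct cache_req_domain **_dest);
++
+void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains);
+
+
+--
+2.15.1
+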
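Review bot: The error path added to cache_req_select_domains logs a function name that does not exist (`cache_req_copy_cr_domains()` instead of `cache_req_domain_copy_cr_domains()`) and returns EINVAL, discarding the ENOMEM the helper actually reports; `DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_domain_copy_cr_domains() failed [%d]: %s\n", ret, sss_strerror(ret)); return ret;` keeps the real cause. The copy is shallow — `domain` and `fqnames` are copied by pointer — so the new helper deserves a header comment saying that only the list nodes are owned by the copy and that the referenced sss_domain_info objects must outlive the request; presumably they do, since the commit only guards against the list itself being freed. If cache_req_select_domains can run more than once for the same request (the `first_iteration` flag in cache_req_state hints at that), each call allocates another copy on state without freeing the previous one, which is worth checking. cache_req_select_domains starts and ends outside the hunk.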
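--- a/0010-sudo-document-background-activity.patch
+++ b/0010-sudo-document-background-activity.patch
@@ -0,0 +1,41 @@
+From a0f79dd38cffc5ad382aae9baba76863678c26ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 20 Oct 2017 11:49:26 +0200
+Subject: [PATCH 10/79] sudo: document background activity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When we introduced socket activation, we changed the internall behaviour.
+Previously we disabled sudo if it was not listed in services, with
+socket activation we removed this feature. Some users were confused
+so this change documents current behaviour.
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+src/man/sssd.conf.5.xml | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 1e8d9537517c85c3021b9c2c4185ea272c5bfffa..b247b5ac75a82d45f29023f5f9ca24a3a7a5ce0c 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -2348,6 +2348,14 @@ pam_account_locked_message = Account locked, please contact help desk.
+<manvolnum>5</manvolnum>
+</citerefentry>.
+</para>
++ <para>
++ <emphasis>NOTE:</emphasis> Sudo rules are
++ periodically downloaded in the background unless
++ the sudo provider is explicitly disabled. Set
++ <emphasis>sudo_provider = None</emphasis> to
++ disable all sudo-related activity in SSSD if you do
++ not want to use sudo with SSSD at all.
++ </para>
+</listitem>
+</varlistentry>
+<varlistentry>
+--
+2.15.1
+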
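--- a/0011-MAN-GPO-Security-Filtering-limitation.patch
+++ b/0011-MAN-GPO-Security-Filtering-limitation.patch
@@ -0,0 +1,40 @@
+From bb20c565417a2c2ab274b254e6238657c5d8c73a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Thu, 26 Oct 2017 17:12:17 +0200
+Subject: [PATCH 11/79] MAN: GPO Security Filtering limitation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Note in the man pages that current version of SSSD does not support
+host entries in the 'Security filtering' list.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3444
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+src/man/sssd-ad.5.xml | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
+index 08c1dd09fb829c6cffb416250b9b518668ec5790..649042d587de3d3600fff59866681e302c721af8 100644
+--- a/src/man/sssd-ad.5.xml
++++ b/src/man/sssd-ad.5.xml
+@@ -345,6 +345,13 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
+particular user is allowed to logon to a particular
+host.
+</para>
++ <para>
++ NOTE: The current version of SSSD does not support
++ host (computer) entries in the GPO 'Security
++ Filtering' list. Only user and group entries are
++ supported. Host entries in the list have no
++ effect.
++ </para>
+<para>
+NOTE: If the operation mode is set to enforcing, it
+is possible that users that were previously allowed
+--
+2.15.1
+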
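--- a/0012-CI-Ignore-source-file-generated-by-systemtap.patch
+++ b/0012-CI-Ignore-source-file-generated-by-systemtap.patch
@@ -0,0 +1,55 @@
+From 5b34c650b387192282f3c2cd6211db0fd4944870 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 30 Oct 2017 14:54:07 +0100
+Subject: [PATCH 12/79] CI: Ignore source file generated by systemtap
+
+There are some changes in systemtap 3.2 which generate temporary
+source files and remove them later. We are not interested in code
+coverage in this area. Lets ignore them.
+
+...
+genhtml: failure 00:00:01 ci-build-coverage/ci-genhtml.log
+FAILURE
+
+sh$ cat ci-build-coverage/ci-genhtml.log
+Start: Mon Oct 30 13:43:52 UTC 2017
++ eval 'genhtml --output-directory \
+"$coverage_report_dir" \
+--title "sssd" --show-details \
+--legend --prefix "$BASE_DIR" \
+ci.info |& tee ci-genhtml.out'
+++ genhtml --output-directory ci-report-coverage --title sssd \
+--show-details --legend --prefix /home/build/sssd ci.info
+++ tee ci-genhtml.out
+Reading data file ci.info
+Found 447 entries.
+Using user-specified filename prefix "/home/build/sssd"
+Writing .css and .png files.
+Generating output.
+genhtml: ERROR: cannot read /home/build/sssd/stap_generated_probes.o.dtrace-temp.c
+Processing file stap_generated_probes.o.dtrace-temp.c
+End: Mon Oct 30 13:43:53 UTC 2017
+
+sh$ ls -l /home/build/sssd/stap_generated_probes.o.dtrace-temp.c
+ls: cannot access '/home/build/sssd/stap_generated_probes.o.dtrace-temp.c': No such file or directory
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+contrib/ci/run | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/contrib/ci/run b/contrib/ci/run
+index aa6d35abedbd24fce49651e43f4a704b2b1b9880..26cd32b3316eb9fdfd9fd07e26dd862fec7b669d 100755
+--- a/contrib/ci/run
++++ b/contrib/ci/run
+@@ -300,6 +300,7 @@ function build_coverage()
+--output-file ci-dirty.info
+stage lcov-clean lcov --remove ci-dirty.info \
+"/usr/*" "src/tests/*" "/tmp/*" \
++ "*dtrace-temp.c" \
+--output-file ci.info
+stage genhtml eval 'genhtml --output-directory \
+"$coverage_report_dir" \
+--
+2.15.1
+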
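--- a/0013-sudo-always-use-srv_opts-from-id-context.patch
+++ b/0013-sudo-always-use-srv_opts-from-id-context.patch
@@ -0,0 +1,63 @@
+From 25bc436bccacb7f995314465b2923c6e08f654d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 19 Oct 2017 10:39:21 +0200
+Subject: [PATCH 13/79] sudo: always use srv_opts from id context
+
+Prior this patch, we remember id_ctx->srv_opts in sudo request to switch
+the latest usn values. This works fine most of the time but it may cause
+a crash.
+
+If we have two concurrent sudo refresh and one of these fails, it causes
+failover to try the next server and possibly replacing the old srv_opts
+with new one and it causes an access after free in the other refresh.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3562
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+src/providers/ldap/sdap_async_sudo.c | 7 +------
+1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
+index f33d5b5fa86dc1806695482d627bd71a2b040d6e..5dc58012845b7109f0fa138e2e291b8ec3267799 100644
+--- a/src/providers/ldap/sdap_async_sudo.c
++++ b/src/providers/ldap/sdap_async_sudo.c
+@@ -279,7 +279,6 @@ done:
+struct sdap_sudo_refresh_state {
+struct sdap_sudo_ctx *sudo_ctx;
+struct tevent_context *ev;
+- struct sdap_server_opts *srv_opts;
+struct sdap_options *opts;
+struct sdap_id_op *sdap_op;
+struct sysdb_ctx *sysdb;
+@@ -405,9 +404,6 @@ static void sdap_sudo_refresh_connect_done(struct tevent_req *subreq)
+
+DEBUG(SSSDBG_TRACE_FUNC, "SUDO LDAP connection successful\n");
+
+- /* Obtain srv_opts here in case of first connection. */
+- state->srv_opts = state->sudo_ctx->id_ctx->srv_opts;
+-
+/* Renew host information if needed. */
+if (state->sudo_ctx->run_hostinfo) {
+subreq = sdap_sudo_get_hostinfo_send(state, state->opts,
+@@ -586,7 +582,6 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
+goto done;
+}
+
+-
+/* start transaction */
+ret = sysdb_transaction_start(state->sysdb);
+if (ret != EOK) {
+@@ -621,7 +616,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
+/* remember new usn */
+ret = sysdb_get_highest_usn(state, rules, rules_count, &usn);
+if (ret == EOK) {
+- sdap_sudo_set_usn(state->srv_opts, usn);
++ sdap_sudo_set_usn(state->sudo_ctx->id_ctx->srv_opts, usn);
+} else {
+DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get highest USN [%d]: %s\n",
+ret, sss_strerror(ret));
+--
+2.15.1
+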
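Review bot: The reason for reading `state->sudo_ctx->id_ctx->srv_opts` at completion time instead of caching it at connect time lives only in the commit message; a comment at the new call in sdap_sudo_refresh_done, e.g. `/* Read srv_opts from id_ctx at use time: a concurrent refresh that fails over may replace (and free) the old pointer. */`, would stop the next maintainer from "optimising" the cache back in. The same reasoning implies the pointer can be swapped between servers, so unless sdap_sudo_set_usn already tolerates a NULL first argument — not visible here — a NULL guard before the call, or a comment stating that id_ctx->srv_opts is non-NULL after a successful connection, would make the invariant explicit. sdap_sudo_refresh_done starts outside the hunk.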
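--- a/0014-AD-Remember-last-site-discovered.patch
+++ b/0014-AD-Remember-last-site-discovered.patch
@@ -0,0 +1,108 @@
+From ceb9cc228793551eb0fc42234ee3f9b3c9d6cb9b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 18 Oct 2017 15:20:34 +0200
+Subject: [PATCH 14/79] AD: Remember last site discovered
+
+To discover Active Directory site for a client we must first contact any
+directory controller for an LDAP ping. This is done by searching
+domain-wide DNS tree which may however contain servers that are not
+reachable from current site and than we face long timeouts or failure.
+
+This patch makes sssd remember the last successfuly discovered site
+and use this for DNS search to lookup a site and forest again similar
+to what we do when ad_site option is set.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3265
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+src/providers/ad/ad_srv.c | 44 +++++++++++++++++++++++++++++++++++++++++++-
+1 file changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
+index ff01ee95c4d2c6875a989394489f1a0495cc3003..be1ba0f237add894566ae713ce5e29fd202d414c 100644
+--- a/src/providers/ad/ad_srv.c
++++ b/src/providers/ad/ad_srv.c
+@@ -481,6 +481,7 @@ struct ad_srv_plugin_ctx {
+const char *hostname;
+const char *ad_domain;
+const char *ad_site_override;
++ const char *current_site;
+};
+
+struct ad_srv_plugin_ctx *
+@@ -518,6 +519,11 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+if (ctx->ad_site_override == NULL) {
+goto fail;
+}
++
++ ctx->current_site = talloc_strdup(ctx, ad_site_override);
++ if (ctx->current_site == NULL) {
++ goto fail;
++ }
+}
+
+return ctx;
+@@ -527,6 +533,32 @@ fail:
+return NULL;
+}
+
++static errno_t
++ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx,
++ const char *new_site)
++{
++ const char *site;
++ errno_t ret;
++
++ if (new_site == NULL) {
++ return EOK;
++ }
++
++ if (ctx->current_site != NULL && strcmp(ctx->current_site, new_site) == 0) {
++ return EOK;
++ }
++
++ site = talloc_strdup(ctx, new_site);
++ if (site == NULL) {
++ return ENOMEM;
++ }
++
++ talloc_zfree(ctx->current_site);
++ ctx->current_site = site;
++
++ return EOK;
++}
++
+struct ad_srv_plugin_state {
+struct tevent_context *ev;
+struct ad_srv_plugin_ctx *ctx;
+@@ -613,7 +645,7 @@ struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
+
+subreq = ad_get_dc_servers_send(state, ev, ctx->be_res->resolv,
+state->discovery_domain,
+- state->ctx->ad_site_override);
++ state->ctx->current_site);
+if (subreq == NULL) {
+ret = ENOMEM;
+goto immediately;
+@@ -709,6 +741,16 @@ static void ad_srv_plugin_site_done(struct tevent_req *subreq)
+backup_domain = NULL;
+
+if (ret == EOK) {
++ /* Remember current site so it can be used during next lookup so
++ * we can contact directory controllers within a known reachable
++ * site first. */
++ ret = ad_srv_plugin_ctx_switch_site(state->ctx, state->site);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set site [%d]: %s\n",
++ ret, sss_strerror(ret));
++ goto done;
++ }
++
+if (strcmp(state->service, "gc") == 0) {
+if (state->forest != NULL) {
+if (state->site != NULL) {
+--
+2.15.1
+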
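Review bot: `errno_t ret;` in the new ad_srv_plugin_ctx_switch_site is declared but never assigned or read, so it only produces an unused-variable warning; drop the line. Once `ctx->current_site` is set in ad_srv_plugin_site_done it is never cleared, so a remembered site keeps steering `ad_get_dc_servers_send` even after that site stops being reachable (a client that moves networks, for instance); unless the DC lookup already falls back to a domain-wide search on its own — not visible in this hunk — a stale site could persist until restart, and resetting current_site when the site-scoped lookup fails would bound that. In ad_srv_plugin_ctx_init the member is only assigned inside the ad_site_override branch, which is fine if ctx is zero-allocated but the hunk does not show that, so a comment on the new struct member such as `/* Last site discovered; seeded from ad_site_override when set, NULL until then. */` would state the intent and make the NULL default explicit. ad_srv_plugin_ctx_init and ad_srv_plugin_site_done both continue outside their hunks.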
205
0015-sysdb-add-functions-to-get-set-client-site.patch
Normal file
205
0015-sysdb-add-functions-to-get-set-client-site.patch
Normal file
@ -0,0 +1,205 @@
|
||||
From 8687782eb971d0fa6f8f4420a8616ba943d7252b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Oct 2017 12:09:39 +0200
|
||||
Subject: [PATCH 15/79] sysdb: add functions to get/set client site
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/db/sysdb.h | 10 +++
|
||||
src/db/sysdb_subdomains.c | 108 +++++++++++++++++++++++++++++++
|
||||
src/tests/cmocka/test_sysdb_subdomains.c | 28 ++++++++
|
||||
3 files changed, 146 insertions(+)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index fbbe321072385bd43353ef2f7d0e30667887d128..4192f9085d941814eccd2ac60ce8fb6d4e1bfa67 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -154,6 +154,7 @@
|
||||
#define SYSDB_SUBDOMAIN_FOREST "memberOfForest"
|
||||
#define SYSDB_SUBDOMAIN_TRUST_DIRECTION "trustDirection"
|
||||
#define SYSDB_UPN_SUFFIXES "upnSuffixes"
|
||||
+#define SYSDB_SITE "site"
|
||||
|
||||
#define SYSDB_BASE_ID "baseID"
|
||||
#define SYSDB_ID_RANGE_SIZE "idRangeSize"
|
||||
@@ -509,6 +510,15 @@ errno_t sysdb_domain_update_domain_resolution_order(
|
||||
const char *domain_name,
|
||||
const char *domain_resolution_order);
|
||||
|
||||
+errno_t
|
||||
+sysdb_get_site(TALLOC_CTX *mem_ctx,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ const char **_site);
|
||||
+
|
||||
+errno_t
|
||||
+sysdb_set_site(struct sss_domain_info *dom,
|
||||
+ const char *site);
|
||||
+
|
||||
errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
|
||||
const char *name, const char *realm,
|
||||
const char *flat_name, const char *domain_id,
|
||||
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
||||
index 2789cc4949fb7be9ad272d7613ed18a64fa8a20a..cb5de1afe3e8c9692789c5d2679eb3a4e6e1cdb2 100644
|
||||
--- a/src/db/sysdb_subdomains.c
|
||||
+++ b/src/db/sysdb_subdomains.c
|
||||
@@ -1284,3 +1284,111 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+errno_t
|
||||
+sysdb_get_site(TALLOC_CTX *mem_ctx,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ const char **_site)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ struct ldb_res *res;
|
||||
+ struct ldb_dn *dn;
|
||||
+ const char *attrs[] = { SYSDB_SITE, NULL };
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ dn = ldb_dn_new_fmt(tmp_ctx, dom->sysdb->ldb, SYSDB_DOM_BASE, dom->name);
|
||||
+ if (dn == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_search(dom->sysdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
|
||||
+ attrs, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (res->count == 0) {
|
||||
+ *_site = NULL;
|
||||
+ ret = EOK;
|
||||
+ goto done;
|
||||
+ } else if (res->count != 1) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Got more than one reply for base search!\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ *_site = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SITE, NULL);
|
||||
+ talloc_steal(mem_ctx, *_site);
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+errno_t
|
||||
+sysdb_set_site(struct sss_domain_info *dom,
|
||||
+ const char *site)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ struct ldb_message *msg;
|
||||
+ struct ldb_dn *dn;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ dn = ldb_dn_new_fmt(tmp_ctx, dom->sysdb->ldb, SYSDB_DOM_BASE, dom->name);
|
||||
+ if (dn == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ msg = ldb_msg_new(tmp_ctx);
|
||||
+ if (msg == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ msg->dn = dn;
|
||||
+
|
||||
+ ret = ldb_msg_add_empty(msg, SYSDB_SITE, LDB_FLAG_MOD_REPLACE, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (site != NULL) {
|
||||
+ ret = ldb_msg_add_string(msg, SYSDB_SITE, site);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_modify(dom->sysdb->ldb, msg);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "ldb_modify()_failed: [%s][%d][%s]\n",
|
||||
+ ldb_strerror(ret), ret, ldb_errstring(dom->sysdb->ldb));
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
index 84bcdc17b39dbc8822097c2006f157a09ea5e466..f8e3e1d915dba0f3a79adbf5af733980bf23a265 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
@@ -513,6 +513,31 @@ static void test_sysdb_link_ad_multidom(void **state)
|
||||
|
||||
}
|
||||
|
||||
+static void test_sysdb_set_and_get_site(void **state)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ struct subdom_test_ctx *test_ctx =
|
||||
+ talloc_get_type(*state, struct subdom_test_ctx);
|
||||
+ const char *site;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ ret = sysdb_get_site(test_ctx, test_ctx->tctx->dom, &site);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_null(site);
|
||||
+
|
||||
+ ret = sysdb_set_site(test_ctx->tctx->dom, "TestSite");
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sysdb_get_site(tmp_ctx, test_ctx->tctx->dom, &site);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_string_equal(site, "TestSite");
|
||||
+
|
||||
+ talloc_free(tmp_ctx);
|
||||
+}
|
||||
+
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int rv;
|
||||
@@ -546,6 +571,9 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_sysdb_link_ad_multidom,
|
||||
test_sysdb_subdom_setup,
|
||||
test_sysdb_subdom_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sysdb_set_and_get_site,
|
||||
+ test_sysdb_subdom_setup,
|
||||
+ test_sysdb_subdom_teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
--
|
||||
2.15.1
|
||||
|
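--- a/0016-AD-Remember-last-site-discovered-in-sysdb.patch
+++ b/0016-AD-Remember-last-site-discovered-in-sysdb.patch
@@ -0,0 +1,160 @@
+From 48f58549e2b687ba405162bd5db23f1c323732f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 1 Nov 2017 14:57:17 +0100
+Subject: [PATCH 16/79] AD: Remember last site discovered in sysdb
+
+This can speed up sssd startup.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3265
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+src/db/sysdb_subdomains.c | 2 +-
+src/providers/ad/ad_init.c | 2 +-
+src/providers/ad/ad_srv.c | 21 +++++++++++++++++++++
+src/providers/ad/ad_srv.h | 1 +
+src/providers/ad/ad_subdomains.c | 2 +-
+src/providers/ipa/ipa_subdomains_server.c | 2 +-
+6 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
+index cb5de1afe3e8c9692789c5d2679eb3a4e6e1cdb2..353561765904efe4bd698c38949a1b290ecf0b80 100644
+--- a/src/db/sysdb_subdomains.c
++++ b/src/db/sysdb_subdomains.c
+@@ -1291,7 +1291,7 @@ sysdb_get_site(TALLOC_CTX *mem_ctx,
+const char **_site)
+{
+TALLOC_CTX *tmp_ctx;
+- struct ldb_res *res;
++ struct ldb_result *res;
+struct ldb_dn *dn;
+const char *attrs[] = { SYSDB_SITE, NULL };
+errno_t ret;
+diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
+index 131e960d4c623398506f834742400df9c786b86b..e62025d4acd24844a5c7082d00c597516f35de16 100644
+--- a/src/providers/ad/ad_init.c
++++ b/src/providers/ad/ad_init.c
+@@ -199,7 +199,7 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
+return EOK;
+}
+
+- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
++ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
+default_host_dbs, ad_options->id,
+hostname, ad_domain,
+ad_site_override);
+diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
+index be1ba0f237add894566ae713ce5e29fd202d414c..4fa1668605e131b2e31802b1401f49fc6e00a23b 100644
+--- a/src/providers/ad/ad_srv.c
++++ b/src/providers/ad/ad_srv.c
+@@ -34,6 +34,7 @@
+#include "providers/fail_over_srv.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_async.h"
++#include "db/sysdb.h"
+
+#define AD_SITE_DOMAIN_FMT "%s._sites.%s"
+
+@@ -475,6 +476,7 @@ int ad_get_client_site_recv(TALLOC_CTX *mem_ctx,
+}
+
+struct ad_srv_plugin_ctx {
++ struct be_ctx *be_ctx;
+struct be_resolv_ctx *be_res;
+enum host_database *host_dbs;
+struct sdap_options *opts;
+@@ -486,6 +488,7 @@ struct ad_srv_plugin_ctx {
+
+struct ad_srv_plugin_ctx *
+ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
++ struct be_ctx *be_ctx,
+struct be_resolv_ctx *be_res,
+enum host_database *host_dbs,
+struct sdap_options *opts,
+@@ -494,12 +497,14 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+const char *ad_site_override)
+{
+struct ad_srv_plugin_ctx *ctx = NULL;
++ errno_t ret;
+
+ctx = talloc_zero(mem_ctx, struct ad_srv_plugin_ctx);
+if (ctx == NULL) {
+return NULL;
+}
+
++ ctx->be_ctx = be_ctx;
+ctx->be_res = be_res;
+ctx->host_dbs = host_dbs;
+ctx->opts = opts;
+@@ -524,6 +529,15 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+if (ctx->current_site == NULL) {
+goto fail;
+}
++ } else {
++ ret = sysdb_get_site(ctx, be_ctx->domain, &ctx->current_site);
++ if (ret != EOK) {
++ /* Not fatal. */
++ DEBUG(SSSDBG_MINOR_FAILURE,
++ "Unable to get current site from cache [%d]: %s\n",
++ ret, sss_strerror(ret));
++ ctx->current_site = NULL;
++ }
+}
+
+return ctx;
+@@ -556,6 +570,13 @@ ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx,
+talloc_zfree(ctx->current_site);
+ctx->current_site = site;
+
++ ret = sysdb_set_site(ctx->be_ctx->domain, ctx->current_site);
++ if (ret != EOK) {
++ /* Not fatal. */
++ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information "
++ "[%d]: %s\n", ret, sss_strerror(ret));
++ }
++
+return EOK;
+}
+
+diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h
+index ae5efe44755fa09f74064014cce749e35b1831da..fddef686762e57bb95d648247131d39a797aa516 100644
+--- a/src/providers/ad/ad_srv.h
++++ b/src/providers/ad/ad_srv.h
+@@ -25,6 +25,7 @@ struct ad_srv_plugin_ctx;
+
+struct ad_srv_plugin_ctx *
+ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
++ struct be_ctx *be_ctx,
+struct be_resolv_ctx *be_res,
+enum host_database *host_dbs,
+struct sdap_options *opts,
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 280aa54c23bf61e60d23ea91bd44a39f9f43d155..3fb9b950f171d85817cce35ac92ad7c4974ccb68 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -245,7 +245,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
+ad_options->id_ctx = ad_id_ctx;
+
+/* use AD plugin */
+- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
++ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
+default_host_dbs,
+ad_id_ctx->ad_options->id,
+hostname,
+diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
+index 10166d162f746fde176e6c7c2bfbe3906b1bfddc..d670a156b37608d20d49d79131138f02e4abf82b 100644
+--- a/src/providers/ipa/ipa_subdomains_server.c
++++ b/src/providers/ipa/ipa_subdomains_server.c
+@@ -305,7 +305,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
+ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
+
+/* use AD plugin */
+- srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
++ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
+default_host_dbs,
+ad_id_ctx->ad_options->id,
+id_ctx->server_mode->hostname,
+--
+2.15.1
+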
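Review bot: In the `@@ -524,6 +529,15 @@` hunk of ad_srv.c the new else-branch dereferences the added `be_ctx` parameter (`be_ctx->domain`) while the rest of `ad_srv_plugin_ctx_init` only stores it; the three callers updated in this patch all pass the backend context, so this holds today, but the contract deserves a line on the prototype in ad_srv.h, e.g. `/* be_ctx must be non-NULL: its domain is used to load and persist the discovered site */`. A successful cache read is silent, so a stale or wrong cached site cannot be told apart from a fresh discovery in the logs; adding `DEBUG(SSSDBG_TRACE_FUNC, "Using cached site [%s]\n", ctx->current_site);` after the successful `sysdb_get_site()` call, guarded by `ctx->current_site != NULL`, would make that diagnosable. The `@@ -556,6 +570,13 @@` hunk in `ad_srv_plugin_ctx_switch_site` assigns `ret`, whose declaration and the rest of the function body lie outside the hunk.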
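--- a/0017-UTIL-Add-wrapper-function-to-configure-logger.patch
+++ b/0017-UTIL-Add-wrapper-function-to-configure-logger.patch
@@ -0,0 +1,132 @@
+From dad79765d9ccafb3ba5d31a20462d73af96fa058 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 23 Oct 2017 14:58:14 +0200
+Subject: [PATCH 17/79] UTIL: Add wrapper function to configure logger
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Let's use one enum for logger type instead of many integers (debug_to_file,
+debug_to_stderr plus some weird combination for journald).
+Old variable were also transformed to enum for backward compatibility
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+src/util/debug.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+src/util/debug.h | 18 ++++++++++++++++++
+2 files changed, 72 insertions(+)
+
+diff --git a/src/util/debug.c b/src/util/debug.c
+index ca4fa4c6f5b150700a0a136d8a7ca9df30c29d73..4e469447e5ab8aa89cd57bcd6d00269875a12bc6 100644
+--- a/src/util/debug.c
++++ b/src/util/debug.c
+@@ -43,9 +43,63 @@ int debug_timestamps = SSSDBG_TIMESTAMP_UNRESOLVED;
+int debug_microseconds = SSSDBG_MICROSECONDS_UNRESOLVED;
+int debug_to_file = 0;
+int debug_to_stderr = 0;
++enum sss_logger_t sss_logger;
+const char *debug_log_file = "sssd";
+FILE *debug_file = NULL;
+
++const char *sss_logger_str[] = {
++ [STDERR_LOGGER] = "stderr",
++ [FILES_LOGGER] = "files",
++#ifdef WITH_JOURNALD
++ [JOURNALD_LOGGER] = "journald",
++#endif
++ NULL,
++};
++
++#ifdef WITH_JOURNALD
++#define JOURNALD_STR " journald,"
++#else
++#define JOURNALD_STR ""
++#endif
++
++void sss_set_logger(const char *logger)
++{
++ /* use old flags */
++ if (logger == NULL) {
++ if (debug_to_stderr != 0) {
++ sss_logger = STDERR_LOGGER;
++ }
++ /* It is never described what should be used in case of
++ * debug_to_stderr == 1 && debug_to_file == 1. Because neither
++ * of binaries provide both command line arguments.
++ * Let files have higher priority.
++ */
++ if (debug_to_file != 0) {
++ sss_logger = FILES_LOGGER;
++ }
++#ifdef WITH_JOURNALD
++ if (debug_to_file == 0 && debug_to_stderr == 0) {
++ sss_logger = JOURNALD_LOGGER;
++ }
++#endif
++ } else {
++ if (strcmp(logger, "stderr") == 0) {
++ sss_logger = STDERR_LOGGER;
++ } else if (strcmp(logger, "files") == 0) {
++ sss_logger = FILES_LOGGER;
++#ifdef WITH_JOURNALD
++ } else if (strcmp(logger, "journald") == 0) {
++ sss_logger = JOURNALD_LOGGER;
++#endif
++ } else {
++ /* unexpected value */
++ fprintf(stderr, "Unexpected logger: %s\nExpected:%s stderr, "
++ "files\n", logger, JOURNALD_STR);
++ sss_logger = STDERR_LOGGER;
++ }
++ }
++}
++
+errno_t set_debug_file_from_fd(const int fd)
+{
+FILE *dummy;
+diff --git a/src/util/debug.h b/src/util/debug.h
+index 2a1bd4ffd30817d7128805996c21105fe40982a2..4adafb7cfc03f7381c4d03071eb44edad04bee00 100644
+--- a/src/util/debug.h
++++ b/src/util/debug.h
+@@ -31,13 +31,26 @@
+
+#define APPEND_LINE_FEED 0x1
+
++enum sss_logger_t {
++ STDERR_LOGGER = 0,
++ FILES_LOGGER,
++#ifdef WITH_JOURNALD
++ JOURNALD_LOGGER,
++#endif
++};
++
++extern const char *sss_logger_str[];
+extern const char *debug_prg_name;
+extern int debug_level;
+extern int debug_timestamps;
+extern int debug_microseconds;
+extern int debug_to_file;
+extern int debug_to_stderr;
++extern enum sss_logger_t sss_logger;
+extern const char *debug_log_file;
++
++void sss_set_logger(const char *logger);
++
+void sss_vdebug_fn(const char *file,
+long line,
+const char *function,
+@@ -80,6 +93,11 @@ int get_fd_from_debug_file(void);
+#define SSSDBG_MICROSECONDS_UNRESOLVED -1
+#define SSSDBG_MICROSECONDS_DEFAULT 0
+
++#define SSSD_LOGGER_OPTS \
++ {"logger", '\0', POPT_ARG_STRING, &opt_logger, 0, \
++ _("Set logger"), "stderr|files|journald"},
++
++
+#define SSSD_DEBUG_OPTS \
+{"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, \
+_("Debug level"), NULL}, \
+--
+2.15.1
+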
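Review bot: The `SSSD_LOGGER_OPTS` help string in the debug.h hunk advertises `"stderr|files|journald"` unconditionally, but `sss_set_logger` in the debug.c hunk only accepts `journald` under `WITH_JOURNALD`, so on a build without journald the value shown by `--help` is rejected with the "Unexpected logger" message; deriving the help text from the same conditional (a second `#ifdef WITH_JOURNALD` macro next to `JOURNALD_STR`) keeps the two consistent. `sss_set_logger` also leaves `sss_logger` untouched when `logger == NULL`, neither legacy flag is set and journald is compiled out, so it relies on the zero-initialised global being `STDERR_LOGGER`; a short contract comment on the declaration in debug.h would make the precedence explicit, e.g. `/* Pick the logger: an explicit name wins; otherwise the legacy debug_to_file/debug_to_stderr flags decide (files take priority, journald when neither is set); unknown names fall back to stderr. */`. The macro references `opt_logger`, which every binary using it must have in scope; that follows from the macro text rather than from anything shown in this patch.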
829
0018-Add-parameter-logger-to-daemons.patch
829
0018-Add-parameter-logger-to-daemons.patch
@ -0,0 +1,829 @@
|
||||
From 0256b7734738302da9752db5297a3d41fccd40ac Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 23 Oct 2017 15:18:47 +0200
|
||||
Subject: [PATCH 18/79] Add parameter --logger to daemons
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Different binary handled information about logging differently
|
||||
e,g, --debug-to-files --debug-to-stderr
|
||||
And logging to journald was a special case of previous options
|
||||
(!debug_file && !debug_to_stderr). It was also tied to the monitor option
|
||||
"--daemon" and therefore loggind to stderr was used in interactive mode
|
||||
+ systemd Type=notify.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3433
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/man/sssd.8.xml | 31 +++++++++++++++++++++++++
|
||||
src/monitor/monitor.c | 48 ++++++++++++---------------------------
|
||||
src/p11_child/p11_child_nss.c | 3 +++
|
||||
src/providers/ad/ad_gpo_child.c | 4 ++++
|
||||
src/providers/data_provider_be.c | 4 ++++
|
||||
src/providers/ipa/selinux_child.c | 4 ++++
|
||||
src/providers/krb5/krb5_child.c | 4 ++++
|
||||
src/providers/ldap/ldap_child.c | 4 ++++
|
||||
src/providers/proxy/proxy_auth.c | 4 ++--
|
||||
src/providers/proxy/proxy_child.c | 4 ++++
|
||||
src/responder/autofs/autofssrv.c | 4 ++++
|
||||
src/responder/ifp/ifpsrv.c | 4 ++++
|
||||
src/responder/kcm/kcm.c | 4 ++++
|
||||
src/responder/nss/nsssrv.c | 4 ++++
|
||||
src/responder/pac/pacsrv.c | 4 ++++
|
||||
src/responder/pam/pamsrv.c | 4 ++++
|
||||
src/responder/secrets/secsrv.c | 4 ++++
|
||||
src/responder/ssh/sshsrv.c | 4 ++++
|
||||
src/responder/sudo/sudosrv.c | 4 ++++
|
||||
src/tests/cmocka/dummy_child.c | 4 ++++
|
||||
src/tests/debug-tests.c | 10 ++++++++
|
||||
src/util/child_common.c | 2 +-
|
||||
src/util/debug.c | 4 ++--
|
||||
src/util/server.c | 12 ++++++----
|
||||
24 files changed, 135 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
|
||||
index 923da6824907f0d2d140d9ca83f87338e7664f83..0b725628ff93f48f832140dd5dc15b040a8b179f 100644
|
||||
--- a/src/man/sssd.8.xml
|
||||
+++ b/src/man/sssd.8.xml
|
||||
@@ -92,6 +92,37 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>--logger=</option><replaceable>value</replaceable>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Location where SSSD will send log messages. This option
|
||||
+ overrides the value of the deprecated option
|
||||
+ <option>--debug-to-files</option>. The deprecated
|
||||
+ option will still work if the <option>--logger</option>
|
||||
+ is not used.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ <emphasis>stderr</emphasis>: Redirect debug messages to
|
||||
+ standard error output.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ <emphasis>files</emphasis>: Redirect debug messages to
|
||||
+ the log files. By default, the log files are stored in
|
||||
+ <filename>/var/log/sssd</filename> and there are
|
||||
+ separate log files for every SSSD service and domain.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ <emphasis>journald</emphasis>: Redirect debug messages
|
||||
+ to systemd-journald
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: not set
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
<varlistentry>
|
||||
<term>
|
||||
<option>-D</option>,<option>--daemon</option>
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index 7726548bbb666bb189667efc1de2295f8a001105..3c0b7ab2dac10fe15a8a5b807cb68ea4b7ab8461 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -1211,22 +1211,11 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
|
||||
}
|
||||
}
|
||||
|
||||
- if (debug_to_file) {
|
||||
- svc->command = talloc_strdup_append(
|
||||
- svc->command, " --debug-to-files"
|
||||
- );
|
||||
- if (!svc->command) {
|
||||
- talloc_free(svc);
|
||||
- return ENOMEM;
|
||||
- }
|
||||
- } else if (ctx->is_daemon == false) {
|
||||
- svc->command = talloc_strdup_append(
|
||||
- svc->command, " --debug-to-stderr"
|
||||
- );
|
||||
- if (!svc->command) {
|
||||
- talloc_free(svc);
|
||||
- return ENOMEM;
|
||||
- }
|
||||
+ svc->command = talloc_asprintf_append(
|
||||
+ svc->command, " --logger=%s", sss_logger_str[sss_logger]);
|
||||
+ if (!svc->command) {
|
||||
+ talloc_free(svc);
|
||||
+ return ENOMEM;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1374,22 +1363,11 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name,
|
||||
}
|
||||
}
|
||||
|
||||
- if (debug_to_file) {
|
||||
- svc->command = talloc_strdup_append(
|
||||
- svc->command, " --debug-to-files"
|
||||
- );
|
||||
- if (!svc->command) {
|
||||
- talloc_free(svc);
|
||||
- return ENOMEM;
|
||||
- }
|
||||
- } else if (ctx->is_daemon == false) {
|
||||
- svc->command = talloc_strdup_append(
|
||||
- svc->command, " --debug-to-stderr"
|
||||
- );
|
||||
- if (!svc->command) {
|
||||
- talloc_free(svc);
|
||||
- return ENOMEM;
|
||||
- }
|
||||
+ svc->command = talloc_asprintf_append(
|
||||
+ svc->command, " --logger=%s", sss_logger_str[sss_logger]);
|
||||
+ if (!svc->command) {
|
||||
+ talloc_free(svc);
|
||||
+ return ENOMEM;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2454,6 +2432,7 @@ int main(int argc, const char *argv[])
|
||||
int opt_version = 0;
|
||||
int opt_netlinkoff = 0;
|
||||
char *opt_config_file = NULL;
|
||||
+ char *opt_logger = NULL;
|
||||
char *config_file = NULL;
|
||||
int flags = 0;
|
||||
struct main_context *main_ctx;
|
||||
@@ -2465,6 +2444,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
{"daemon", 'D', POPT_ARG_NONE, &opt_daemon, 0, \
|
||||
_("Become a daemon (default)"), NULL }, \
|
||||
{"interactive", 'i', POPT_ARG_NONE, &opt_interactive, 0, \
|
||||
@@ -2551,6 +2531,8 @@ int main(int argc, const char *argv[])
|
||||
debug_to_stderr = 1;
|
||||
}
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
if (opt_config_file) {
|
||||
config_file = talloc_strdup(tmp_ctx, opt_config_file);
|
||||
} else {
|
||||
@@ -2575,7 +2557,7 @@ int main(int argc, const char *argv[])
|
||||
|
||||
/* Open before server_setup() does to have logging
|
||||
* during configuration checking */
|
||||
- if (debug_to_file) {
|
||||
+ if (sss_logger == FILES_LOGGER) {
|
||||
ret = open_debug_file();
|
||||
if (ret) {
|
||||
return 7;
|
||||
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
||||
index f165b58e63d2b8a6f26acf8bd89e7b41713e7359..e7dbcb689220d1cd2585fbde5f26e84f8fa15cc2 100644
|
||||
--- a/src/p11_child/p11_child_nss.c
|
||||
+++ b/src/p11_child/p11_child_nss.c
|
||||
@@ -537,6 +537,7 @@ int main(int argc, const char *argv[])
|
||||
int opt;
|
||||
poptContext pc;
|
||||
int debug_fd = -1;
|
||||
+ char *opt_logger = NULL;
|
||||
errno_t ret;
|
||||
TALLOC_CTX *main_ctx = NULL;
|
||||
char *cert;
|
||||
@@ -564,6 +565,7 @@ int main(int argc, const char *argv[])
|
||||
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
|
||||
&debug_to_stderr, 0,
|
||||
_("Send the debug output to stderr directly."), NULL },
|
||||
+ SSSD_LOGGER_OPTS
|
||||
{"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL},
|
||||
{"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in pre-auth mode"), NULL},
|
||||
{"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL},
|
||||
@@ -672,6 +674,7 @@ int main(int argc, const char *argv[])
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
|
||||
}
|
||||
}
|
||||
+ sss_set_logger(opt_logger);
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "p11_child started.\n");
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
|
||||
index 8e5e062547721567cb450f9d0f72f1ec8cb99f96..5375cc691e8649c289672b74c4bfe5266c8222c9 100644
|
||||
--- a/src/providers/ad/ad_gpo_child.c
|
||||
+++ b/src/providers/ad/ad_gpo_child.c
|
||||
@@ -687,6 +687,7 @@ main(int argc, const char *argv[])
|
||||
int opt;
|
||||
poptContext pc;
|
||||
int debug_fd = -1;
|
||||
+ char *opt_logger = NULL;
|
||||
errno_t ret;
|
||||
int sysvol_gpt_version;
|
||||
int result;
|
||||
@@ -710,6 +711,7 @@ main(int argc, const char *argv[])
|
||||
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
|
||||
&debug_to_stderr, 0,
|
||||
_("Send the debug output to stderr directly."), NULL },
|
||||
+ SSSD_LOGGER_OPTS
|
||||
POPT_TABLEEND
|
||||
};
|
||||
|
||||
@@ -744,6 +746,8 @@ main(int argc, const char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "gpo_child started.\n");
|
||||
|
||||
main_ctx = talloc_new(NULL);
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index 2e55dc4e3fe9ba1aa8c1c51c426efee00b9ae91d..56ddac112a209b6937313d3d3c94a73d2067331f 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -537,6 +537,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
char *be_domain = NULL;
|
||||
char *srv_name = NULL;
|
||||
struct main_context *main_ctx;
|
||||
@@ -548,6 +549,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
{"domain", 0, POPT_ARG_STRING, &be_domain, 0,
|
||||
_("Domain of the information provider (mandatory)"), NULL },
|
||||
@@ -582,6 +584,8 @@ int main(int argc, const char *argv[])
|
||||
debug_log_file = talloc_asprintf(NULL, "sssd_%s", be_domain);
|
||||
if (!debug_log_file) return 2;
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
srv_name = talloc_asprintf(NULL, "sssd[be[%s]]", be_domain);
|
||||
if (!srv_name) return 2;
|
||||
|
||||
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
|
||||
index 073475094ee491bd5453898c6ba65214fa14fe59..120492686963241b7e419413f489cc38953e32f2 100644
|
||||
--- a/src/providers/ipa/selinux_child.c
|
||||
+++ b/src/providers/ipa/selinux_child.c
|
||||
@@ -206,6 +206,7 @@ int main(int argc, const char *argv[])
|
||||
struct response *resp = NULL;
|
||||
ssize_t written;
|
||||
bool needs_update;
|
||||
+ char *opt_logger = NULL;
|
||||
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
@@ -220,6 +221,7 @@ int main(int argc, const char *argv[])
|
||||
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
|
||||
&debug_to_stderr, 0,
|
||||
_("Send the debug output to stderr directly."), NULL },
|
||||
+ SSSD_LOGGER_OPTS
|
||||
POPT_TABLEEND
|
||||
};
|
||||
|
||||
@@ -254,6 +256,8 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n");
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
"Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index b8ee497728b4b70fae89e528172e9d5bd42239c0..b44f3a20f1c0725304a37620d36f8872cf9ca5d7 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -3020,6 +3020,7 @@ int main(int argc, const char *argv[])
|
||||
int opt;
|
||||
poptContext pc;
|
||||
int debug_fd = -1;
|
||||
+ char *opt_logger = NULL;
|
||||
errno_t ret;
|
||||
krb5_error_code kerr;
|
||||
uid_t fast_uid;
|
||||
@@ -3039,6 +3040,7 @@ int main(int argc, const char *argv[])
|
||||
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
|
||||
&debug_to_stderr, 0,
|
||||
_("Send the debug output to stderr directly."), NULL },
|
||||
+ SSSD_LOGGER_OPTS
|
||||
{CHILD_OPT_FAST_CCACHE_UID, 0, POPT_ARG_INT, &fast_uid, 0,
|
||||
_("The user to create FAST ccache as"), NULL},
|
||||
{CHILD_OPT_FAST_CCACHE_GID, 0, POPT_ARG_INT, &fast_gid, 0,
|
||||
@@ -3097,6 +3099,8 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "krb5_child started.\n");
|
||||
|
||||
kr = talloc_zero(NULL, struct krb5_req);
|
||||
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
||||
index b796e5cae01517c85c2fc1605b1e5877454691dc..baeed239db5dc7ffa482edcbc155f25f718c8249 100644
|
||||
--- a/src/providers/ldap/ldap_child.c
|
||||
+++ b/src/providers/ldap/ldap_child.c
|
||||
@@ -599,6 +599,7 @@ int main(int argc, const char *argv[])
|
||||
int kerr;
|
||||
int opt;
|
||||
int debug_fd = -1;
|
||||
+ char *opt_logger = NULL;
|
||||
poptContext pc;
|
||||
TALLOC_CTX *main_ctx = NULL;
|
||||
uint8_t *buf = NULL;
|
||||
@@ -622,6 +623,7 @@ int main(int argc, const char *argv[])
|
||||
_("An open file descriptor for the debug logs"), NULL},
|
||||
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \
|
||||
_("Send the debug output to stderr directly."), NULL }, \
|
||||
+ SSSD_LOGGER_OPTS
|
||||
POPT_TABLEEND
|
||||
};
|
||||
|
||||
@@ -657,6 +659,8 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
BlockSignals(false, SIGTERM);
|
||||
CatchSignal(SIGTERM, sig_term_handler);
|
||||
|
||||
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
|
||||
index a05586e60b6ef894b0fcf1b8b3f30fdbf51a808d..665a29cf779290b8d35973245a36a1b5224bca78 100644
|
||||
--- a/src/providers/proxy/proxy_auth.c
|
||||
+++ b/src/providers/proxy/proxy_auth.c
|
||||
@@ -178,9 +178,9 @@ static struct tevent_req *proxy_child_init_send(TALLOC_CTX *mem_ctx,
|
||||
|
||||
state->command = talloc_asprintf(req,
|
||||
"%s/proxy_child -d %#.4x --debug-timestamps=%d "
|
||||
- "--debug-microseconds=%d%s --domain %s --id %d",
|
||||
+ "--debug-microseconds=%d --logger=%s --domain %s --id %d",
|
||||
SSSD_LIBEXEC_PATH, debug_level, debug_timestamps,
|
||||
- debug_microseconds, (debug_to_file ? " --debug-to-files" : ""),
|
||||
+ debug_microseconds, sss_logger_str[sss_logger],
|
||||
auth_ctx->be->domain->name,
|
||||
child_ctx->id);
|
||||
if (state->command == NULL) {
|
||||
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
|
||||
index be58622eb8b26231eeb6699976d51f57dc44de98..ae4855adeb5cc68f1a19003355a5d94f5b1bb378 100644
|
||||
--- a/src/providers/proxy/proxy_child.c
|
||||
+++ b/src/providers/proxy/proxy_child.c
|
||||
@@ -504,6 +504,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
char *domain = NULL;
|
||||
char *srv_name = NULL;
|
||||
char *conf_entry = NULL;
|
||||
@@ -517,6 +518,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
{"domain", 0, POPT_ARG_STRING, &domain, 0,
|
||||
_("Domain of the information provider (mandatory)"), NULL },
|
||||
@@ -561,6 +563,8 @@ int main(int argc, const char *argv[])
|
||||
debug_log_file = talloc_asprintf(NULL, "proxy_child_%s", domain);
|
||||
if (!debug_log_file) return 2;
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
srv_name = talloc_asprintf(NULL, "sssd[proxy_child[%s]]", domain);
|
||||
if (!srv_name) return 2;
|
||||
|
||||
diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
|
||||
index cfb2233fdfc346bf27b128ee8c4261f4c73e3470..b0762a2b685a7c5ab3abfa281f0906ad8bfe1c88 100644
|
||||
--- a/src/responder/autofs/autofssrv.c
|
||||
+++ b/src/responder/autofs/autofssrv.c
|
||||
@@ -185,6 +185,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -193,6 +194,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
SSSD_RESPONDER_OPTS
|
||||
POPT_TABLEEND
|
||||
@@ -221,6 +223,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_autofs";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
ret = server_setup("sssd[autofs]", 0, uid, gid,
|
||||
CONFDB_AUTOFS_CONF_ENTRY, &main_ctx);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
|
||||
index 0dc61a42200cc79fc6f12515a8f581ad0201a043..85dfbacc217e2870dd7517e36a1d39e7f2054a8b 100644
|
||||
--- a/src/responder/ifp/ifpsrv.c
|
||||
+++ b/src/responder/ifp/ifpsrv.c
|
||||
@@ -355,6 +355,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -363,6 +364,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
SSSD_RESPONDER_OPTS
|
||||
POPT_TABLEEND
|
||||
@@ -391,6 +393,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_ifp";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
ret = server_setup("sssd[ifp]", 0, 0, 0,
|
||||
CONFDB_IFP_CONF_ENTRY, &main_ctx);
|
||||
if (ret != EOK) return 2;
|
||||
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
|
||||
index 2202f96381a2622a2c5433e281172287b325f960..358fcc18165dec7b41a7389a3ef22660ac04b4a8 100644
|
||||
--- a/src/responder/kcm/kcm.c
|
||||
+++ b/src/responder/kcm/kcm.c
|
||||
@@ -258,6 +258,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -266,6 +267,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
POPT_TABLEEND
|
||||
};
|
||||
@@ -293,6 +295,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_kcm";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
ret = server_setup("sssd[kcm]", 0, uid, gid, CONFDB_KCM_CONF_ENTRY,
|
||||
&main_ctx);
|
||||
if (ret != EOK) return 2;
|
||||
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
|
||||
index d67b9fac8d770d113560e41b259e2d5edd219343..1559c314e5353d41c61c83ecc712311ac18a7202 100644
|
||||
--- a/src/responder/nss/nsssrv.c
|
||||
+++ b/src/responder/nss/nsssrv.c
|
||||
@@ -405,6 +405,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -413,6 +414,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
SSSD_RESPONDER_OPTS
|
||||
POPT_TABLEEND
|
||||
@@ -441,6 +443,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_nss";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
ret = server_setup("sssd[nss]", 0, uid, gid, CONFDB_NSS_CONF_ENTRY,
|
||||
&main_ctx);
|
||||
if (ret != EOK) return 2;
|
||||
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
|
||||
index 1f820c07f5c55fe8df75cce05b403c41075d9f94..b72e5c8d2a42bc85f0974dcb81a1290d3f740986 100644
|
||||
--- a/src/responder/pac/pacsrv.c
|
||||
+++ b/src/responder/pac/pacsrv.c
|
||||
@@ -209,6 +209,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -217,6 +218,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
SSSD_RESPONDER_OPTS
|
||||
POPT_TABLEEND
|
||||
@@ -245,6 +247,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_pac";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
ret = server_setup("sssd[pac]", 0, uid, gid,
|
||||
CONFDB_PAC_CONF_ENTRY, &main_ctx);
|
||||
if (ret != EOK) return 2;
|
||||
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
||||
index 79470823d18138da6ef9235e6336a3220ead1797..cc0e4bddcdbecfadabea78a6d2815d0ac6d651b6 100644
|
||||
--- a/src/responder/pam/pamsrv.c
|
||||
+++ b/src/responder/pam/pamsrv.c
|
||||
@@ -355,6 +355,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -365,6 +366,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
SSSD_RESPONDER_OPTS
|
||||
POPT_TABLEEND
|
||||
@@ -393,6 +395,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_pam";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
if (!is_socket_activated()) {
|
||||
/* Crate pipe file descriptors here before privileges are dropped
|
||||
* in server_setup() */
|
||||
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
|
||||
index 2b661b165ef0c174557f53012b2dbaa236a6e359..59c0f3a56040a6fc0c092247fbd124a069f97153 100644
|
||||
--- a/src/responder/secrets/secsrv.c
|
||||
+++ b/src/responder/secrets/secsrv.c
|
||||
@@ -324,6 +324,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -332,6 +333,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
POPT_TABLEEND
|
||||
};
|
||||
@@ -359,6 +361,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_secrets";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
ret = server_setup("sssd[secrets]", 0, uid, gid, CONFDB_SEC_CONF_ENTRY,
|
||||
&main_ctx);
|
||||
if (ret != EOK) return 2;
|
||||
diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
|
||||
index 440f0e2b9dc06e3dc52ff96d7207b8a3727865c0..8b0e7cc2d71044d7ab3bd2439041f678ddedb4cd 100644
|
||||
--- a/src/responder/ssh/sshsrv.c
|
||||
+++ b/src/responder/ssh/sshsrv.c
|
||||
@@ -177,6 +177,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -185,6 +186,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
SSSD_RESPONDER_OPTS
|
||||
POPT_TABLEEND
|
||||
@@ -213,6 +215,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_ssh";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
ret = server_setup("sssd[ssh]", 0, uid, gid,
|
||||
CONFDB_SSH_CONF_ENTRY, &main_ctx);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
|
||||
index dca70ea4afc0e6df6d1b1864338c7b1091a98fee..19058321a25022d7704556ec0ef79729db3ac1f2 100644
|
||||
--- a/src/responder/sudo/sudosrv.c
|
||||
+++ b/src/responder/sudo/sudosrv.c
|
||||
@@ -178,6 +178,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
poptContext pc;
|
||||
+ char *opt_logger = NULL;
|
||||
struct main_context *main_ctx;
|
||||
int ret;
|
||||
uid_t uid;
|
||||
@@ -186,6 +187,7 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
SSSD_MAIN_OPTS
|
||||
+ SSSD_LOGGER_OPTS
|
||||
SSSD_SERVER_OPTS(uid, gid)
|
||||
SSSD_RESPONDER_OPTS
|
||||
POPT_TABLEEND
|
||||
@@ -214,6 +216,8 @@ int main(int argc, const char *argv[])
|
||||
/* set up things like debug, signals, daemonization, etc... */
|
||||
debug_log_file = "sssd_sudo";
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
ret = server_setup("sssd[sudo]", 0, uid, gid, CONFDB_SUDO_CONF_ENTRY,
|
||||
&main_ctx);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/tests/cmocka/dummy_child.c b/src/tests/cmocka/dummy_child.c
|
||||
index bcaa9455037a0604422750bf7cc719a25cef4a99..811cb40490c89c4250401e0d8d3e9d1c277f57af 100644
|
||||
--- a/src/tests/cmocka/dummy_child.c
|
||||
+++ b/src/tests/cmocka/dummy_child.c
|
||||
@@ -34,6 +34,7 @@ int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
int debug_fd = -1;
|
||||
+ char *opt_logger = NULL;
|
||||
poptContext pc;
|
||||
ssize_t len;
|
||||
ssize_t written;
|
||||
@@ -55,6 +56,7 @@ int main(int argc, const char *argv[])
|
||||
_("An open file descriptor for the debug logs"), NULL},
|
||||
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \
|
||||
_("Send the debug output to stderr directly."), NULL },
|
||||
+ SSSD_LOGGER_OPTS
|
||||
{"guitar", 0, POPT_ARG_STRING, &guitar, 0, _("Who plays guitar"), NULL },
|
||||
{"drums", 0, POPT_ARG_STRING, &drums, 0, _("Who plays drums"), NULL },
|
||||
POPT_TABLEEND
|
||||
@@ -76,6 +78,8 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
poptFreeContext(pc);
|
||||
|
||||
+ sss_set_logger(opt_logger);
|
||||
+
|
||||
action = getenv("TEST_CHILD_ACTION");
|
||||
if (action) {
|
||||
if (strcasecmp(action, "check_extra_args") == 0) {
|
||||
diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c
|
||||
index d904d7eb8b5418608023faca0d62067f3106d23b..1446ec0474ab4bf72e66b58831fef59defd7be76 100644
|
||||
--- a/src/tests/debug-tests.c
|
||||
+++ b/src/tests/debug-tests.c
|
||||
@@ -343,6 +343,7 @@ START_TEST(test_debug_is_set_single_no_timestamp)
|
||||
debug_microseconds = 0;
|
||||
debug_to_file = 1;
|
||||
debug_prg_name = "sssd";
|
||||
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
|
||||
|
||||
for (i = 0; i <= 9; i++) {
|
||||
debug_level = levels[i];
|
||||
@@ -385,6 +386,8 @@ START_TEST(test_debug_is_set_single_timestamp)
|
||||
debug_microseconds = 0;
|
||||
debug_to_file = 1;
|
||||
debug_prg_name = "sssd";
|
||||
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
|
||||
+
|
||||
|
||||
for (i = 0; i <= 9; i++) {
|
||||
debug_level = levels[i];
|
||||
@@ -432,6 +435,8 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
|
||||
debug_microseconds = 1;
|
||||
debug_to_file = 1;
|
||||
debug_prg_name = "sssd";
|
||||
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
|
||||
+
|
||||
|
||||
for (i = 0; i <= 9; i++) {
|
||||
debug_level = levels[i];
|
||||
@@ -480,6 +485,8 @@ START_TEST(test_debug_is_notset_no_timestamp)
|
||||
debug_microseconds = 0;
|
||||
debug_to_file = 1;
|
||||
debug_prg_name = "sssd";
|
||||
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
|
||||
+
|
||||
|
||||
for (i = 0; i <= 9; i++) {
|
||||
debug_level = all_set & ~levels[i];
|
||||
@@ -525,6 +532,8 @@ START_TEST(test_debug_is_notset_timestamp)
|
||||
debug_microseconds = 0;
|
||||
debug_to_file = 1;
|
||||
debug_prg_name = "sssd";
|
||||
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
|
||||
+
|
||||
|
||||
for (i = 0; i <= 9; i++) {
|
||||
debug_level = all_set & ~levels[i];
|
||||
@@ -570,6 +579,7 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
|
||||
debug_microseconds = 1;
|
||||
debug_to_file = 1;
|
||||
debug_prg_name = "sssd";
|
||||
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
|
||||
|
||||
for (i = 0; i <= 9; i++) {
|
||||
debug_level = all_set & ~levels[i];
|
||||
diff --git a/src/util/child_common.c b/src/util/child_common.c
|
||||
index b300d84bf432608db96de36e04637b5fb115212e..dc070f26446305e07cbb34edd1e4d72db72aedc5 100644
|
||||
--- a/src/util/child_common.c
|
||||
+++ b/src/util/child_common.c
|
||||
@@ -676,7 +676,7 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
if (child_debug_stderr) {
|
||||
- argv[--argc] = talloc_strdup(argv, "--debug-to-stderr");
|
||||
+ argv[--argc] = talloc_strdup(argv, "--logger=stderr");
|
||||
if (argv[argc] == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto fail;
|
||||
diff --git a/src/util/debug.c b/src/util/debug.c
|
||||
index 4e469447e5ab8aa89cd57bcd6d00269875a12bc6..30801fce7c27b115d1cafd4ed826a57c7d444a72 100644
|
||||
--- a/src/util/debug.c
|
||||
+++ b/src/util/debug.c
|
||||
@@ -277,7 +277,7 @@ void sss_vdebug_fn(const char *file,
|
||||
errno_t ret;
|
||||
va_list ap_fallback;
|
||||
|
||||
- if (!debug_file && !debug_to_stderr) {
|
||||
+ if (sss_logger == JOURNALD_LOGGER) {
|
||||
/* If we are not outputting logs to files, we should be sending them
|
||||
* to journald.
|
||||
* NOTE: on modern systems, this is where stdout/stderr will end up
|
||||
@@ -470,7 +470,7 @@ int rotate_debug_files(void)
|
||||
int ret;
|
||||
errno_t error;
|
||||
|
||||
- if (!debug_to_file) return EOK;
|
||||
+ if (sss_logger != FILES_LOGGER) return EOK;
|
||||
|
||||
do {
|
||||
error = 0;
|
||||
diff --git a/src/util/server.c b/src/util/server.c
|
||||
index 4e65cc66c01ba020b13a88df8e017765ac97f76e..f76cb6a0838324d4fc3ed376eb425fee2412a817 100644
|
||||
--- a/src/util/server.c
|
||||
+++ b/src/util/server.c
|
||||
@@ -455,7 +455,7 @@ int server_setup(const char *name, int flags,
|
||||
char *conf_db;
|
||||
int ret = EOK;
|
||||
bool dt;
|
||||
- bool dl;
|
||||
+ bool dl = false;
|
||||
bool dm;
|
||||
struct tevent_signal *tes;
|
||||
struct logrotate_ctx *lctx;
|
||||
@@ -637,16 +637,18 @@ int server_setup(const char *name, int flags,
|
||||
}
|
||||
|
||||
/* same for debug to file */
|
||||
- dl = (debug_to_file != 0);
|
||||
ret = confdb_get_bool(ctx->confdb_ctx, conf_entry,
|
||||
CONFDB_SERVICE_DEBUG_TO_FILES,
|
||||
- dl, &dl);
|
||||
+ false, &dl);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n",
|
||||
ret, strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
- if (dl) debug_to_file = 1;
|
||||
+ if (dl) {
|
||||
+ debug_to_file = 1;
|
||||
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
|
||||
+ }
|
||||
|
||||
/* before opening the log file set up log rotation */
|
||||
lctx = talloc_zero(ctx, struct logrotate_ctx);
|
||||
@@ -662,7 +664,7 @@ int server_setup(const char *name, int flags,
|
||||
}
|
||||
|
||||
/* open log file if told so */
|
||||
- if (debug_to_file) {
|
||||
+ if (sss_logger == FILES_LOGGER) {
|
||||
ret = open_debug_file();
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) "
|
||||
--
|
||||
2.15.1
|
||||
|
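--- /dev/null
+++ b/0019-SYSTEMD-Replace-parameter-debug-to-files-with-DEBUG_.patch
@@ -0,0 +1,258 @@
+From e2c0eecb49af621de77426cb46fff9bbb9a3f220 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 23 Oct 2017 18:03:46 +0200
+Subject: [PATCH 19/79] SYSTEMD: Replace parameter --debug-to-files with
+${DEBUG_LOGGER}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Users can set variable DEBUG_LOGGER in environment files
+(/etc/sysconfig/sssd or /etc/default/sssd; depending on the distribution)
+to override default logging to files.
+
+e.g.
+DEBUG_LOGGER=--logger=stderr
+DEBUG_LOGGER=--logger=journald
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3433
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+Makefile.am | 12 +-----------
+contrib/sssd.spec.in | 4 ----
+src/sysv/systemd/journal.conf.in | 7 -------
+src/sysv/systemd/sssd-autofs.service.in | 3 ++-
+src/sysv/systemd/sssd-ifp.service.in | 3 ++-
+src/sysv/systemd/sssd-kcm.service.in | 3 ++-
+src/sysv/systemd/sssd-nss.service.in | 3 ++-
+src/sysv/systemd/sssd-pac.service.in | 3 ++-
+src/sysv/systemd/sssd-pam.service.in | 3 ++-
+src/sysv/systemd/sssd-secrets.service.in | 3 ++-
+src/sysv/systemd/sssd-ssh.service.in | 3 ++-
+src/sysv/systemd/sssd-sudo.service.in | 3 ++-
+src/sysv/systemd/sssd.service.in | 3 ++-
+13 files changed, 21 insertions(+), 32 deletions(-)
+delete mode 100644 src/sysv/systemd/journal.conf.in
+
+diff --git a/Makefile.am b/Makefile.am
+index 41a8f32f4e76fdcbd09ad833161f0bdada19e389..5483375167d99568e8313c9a0488900419be6ec3 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -91,7 +91,7 @@ sssdkcmdatadir = $(datadir)/sssd-kcm
+deskprofilepath = $(sss_statedir)/deskprofile
+
+if HAVE_SYSTEMD_UNIT
+-ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --debug-to-files --dbus-activated
++ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated
+ifp_systemdservice = SystemdService=sssd-ifp.service
+ifp_restart = Restart=on-failure
+else
+@@ -4483,10 +4483,6 @@ if BUILD_KCM
+src/sysv/systemd/sssd-kcm.service \
+$(NULL)
+endif
+-if WITH_JOURNALD
+- systemdconf_DATA += \
+- src/sysv/systemd/journal.conf
+-endif
+else
+if HAVE_SUSE
+init_SCRIPTS += \
+@@ -4535,7 +4531,6 @@ replace_script = \
+
+EXTRA_DIST += \
+src/sysv/systemd/sssd.service.in \
+- src/sysv/systemd/journal.conf.in \
+src/sysv/systemd/sssd-nss.socket.in \
+src/sysv/systemd/sssd-nss.service.in \
+src/sysv/systemd/sssd-pam.socket.in \
+@@ -4585,10 +4580,6 @@ src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
+@$(MKDIR_P) src/sysv/systemd/
+$(replace_script)
+
+-src/sysv/systemd/journal.conf: src/sysv/systemd/journal.conf.in Makefile
+- @$(MKDIR_P) src/sysv/systemd/
+- $(replace_script)
+-
+src/sysv/systemd/sssd-nss.socket: src/sysv/systemd/sssd-nss.socket.in Makefile
+@$(MKDIR_P) src/sysv/systemd/
+$(replace_script)
+@@ -4924,7 +4915,6 @@ endif
+rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service
+rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket
+rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service
+- rm -f $(builddir)/src/sysv/systemd/journal.conf
+rm -f $(builddir)/src/tools/wrappers/sss_debuglevel
+
+CLEANFILES += *.X */*.X */*/*.X
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index d6ab73e60863316cbf239d34242959fdfe8d4b1b..4aafd1832b67161ff1c25a4e9ad689586a227a25 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -971,10 +971,6 @@ done
+%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd
+%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d
+%ghost %attr(0600,sssd,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
+-%if (0%{?use_systemd} == 1)
+-%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/sssd.service.d
+-%config(noreplace) %{_sysconfdir}/systemd/system/sssd.service.d/journal.conf
+-%endif
+%dir %{_sysconfdir}/logrotate.d
+%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
+%dir %{_sysconfdir}/rwtab.d
+diff --git a/src/sysv/systemd/journal.conf.in b/src/sysv/systemd/journal.conf.in
+deleted file mode 100644
+index 9ce170b4893629792516aab41573adea1fb741f0..0000000000000000000000000000000000000000
+--- a/src/sysv/systemd/journal.conf.in
++++ /dev/null
+@@ -1,7 +0,0 @@
+-[Service]
+-# Uncomment *both* of the following lines to enable debug logging
+-# to go to journald instead of /var/log/sssd. You will need to
+-# run 'systemctl daemon-reload' and then restart the SSSD service
+-# for this to take effect
+-#ExecStart=
+-#ExecStart=@sbindir@/sssd -i
+diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
+index 32ea6e19ca7f9aa65599c0cf296a8c5e73362271..c2dc254c8f3f56cb6ae4dc481781688aa702b102 100644
+--- a/src/sysv/systemd/sssd-autofs.service.in
++++ b/src/sysv/systemd/sssd-autofs.service.in
+@@ -9,8 +9,9 @@ RefuseManualStart=true
+Also=sssd-autofs.socket
+
+[Service]
++Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log
+-ExecStart=@libexecdir@/sssd/sssd_autofs --debug-to-files --socket-activated
++ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
+index 8e7abdb0e8c5ec83f9423c688daf845a16c57e7e..05a9a602b2d27c54a4faa79c58e0ecba90267100 100644
+--- a/src/sysv/systemd/sssd-ifp.service.in
++++ b/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,7 +5,8 @@ After=sssd.service
+BindsTo=sssd.service
+
+[Service]
++Environment=DEBUG_LOGGER=--logger=files
+Type=dbus
+BusName=org.freedesktop.sssd.infopipe
+-ExecStart=@ifp_exec_cmd@
++ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
+@ifp_restart@
+diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
+index 1e2bee12dc3bedd17d41b86f91c9b2b52d985c40..92306f97ec73a775739bfdb4454df14956e5e133 100644
+--- a/src/sysv/systemd/sssd-kcm.service.in
++++ b/src/sysv/systemd/sssd-kcm.service.in
+@@ -6,4 +6,5 @@ Documentation=man:sssd-kcm(5)
+Also=sssd-kcm.socket
+
+[Service]
+-ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 --debug-to-files
++Environment=DEBUG_LOGGER=--logger=files
++ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
+index 6a29078d5a36dff229e47bf7ce953e46443ce023..fe771ad0fa99968bb1d42037abf2f960271589b1 100644
+--- a/src/sysv/systemd/sssd-nss.service.in
++++ b/src/sysv/systemd/sssd-nss.service.in
+@@ -9,5 +9,6 @@ RefuseManualStart=true
+Also=sssd-nss.socket
+
+[Service]
+-ExecStart=@libexecdir@/sssd/sssd_nss --debug-to-files --socket-activated
++Environment=DEBUG_LOGGER=--logger=files
++ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
+index ffbfdec030ba6d5cf75c989854c27bc46b6983a5..dbd25abc476f579c9d8cce171fdeafa06e567610 100644
+--- a/src/sysv/systemd/sssd-pac.service.in
++++ b/src/sysv/systemd/sssd-pac.service.in
+@@ -9,8 +9,9 @@ RefuseManualStart=true
+Also=sssd-pac.socket
+
+[Service]
++Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log
+-ExecStart=@libexecdir@/sssd/sssd_pac --debug-to-files --socket-activated
++ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
+index 6dec46f0c5d384c500268dafcd00af894088e0b6..df722d1f3014bf62cc60114c30331424d14f411b 100644
+--- a/src/sysv/systemd/sssd-pam.service.in
++++ b/src/sysv/systemd/sssd-pam.service.in
+@@ -9,8 +9,9 @@ RefuseManualStart=true
+Also=sssd-pam.socket sssd-pam-priv.socket
+
+[Service]
++Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log
+-ExecStart=@libexecdir@/sssd/sssd_pam --debug-to-files --socket-activated
++ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+diff --git a/src/sysv/systemd/sssd-secrets.service.in b/src/sysv/systemd/sssd-secrets.service.in
+index f45d647677a62900c01c7eb103597f2b1387498c..a7b41e0b16a5fa882546b41047e616fd2140329f 100644
+--- a/src/sysv/systemd/sssd-secrets.service.in
++++ b/src/sysv/systemd/sssd-secrets.service.in
+@@ -6,4 +6,5 @@ Documentation=man:sssd-secrets(5)
+Also=sssd-secrets.socket
+
+[Service]
+-ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 --debug-to-files
++Environment=DEBUG_LOGGER=--logger=files
++ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 ${DEBUG_LOGGER}
+diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in
+index 6f233b4854018d79cc0ad9d67d53ebd67a49f7b7..f41249ea0fe19e5044d5d06ba195ab604d8e6a29 100644
+--- a/src/sysv/systemd/sssd-ssh.service.in
++++ b/src/sysv/systemd/sssd-ssh.service.in
+@@ -9,8 +9,9 @@ RefuseManualStart=true
+Also=sssd-ssh.socket
+
+[Service]
++Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log
+-ExecStart=@libexecdir@/sssd/sssd_ssh --debug-to-files --socket-activated
++ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
+index b59bcbcd817c3986d7ee245b1083f90ff5a3775a..da022f768af91e360182fad0ff885fad43ecfdc0 100644
+--- a/src/sysv/systemd/sssd-sudo.service.in
++++ b/src/sysv/systemd/sssd-sudo.service.in
+@@ -9,8 +9,9 @@ RefuseManualStart=true
+Also=sssd-sudo.socket
+
+[Service]
++Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
+-ExecStart=@libexecdir@/sssd/sssd_sudo --debug-to-files --socket-activated
++ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
+index 05cfd3705084dbff8b46fb07e736612612c58b70..cea848fac80303d6fae12dd84316a91dbc60072d 100644
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -5,8 +5,9 @@ Before=systemd-user-sessions.service nss-user-lookup.target
+Wants=nss-user-lookup.target
+
+[Service]
++Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+-ExecStart=@sbindir@/sssd -i -f
++ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
+Type=notify
+NotifyAccess=main
+
+--
+2.15.1
+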
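Review bot: The rewritten `ExecStart` in the sssd-sudo.service.in hunk drops `--debug-to-files` without substituting `${DEBUG_LOGGER}`, unlike every other unit touched by this patch, so the `Environment=DEBUG_LOGGER=--logger=files` line added just above it has no effect on sssd_sudo and the sudo responder is the only service whose log destination can no longer be steered from the environment file; it should read `ExecStart=@libexecdir@/sssd/sssd_sudo ${DEBUG_LOGGER} --socket-activated`. The same line survives unchanged as context in the sssd-sudo hunk of 0020-SYSTEMD-Add-environment-file-to-responder-service-fi.patch, which therefore adds `EnvironmentFile=` to a unit that never consumes the variable. Worth documenting as well: systemd expands `${DEBUG_LOGGER}` as a single argument with no word splitting, so a value like `--logger=stderr` works but a multi-option value in /etc/sysconfig/sssd would reach the daemon as one argument rather than several options; a sentence next to the `DEBUG_LOGGER=--logger=stderr` examples in the commit message, or a one-line comment above the `Environment=` line in the units, would spare operators a failed start.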
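--- /dev/null
+++ b/0020-SYSTEMD-Add-environment-file-to-responder-service-fi.patch
@@ -0,0 +1,106 @@
+From 536c8687921a0afe072bf81fca0bbb618a4c92fc Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Tue, 24 Oct 2017 12:15:48 +0200
+Subject: [PATCH 20/79] SYSTEMD: Add environment file to responder service
+files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+src/sysv/systemd/sssd-autofs.service.in | 1 +
+src/sysv/systemd/sssd-ifp.service.in | 1 +
+src/sysv/systemd/sssd-nss.service.in | 1 +
+src/sysv/systemd/sssd-pac.service.in | 1 +
+src/sysv/systemd/sssd-pam.service.in | 1 +
+src/sysv/systemd/sssd-ssh.service.in | 1 +
+src/sysv/systemd/sssd-sudo.service.in | 1 +
+7 files changed, 7 insertions(+)
+
+diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
+index c2dc254c8f3f56cb6ae4dc481781688aa702b102..7f920ad66a46bb0785c3f947bc26c15d0e370259 100644
+--- a/src/sysv/systemd/sssd-autofs.service.in
++++ b/src/sysv/systemd/sssd-autofs.service.in
+@@ -10,6 +10,7 @@ Also=sssd-autofs.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
++EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log
+ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
+index 05a9a602b2d27c54a4faa79c58e0ecba90267100..f3bf92223ce8847858f57c2bb04b97c858be0ead 100644
+--- a/src/sysv/systemd/sssd-ifp.service.in
++++ b/src/sysv/systemd/sssd-ifp.service.in
+@@ -6,6 +6,7 @@ BindsTo=sssd.service
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
++EnvironmentFile=-@environment_file@
+Type=dbus
+BusName=org.freedesktop.sssd.infopipe
+ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
+diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
+index fe771ad0fa99968bb1d42037abf2f960271589b1..c671280f2c8a7f85fd09a72983a21db0c30df3b9 100644
+--- a/src/sysv/systemd/sssd-nss.service.in
++++ b/src/sysv/systemd/sssd-nss.service.in
+@@ -10,5 +10,6 @@ Also=sssd-nss.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
++EnvironmentFile=-@environment_file@
+ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
+index dbd25abc476f579c9d8cce171fdeafa06e567610..590449b01223fe799eebb12b63229dfb8f2438f9 100644
+--- a/src/sysv/systemd/sssd-pac.service.in
++++ b/src/sysv/systemd/sssd-pac.service.in
+@@ -10,6 +10,7 @@ Also=sssd-pac.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
++EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log
+ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
+index df722d1f3014bf62cc60114c30331424d14f411b..f2e938579c7ef4254bb2e05231bfe83d7e20f395 100644
+--- a/src/sysv/systemd/sssd-pam.service.in
++++ b/src/sysv/systemd/sssd-pam.service.in
+@@ -10,6 +10,7 @@ Also=sssd-pam.socket sssd-pam-priv.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
++EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log
+ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in
+index f41249ea0fe19e5044d5d06ba195ab604d8e6a29..1c185466dfa8c13804cc980bbbdbc997d4ebe955 100644
+--- a/src/sysv/systemd/sssd-ssh.service.in
++++ b/src/sysv/systemd/sssd-ssh.service.in
+@@ -10,6 +10,7 @@ Also=sssd-ssh.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
++EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log
+ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
+index da022f768af91e360182fad0ff885fad43ecfdc0..f13d88107eccd9e80447390c9c0f8940ae933106 100644
+--- a/src/sysv/systemd/sssd-sudo.service.in
++++ b/src/sysv/systemd/sssd-sudo.service.in
+@@ -10,6 +10,7 @@ Also=sssd-sudo.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
++EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
+ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated
+Restart=on-failure
+--
+2.15.1
+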
46
0021-UTIL-Hide-and-deprecate-parameter-debug-to-files.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From d344095ece6000e7641a9c867c8e00335b8d1ab0 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 24 Oct 2017 12:07:46 +0200
|
||||
Subject: [PATCH 21/79] UTIL: Hide and deprecate parameter --debug-to-files
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/man/sssd.8.xml | 4 ++++
|
||||
src/util/debug.h | 2 +-
|
||||
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
|
||||
index 0b725628ff93f48f832140dd5dc15b040a8b179f..f2cbe015b844579af98aebd864770bc651dcf4b1 100644
|
||||
--- a/src/man/sssd.8.xml
|
||||
+++ b/src/man/sssd.8.xml
|
||||
@@ -90,6 +90,10 @@
|
||||
log files are stored in <filename>/var/log/sssd</filename> and
|
||||
there are separate log files for every SSSD service and domain.
|
||||
</para>
|
||||
+ <para>
|
||||
+ This option is deprecated. It is replaced by
|
||||
+ <option>--logger=files</option>.
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
diff --git a/src/util/debug.h b/src/util/debug.h
|
||||
index 4adafb7cfc03f7381c4d03071eb44edad04bee00..09f50cc9f3122f02d8ba2092dfb7ee633332de9b 100644
|
||||
--- a/src/util/debug.h
|
||||
+++ b/src/util/debug.h
|
||||
@@ -101,7 +101,7 @@ int get_fd_from_debug_file(void);
|
||||
#define SSSD_DEBUG_OPTS \
|
||||
{"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, \
|
||||
_("Debug level"), NULL}, \
|
||||
- {"debug-to-files", 'f', POPT_ARG_NONE, &debug_to_file, 0, \
|
||||
+ {"debug-to-files", 'f', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_file, 0, \
|
||||
_("Send the debug output to files instead of stderr"), NULL }, \
|
||||
{"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \
|
||||
_("Send the debug output to stderr directly."), NULL }, \
|
||||
--
|
||||
2.15.1
|
||||
|
212
0023-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch
Normal file
212
0023-LDAP-Bind-to-the-LDAP-server-also-in-the-auth.patch
Normal file
@ -0,0 +1,212 @@
|
||||
From eafe5f3e981a951c0ff20807a0486cfa62dcc3ad Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Wed, 25 Oct 2017 11:25:09 +0200
|
||||
Subject: [PATCH 23/79] LDAP: Bind to the LDAP server also in the auth
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When dealing with id_provider not being the same as auth_provider, SSSD
|
||||
has to bind the DN of the user which wants to authenticate with the
|
||||
ldap_default_bind_dn and the password provided by the user.
|
||||
|
||||
In order to do so, the least intrusive way is just by replacing
|
||||
sdap_connect*() functions by sdap_cli_connect*() functions in the LDAP's
|
||||
auth module.
|
||||
|
||||
The simple change also allowed us to remove some code that is already
|
||||
executed as part of sdap_cli_connect*() and some functions had their
|
||||
names adapted to reflect better their new purpose.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3451
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/providers/ldap/ldap_auth.c | 114 +++++++++--------------------------------
|
||||
1 file changed, 25 insertions(+), 89 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index 00ddd889b6294e457c13218491547b84f1468266..a3b1480aae4272d2e10f105a1eaf3a5816c3487c 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -619,14 +619,11 @@ struct auth_state {
|
||||
char *dn;
|
||||
enum pwexpire pw_expire_type;
|
||||
void *pw_expire_data;
|
||||
-
|
||||
- struct fo_server *srv;
|
||||
};
|
||||
|
||||
-static struct tevent_req *auth_get_server(struct tevent_req *req);
|
||||
+static struct tevent_req *auth_connect_send(struct tevent_req *req);
|
||||
static void auth_get_dn_done(struct tevent_req *subreq);
|
||||
static void auth_do_bind(struct tevent_req *req);
|
||||
-static void auth_resolve_done(struct tevent_req *subreq);
|
||||
static void auth_connect_done(struct tevent_req *subreq);
|
||||
static void auth_bind_user_done(struct tevent_req *subreq);
|
||||
|
||||
@@ -659,7 +656,6 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
|
||||
state->ctx = ctx;
|
||||
state->username = username;
|
||||
state->authtok = authtok;
|
||||
- state->srv = NULL;
|
||||
if (try_chpass_service && ctx->chpass_service != NULL &&
|
||||
ctx->chpass_service->name != NULL) {
|
||||
state->sdap_service = ctx->chpass_service;
|
||||
@@ -667,7 +663,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
|
||||
state->sdap_service = ctx->service;
|
||||
}
|
||||
|
||||
- if (!auth_get_server(req)) goto fail;
|
||||
+ if (!auth_connect_send(req)) goto fail;
|
||||
|
||||
return req;
|
||||
|
||||
@@ -676,75 +672,37 @@ fail:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-static struct tevent_req *auth_get_server(struct tevent_req *req)
|
||||
+static struct tevent_req *auth_connect_send(struct tevent_req *req)
|
||||
{
|
||||
- struct tevent_req *next_req;
|
||||
+ struct tevent_req *subreq;
|
||||
struct auth_state *state = tevent_req_data(req,
|
||||
struct auth_state);
|
||||
-
|
||||
- /* NOTE: this call may cause service->uri to be refreshed
|
||||
- * with a new valid server. Do not use service->uri before */
|
||||
- next_req = be_resolve_server_send(state,
|
||||
- state->ev,
|
||||
- state->ctx->be,
|
||||
- state->sdap_service->name,
|
||||
- state->srv == NULL ? true : false);
|
||||
- if (!next_req) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n");
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
- tevent_req_set_callback(next_req, auth_resolve_done, req);
|
||||
- return next_req;
|
||||
-}
|
||||
-
|
||||
-static void auth_resolve_done(struct tevent_req *subreq)
|
||||
-{
|
||||
- struct tevent_req *req = tevent_req_callback_data(subreq,
|
||||
- struct tevent_req);
|
||||
- struct auth_state *state = tevent_req_data(req,
|
||||
- struct auth_state);
|
||||
- int ret;
|
||||
bool use_tls;
|
||||
|
||||
- ret = be_resolve_server_recv(subreq, state, &state->srv);
|
||||
- talloc_zfree(subreq);
|
||||
- if (ret) {
|
||||
- /* all servers have been tried and none
|
||||
- * was found good, go offline */
|
||||
- tevent_req_error(req, ETIMEDOUT);
|
||||
- return;
|
||||
+ /* Check for undocumented debugging feature to disable TLS
|
||||
+ * for authentication. This should never be used in production
|
||||
+ * for obvious reasons.
|
||||
+ */
|
||||
+ use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
|
||||
+ if (!use_tls) {
|
||||
+ sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
|
||||
+ "insecure connection. This should be done "
|
||||
+ "for debugging purposes only.");
|
||||
}
|
||||
|
||||
- /* Determine whether we need to use TLS */
|
||||
- if (sdap_is_secure_uri(state->ctx->service->uri)) {
|
||||
- DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
- "[%s] is a secure channel. No need to run START_TLS\n",
|
||||
- state->ctx->service->uri);
|
||||
- use_tls = false;
|
||||
- } else {
|
||||
+ subreq = sdap_cli_connect_send(state, state->ev, state->ctx->opts,
|
||||
+ state->ctx->be,
|
||||
+ state->sdap_service, false,
|
||||
+ use_tls ? CON_TLS_ON : CON_TLS_OFF, false);
|
||||
|
||||
- /* Check for undocumented debugging feature to disable TLS
|
||||
- * for authentication. This should never be used in production
|
||||
- * for obvious reasons.
|
||||
- */
|
||||
- use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
|
||||
- if (!use_tls) {
|
||||
- sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
|
||||
- "insecure connection. This should be done "
|
||||
- "for debugging purposes only.");
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- subreq = sdap_connect_send(state, state->ev, state->ctx->opts,
|
||||
- state->sdap_service->uri,
|
||||
- state->sdap_service->sockaddr, use_tls);
|
||||
- if (!subreq) {
|
||||
+ if (subreq == NULL) {
|
||||
tevent_req_error(req, ENOMEM);
|
||||
- return;
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
tevent_req_set_callback(subreq, auth_connect_done, req);
|
||||
+
|
||||
+ return subreq;
|
||||
}
|
||||
|
||||
static void auth_connect_done(struct tevent_req *subreq)
|
||||
@@ -755,35 +713,13 @@ static void auth_connect_done(struct tevent_req *subreq)
|
||||
struct auth_state);
|
||||
int ret;
|
||||
|
||||
- ret = sdap_connect_recv(subreq, state, &state->sh);
|
||||
+ ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
|
||||
talloc_zfree(subreq);
|
||||
- if (ret) {
|
||||
- if (state->srv) {
|
||||
- /* mark this server as bad if connection failed */
|
||||
- be_fo_set_port_status(state->ctx->be,
|
||||
- state->sdap_service->name,
|
||||
- state->srv, PORT_NOT_WORKING);
|
||||
- }
|
||||
-
|
||||
- if (auth_get_server(req) == NULL) {
|
||||
+ if (ret != EOK) {
|
||||
+ if (auth_connect_send(req) == NULL) {
|
||||
tevent_req_error(req, ENOMEM);
|
||||
}
|
||||
return;
|
||||
- } else if (state->srv) {
|
||||
- be_fo_set_port_status(state->ctx->be, state->sdap_service->name,
|
||||
- state->srv, PORT_WORKING);
|
||||
- }
|
||||
-
|
||||
- /* In case the ID provider is set to proxy, this might be the first
|
||||
- * LDAP operation at all, so we need to set the connection status
|
||||
- */
|
||||
- if (state->sh->connected == false) {
|
||||
- ret = sdap_set_connected(state->sh, state->ev);
|
||||
- if (ret) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set connected status\n");
|
||||
- tevent_req_error(req, ret);
|
||||
- return;
|
||||
- }
|
||||
}
|
||||
|
||||
ret = get_user_dn(state, state->ctx->be->domain,
|
||||
@@ -870,7 +806,7 @@ static void auth_bind_user_done(struct tevent_req *subreq)
|
||||
break;
|
||||
case ETIMEDOUT:
|
||||
case ERR_NETWORK_IO:
|
||||
- if (auth_get_server(req) == NULL) {
|
||||
+ if (auth_connect_send(req) == NULL) {
|
||||
tevent_req_error(req, ENOMEM);
|
||||
}
|
||||
return;
|
||||
--
|
||||
2.15.1
|
||||
|
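Review bot: `auth_connect_send()` now calls `tevent_req_error(req, ENOMEM)` when `sdap_cli_connect_send()` returns NULL and then returns NULL itself, but all three callers (`auth_send()`, the retry in `auth_connect_done()` and the ETIMEDOUT/ERR_NETWORK_IO path in `auth_bind_user_done()`) treat a NULL return by calling `tevent_req_error(req, ENOMEM)` a second time. When that happens from a callback, the first call already finishes `req` and, by the usual tevent pattern, runs the parent's callback which calls `auth_recv()` and frees `req`, so the second call operates on a finished and possibly freed request; the removed `auth_get_server()` only logged and returned NULL, so this is introduced here. Either drop the `tevent_req_error(req, ENOMEM);` inside `auth_connect_send()` and let the callers report the failure, or keep it and make the callers just `return` on NULL. Separately, the "insecure connection" alert is now raised before any server is resolved and regardless of whether the resolved URI is ldaps:// (the removed `sdap_is_secure_uri()` check leaves this path, presumably handled inside `sdap_cli_connect_send()`), and it repeats on every reconnect attempt, so consider logging it once when the option is read and wording it as "START_TLS disabled for LDAP authentication" rather than asserting the connection is insecure.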
55
0024-KCM-Fix-restart-during-after-upgrade.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From 6010476f08fb52bfcea9c2b10461b0d53ce0860c Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Fri, 3 Nov 2017 11:43:18 +0100
|
||||
Subject: [PATCH 24/79] KCM: Fix restart during/after upgrade
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Oct 02 12:26:57 host systemd[1]: Closed SSSD Kerberos Cache Manager responder socket.
|
||||
Oct 02 12:26:57 host systemd[1]: Stopping SSSD Kerberos Cache Manager responder socket.
|
||||
Oct 02 12:26:57 host systemd[1]: sssd-kcm.socket: Socket service sssd-kcm.service already active, refusing.
|
||||
Oct 02 12:26:57 host systemd[1]: Failed to listen on SSSD Kerberos Cache Manager responder socket.
|
||||
Oct 02 12:26:57 host systemd[1]: Stopping SSSD Kerberos Cache Manager...
|
||||
Oct 02 12:26:57 host sssd[kcm][21492]: Shutting down
|
||||
Oct 02 12:26:57 host systemd[1]: Stopped SSSD Kerberos Cache Manager.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3529
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sysv/systemd/sssd-kcm.service.in | 2 ++
|
||||
src/sysv/systemd/sssd-secrets.service.in | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
|
||||
index 92306f97ec73a775739bfdb4454df14956e5e133..8d689bfd7e7ea720c97b5df2571289fd777e1547 100644
|
||||
--- a/src/sysv/systemd/sssd-kcm.service.in
|
||||
+++ b/src/sysv/systemd/sssd-kcm.service.in
|
||||
@@ -1,6 +1,8 @@
|
||||
[Unit]
|
||||
Description=SSSD Kerberos Cache Manager
|
||||
Documentation=man:sssd-kcm(5)
|
||||
+Requires=sssd-kcm.socket
|
||||
+After=sssd-kcm.socket
|
||||
|
||||
[Install]
|
||||
Also=sssd-kcm.socket
|
||||
diff --git a/src/sysv/systemd/sssd-secrets.service.in b/src/sysv/systemd/sssd-secrets.service.in
|
||||
index a7b41e0b16a5fa882546b41047e616fd2140329f..a9756acf8a3c71e861b443259c0713380ac005f3 100644
|
||||
--- a/src/sysv/systemd/sssd-secrets.service.in
|
||||
+++ b/src/sysv/systemd/sssd-secrets.service.in
|
||||
@@ -1,6 +1,8 @@
|
||||
[Unit]
|
||||
Description=SSSD Secrets Service responder
|
||||
Documentation=man:sssd-secrets(5)
|
||||
+Requires=sssd-secrets.socket
|
||||
+After=sssd-secrets.socket
|
||||
|
||||
[Install]
|
||||
Also=sssd-secrets.socket
|
||||
--
|
||||
2.15.1
|
||||
|
79
0035-RESP-Add-some-missing-NULL-checks.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From 6e4b53c819d2cbc0a4e25b9813e24c47ad12febb Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 9 Nov 2017 13:24:47 +0100
|
||||
Subject: [PATCH 35/79] RESP: Add some missing NULL checks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/responder/autofs/autofssrv_dp.c | 4 ++++
|
||||
src/responder/common/responder_dp.c | 4 ++++
|
||||
src/responder/common/responder_dp_ssh.c | 4 ++++
|
||||
src/responder/sudo/sudosrv_dp.c | 4 ++++
|
||||
4 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/responder/autofs/autofssrv_dp.c b/src/responder/autofs/autofssrv_dp.c
|
||||
index a323d83d9deb4e51180da9ff291044f1b9f64f76..bb8c2a42899b163b7727af778e554a5f55ca2d56 100644
|
||||
--- a/src/responder/autofs/autofssrv_dp.c
|
||||
+++ b/src/responder/autofs/autofssrv_dp.c
|
||||
@@ -65,6 +65,10 @@ sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
info = talloc_zero(state, struct sss_dp_get_autofs_info);
|
||||
+ if (info == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto error;
|
||||
+ }
|
||||
info->fast_reply = fast_reply;
|
||||
info->type = type;
|
||||
info->name = name;
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index a75a611960801f5f5bdc95f00aea9ab921e8e293..935a36d28d15d1074a0971fe9781474072578b8f 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -536,6 +536,10 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
info = talloc_zero(state, struct sss_dp_account_info);
|
||||
+ if (info == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto error;
|
||||
+ }
|
||||
info->fast_reply = fast_reply;
|
||||
info->type = type;
|
||||
info->opt_name = opt_name;
|
||||
diff --git a/src/responder/common/responder_dp_ssh.c b/src/responder/common/responder_dp_ssh.c
|
||||
index 303ba1568b6230b0d4dfa718e4a7c024ae84d4e9..f78052296f07d3e21d8d4841a58c85fcf178fa1a 100644
|
||||
--- a/src/responder/common/responder_dp_ssh.c
|
||||
+++ b/src/responder/common/responder_dp_ssh.c
|
||||
@@ -64,6 +64,10 @@ sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
info = talloc_zero(state, struct sss_dp_get_ssh_host_info);
|
||||
+ if (info == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto error;
|
||||
+ }
|
||||
info->fast_reply = fast_reply;
|
||||
info->name = name;
|
||||
info->alias = alias;
|
||||
diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
|
||||
index 3a4a79473ff9915b3845643505d63411585aa262..f8ec8abc26d9710a2bccaadc4f807f963fe35f89 100644
|
||||
--- a/src/responder/sudo/sudosrv_dp.c
|
||||
+++ b/src/responder/sudo/sudosrv_dp.c
|
||||
@@ -72,6 +72,10 @@ sss_dp_get_sudoers_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
info = talloc_zero(state, struct sss_dp_get_sudoers_info);
|
||||
+ if (info == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto error;
|
||||
+ }
|
||||
info->fast_reply = fast_reply;
|
||||
info->type = type;
|
||||
info->name = name;
|
||||
--
|
||||
2.15.1
|
||||
|
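Review bot: Each of the four new checks jumps to an `error` label that lies outside the hunk, so it cannot be confirmed here that the label finishes the request with `tevent_req_error(req, ret)` followed by `tevent_req_post()` rather than returning NULL from a `_send()` function; the visible `ret = ENOMEM; goto error;` pattern only makes sense if `ret` is what the label reports. `info` is allocated under `state`, so freeing `req` on that path reclaims it and no separate `talloc_free(info)` is needed. All four enclosing `sss_dp_get_*_send()` functions start and end outside the hunk.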
@ -0,0 +1,50 @@
|
||||
From c514089df0e3c357bb8465bca297806b253569e9 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 7 Nov 2017 17:11:52 +0100
|
||||
Subject: [PATCH 36/79] BUILD: Properly expand variables in sssd-ifp.service
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
systemd[1]: [/usr/lib/systemd/system/sssd-ifp.service:9]
|
||||
Path '-@environment_file@' is not absolute, ignoring.
|
||||
|
||||
sh-4.2# systemctl cat sssd-ifp.service
|
||||
# /usr/lib/systemd/system/sssd-ifp.service
|
||||
[Unit]
|
||||
Description=SSSD IFP Service responder
|
||||
Documentation=man:sssd-ifp(5)
|
||||
After=sssd.service
|
||||
BindsTo=sssd.service
|
||||
|
||||
[Service]
|
||||
Environment=DEBUG_LOGGER=--logger=files
|
||||
EnvironmentFile=-@environment_file@
|
||||
Type=dbus
|
||||
BusName=org.freedesktop.sssd.infopipe
|
||||
ExecStart=/usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --dbus-activated ${DEBUG_LOGGER}
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3433
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 286ba47e3c421864362717be5258de960efca9f2..bbc90d9bad4d22ca0284ea95281a487d42399c05 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1491,7 +1491,7 @@ EXTRA_DIST += \
|
||||
src/responder/ifp/org.freedesktop.sssd.infopipe.service.in \
|
||||
$(NULL)
|
||||
|
||||
-ifp_edit_cmd = $(SED) \
|
||||
+ifp_edit_cmd = $(edit_cmd) \
|
||||
-e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \
|
||||
-e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \
|
||||
-e 's|@ifp_restart[@]|$(ifp_restart)|g'
|
||||
--
|
||||
2.15.1
|
||||
|
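Review bot: The fix depends on `edit_cmd` carrying the `@environment_file@` substitution that the bare `$(SED)` invocation lacked, but nothing prevents the same regression from recurring silently: as the commit message shows, systemd only logs `Path '-@environment_file@' is not absolute, ignoring.` and then starts the responder without its EnvironmentFile. Consider adding a post-substitution guard to the rule that consumes `ifp_edit_cmd` (not visible here), along the lines of `! grep -q '@[A-Za-z_]*@' $@`, so an unexpanded placeholder fails the build instead of being ignored at runtime. The same guard would protect the other unit files that are generated through `edit_cmd`.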
38
0037-SYSTEMD-Clean-pid-file-in-corner-cases.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 8d1779240b4b193ecdc7ff8601def88a95cd7d47 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 8 Nov 2017 14:09:36 +0100
|
||||
Subject: [PATCH 37/79] SYSTEMD: Clean pid file in corner cases
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
SSSD can cleanup pid file in case of standard stopping of daemon.
|
||||
It's done in function monitor_cleanup. However monitor does not have a
|
||||
change to cleanup file in case of OOM or sending SIGKILL to monitor.
|
||||
|
||||
Even though PIDFile is not necessary for services with Type notify
|
||||
we should let systemd to clean this file in unexpected situations.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3528
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sysv/systemd/sssd.service.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
|
||||
index cea848fac80303d6fae12dd84316a91dbc60072d..0c515d34caaa3ea397c4c7e95eef0188df170840 100644
|
||||
--- a/src/sysv/systemd/sssd.service.in
|
||||
+++ b/src/sysv/systemd/sssd.service.in
|
||||
@@ -10,6 +10,7 @@ EnvironmentFile=-@environment_file@
|
||||
ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
|
||||
Type=notify
|
||||
NotifyAccess=main
|
||||
+PIDFile=@localstatedir@/run/sssd.pid
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
--
|
||||
2.15.1
|
||||
|
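Review bot: `PIDFile=` is added with a path built from `@localstatedir@/run`, which for the default prefix is /var/run/sssd.pid; newer systemd releases treat /var/run as a legacy alias of /run and warn about PID files below it, and they also check that the PID read from the file belongs to the service's cgroup, so the unit should point directly at the runtime directory (e.g. `PIDFile=/run/sssd.pid`, or a `@runstatedir@` substitution if this autoconf provides one — not visible here) and the daemon must write the identical path. Because the unit already uses `Type=notify` with `NotifyAccess=main`, the main PID is tracked through sd_notify and this line only buys the stale-file cleanup after OOM/SIGKILL that the commit message describes; a one-line comment in the unit, such as `# PIDFile only lets systemd remove a stale pid file; MAINPID comes from sd_notify`, would stop a later cleanup from dropping it as redundant.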
197
0038-CHILD-Pass-information-about-logger-to-children.patch
Normal file
@ -0,0 +1,197 @@
|
||||
From 9ff9b0e5f6599d178d374753d7fbc99e7258ca4c Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 8 Nov 2017 08:13:02 +0100
|
||||
Subject: [PATCH 38/79] CHILD: Pass information about logger to children
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Variables debug_to_file or debug_to_stderr were not set
|
||||
because back-end already user parameter --logger=%s.
|
||||
And therefore logs were not sent to files.
|
||||
|
||||
It could only work in case of direct usage of --debug-to-files in back-end via
|
||||
command configuration option.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3433
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/p11_child/p11_child_nss.c | 4 +++-
|
||||
src/providers/ad/ad_gpo_child.c | 3 ++-
|
||||
src/providers/ipa/selinux_child.c | 3 ++-
|
||||
src/providers/krb5/krb5_child.c | 3 ++-
|
||||
src/providers/ldap/ldap_child.c | 3 ++-
|
||||
src/util/child_common.c | 24 ++++++++++--------------
|
||||
6 files changed, 21 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
||||
index e7dbcb689220d1cd2585fbde5f26e84f8fa15cc2..b0ec69be321c4b4186ce851c07bfcc3e1afe9694 100644
|
||||
--- a/src/p11_child/p11_child_nss.c
|
||||
+++ b/src/p11_child/p11_child_nss.c
|
||||
@@ -537,7 +537,7 @@ int main(int argc, const char *argv[])
|
||||
int opt;
|
||||
poptContext pc;
|
||||
int debug_fd = -1;
|
||||
- char *opt_logger = NULL;
|
||||
+ const char *opt_logger = NULL;
|
||||
errno_t ret;
|
||||
TALLOC_CTX *main_ctx = NULL;
|
||||
char *cert;
|
||||
@@ -673,7 +673,9 @@ int main(int argc, const char *argv[])
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
|
||||
}
|
||||
+ opt_logger = sss_logger_str[FILES_LOGGER];
|
||||
}
|
||||
+
|
||||
sss_set_logger(opt_logger);
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "p11_child started.\n");
|
||||
diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
|
||||
index 5375cc691e8649c289672b74c4bfe5266c8222c9..a0bd6e13a31fe0f92924d49302d1b8b17bac4d67 100644
|
||||
--- a/src/providers/ad/ad_gpo_child.c
|
||||
+++ b/src/providers/ad/ad_gpo_child.c
|
||||
@@ -687,7 +687,7 @@ main(int argc, const char *argv[])
|
||||
int opt;
|
||||
poptContext pc;
|
||||
int debug_fd = -1;
|
||||
- char *opt_logger = NULL;
|
||||
+ const char *opt_logger = NULL;
|
||||
errno_t ret;
|
||||
int sysvol_gpt_version;
|
||||
int result;
|
||||
@@ -744,6 +744,7 @@ main(int argc, const char *argv[])
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
|
||||
}
|
||||
+ opt_logger = sss_logger_str[FILES_LOGGER];
|
||||
}
|
||||
|
||||
sss_set_logger(opt_logger);
|
||||
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
|
||||
index 120492686963241b7e419413f489cc38953e32f2..a7e20f715626d0f3ecef7cc06f3de5d44b6a15c1 100644
|
||||
--- a/src/providers/ipa/selinux_child.c
|
||||
+++ b/src/providers/ipa/selinux_child.c
|
||||
@@ -206,7 +206,7 @@ int main(int argc, const char *argv[])
|
||||
struct response *resp = NULL;
|
||||
ssize_t written;
|
||||
bool needs_update;
|
||||
- char *opt_logger = NULL;
|
||||
+ const char *opt_logger = NULL;
|
||||
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
@@ -254,6 +254,7 @@ int main(int argc, const char *argv[])
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
|
||||
}
|
||||
+ opt_logger = sss_logger_str[FILES_LOGGER];
|
||||
}
|
||||
|
||||
sss_set_logger(opt_logger);
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index b44f3a20f1c0725304a37620d36f8872cf9ca5d7..7ee6c34eb1f8b78d5a6fd7b6f87996e3c9572d4f 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -3020,7 +3020,7 @@ int main(int argc, const char *argv[])
|
||||
int opt;
|
||||
poptContext pc;
|
||||
int debug_fd = -1;
|
||||
- char *opt_logger = NULL;
|
||||
+ const char *opt_logger = NULL;
|
||||
errno_t ret;
|
||||
krb5_error_code kerr;
|
||||
uid_t fast_uid;
|
||||
@@ -3097,6 +3097,7 @@ int main(int argc, const char *argv[])
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
|
||||
}
|
||||
+ opt_logger = sss_logger_str[FILES_LOGGER];
|
||||
}
|
||||
|
||||
sss_set_logger(opt_logger);
|
||||
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
||||
index baeed239db5dc7ffa482edcbc155f25f718c8249..c0618d6d8828f102c32cf56731995e2b370590e7 100644
|
||||
--- a/src/providers/ldap/ldap_child.c
|
||||
+++ b/src/providers/ldap/ldap_child.c
|
||||
@@ -599,7 +599,7 @@ int main(int argc, const char *argv[])
|
||||
int kerr;
|
||||
int opt;
|
||||
int debug_fd = -1;
|
||||
- char *opt_logger = NULL;
|
||||
+ const char *opt_logger = NULL;
|
||||
poptContext pc;
|
||||
TALLOC_CTX *main_ctx = NULL;
|
||||
uint8_t *buf = NULL;
|
||||
@@ -657,6 +657,7 @@ int main(int argc, const char *argv[])
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
|
||||
}
|
||||
+ opt_logger = sss_logger_str[FILES_LOGGER];
|
||||
}
|
||||
|
||||
sss_set_logger(opt_logger);
|
||||
diff --git a/src/util/child_common.c b/src/util/child_common.c
|
||||
index dc070f26446305e07cbb34edd1e4d72db72aedc5..203c115f9e7c4ecc2178b5660473d4f960fbbb6d 100644
|
||||
--- a/src/util/child_common.c
|
||||
+++ b/src/util/child_common.c
|
||||
@@ -630,14 +630,11 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
/* Save the current state in case an interrupt changes it */
|
||||
- bool child_debug_to_file = debug_to_file;
|
||||
bool child_debug_timestamps = debug_timestamps;
|
||||
bool child_debug_microseconds = debug_microseconds;
|
||||
- bool child_debug_stderr = debug_to_stderr;
|
||||
|
||||
if (!extra_args_only) {
|
||||
- if (child_debug_to_file) argc++;
|
||||
- if (child_debug_stderr) argc++;
|
||||
+ argc++;
|
||||
}
|
||||
|
||||
if (extra_argv) {
|
||||
@@ -675,21 +672,20 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx,
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- if (child_debug_stderr) {
|
||||
- argv[--argc] = talloc_strdup(argv, "--logger=stderr");
|
||||
- if (argv[argc] == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto fail;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (child_debug_to_file) {
|
||||
+ if (sss_logger == FILES_LOGGER) {
|
||||
argv[--argc] = talloc_asprintf(argv, "--debug-fd=%d",
|
||||
child_debug_fd);
|
||||
if (argv[argc] == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto fail;
|
||||
}
|
||||
+ } else {
|
||||
+ argv[--argc] = talloc_asprintf(argv, "--logger=%s",
|
||||
+ sss_logger_str[sss_logger]);
|
||||
+ if (argv[argc] == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto fail;
|
||||
+ }
|
||||
}
|
||||
|
||||
argv[--argc] = talloc_asprintf(argv, "--debug-timestamps=%d",
|
||||
@@ -816,7 +812,7 @@ errno_t child_debug_init(const char *logfile, int *debug_fd)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
- if (debug_to_file != 0 && *debug_fd == -1) {
|
||||
+ if (sss_logger == FILES_LOGGER && *debug_fd == -1) {
|
||||
ret = open_debug_file_ex(logfile, &debug_filep, false);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) [%s]\n",
|
||||
--
|
||||
2.15.1
|
||||
|
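Review bot: In `prepare_child_argv()` the logger choice now reads the global `sss_logger` twice — once in the `if (sss_logger == FILES_LOGGER)` test and again as the index in `sss_logger_str[sss_logger]` — while the neighbouring `child_debug_timestamps` and `child_debug_microseconds` locals keep the "save the current state in case an interrupt changes it" snapshot that the removed `child_debug_to_file`/`child_debug_stderr` locals also followed. If that comment still describes a real hazard, take one snapshot next to them (a local copy of `sss_logger` of the same type) and use it in both places so the branch and the emitted `--logger=` string cannot disagree; if it does not, the comment should be updated instead. Separately, in each child `main()` the new `opt_logger = sss_logger_str[FILES_LOGGER]` is assigned even when `set_debug_file_from_fd()` just failed, so the child then claims files logging without a usable descriptor — moving the assignment under `ret == EOK` (or logging that case) would keep the two in step. `prepare_child_argv()` and the child `main()` functions start and end outside the hunks.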
@ -0,0 +1,33 @@
|
||||
From 6d15db05c0975fed2b18cc52056fa29aedec823c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Tue, 7 Nov 2017 09:09:55 +0100
|
||||
Subject: [PATCH 39/79] TOOLS: Double quote array expansions in sss_debuglevel
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Otherwise they're like $* and break on spaces.
|
||||
|
||||
This issue has been caught by coverity:
|
||||
Defect type: SHELLCHECK_WARNING
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/tools/wrappers/sss_debuglevel.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tools/wrappers/sss_debuglevel.in b/src/tools/wrappers/sss_debuglevel.in
|
||||
index 4deeafff6bf472dbe63578f57bfacee7b774d09f..aa19f790a26c67186123c87675d527f403b06264 100644
|
||||
--- a/src/tools/wrappers/sss_debuglevel.in
|
||||
+++ b/src/tools/wrappers/sss_debuglevel.in
|
||||
@@ -1,4 +1,4 @@
|
||||
#!/bin/sh
|
||||
sbindir=@sbindir@
|
||||
echo "Redirecting to $sbindir/sssctl debug-level" >&2
|
||||
-$sbindir/sssctl debug-level $@
|
||||
+$sbindir/sssctl debug-level "$@"
|
||||
--
|
||||
2.15.1
|
||||
|
31
0040-TOOLS-Call-exec-for-sss_debuglevel.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 58932b42802c93fdfc3eea8cdcdcca4534293941 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Wed, 8 Nov 2017 17:59:15 +0100
|
||||
Subject: [PATCH 40/79] TOOLS: Call "exec" for sss_debuglevel
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This suggestion came from Lukáš Slebodník. The advantage of calling
|
||||
"exec" is to avoid forking another child of the process.
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/tools/wrappers/sss_debuglevel.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tools/wrappers/sss_debuglevel.in b/src/tools/wrappers/sss_debuglevel.in
|
||||
index aa19f790a26c67186123c87675d527f403b06264..a55afcddc547dfda4ac0a7e22da5f9f9407fe45f 100644
|
||||
--- a/src/tools/wrappers/sss_debuglevel.in
|
||||
+++ b/src/tools/wrappers/sss_debuglevel.in
|
||||
@@ -1,4 +1,4 @@
|
||||
#!/bin/sh
|
||||
sbindir=@sbindir@
|
||||
echo "Redirecting to $sbindir/sssctl debug-level" >&2
|
||||
-$sbindir/sssctl debug-level "$@"
|
||||
+exec $sbindir/sssctl debug-level "$@"
|
||||
--
|
||||
2.15.1
|
||||
|
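Review bot: `$sbindir` is left unquoted on the new `exec` line while `"$@"` is quoted, so a substituted sbindir containing whitespace or glob characters would be word-split before the exec; `exec "$sbindir/sssctl" debug-level "$@"` costs nothing and matches the quoting the previous patch introduced for the arguments. The value comes from configure, so this is unlikely in practice, but it is the only line in the wrapper that runs anything. A one-line comment above it would also help, since the commit message is the only place the change is explained: `# exec: replace this shell so sssctl's exit status is returned directly`.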
@ -0,0 +1,57 @@
|
||||
From 1e50148c7eadeff96b96811ede747399628a06c6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Tue, 7 Nov 2017 23:34:42 +0100
|
||||
Subject: [PATCH 41/79] LDAP: Improve error treatment from sdap_cli_connect()
|
||||
in ldap_auth
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Because we weren't treating the errors coming from
|
||||
sdap_cli_connect_recv() properly we ended up introducing a regression in
|
||||
the commit add72860c7, related to offline authentication.
|
||||
|
||||
From now on, let's properly treat errors coming from auth_connect_send(),
|
||||
which were treated before by going offline when be_resolve_server_recv()
|
||||
failed, and propagate ETIMEDOUT to the request, thus going offline and
|
||||
allowing offline authentication on those cases.
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/3451
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/providers/ldap/ldap_auth.c | 16 ++++++++++++++--
|
||||
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index a3b1480aae4272d2e10f105a1eaf3a5816c3487c..2e0e2cfd6f8af2bf0c9ad15bd956a55a34777a3c 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -716,8 +716,20 @@ static void auth_connect_done(struct tevent_req *subreq)
|
||||
ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL);
|
||||
talloc_zfree(subreq);
|
||||
if (ret != EOK) {
|
||||
- if (auth_connect_send(req) == NULL) {
|
||||
- tevent_req_error(req, ENOMEM);
|
||||
+ /* As sdap_cli_connect_recv() returns EIO in case all the servers are
|
||||
+ * down and we have to go offline, let's treat it accordingly here and
|
||||
+ * allow the PAM responder to with to offline authentication.
|
||||
+ *
|
||||
+ * Unfortunately, there's not much pattern within our code and the way
|
||||
+ * to indicate we're going down in this part of the code is returning
|
||||
+ * an ETIMEDOUT.
|
||||
+ */
|
||||
+ if (ret == EIO) {
|
||||
+ tevent_req_error(req, ETIMEDOUT);
|
||||
+ } else {
|
||||
+ if (auth_connect_send(req) == NULL) {
|
||||
+ tevent_req_error(req, ENOMEM);
|
||||
+ }
|
||||
}
|
||||
return;
|
||||
}
|
||||
--
|
||||
2.15.1
|
||||
|
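Review bot: The new comment ends with "allow the PAM responder to with to offline authentication", which reads like a dropped word; `to switch to offline authentication` is presumably what was meant. The comment also documents only the EIO case, so it is worth stating the other branch explicitly: every error other than EIO and ENOMEM re-issues auth_connect_send() with no visible retry bound, exactly as before this patch, so EIO is the only result that ends the request. auth_connect_done() starts before the hunk, so I cannot see whether a retry limit exists elsewhere in the function.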
@ -0,0 +1,38 @@
|
||||
From 22cc09e379710b29520d5bbc6fdf6ad84473cd43 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 6 Nov 2017 17:03:19 +0100
|
||||
Subject: [PATCH 53/79] NSS: Use enum_ctx as memory_context in
|
||||
_setnetgrent_set_timeout()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
We've noticed some crashes that happened because enum_ctx is already
|
||||
freed, but the timeout handler is still called. In order to avoid that,
|
||||
let's remove the timeout handler when enum_ctx is freed at other places.
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/3523
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/nss/nss_enum.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
|
||||
index aa7d8428f37e943a6b5904495c40ad4b8011b767..da844fbced529f606a3e98669fb7b95e0696ce00 100644
|
||||
--- a/src/responder/nss/nss_enum.c
|
||||
+++ b/src/responder/nss/nss_enum.c
|
||||
@@ -283,7 +283,7 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
|
||||
timeout = enum_ctx->result[0]->domain->netgroup_timeout;
|
||||
|
||||
tv = tevent_timeval_current_ofs(timeout, 0);
|
||||
- te = tevent_add_timer(ev, nss_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
|
||||
+ te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
|
||||
if (te == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Could not set up life timer for enumeration object.\n");
|
||||
--
|
||||
2.15.1
|
||||
|
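Review bot: The only changed line swaps the timer's talloc parent from nss_ctx to enum_ctx and nothing in the hunk says why, which invites a later "cleanup" back to the responder context; a comment on the `tevent_add_timer` call would prevent that, e.g. `/* Parent the timer on enum_ctx so freeing enum_ctx also cancels the timeout; the handler can then never run with a freed context */`. One caveat worth confirming: if nss_setnetgrent_timeout() itself frees enum_ctx (its body is not visible here), the timer event is now freed from inside its own handler; tevent unlinks a timer before dispatching it, so that is safe, but the comment should record that the handler relies on it. nss_setnetgrent_set_timeout() begins before the hunk.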
@ -0,0 +1,67 @@
|
||||
From 5fb2959852b53c6015cbf1cea653365708b379e9 Mon Sep 17 00:00:00 2001
|
||||
From: amitkuma <amitkuma@redhat.com>
|
||||
Date: Tue, 14 Nov 2017 13:59:12 +0530
|
||||
Subject: [PATCH 54/79] cache_req: Correction of cache_req debug string ID
|
||||
format
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The cache-req debug string representation uses a wrong format
|
||||
specifier for by-ID requests.
|
||||
data->id (uint32_t) should be replaced with %"PRIu32"
|
||||
in cache_req_group_by_id.c, cache_req_object_by_id.c &
|
||||
cache_req_user_by_id.c.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3570
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/plugins/cache_req_group_by_id.c | 2 +-
|
||||
src/responder/common/cache_req/plugins/cache_req_object_by_id.c | 2 +-
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_id.c | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
index 5ca64283a781318bc4e4d6920fff989c3f3919b4..121f95abe86d2466aaea69f0fe68dfb33b1fee9e 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
@@ -31,7 +31,7 @@ cache_req_group_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
|
||||
struct cache_req_data *data,
|
||||
struct sss_domain_info *domain)
|
||||
{
|
||||
- return talloc_asprintf(mem_ctx, "GID:%d@%s", data->id, domain->name);
|
||||
+ return talloc_asprintf(mem_ctx, "GID:%"PRIu32"@%s", data->id, domain->name);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
index 339bd4f5fef827acc1aa3c123d041e426d9e4782..4c88e1035b41969703c1c38d740e15516ac0d622 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
@@ -31,7 +31,7 @@ cache_req_object_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
|
||||
struct cache_req_data *data,
|
||||
struct sss_domain_info *domain)
|
||||
{
|
||||
- return talloc_asprintf(mem_ctx, "ID:%d@%s", data->id, domain->name);
|
||||
+ return talloc_asprintf(mem_ctx, "ID:%"PRIu32"@%s", data->id, domain->name);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
index 913f9be5bcc2dfd074b52cb3b15fb6948826e831..3c25c7631b3da4a829ab577629334a7ee97980da 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
@@ -31,7 +31,7 @@ cache_req_user_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
|
||||
struct cache_req_data *data,
|
||||
struct sss_domain_info *domain)
|
||||
{
|
||||
- return talloc_asprintf(mem_ctx, "UID:%d@%s", data->id, domain->name);
|
||||
+ return talloc_asprintf(mem_ctx, "UID:%"PRIu32"@%s", data->id, domain->name);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
--
|
||||
2.15.1
|
||||
|
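Review bot: `PRIu32` requires <inttypes.h>, and none of the three hunks adds an include, so each plugin must already receive it transitively (probably through the common responder headers); a direct `#include <inttypes.h>` in each file would make the dependency explicit rather than incidental. The fix itself is right: `%d` with a uint32_t argument is a format/type mismatch that -Wformat reports, and for IDs above INT_MAX the old string would have rendered a negative number in the debug name.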
171
0055-TESTS-Order-list-of-entries-in-some-lists.patch
Normal file
@ -0,0 +1,171 @@
|
||||
From 0e73859e68b8dc348c2ee1e00a45646d9ac2c63c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||
Date: Mon, 13 Nov 2017 16:15:21 +0100
|
||||
Subject: [PATCH 55/79] TESTS: Order list of entries in some lists
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Some tests started to fail because we depended on specific
|
||||
order of users in groups or messages in ldb results to be
|
||||
returned and that order changed.
|
||||
|
||||
This patch adds a simple helper functions into these tests
|
||||
that order the entries before comparison with expected results.
|
||||
more deterministic.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3563
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_nss_srv.c | 22 +++++++++++++++++++
|
||||
src/tests/cmocka/test_sysdb_views.c | 42 ++++++++++++++++++++++++++++++++-----
|
||||
2 files changed, 59 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
|
||||
index 6aa726153183b5a871a75d398727ea7132358ca6..21bd80fb7f6562f6a31452bac6a26c109fef4cb1 100644
|
||||
--- a/src/tests/cmocka/test_nss_srv.c
|
||||
+++ b/src/tests/cmocka/test_nss_srv.c
|
||||
@@ -585,6 +585,25 @@ static errno_t delete_group(struct nss_test_ctx *ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int cmp_func(const void *a, const void *b)
|
||||
+{
|
||||
+ char *str1 = *(char **)discard_const(a);
|
||||
+ char *str2 = *(char **)discard_const(b);
|
||||
+
|
||||
+ return strcmp(str1, str2);
|
||||
+}
|
||||
+
|
||||
+static void order_string_array(char **_list, int size)
|
||||
+{
|
||||
+ if (size < 2 || _list == NULL || *_list == NULL) {
|
||||
+ /* Nothing to do */
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ qsort(_list, size, sizeof(char *), cmp_func);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
static void assert_groups_equal(struct group *expected,
|
||||
struct group *gr, const int nmem)
|
||||
{
|
||||
@@ -594,6 +613,9 @@ static void assert_groups_equal(struct group *expected,
|
||||
assert_string_equal(gr->gr_name, expected->gr_name);
|
||||
assert_string_equal(gr->gr_passwd, expected->gr_passwd);
|
||||
|
||||
+ order_string_array(gr->gr_mem, nmem);
|
||||
+ order_string_array(expected->gr_mem, nmem);
|
||||
+
|
||||
for (i = 0; i < nmem; i++) {
|
||||
assert_string_equal(gr->gr_mem[i], expected->gr_mem[i]);
|
||||
}
|
||||
diff --git a/src/tests/cmocka/test_sysdb_views.c b/src/tests/cmocka/test_sysdb_views.c
|
||||
index 0378254b4440b29c3182faf2adde8c3db8a4ce97..dd3eb50f9310ff925734dcf51a669d08a638aefd 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_views.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_views.c
|
||||
@@ -22,6 +22,7 @@
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
+#include <stdlib.h>
|
||||
#include <stdarg.h>
|
||||
#include <stddef.h>
|
||||
#include <setjmp.h>
|
||||
@@ -612,6 +613,31 @@ static int test_enum_users_setup(void **state)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int cmp_func(const void *a, const void *b)
|
||||
+{
|
||||
+ const char *str1;
|
||||
+ const char *str2;
|
||||
+ struct ldb_message *msg1 = *(struct ldb_message **)discard_const(a);
|
||||
+ struct ldb_message *msg2 = *(struct ldb_message **)discard_const(b);
|
||||
+
|
||||
+ str1 = ldb_msg_find_attr_as_string(msg1, SYSDB_NAME, NULL);
|
||||
+ str2 = ldb_msg_find_attr_as_string(msg2, SYSDB_NAME, NULL);
|
||||
+
|
||||
+ return strcmp(str1, str2);
|
||||
+}
|
||||
+
|
||||
+/* Make the order of ldb results deterministic */
|
||||
+static void order_ldb_res_msgs(struct ldb_result *res)
|
||||
+{
|
||||
+ if (res == NULL || res->count < 2) {
|
||||
+ /* Nothing to do */
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ qsort(res->msgs, res->count, sizeof(struct ldb_message *), cmp_func);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
static void assert_user_attrs(struct ldb_message *msg,
|
||||
struct sss_domain_info *dom,
|
||||
const char *shortname,
|
||||
@@ -660,8 +686,9 @@ static void check_enumpwent(int ret, struct sss_domain_info *dom,
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_int_equal(res->count, N_ELEMENTS(users)-1);
|
||||
|
||||
- assert_user_attrs(res->msgs[0], dom, "barney", views);
|
||||
- assert_user_attrs(res->msgs[1], dom, "alice", views);
|
||||
+ order_ldb_res_msgs(res);
|
||||
+ assert_user_attrs(res->msgs[0], dom, "alice", views);
|
||||
+ assert_user_attrs(res->msgs[1], dom, "barney", views);
|
||||
assert_user_attrs(res->msgs[2], dom, "bob", views);
|
||||
}
|
||||
|
||||
@@ -703,6 +730,7 @@ static void test_sysdb_enumpwent_filter(void **state)
|
||||
ret = sysdb_enumpwent_filter(test_ctx, test_ctx->domain, "b*", 0, &res);
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_int_equal(res->count, 2);
|
||||
+ order_ldb_res_msgs(res);
|
||||
assert_user_attrs(res->msgs[0], test_ctx->domain, "barney", false);
|
||||
assert_user_attrs(res->msgs[1], test_ctx->domain, "bob", false);
|
||||
|
||||
@@ -749,6 +777,7 @@ static void test_sysdb_enumpwent_filter_views(void **state)
|
||||
"b*", NULL, &res);
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_int_equal(res->count, 2);
|
||||
+ order_ldb_res_msgs(res);
|
||||
assert_user_attrs(res->msgs[0], test_ctx->domain, "barney", true);
|
||||
assert_user_attrs(res->msgs[1], test_ctx->domain, "bob", true);
|
||||
|
||||
@@ -896,10 +925,11 @@ static void check_enumgrent(int ret, struct sss_domain_info *dom,
|
||||
{
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_int_equal(res->count, N_ELEMENTS(groups)-1);
|
||||
- assert_group_attrs(res->msgs[0], dom, "three",
|
||||
- views ? TEST_GID_OVERRIDE_BASE + 2 : 0);
|
||||
- assert_group_attrs(res->msgs[1], dom, "one",
|
||||
+ order_ldb_res_msgs(res);
|
||||
+ assert_group_attrs(res->msgs[0], dom, "one",
|
||||
views ? TEST_GID_OVERRIDE_BASE : 0);
|
||||
+ assert_group_attrs(res->msgs[1], dom, "three",
|
||||
+ views ? TEST_GID_OVERRIDE_BASE + 2 : 0);
|
||||
assert_group_attrs(res->msgs[2], dom, "two",
|
||||
views ? TEST_GID_OVERRIDE_BASE + 1 : 0);
|
||||
}
|
||||
@@ -942,6 +972,7 @@ static void test_sysdb_enumgrent_filter(void **state)
|
||||
ret = sysdb_enumgrent_filter(test_ctx, test_ctx->domain, "t*", 0, &res);
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_int_equal(res->count, 2);
|
||||
+ order_ldb_res_msgs(res);
|
||||
assert_group_attrs(res->msgs[0], test_ctx->domain, "three", 0);
|
||||
assert_group_attrs(res->msgs[1], test_ctx->domain, "two", 0);
|
||||
|
||||
@@ -988,6 +1019,7 @@ static void test_sysdb_enumgrent_filter_views(void **state)
|
||||
"t*", NULL, &res);
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_int_equal(res->count, 2);
|
||||
+ order_ldb_res_msgs(res);
|
||||
assert_group_attrs(res->msgs[0], test_ctx->domain,
|
||||
"three", TEST_GID_OVERRIDE_BASE + 2);
|
||||
assert_group_attrs(res->msgs[1], test_ctx->domain, "two",
|
||||
--
|
||||
2.15.1
|
||||
|
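Review bot: cmp_func() in test_sysdb_views.c passes the result of ldb_msg_find_attr_as_string() straight to strcmp(), and that helper returns the supplied default, NULL here, when the attribute is absent, so a message without SYSDB_NAME makes qsort() call strcmp(NULL, ...), undefined behaviour that crashes the test instead of failing it. An empty-string default keeps the comparator total: `str1 = ldb_msg_find_attr_as_string(msg1, SYSDB_NAME, "");` and the same for str2. The test_nss_srv.c helper has a similar gap: `*_list == NULL` guards only the first element, while gr_mem is NULL-terminated, so nmem must be exact or qsort() will hand the terminator to strcmp(). Both are test-only, but a crash inside a sort comparator is a confusing failure mode for whoever hits it next.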
@ -0,0 +1,42 @@
|
||||
From 97b56f1ec15a3270cc2e85c9b367e4d38f91ae1a Mon Sep 17 00:00:00 2001
|
||||
From: Victor Tapia <victor.tapia@canonical.com>
|
||||
Date: Mon, 16 Oct 2017 09:45:24 +0200
|
||||
Subject: [PATCH 63/79] WATCHDOG: Restart providers with SIGUSR2 after time
|
||||
drift
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Restarting the providers using the already implemented SIGUSR2 (for
|
||||
method .resetOffline, used after netlink detects an interface change)
|
||||
when a time drift is detected, ensures that affected connection retries
|
||||
(e.g. LDAP) will be rescheduled immediately instead of having to wait
|
||||
the time shifted to return to its normal execution.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3285
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/util/util_watchdog.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
|
||||
index 59293db60e4ffbe566f8b17f3f289503e8d9aee6..20a8b896791118c1ae9b5bfe101a539b213497a4 100644
|
||||
--- a/src/util/util_watchdog.c
|
||||
+++ b/src/util/util_watchdog.c
|
||||
@@ -160,6 +160,10 @@ static void watchdog_fd_read_handler(struct tevent_context *ev,
|
||||
"[%d]: %s\n", ret, sss_strerror(ret));
|
||||
orderly_shutdown(1);
|
||||
}
|
||||
+ if (strncmp(debug_prg_name, "sssd[be[", sizeof("sssd[be[") - 1) == 0) {
|
||||
+ kill(getpid(), SIGUSR2);
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO, "SIGUSR2 sent to %s\n", debug_prg_name);
|
||||
+ }
|
||||
}
|
||||
|
||||
int setup_watchdog(struct tevent_context *ev, int interval)
|
||||
--
|
||||
2.15.1
|
||||
|
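Review bot: The new block sends SIGUSR2 to itself based on a prefix match of debug_prg_name against "sssd[be[", and nothing explains why that test exists; a process with no SIGUSR2 handler is terminated by the default disposition, so the string match is the only thing keeping responders from killing themselves here. That deserves a comment, e.g. `/* Only backends install a SIGUSR2 (resetOffline) handler; delivering it to any other process would terminate it */`, and ideally a sturdier test than a name prefix, such as a flag set where the handler is registered. The `DEBUG(... "SIGUSR2 sent ...")` line is also emitted regardless of kill()'s result; `raise(SIGUSR2)` with its return checked, or the message made conditional, would keep the log honest. The handler starts before the hunk, and I cannot see whether orderly_shutdown() above returns, which decides whether the signal can follow a failed read.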
168
0064-mmap_cache-make-checks-independent-of-input-size.patch
Normal file
@ -0,0 +1,168 @@
|
||||
From b70b4099b049b6a2bd85e773dbd81974dee24e05 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 17 Nov 2017 10:51:44 +0100
|
||||
Subject: [PATCH 64/79] mmap_cache: make checks independent of input size
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently the consistency checks for the mmap_cache payload data on the
|
||||
client and the responder side include the length of the input string of
|
||||
the current request. Since there might be hash collisions which other
|
||||
much longer or much shorter names those checks might fail although there
|
||||
is no data corruption.
|
||||
|
||||
This patch removes the checks using the length of the input and adds a
|
||||
check if the name found in the payload is zero-terminated inside of the
|
||||
payload data.
|
||||
|
||||
Resolves https://pagure.io/SSSD/sssd/issue/3571
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/responder/nss/nsssrv_mmap_cache.c | 34 ++++++++++++++++++++++++----------
|
||||
src/sss_client/nss_mc_group.c | 12 ++++++------
|
||||
src/sss_client/nss_mc_initgr.c | 12 +++++++-----
|
||||
src/sss_client/nss_mc_passwd.c | 12 ++++++------
|
||||
4 files changed, 43 insertions(+), 27 deletions(-)
|
||||
|
||||
diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
index a87ad646f9b741db3eb18680678697032fc420ba..ad5adbce15e50c065d4d16e626be97fd23d06643 100644
|
||||
--- a/src/responder/nss/nsssrv_mmap_cache.c
|
||||
+++ b/src/responder/nss/nsssrv_mmap_cache.c
|
||||
@@ -547,18 +547,32 @@ static struct sss_mc_rec *sss_mc_find_record(struct sss_mc_ctx *mcc,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ if (key->len > strs_len) {
|
||||
+ /* The string cannot be in current record */
|
||||
+ slot = sss_mc_next_slot_with_hash(rec, hash);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
safealign_memcpy(&name_ptr, rec->data, sizeof(rel_ptr_t), NULL);
|
||||
- if (key->len > strs_len
|
||||
- || (name_ptr + key->len) > (strs_offset + strs_len)
|
||||
- || (uint8_t *)rec->data + strs_offset + strs_len > max_addr) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Corrupted fastcache. name_ptr value is %u.\n", name_ptr);
|
||||
- sss_mc_save_corrupted(mcc);
|
||||
- sss_mmap_cache_reset(mcc);
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
t_key = (char *)rec->data + name_ptr;
|
||||
+ /* name_ptr must point to some data in the strs/gids area of the data
|
||||
+ * payload. Since it is a pointer relative to rec->data it must larger
|
||||
+ * equal strs_offset and must be smaller then strs_offset + strs_len.
|
||||
+ * Additionally the area must not end outside of the data table and
|
||||
+ * t_key must be a zero-terminates string. */
|
||||
+ if (name_ptr < strs_offset
|
||||
+ || name_ptr >= strs_offset + strs_len
|
||||
+ || (uint8_t *)rec->data > max_addr
|
||||
+ || strs_offset > max_addr - (uint8_t *)rec->data
|
||||
+ || strs_len > max_addr - (uint8_t *)rec->data - strs_offset) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Corrupted fastcache entry at slot %u. "
|
||||
+ "name_ptr value is %u.\n", slot, name_ptr);
|
||||
+ sss_mc_save_corrupted(mcc);
|
||||
+ sss_mmap_cache_reset(mcc);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
if (strcmp(key->str, t_key) == 0) {
|
||||
break;
|
||||
}
|
||||
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
|
||||
index ce88d42fdaf4f19e78fc43e187bc28651cdc3c4e..ba582fe55cf3abf90d8e016c82a0bee48608ce78 100644
|
||||
--- a/src/sss_client/nss_mc_group.c
|
||||
+++ b/src/sss_client/nss_mc_group.c
|
||||
@@ -148,20 +148,20 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
|
||||
}
|
||||
|
||||
data = (struct sss_mc_grp_data *)rec->data;
|
||||
+ rec_name = (char *)data + data->name;
|
||||
/* Integrity check
|
||||
- * - name_len cannot be longer than all strings
|
||||
* - data->name cannot point outside strings
|
||||
* - all strings must be within copy of record
|
||||
- * - size of record must be lower that data table size */
|
||||
- if (name_len > data->strs_len
|
||||
- || (data->name + name_len) > (strs_offset + data->strs_len)
|
||||
+ * - record must not end outside data table
|
||||
+ * - rec_name is a zero-terminated string */
|
||||
+ if (data->name < strs_offset
|
||||
+ || data->name >= strs_offset + data->strs_len
|
||||
|| data->strs_len > rec->len
|
||||
- || rec->len > data_size) {
|
||||
+ || (uint8_t *) rec + rec->len > gr_mc_ctx.data_table + data_size ) {
|
||||
ret = ENOENT;
|
||||
goto done;
|
||||
}
|
||||
|
||||
- rec_name = (char *)data + data->name;
|
||||
if (strcmp(name, rec_name) == 0) {
|
||||
break;
|
||||
}
|
||||
diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
|
||||
index a77088d849ad3601cb3edb55fc5ea4ae4c52fe38..606f1c7ee2526a15378831d4512e943bac214d0e 100644
|
||||
--- a/src/sss_client/nss_mc_initgr.c
|
||||
+++ b/src/sss_client/nss_mc_initgr.c
|
||||
@@ -131,15 +131,17 @@ errno_t sss_nss_mc_initgroups_dyn(const char *name, size_t name_len,
|
||||
data = (struct sss_mc_initgr_data *)rec->data;
|
||||
rec_name = (char *)data + data->name;
|
||||
/* Integrity check
|
||||
- * - name_len cannot be longer than all strings or data
|
||||
+ * - data->name cannot point outside all strings or data
|
||||
* - all data must be within copy of record
|
||||
* - size of record must be lower that data table size
|
||||
- * - data->strs cannot point outside strings */
|
||||
- if (name_len > data->strs_len
|
||||
+ * - data->strs cannot point outside strings
|
||||
+ * - rec_name is a zero-terminated string */
|
||||
+ if (data->name < data_offset
|
||||
+ || data->name >= data_offset + data->data_len
|
||||
|| data->strs_len > data->data_len
|
||||
|| data->data_len > rec->len
|
||||
- || rec->len > data_size
|
||||
- || (data->strs + name_len) > (data_offset + data->data_len)) {
|
||||
+ || (uint8_t *) rec + rec->len
|
||||
+ > initgr_mc_ctx.data_table + data_size ) {
|
||||
ret = ENOENT;
|
||||
goto done;
|
||||
}
|
||||
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
|
||||
index 0da7ad0aeece7d38ca34bb3fde64adc898eaf0ae..0bc1237446d3691c8c83aa0fc0cf692d4b336f9e 100644
|
||||
--- a/src/sss_client/nss_mc_passwd.c
|
||||
+++ b/src/sss_client/nss_mc_passwd.c
|
||||
@@ -141,20 +141,20 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
|
||||
}
|
||||
|
||||
data = (struct sss_mc_pwd_data *)rec->data;
|
||||
+ rec_name = (char *)data + data->name;
|
||||
/* Integrity check
|
||||
- * - name_len cannot be longer than all strings
|
||||
* - data->name cannot point outside strings
|
||||
* - all strings must be within copy of record
|
||||
- * - size of record must be lower that data table size */
|
||||
- if (name_len > data->strs_len
|
||||
- || (data->name + name_len) > (strs_offset + data->strs_len)
|
||||
+ * - record must not end outside data table
|
||||
+ * - rec_name is a zero-terminated string */
|
||||
+ if (data->name < strs_offset
|
||||
+ || data->name >= strs_offset + data->strs_len
|
||||
|| data->strs_len > rec->len
|
||||
- || rec->len > data_size) {
|
||||
+ || (uint8_t *) rec + rec->len > pw_mc_ctx.data_table + data_size ) {
|
||||
ret = ENOENT;
|
||||
goto done;
|
||||
}
|
||||
|
||||
- rec_name = (char *)data + data->name;
|
||||
if (strcmp(name, rec_name) == 0) {
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.15.1
|
||||
|
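Review bot: The rewritten comments in all four files state that t_key / rec_name "must be a zero-terminated string", but none of the new conditions checks it: they bound the start of the name inside the strs area and the record inside the data table, and the strcmp() that follows may still run past the end of the record if the stored name has no NUL. Since the old `name_len` comparisons were removed as the fix, the cheapest replacement is a bounded scan before the compare, in the responder `|| memchr(t_key, '\0', (strs_offset + strs_len) - name_ptr) == NULL` and on the client `|| memchr(rec_name, '\0', (strs_offset + data->strs_len) - data->name) == NULL` (data_offset/data_len for the initgr variant). Patch 0065 is not shown in this range, so if it adds exactly that check this is already covered; otherwise the client side matters most, since it parses a shared mapping read by every process that loads the NSS module. The `(uint8_t *) rec + rec->len > ... data_table + data_size` form also forms a pointer past the table on the corrupted path; comparing `rec->len` against the bytes remaining from rec avoids that.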
187
0066-krb5-show-error-message-for-krb5_init_context-failur.patch
Normal file
@ -0,0 +1,187 @@
|
||||
From 209caaad9d545aeb601f64854a2ffb978b77c4b1 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 27 Nov 2017 13:45:14 +0100
|
||||
Subject: [PATCH 66/79] krb5: show error message for krb5_init_context()
|
||||
failures
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If there are typos in /etc/krb5.conf (or one of the included config
|
||||
snippets) krb5_init_context(), the initial call always needed to do any
|
||||
other operation with libkrb5, fails because /etc/krb5.conf cannot be
|
||||
parsed.
|
||||
|
||||
Currently the related debug/syslog messages might be misleading, e.g.
|
||||
failed to read keytab. This is because SSSD does not use a global krb5
|
||||
context but creates a fresh one for every new request or operation (to
|
||||
always use the latest settings from /etc/krb5.conf) and typically there
|
||||
is an error message indicating that the related operation failed but not
|
||||
giving more details.
|
||||
|
||||
Since krb5_init_context() is fundamental for Kerberos support this patch
|
||||
tries to add as much details as libkrb5 provides in the logs if the call
|
||||
fails.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3586
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/providers/krb5/krb5_ccache.c | 6 +++---
|
||||
src/providers/krb5/krb5_common.c | 2 +-
|
||||
src/providers/ldap/ldap_child.c | 2 +-
|
||||
src/providers/ldap/ldap_common.c | 2 +-
|
||||
src/responder/kcm/kcm.c | 3 ++-
|
||||
src/util/sss_krb5.c | 25 ++++++++++++++++++++++---
|
||||
src/util/sss_krb5.h | 2 ++
|
||||
7 files changed, 32 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
|
||||
index f9bb25efd4ca3257845c3b157667d21d24299f4a..2e28276b72b6d5961de33c0ceb61774074a92d11 100644
|
||||
--- a/src/providers/krb5/krb5_ccache.c
|
||||
+++ b/src/providers/krb5/krb5_ccache.c
|
||||
@@ -299,7 +299,7 @@ static errno_t sss_open_ccache_as_user(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- kerr = krb5_init_context(&cc->context);
|
||||
+ kerr = sss_krb5_init_context(&cc->context);
|
||||
if (kerr) {
|
||||
ret = EIO;
|
||||
goto done;
|
||||
@@ -565,9 +565,9 @@ errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,
|
||||
const char *realm_name;
|
||||
int realm_length;
|
||||
|
||||
- kerr = krb5_init_context(&ctx);
|
||||
+ kerr = sss_krb5_init_context(&ctx);
|
||||
if (kerr != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "krb5_init_context failed.\n");
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_init_context failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
||||
index 0b32da94dd8320d51708e2b7e827b94c472642a6..520e7591ce1b37b4a8dea357b6dd0ec7afd76f58 100644
|
||||
--- a/src/providers/krb5/krb5_common.c
|
||||
+++ b/src/providers/krb5/krb5_common.c
|
||||
@@ -106,7 +106,7 @@ static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
|
||||
|
||||
*ccname = NULL;
|
||||
|
||||
- ret = krb5_init_context(&ctx);
|
||||
+ ret = sss_krb5_init_context(&ctx);
|
||||
if (ret) return ret;
|
||||
|
||||
ret = krb5_get_profile(ctx, &p);
|
||||
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
||||
index c0618d6d8828f102c32cf56731995e2b370590e7..4558fd7c42be03c4472dbf3092ce8044e8ae89d9 100644
|
||||
--- a/src/providers/ldap/ldap_child.c
|
||||
+++ b/src/providers/ldap/ldap_child.c
|
||||
@@ -574,7 +574,7 @@ static krb5_error_code privileged_krb5_setup(struct input_buffer *ibuf)
|
||||
krb5_error_code kerr;
|
||||
char *keytab_name;
|
||||
|
||||
- kerr = krb5_init_context(&ibuf->context);
|
||||
+ kerr = sss_krb5_init_context(&ibuf->context);
|
||||
if (kerr != 0) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to init kerberos context\n");
|
||||
return kerr;
|
||||
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
|
||||
index 0597e91f7fade47aeb34565597c730ac406e0cfc..4ec36584ad5acc52cf442b015caec80a6a8936da 100644
|
||||
--- a/src/providers/ldap/ldap_common.c
|
||||
+++ b/src/providers/ldap/ldap_common.c
|
||||
@@ -364,7 +364,7 @@ sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
|
||||
krb5_error_code krberr;
|
||||
krb5_context context = NULL;
|
||||
|
||||
- krberr = krb5_init_context(&context);
|
||||
+ krberr = sss_krb5_init_context(&context);
|
||||
if (krberr) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
|
||||
goto done;
|
||||
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
|
||||
index 358fcc18165dec7b41a7389a3ef22660ac04b4a8..0fc09376888544570ca1bcf8c1ff1ba1d72d5906 100644
|
||||
--- a/src/responder/kcm/kcm.c
|
||||
+++ b/src/responder/kcm/kcm.c
|
||||
@@ -28,6 +28,7 @@
|
||||
#include "responder/kcm/kcmsrv_pvt.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_krb5.h"
|
||||
|
||||
#define DEFAULT_KCM_FD_LIMIT 2048
|
||||
|
||||
@@ -183,7 +184,7 @@ static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- kret = krb5_init_context(&kcm_data->k5c);
|
||||
+ kret = sss_krb5_init_context(&kcm_data->k5c);
|
||||
if (kret != EOK) {
|
||||
talloc_free(kcm_data);
|
||||
return NULL;
|
||||
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
|
||||
index a702a8b57c55bdb4215edf73731ddeaba156a84f..12660b0dd2e9170108afd54492e7ce30415741cb 100644
|
||||
--- a/src/util/sss_krb5.c
|
||||
+++ b/src/util/sss_krb5.c
|
||||
@@ -113,7 +113,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- kerr = krb5_init_context(&krb_ctx);
|
||||
+ kerr = sss_krb5_init_context(&krb_ctx);
|
||||
if (kerr) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
|
||||
ret = EFAULT;
|
||||
@@ -1096,9 +1096,9 @@ bool sss_krb5_realm_has_proxy(const char *realm)
|
||||
return false;
|
||||
}
|
||||
|
||||
- kerr = krb5_init_context(&context);
|
||||
+ kerr = sss_krb5_init_context(&context);
|
||||
if (kerr != 0) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "krb5_init_context failed.\n");
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_krb5_init_context failed.\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -1330,3 +1330,22 @@ krb5_error_code sss_krb5_marshal_princ(krb5_principal princ,
|
||||
}
|
||||
return EOK;
|
||||
}
|
||||
+
|
||||
+krb5_error_code sss_krb5_init_context(krb5_context *context)
|
||||
+{
|
||||
+ krb5_error_code kerr;
|
||||
+ const char *msg;
|
||||
+
|
||||
+ kerr = krb5_init_context(context);
|
||||
+ if (kerr != 0) {
|
||||
+ /* It is safe to call (sss_)krb5_get_error_message() with NULL as first
|
||||
+ * argument. */
|
||||
+ msg = sss_krb5_get_error_message(NULL, kerr);
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Failed to init kerberos context [%s]\n", msg);
|
||||
+ sss_log(SSS_LOG_CRIT, "Failed to init kerberos context [%s]\n", msg);
|
||||
+ sss_krb5_free_error_message(NULL, msg);
|
||||
+ }
|
||||
+
|
||||
+ return kerr;
|
||||
+}
|
||||
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
|
||||
index 0d9043be98749b1a21a1b74c68f07298fa27f230..423951443c8c512211b1e894c41f1c8891be479f 100644
|
||||
--- a/src/util/sss_krb5.h
|
||||
+++ b/src/util/sss_krb5.h
|
||||
@@ -195,4 +195,6 @@ krb5_error_code sss_krb5_unmarshal_princ(TALLOC_CTX *mem_ctx,
|
||||
struct sss_iobuf *iobuf,
|
||||
krb5_principal *_princ);
|
||||
|
||||
+krb5_error_code sss_krb5_init_context(krb5_context *context);
|
||||
+
|
||||
#endif /* __SSS_KRB5_H__ */
|
||||
--
|
||||
2.15.1
|
||||
|
@ -0,0 +1,58 @@
|
||||
From ddff278e709a2aa882f2d8d64c263cddc3a93a2c Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 28 Nov 2017 12:19:54 +0100
|
||||
Subject: [PATCH 67/79] responder: Fix talloc hierarchy in sized_output_name
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
sized_output_name was called with a NULL context from
memcache_delete_entry, but the data returned by sized_output_name
did not have a proper talloc hierarchy, so not all of the returned
data could be released.
|
||||
|
||||
==00:01:01:29.871 10088== 934,414 bytes in 8,731 blocks are definitely lost in loss record 121 of 121
|
||||
==00:01:01:29.871 10088== at 0x4C29BE3: malloc (vg_replace_malloc.c:299)
|
||||
==00:01:01:29.871 10088== by 0x8FF4EAB: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.9)
|
||||
==00:01:01:29.871 10088== by 0x52933B9: sss_output_name (usertools.c:808)
|
||||
==00:01:01:29.871 10088== by 0x5293550: sss_output_fqname (usertools.c:863)
|
||||
==00:01:01:29.871 10088== by 0x1211F9: sized_output_name (responder_common.c:1708)
|
||||
==00:01:01:29.871 10088== by 0x1137E6: memcache_delete_entry (nss_get_object.c:112)
|
||||
==00:01:01:29.871 10088== by 0x113BB6: nss_get_object_done (nss_get_object.c:245)
|
||||
==00:01:01:29.871 10088== by 0x8DE5291: _tevent_req_error (in /usr/lib64/libtevent.so.0.9.31)
|
||||
==00:01:01:29.871 10088== by 0x1276CE: cache_req_done (cache_req.c:1047)
|
||||
==00:01:01:29.871 10088== by 0x8DE5291: _tevent_req_error (in /usr/lib64/libtevent.so.0.9.31)
|
||||
==00:01:01:29.871 10088== by 0x126AF6: cache_req_search_domains_done (cache_req.c:607)
|
||||
==00:01:01:29.871 10088== by 0x8DE4AB9: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.31)
|
||||
==00:01:01:29.871 10088== by 0x8DE9C9C: ??? (in /usr/lib64/libtevent.so.0.9.31)
|
||||
==00:01:01:29.871 10088== by 0x8DE82A6: ??? (in /usr/lib64/libtevent.so.0.9.31)
|
||||
==00:01:01:29.871 10088== by 0x8DE40CC: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.31)
|
||||
==00:01:01:29.871 10088== by 0x8DE42FA: tevent_common_loop_wait (in /usr/lib64/libtevent.so.0.9.31)
|
||||
==00:01:01:29.871 10088== by 0x8DE8246: ??? (in /usr/lib64/libtevent.so.0.9.31)
|
||||
==00:01:01:29.871 10088== by 0x5291B32: server_loop (server.c:718)
|
||||
==00:01:01:29.871 10088== by 0x11004C: main (nsssrv.c:560)
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3588
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/responder/common/responder_common.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
|
||||
index 6b4d2d9e5936c79944b6f883e9fe46fd03ff32f6..e1100ce4b1eaae8bc561246699dc9bacc96133c8 100644
|
||||
--- a/src/responder/common/responder_common.c
|
||||
+++ b/src/responder/common/responder_common.c
|
||||
@@ -1815,7 +1815,7 @@ int sized_output_name(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sss_output_fqname(mem_ctx, name_dom, orig_name,
|
||||
+ ret = sss_output_fqname(name, name_dom, orig_name,
|
||||
rctx->override_space, &name_str);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
--
|
||||
2.15.1
|
||||
|
@ -0,0 +1,57 @@
|
||||
From 878fa7d0d4a3c9de1e813a550c5968153faae0a9 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 28 Nov 2017 12:20:26 +0100
|
||||
Subject: [PATCH 68/79] test_responder: Check memory leak in sized_output_name
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3588
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_responder_common.c | 20 ++++++++++++++++++++
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
|
||||
index fb7e4ee500570319999e6e85ee14a05cddea8de3..5441167caeb284982ee76926117da029966ec997 100644
|
||||
--- a/src/tests/cmocka/test_responder_common.c
|
||||
+++ b/src/tests/cmocka/test_responder_common.c
|
||||
@@ -316,6 +316,23 @@ void test_schedule_get_domains_task(void **state)
|
||||
talloc_free(dummy_ncache_ptr);
|
||||
}
|
||||
|
||||
+void test_sss_output_fqname(void **state)
|
||||
+{
|
||||
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
|
||||
+ struct parse_inp_test_ctx);
|
||||
+ errno_t ret;
|
||||
+ struct sized_string *res = NULL;
|
||||
+
|
||||
+ ret = sized_output_name(parse_inp_ctx, parse_inp_ctx->rctx, "dummy",
|
||||
+ parse_inp_ctx->tctx->dom, &res);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_non_null(res);
|
||||
+ assert_string_equal("dummy", res->str);
|
||||
+ assert_int_equal(6, res->len);
|
||||
+
|
||||
+ talloc_zfree(res);
|
||||
+}
|
||||
+
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int rv;
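Review bot: test_sss_output_fqname() does not pin the leak fix it was written for: it asserts the returned string and its length, but not the talloc hierarchy, so it passes with or without the previous patch unless the teardown's leak check happens to catch the stray allocation. Adding `assert_ptr_equal(talloc_parent(res->str), res);` before `talloc_zfree(res)` would assert that the name string is owned by the sized_string (assuming sss_output_fqname() allocates its result directly on the context it is given, which is not visible here). The name is also misleading because the unit under test is sized_output_name(); `test_sized_output_name` would match the naming of the neighbouring tests such as test_schedule_get_domains_task.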
|
||||
@@ -346,6 +363,9 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_schedule_get_domains_task,
|
||||
parse_inp_test_setup,
|
||||
parse_inp_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_output_fqname,
|
||||
+ parse_inp_test_setup,
|
||||
+ parse_inp_test_teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
--
|
||||
2.15.1
|
||||
|
81
0069-UTIL-add-find_domain_by_object_name_ex.patch
Normal file
@ -0,0 +1,81 @@
|
||||
From 8b98ab849993ddd2bddbe475f443fbee24081c1a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 20 Nov 2017 12:08:30 +0100
|
||||
Subject: [PATCH 69/79] UTIL: add find_domain_by_object_name_ex()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The _ex version of find_domain_by_object_name() has an additional option
'strict'. If set to 'true', NULL is returned instead of the domain from the
first argument. This way the caller can tell whether the provided object name
really contains a known domain.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3579
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/util/domain_info_utils.c | 17 ++++++++++++++---
|
||||
src/util/util.h | 4 ++++
|
||||
2 files changed, 18 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
||||
index 3a3f5130a32e2c5fe4b81819bf2de697a4474111..66077092a40111967a98b0937506d9e4472f50d5 100644
|
||||
--- a/src/util/domain_info_utils.c
|
||||
+++ b/src/util/domain_info_utils.c
|
||||
@@ -174,8 +174,8 @@ sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
|
||||
}
|
||||
|
||||
struct sss_domain_info *
|
||||
-find_domain_by_object_name(struct sss_domain_info *domain,
|
||||
- const char *object_name)
|
||||
+find_domain_by_object_name_ex(struct sss_domain_info *domain,
|
||||
+ const char *object_name, bool strict)
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
struct sss_domain_info *dom = NULL;
|
||||
@@ -197,7 +197,11 @@ find_domain_by_object_name(struct sss_domain_info *domain,
|
||||
}
|
||||
|
||||
if (domainname == NULL) {
|
||||
- dom = domain;
|
||||
+ if (strict) {
|
||||
+ dom = NULL;
|
||||
+ } else {
|
||||
+ dom = domain;
|
||||
+ }
|
||||
} else {
|
||||
dom = find_domain_by_name(domain, domainname, true);
|
||||
}
|
||||
@@ -207,6 +211,13 @@ done:
|
||||
return dom;
|
||||
}
|
||||
|
||||
+struct sss_domain_info *
|
||||
+find_domain_by_object_name(struct sss_domain_info *domain,
|
||||
+ const char *object_name)
|
||||
+{
|
||||
+ return find_domain_by_object_name_ex(domain, object_name, false);
|
||||
+}
|
||||
+
|
||||
errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
|
||||
struct confdb_ctx *cdb,
|
||||
const char *domain_name,
|
||||
diff --git a/src/util/util.h b/src/util/util.h
|
||||
index 37383011763a9a2a3c2c066215e3ed94aca77308..2521b1789b0b8701b1fbcce33890eedb7fe18d5e 100644
|
||||
--- a/src/util/util.h
|
||||
+++ b/src/util/util.h
|
||||
@@ -551,6 +551,10 @@ struct sss_domain_info *
|
||||
find_domain_by_object_name(struct sss_domain_info *domain,
|
||||
const char *object_name);
|
||||
|
||||
+struct sss_domain_info *
|
||||
+find_domain_by_object_name_ex(struct sss_domain_info *domain,
|
||||
+ const char *object_name, bool strict);
|
||||
+
|
||||
bool subdomain_enumerates(struct sss_domain_info *parent,
|
||||
const char *sd_name);
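Review bot: The new find_domain_by_object_name_ex() prototype does not document what `strict` changes, and the non-obvious part is that NULL now has two different meanings. In the .c hunk above, `strict` only affects the `domainname == NULL` branch (no domain part in the name), while an unknown domain part already yields NULL from find_domain_by_name() in both modes. A comment above the declaration such as `/* Like find_domain_by_object_name(), but with strict == true return NULL when object_name has no domain part instead of falling back to 'domain'. An unknown domain part yields NULL in both modes. */` would let callers read the NULL correctly.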
|
||||
|
||||
--
|
||||
2.15.1
|
||||
|
@ -0,0 +1,75 @@
|
||||
From 2029b7b32c868dd5ad33dcc9b078d362ee9bb602 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 20 Nov 2017 12:04:50 +0100
|
||||
Subject: [PATCH 70/79] ipa: handle users from different domains in
|
||||
ipa_resolve_user_list_send()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Instead of assuming that all users in the list can be found in the
provided domain, with this patch the domain-name part of the user name is
preferred; the provided domain name is used only as a fallback.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3579
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_id.c | 20 ++++++++++++++++----
|
||||
1 file changed, 16 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
|
||||
index 5044577f0faa95b19de9233240e92aa60f029774..9a092bc837f762af8d229ff5a7eb4c4ba4b78f2f 100644
|
||||
--- a/src/providers/ipa/ipa_id.c
|
||||
+++ b/src/providers/ipa/ipa_id.c
|
||||
@@ -63,6 +63,8 @@ struct ipa_resolve_user_list_state {
|
||||
struct ipa_id_ctx *ipa_ctx;
|
||||
struct ldb_message_element *users;
|
||||
const char *domain_name;
|
||||
+ struct sss_domain_info *domain;
|
||||
+ struct sss_domain_info *user_domain;
|
||||
size_t user_idx;
|
||||
|
||||
int dp_error;
|
||||
@@ -91,6 +93,8 @@ ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev,
|
||||
state->ev = ev;
|
||||
state->ipa_ctx = ipa_ctx;
|
||||
state->domain_name = domain_name;
|
||||
+ state->domain = find_domain_by_name(state->ipa_ctx->sdap_id_ctx->be->domain,
|
||||
+ state->domain_name, true);
|
||||
state->users = users;
|
||||
state->user_idx = 0;
|
||||
state->dp_error = DP_ERR_FATAL;
|
||||
@@ -132,8 +136,17 @@ static errno_t ipa_resolve_user_list_get_user_step(struct tevent_req *req)
|
||||
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Trying to resolve user [%s].\n", ar->filter_value);
|
||||
|
||||
- if (strcasecmp(state->domain_name,
|
||||
- state->ipa_ctx->sdap_id_ctx->be->domain->name) != 0) {
|
||||
+ state->user_domain = find_domain_by_object_name_ex(
|
||||
+ state->ipa_ctx->sdap_id_ctx->be->domain,
|
||||
+ ar->filter_value, true);
|
||||
+ /* Use provided domain as as fallback is no known domain was found in the
|
||||
+ * user name. */
|
||||
+ if (state->user_domain == NULL) {
|
||||
+ state->user_domain = state->domain;
|
||||
+ }
|
||||
+ ar->domain = state->user_domain->name;
|
||||
+
|
||||
+ if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) {
|
||||
subreq = ipa_subdomain_account_send(state, state->ev, state->ipa_ctx,
|
||||
ar);
|
||||
} else {
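Review bot: `ar->domain = state->user_domain->name;` can dereference NULL: state->domain is the result of find_domain_by_name() in ipa_resolve_user_list_send(), which returns NULL for an unknown domain_name, and that value is used unchecked as the fallback two lines earlier. The old code only compared the names with strcasecmp(), so an unknown domain_name did not crash here. Guard the fallback in ipa_resolve_user_list_get_user_step(), which already returns errno_t, before the assignment; alternatively reject the unknown domain in _send(), whose error path is outside this hunk. The new comment also reads "as as fallback is no known domain" and should say "as a fallback if no known domain".
```c
    if (state->user_domain == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "Unknown domain [%s].\n", state->domain_name);
        return EINVAL;
    }
    ar->domain = state->user_domain->name;
    /* … unchanged: subrequest dispatch … */
```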
|
||||
@@ -158,8 +171,7 @@ static void ipa_resolve_user_list_get_user_done(struct tevent_req *subreq)
|
||||
struct ipa_resolve_user_list_state);
|
||||
int ret;
|
||||
|
||||
- if (strcasecmp(state->domain_name,
|
||||
- state->ipa_ctx->sdap_id_ctx->be->domain->name) != 0) {
|
||||
+ if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) {
|
||||
ret = ipa_subdomain_account_recv(subreq, &state->dp_error);
|
||||
} else {
|
||||
ret = ipa_id_get_account_info_recv(subreq, &state->dp_error);
|
||||
--
|
||||
2.15.1
|
||||
|
202
0071-overrides-fixes-for-sysdb_invalidate_overrides.patch
Normal file
@ -0,0 +1,202 @@
|
||||
From 3edca52d650154bcd784674d631a76512c6c4004 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 20 Nov 2017 15:51:27 +0100
|
||||
Subject: [PATCH 71/79] overrides: fixes for sysdb_invalidate_overrides()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There were two issues in sysdb_invalidate_overrides().
|
||||
|
||||
First, SYSDB_CACHE_EXPIRE was only reset for the entry in the data cache
|
||||
but not in the timestamp cache.
|
||||
|
||||
Second, if one of the steps in the combined replace and delete operation
failed, no change was committed to the cache. If, for whatever reason,
a user or group object did not have SYSDB_OVERRIDE_DN set, the delete
failed and hence SYSDB_CACHE_EXPIRE was not reset either. To make sure
the cache is in a consistent state after a view change, the replace and
the delete operations are now done in two separate steps.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3579
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/db/sysdb_views.c | 111 +++++++++++++++++++++++++++++++++++++--------------
|
||||
1 file changed, 80 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
|
||||
index f640c813acf4deafe98eb15708d3a94790502dcb..bcd7dd46168aecdf808ad315175a12cef9ee03dd 100644
|
||||
--- a/src/db/sysdb_views.c
|
||||
+++ b/src/db/sysdb_views.c
|
||||
@@ -279,6 +279,45 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static errno_t invalidate_entry_override(struct sysdb_ctx *sysdb,
|
||||
+ struct ldb_dn *dn,
|
||||
+ struct ldb_message *msg_del,
|
||||
+ struct ldb_message *msg_repl)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ msg_del->dn = dn;
|
||||
+ msg_repl->dn = dn;
|
||||
+
|
||||
+ ret = ldb_modify(sysdb->ldb, msg_del);
|
||||
+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "ldb_modify failed: [%s](%d)[%s]\n",
|
||||
+ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb));
|
||||
+ return sysdb_error_to_errno(ret);
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_modify(sysdb->ldb, msg_repl);
|
||||
+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "ldb_modify failed: [%s](%d)[%s]\n",
|
||||
+ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb));
|
||||
+ return sysdb_error_to_errno(ret);
|
||||
+ }
|
||||
+
|
||||
+ if (sysdb->ldb_ts != NULL) {
|
||||
+ ret = ldb_modify(sysdb->ldb_ts, msg_repl);
|
||||
+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "ldb_modify failed: [%s](%d)[%s]\n",
|
||||
+ ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb_ts));
|
||||
+ return sysdb_error_to_errno(ret);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
|
||||
{
|
||||
int ret;
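Review bot: invalidate_entry_override() has no header comment, and its one asymmetry is easy to misread: msg_del (removing SYSDB_OVERRIDE_DN) is applied only to sysdb->ldb, while msg_repl (resetting SYSDB_CACHE_EXPIRE) is applied to both sysdb->ldb and sysdb->ldb_ts. A comment above the function such as `/* Reset the override state of one entry: drop SYSDB_OVERRIDE_DN from the main cache and expire the entry in both the main and the timestamp cache. Each ldb_modify() is a separate step so a missing attribute (LDB_ERR_NO_SUCH_ATTRIBUTE) in one cannot block the others. */` would record the intent, and if the timestamp cache never carries SYSDB_OVERRIDE_DN that is worth stating there as well. The callers are the two loops in the hunks below, which run after sysdb_transaction_start(); whether that transaction also covers ldb_ts is not visible here.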
|
||||
@@ -287,22 +326,23 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
|
||||
bool in_transaction = false;
|
||||
struct ldb_result *res;
|
||||
size_t c;
|
||||
- struct ldb_message *msg;
|
||||
+ struct ldb_message *msg_del;
|
||||
+ struct ldb_message *msg_repl;
|
||||
struct ldb_dn *base_dn;
|
||||
|
||||
+ if (sysdb->ldb_ts == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Timestamp cache context not available, cache might not be "
|
||||
+ "invalidated completely. Please call 'sss_cache -E' or remove "
|
||||
+ "the cache file if there are issues after a view name change.\n");
|
||||
+ }
|
||||
+
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- msg = ldb_msg_new(tmp_ctx);
|
||||
- if (msg == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
base_dn = ldb_dn_new(tmp_ctx, sysdb->ldb, SYSDB_BASE);
|
||||
if (base_dn == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed\n");
|
||||
@@ -310,27 +350,40 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = ldb_msg_add_empty(msg, SYSDB_CACHE_EXPIRE, LDB_FLAG_MOD_REPLACE,
|
||||
+ msg_del = ldb_msg_new(tmp_ctx);
|
||||
+ if (msg_del == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ret = ldb_msg_add_empty(msg_del, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE,
|
||||
NULL);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n");
|
||||
ret = sysdb_error_to_errno(ret);
|
||||
goto done;
|
||||
}
|
||||
- ret = ldb_msg_add_string(msg, SYSDB_CACHE_EXPIRE, "1");
|
||||
+
|
||||
+ msg_repl = ldb_msg_new(tmp_ctx);
|
||||
+ if (msg_repl == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_new failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ret = ldb_msg_add_empty(msg_repl, SYSDB_CACHE_EXPIRE,
|
||||
+ LDB_FLAG_MOD_REPLACE, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n");
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ret = ldb_msg_add_string(msg_repl, SYSDB_CACHE_EXPIRE, "1");
|
||||
if (ret != LDB_SUCCESS) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");
|
||||
ret = sysdb_error_to_errno(ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, NULL);
|
||||
- if (ret != LDB_SUCCESS) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n");
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
ret = sysdb_transaction_start(sysdb);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "sysdb_transaction_start failed.\n");
|
||||
@@ -347,14 +400,12 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
|
||||
}
|
||||
|
||||
for (c = 0; c < res->count; c++) {
|
||||
- msg->dn = res->msgs[c]->dn;
|
||||
-
|
||||
- ret = ldb_modify(sysdb->ldb, msg);
|
||||
- if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
|
||||
+ ret = invalidate_entry_override(sysdb, res->msgs[c]->dn, msg_del,
|
||||
+ msg_repl);
|
||||
+ if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "ldb_modify failed: [%s](%d)[%s]\n",
|
||||
- ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb));
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ "invalidate_entry_override failed [%d][%s].\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -370,14 +421,12 @@ errno_t sysdb_invalidate_overrides(struct sysdb_ctx *sysdb)
|
||||
}
|
||||
|
||||
for (c = 0; c < res->count; c++) {
|
||||
- msg->dn = res->msgs[c]->dn;
|
||||
-
|
||||
- ret = ldb_modify(sysdb->ldb, msg);
|
||||
- if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) {
|
||||
+ ret = invalidate_entry_override(sysdb, res->msgs[c]->dn, msg_del,
|
||||
+ msg_repl);
|
||||
+ if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "ldb_modify failed: [%s](%d)[%s]\n",
|
||||
- ldb_strerror(ret), ret, ldb_errstring(sysdb->ldb));
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ "invalidate_entry_override failed [%d][%s].\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.15.1
|
||||
|
253
0072-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch
Normal file
@ -0,0 +1,253 @@
|
||||
From afa3e5d8401c529dad9fb6f2e3a3f4c2aa79a977 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 20 Nov 2017 16:12:58 +0100
|
||||
Subject: [PATCH 72/79] ipa: check for SYSDB_OVERRIDE_DN in process_members and
|
||||
get_group_dn_list
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
process_members() and get_group_dn_list() are used on an IPA client to
|
||||
determine a list of users or groups which are missing in the cache and
|
||||
are needed to properly add a group or user object to the cache
|
||||
respectively.
|
||||
|
||||
If a non-default view is assigned to the client the SYSDB_OVERRIDE_DN
|
||||
must be set for all user and group objects to indicate that it was
|
||||
already checked if there is an id-override defined for the object or
|
||||
not. There are circumstances where SYSDB_OVERRIDE_DN is not set, e.g. after
a view name change. To make sure the cache is in a consistent state, with
this patch user and group entries without SYSDB_OVERRIDE_DN are
considered missing if a non-default view is assigned to the client.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3579
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++-----------------
|
||||
1 file changed, 83 insertions(+), 62 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
||||
index 39ed17cbf0e8c523212084197e9f2963fed88dc8..c6132f509dcc8e7af84e03e8bfe20701107d1392 100644
|
||||
--- a/src/providers/ipa/ipa_s2n_exop.c
|
||||
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
||||
@@ -1523,6 +1523,7 @@ fail:
|
||||
}
|
||||
|
||||
static errno_t process_members(struct sss_domain_info *domain,
|
||||
+ bool is_default_view,
|
||||
struct sysdb_attrs *group_attrs,
|
||||
char **members,
|
||||
TALLOC_CTX *mem_ctx, char ***_missing_members)
|
||||
@@ -1536,6 +1537,7 @@ static errno_t process_members(struct sss_domain_info *domain,
|
||||
struct sss_domain_info *parent_domain;
|
||||
char **missing_members = NULL;
|
||||
size_t miss_count = 0;
|
||||
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
|
||||
|
||||
if (members == NULL) {
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
|
||||
@@ -1572,53 +1574,59 @@ static errno_t process_members(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], NULL,
|
||||
+ ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
|
||||
&msg);
|
||||
- if (ret == EOK) {
|
||||
- if (group_attrs != NULL) {
|
||||
- dn_str = ldb_dn_get_linearized(msg->dn);
|
||||
- if (dn_str == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
|
||||
- members[c], dn_str);
|
||||
+ if (ret == EOK || ret == ENOENT) {
|
||||
+ if (ret == ENOENT
|
||||
+ || (!is_default_view
|
||||
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
|
||||
+ NULL) == NULL)) {
|
||||
+ /* only add ghost if the member is really missing */
|
||||
+ if (group_attrs != NULL && ret == ENOENT) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
|
||||
+ members[c]);
|
||||
|
||||
- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
|
||||
- dn_str);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "sysdb_attrs_add_string_safe failed.\n");
|
||||
- goto done;
|
||||
+ /* There were cases where the server returned the same user
|
||||
+ * multiple times */
|
||||
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
|
||||
+ members[c]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_attrs_add_string failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
}
|
||||
- }
|
||||
- } else if (ret == ENOENT) {
|
||||
- if (group_attrs != NULL) {
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
|
||||
- members[c]);
|
||||
|
||||
- /* There were cases where the server returned the same user
|
||||
- * multiple times */
|
||||
- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
|
||||
- members[c]);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "sysdb_attrs_add_string failed.\n");
|
||||
- goto done;
|
||||
+ if (missing_members != NULL) {
|
||||
+ missing_members[miss_count] = talloc_strdup(missing_members,
|
||||
+ members[c]);
|
||||
+ if (missing_members[miss_count] == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ miss_count++;
|
||||
}
|
||||
- }
|
||||
+ } else {
|
||||
+ if (group_attrs != NULL) {
|
||||
+ dn_str = ldb_dn_get_linearized(msg->dn);
|
||||
+ if (dn_str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
|
||||
+ members[c], dn_str);
|
||||
|
||||
- if (missing_members != NULL) {
|
||||
- missing_members[miss_count] = talloc_strdup(missing_members,
|
||||
- members[c]);
|
||||
- if (missing_members[miss_count] == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
|
||||
+ dn_str);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_attrs_add_string_safe failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
}
|
||||
- miss_count++;
|
||||
}
|
||||
} else {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
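Review bot: On the save path (group_attrs != NULL and _missing_members == NULL, as called from ipa_s2n_save_objects() in the last hunk) a member that is in the cache but lacks SYSDB_OVERRIDE_DN under a non-default view is now added neither as SYSDB_MEMBER nor as SYSDB_GHOST, so the group is written without that member and nothing is logged. That is presumably fine when the preceding missing-member resolution succeeded, but if it failed the membership silently disappears. At least make it visible, after the `if (group_attrs != NULL && ret == ENOENT)` branch: `} else if (group_attrs != NULL) { DEBUG(SSSDBG_MINOR_FAILURE, "Member [%s] cached without override DN, not added.\n", members[c]); }`. process_members() continues past the end of this hunk.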
|
||||
@@ -1649,6 +1657,7 @@ done:
|
||||
}
|
||||
|
||||
static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
|
||||
+ bool is_default_view,
|
||||
struct sss_domain_info *dom,
|
||||
size_t ngroups, char **groups,
|
||||
struct ldb_dn ***_dn_list,
|
||||
@@ -1664,6 +1673,7 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
|
||||
size_t n_missing = 0;
|
||||
struct sss_domain_info *obj_domain;
|
||||
struct sss_domain_info *parent_domain;
|
||||
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
@@ -1689,25 +1699,31 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], NULL,
|
||||
+ ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], attrs,
|
||||
&msg);
|
||||
- if (ret == EOK) {
|
||||
- dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
|
||||
- if (dn_list[n_dns] == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ if (ret == EOK || ret == ENOENT) {
|
||||
+ if (ret == ENOENT
|
||||
+ || (!is_default_view
|
||||
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
|
||||
+ NULL) == NULL)) {
|
||||
+ missing_groups[n_missing] = talloc_strdup(missing_groups,
|
||||
+ groups[c]);
|
||||
+ if (missing_groups[n_missing] == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ n_missing++;
|
||||
+
|
||||
+ } else {
|
||||
+ dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
|
||||
+ if (dn_list[n_dns] == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ n_dns++;
|
||||
}
|
||||
- n_dns++;
|
||||
- } else if (ret == ENOENT) {
|
||||
- missing_groups[n_missing] = talloc_strdup(missing_groups,
|
||||
- groups[c]);
|
||||
- if (missing_groups[n_missing] == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
- n_missing++;
|
||||
} else {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed.\n");
|
||||
goto done;
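Review bot: The new "treat as missing" condition in get_group_dn_list() is a verbatim copy of the one added to process_members() above, including the short-circuit that keeps `msg` from being read when ret == ENOENT; the reason a cached entry without SYSDB_OVERRIDE_DN counts as missing is only explained in the commit message. A small static helper with that explanation as its comment would keep the two call sites from drifting apart, and the two `attrs[]` arrays could become one file-scope `static const char *` table as well. get_group_dn_list() ends outside this hunk.
```c
/* A cached object that still has no SYSDB_OVERRIDE_DN has not been checked
 * against the assigned (non-default) view yet, so treat it as missing. */
static bool s2n_needs_lookup(errno_t ret, bool is_default_view,
                             struct ldb_message *msg)
{
    return ret == ENOENT
            || (!is_default_view
                && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
                                               NULL) == NULL);
}

/* … in get_group_dn_list(): … */
        if (ret == EOK || ret == ENOENT) {
            if (s2n_needs_lookup(ret, is_default_view, msg)) {
```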
|
||||
@@ -1803,7 +1819,9 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
|
||||
}
|
||||
|
||||
|
||||
- ret = get_group_dn_list(state, state->dom,
|
||||
+ ret = get_group_dn_list(state,
|
||||
+ is_default_view(state->ipa_ctx->view_name),
|
||||
+ state->dom,
|
||||
attrs->ngroups, attrs->groups,
|
||||
&group_dn_list, &missing_list);
|
||||
if (ret != EOK) {
|
||||
@@ -1832,8 +1850,10 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
|
||||
}
|
||||
break;
|
||||
} else if (attrs->response_type == RESP_GROUP_MEMBERS) {
|
||||
- ret = process_members(state->dom, NULL, attrs->a.group.gr_mem,
|
||||
- state, &missing_list);
|
||||
+ ret = process_members(state->dom,
|
||||
+ is_default_view(state->ipa_ctx->view_name),
|
||||
+ NULL, attrs->a.group.gr_mem, state,
|
||||
+ &missing_list);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
|
||||
goto done;
|
||||
@@ -2572,8 +2592,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
}
|
||||
}
|
||||
|
||||
- ret = process_members(dom, attrs->sysdb_attrs,
|
||||
- attrs->a.group.gr_mem, NULL, NULL);
|
||||
+ ret = process_members(dom, is_default_view(view_name),
|
||||
+ attrs->sysdb_attrs, attrs->a.group.gr_mem,
|
||||
+ NULL, NULL);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
|
||||
goto done;
|
||||
--
|
||||
2.15.1
|
||||
|
69
0073-IPA-use-cache-searches-in-get_groups_dns.patch
Normal file
@ -0,0 +1,69 @@
|
||||
From d1d62630e1d1c6a88fe4bf8612cb4f9a2fff7181 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 20 Nov 2017 16:41:29 +0100
|
||||
Subject: [PATCH 73/79] IPA: use cache searches in get_groups_dns()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the group name is overridden in the default view we have to search
|
||||
for the name and cannot construct it because the extdom plugin will
|
||||
return the overridden name but the DN of the related group object in the
|
||||
cache will contain the original name.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3579
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_s2n_exop.c | 27 +++++++++++++++++++--------
|
||||
1 file changed, 19 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
||||
index c6132f509dcc8e7af84e03e8bfe20701107d1392..49c393e9a1eb19ab683949cf633a6838274bc0fe 100644
|
||||
--- a/src/providers/ipa/ipa_s2n_exop.c
|
||||
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
||||
@@ -2038,6 +2038,7 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
|
||||
int c;
|
||||
struct sss_domain_info *root_domain;
|
||||
char **dn_list;
|
||||
+ struct ldb_message *msg;
|
||||
|
||||
if (name_list == NULL) {
|
||||
*_dn_list = NULL;
|
||||
@@ -2082,15 +2083,25 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* This might fail if some unexpected cases are used. But current
|
||||
- * sysdb code which handles group membership constructs DNs this way
|
||||
- * as well, IPA names are lowercased and AD names by default will be
|
||||
- * lowercased as well. If there are really use-cases which cause an
|
||||
- * issue here, sysdb_group_strdn() has to be replaced by a proper
|
||||
- * search. */
|
||||
- dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
|
||||
+ /* If the group name is overridden in the default view we have to
|
||||
+ * search for the name and cannot construct it because the extdom
|
||||
+ * plugin will return the overridden name but the DN of the related
|
||||
+ * group object in the cache will contain the original name. */
|
||||
+
|
||||
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name_list[c], NULL,
|
||||
+ &msg);
|
||||
+ if (ret == EOK) {
|
||||
+ dn_list[c] = ldb_dn_alloc_linearized(dn_list, msg->dn);
|
||||
+ } else {
|
||||
+ /* best effort, try to construct the DN */
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "sysdb_search_group_by_name failed with [%d], "
|
||||
+ "generating DN for [%s] in domain [%s].\n",
|
||||
+ ret, name_list[c], dom->name);
|
||||
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
|
||||
+ }
|
||||
if (dn_list[c] == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_alloc_linearized failed.\n");
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.15.1
|
||||
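Review bot: The `} else {` fallback runs for every non-EOK result of sysdb_search_group_by_name(), not only ENOENT, so a transient cache error (EIO, ENOMEM) silently yields a constructed DN — for an overridden group name exactly the DN the commit message says does not match the cached object — and that DN then feeds the membership add/del lists. I would keep the best-effort path for ENOENT only: `} else if (ret == ENOENT) {` around the existing fallback, and `} else { DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed [%d].\n", ret); goto done; }` for anything else. The NULL check below logs `"ldb_dn_alloc_linearized failed.\n"` even when it was sysdb_group_strdn() on the fallback path that returned NULL; `"Failed to get DN for group [%s].\n", name_list[c]` covers both branches. get_groups_dns() begins and ends outside the hunks.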
|
@ -0,0 +1,85 @@
|
||||
From 97becd502f5d8aa74b94eee78a949825222b6933 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 20 Nov 2017 16:45:45 +0100
|
||||
Subject: [PATCH 74/79] ipa: compare DNs instead of group names in
|
||||
ipa_s2n_save_objects()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If group names are used to compare the current list of group memberships
|
||||
returned by the server with the one from the cache some groups might end
|
||||
up in the wrong result list if group names are overridden. This
|
||||
ambiguity can be resolved by using the DNs of the cached objects.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3579
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_s2n_exop.c | 31 ++++++++++++-------------------
|
||||
1 file changed, 12 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
||||
index 49c393e9a1eb19ab683949cf633a6838274bc0fe..8b97f78620f19b0708e8a480cb72fd7f12d96dfb 100644
|
||||
--- a/src/providers/ipa/ipa_s2n_exop.c
|
||||
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
||||
@@ -2185,10 +2185,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
struct ldb_result *res;
|
||||
enum sysdb_member_type type;
|
||||
char **sysdb_grouplist;
|
||||
- char **add_groups;
|
||||
char **add_groups_dns;
|
||||
- char **del_groups;
|
||||
char **del_groups_dns;
|
||||
+ char **groups_dns;
|
||||
bool in_transaction = false;
|
||||
int tret;
|
||||
struct sysdb_attrs *gid_override_attrs = NULL;
|
||||
@@ -2514,33 +2513,27 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
}
|
||||
|
||||
if (attrs->response_type == RESP_USER_GROUPLIST) {
|
||||
- ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
|
||||
- &sysdb_grouplist);
|
||||
+ ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name,
|
||||
+ &sysdb_grouplist);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = diff_string_lists(tmp_ctx, attrs->groups,
|
||||
- sysdb_grouplist, &add_groups,
|
||||
- &del_groups, NULL);
|
||||
+ ret = get_groups_dns(tmp_ctx, dom, attrs->groups, &groups_dns);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = diff_string_lists(tmp_ctx, groups_dns,
|
||||
+ sysdb_grouplist, &add_groups_dns,
|
||||
+ &del_groups_dns, NULL);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
|
||||
name);
|
||||
ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
|
||||
--
|
||||
2.15.1
|
||||
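Review bot: diff_string_lists() now compares DN strings byte-for-byte, but its two inputs are produced differently — get_sysdb_grouplist_dn() from the cached objects and get_groups_dns(), which per the preceding patch falls back to constructing a DN when the cache search misses — so any difference in case or attribute-value escaping between the two forms would put the same group in both add_groups_dns and del_groups_dns and drop a membership the server still reports. A comment stating that both sides are expected to be ldb-linearized DNs of the same form, or comparing through ldb_dn_compare() instead of strcmp(), would make that assumption explicit. The log line that survives at `DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");` now names the wrong function and should read `"get_sysdb_grouplist_dn failed.\n"`. ipa_s2n_save_objects() starts and ends outside the hunks.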
|
150
0075-nss-Fix-invalid-enum-nss_status-return-values.patch
Normal file
150
0075-nss-Fix-invalid-enum-nss_status-return-values.patch
Normal file
@ -0,0 +1,150 @@
|
||||
From fd0fb14e613f15a7d1fbde86bf371a72d8dfe3b8 Mon Sep 17 00:00:00 2001
|
||||
From: Carlos O'Donell <carlos@systemhalted.org>
|
||||
Date: Wed, 29 Nov 2017 22:36:39 -0800
|
||||
Subject: [PATCH 75/79] nss: Fix invalid enum nss_status return values.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The upstream glibc test nss/bug17079 covers several cases where the
|
||||
NSS infrastructure passes invalid pointers to NSS plugins. The plugins
|
||||
should return correct results for the invalid values e.g. ERANGE,
|
||||
but it should do so by setting *errnop to the error and returning
|
||||
NSS_STATUS_TRYAGAIN. This commit fixes the group, netgroup, passwd
|
||||
and service handling code to correctly return ERANGE in *errnop
|
||||
and NSS_TATUS_TRYAGAIN in the case of invalid buffer (NULL) or
|
||||
zero sized buffer length. This fixes the nss/bug17079 regression test
|
||||
when run in a test configuration with sss enabled for any of the
|
||||
above mentioned services.
|
||||
|
||||
Upstream glibc bug:
|
||||
Bug 22530 - FAIL: nss/bug17079 due to _nss_sss_getpwuid_r
|
||||
https://sourceware.org/bugzilla/show_bug.cgi?id=22530
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3561
|
||||
|
||||
Signed-off-by: Carlos O'Donell <carlos@redhat.com>
|
||||
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/sss_client/nss_group.c | 10 ++++++++--
|
||||
src/sss_client/nss_netgroup.c | 5 ++++-
|
||||
src/sss_client/nss_passwd.c | 10 ++++++++--
|
||||
src/sss_client/nss_services.c | 15 ++++++++++++---
|
||||
4 files changed, 32 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c
|
||||
index 42fba6242d23fc1d52cfd7be10cf10383010f091..054f30e13f8d5f8300a3e63c9035b98d30473c0e 100644
|
||||
--- a/src/sss_client/nss_group.c
|
||||
+++ b/src/sss_client/nss_group.c
|
||||
@@ -522,7 +522,10 @@ enum nss_status _nss_sss_getgrgid_r(gid_t gid, struct group *result,
|
||||
int ret;
|
||||
|
||||
/* Caught once glibc passing in buffer == 0x0 */
|
||||
- if (!buffer || !buflen) return ERANGE;
|
||||
+ if (!buffer || !buflen) {
|
||||
+ *errnop = ERANGE;
|
||||
+ return NSS_STATUS_TRYAGAIN;
|
||||
+ }
|
||||
|
||||
ret = sss_nss_mc_getgrgid(gid, result, buffer, buflen);
|
||||
switch (ret) {
|
||||
@@ -655,7 +658,10 @@ static enum nss_status internal_getgrent_r(struct group *result,
|
||||
int ret;
|
||||
|
||||
/* Caught once glibc passing in buffer == 0x0 */
|
||||
- if (!buffer || !buflen) return ERANGE;
|
||||
+ if (!buffer || !buflen) {
|
||||
+ *errnop = ERANGE;
|
||||
+ return NSS_STATUS_TRYAGAIN;
|
||||
+ }
|
||||
|
||||
/* if there are leftovers return the next one */
|
||||
if (sss_nss_getgrent_data.data != NULL &&
|
||||
diff --git a/src/sss_client/nss_netgroup.c b/src/sss_client/nss_netgroup.c
|
||||
index 8594fc460514d6f92e786605168fa7d15c7ee913..3a1834a311e6658c6160b5f95a01434fed69ad1c 100644
|
||||
--- a/src/sss_client/nss_netgroup.c
|
||||
+++ b/src/sss_client/nss_netgroup.c
|
||||
@@ -231,7 +231,10 @@ static enum nss_status internal_getnetgrent_r(struct __netgrent *result,
|
||||
int ret;
|
||||
|
||||
/* Caught once glibc passing in buffer == 0x0 */
|
||||
- if (!buffer || !buflen) return ERANGE;
|
||||
+ if (!buffer || !buflen) {
|
||||
+ *errnop = ERANGE;
|
||||
+ return NSS_STATUS_TRYAGAIN;
|
||||
+ }
|
||||
|
||||
/* If we're already processing result data, continue to
|
||||
* return it.
|
||||
diff --git a/src/sss_client/nss_passwd.c b/src/sss_client/nss_passwd.c
|
||||
index 61e2a567e684fbc7664b5d425e81cfa28a98e845..5b1c2ce66b0954bc304dfb458f509defa8eed889 100644
|
||||
--- a/src/sss_client/nss_passwd.c
|
||||
+++ b/src/sss_client/nss_passwd.c
|
||||
@@ -251,7 +251,10 @@ enum nss_status _nss_sss_getpwuid_r(uid_t uid, struct passwd *result,
|
||||
int ret;
|
||||
|
||||
/* Caught once glibc passing in buffer == 0x0 */
|
||||
- if (!buffer || !buflen) return ERANGE;
|
||||
+ if (!buffer || !buflen) {
|
||||
+ *errnop = ERANGE;
|
||||
+ return NSS_STATUS_TRYAGAIN;
|
||||
+ }
|
||||
|
||||
ret = sss_nss_mc_getpwuid(uid, result, buffer, buflen);
|
||||
switch (ret) {
|
||||
@@ -376,7 +379,10 @@ static enum nss_status internal_getpwent_r(struct passwd *result,
|
||||
int ret;
|
||||
|
||||
/* Caught once glibc passing in buffer == 0x0 */
|
||||
- if (!buffer || !buflen) return ERANGE;
|
||||
+ if (!buffer || !buflen) {
|
||||
+ *errnop = ERANGE;
|
||||
+ return NSS_STATUS_TRYAGAIN;
|
||||
+ }
|
||||
|
||||
/* if there are leftovers return the next one */
|
||||
if (sss_nss_getpwent_data.data != NULL &&
|
||||
diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c
|
||||
index 64e0b43e1643e4e76d2381a6b062335c3d513a21..161dad9ae27f822b40af8368e5af38b020d6549a 100644
|
||||
--- a/src/sss_client/nss_services.c
|
||||
+++ b/src/sss_client/nss_services.c
|
||||
@@ -177,7 +177,10 @@ _nss_sss_getservbyname_r(const char *name,
|
||||
int ret;
|
||||
|
||||
/* Caught once glibc passing in buffer == 0x0 */
|
||||
- if (!buffer || !buflen) return ERANGE;
|
||||
+ if (!buffer || !buflen) {
|
||||
+ *errnop = ERANGE;
|
||||
+ return NSS_STATUS_TRYAGAIN;
|
||||
+ }
|
||||
|
||||
ret = sss_strnlen(name, SSS_NAME_MAX, &name_len);
|
||||
if (ret != 0) {
|
||||
@@ -278,7 +281,10 @@ _nss_sss_getservbyport_r(int port, const char *protocol,
|
||||
int ret;
|
||||
|
||||
/* Caught once glibc passing in buffer == 0x0 */
|
||||
- if (!buffer || !buflen) return ERANGE;
|
||||
+ if (!buffer || !buflen) {
|
||||
+ *errnop = ERANGE;
|
||||
+ return NSS_STATUS_TRYAGAIN;
|
||||
+ }
|
||||
|
||||
if (protocol) {
|
||||
ret = sss_strnlen(protocol, SSS_NAME_MAX, &proto_len);
|
||||
@@ -411,7 +417,10 @@ static enum nss_status internal_getservent_r(struct servent *result,
|
||||
int ret;
|
||||
|
||||
/* Caught once glibc passing in buffer == 0x0 */
|
||||
- if (!buffer || !buflen) return ERANGE;
|
||||
+ if (!buffer || !buflen) {
|
||||
+ *errnop = ERANGE;
|
||||
+ return NSS_STATUS_TRYAGAIN;
|
||||
+ }
|
||||
|
||||
/* if there are leftovers return the next one */
|
||||
if (sss_nss_getservent_data.data != NULL &&
|
||||
--
|
||||
2.15.1
|
||||
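Review bot: The comment kept above each new check, `/* Caught once glibc passing in buffer == 0x0 */`, still reads as a one-off workaround and says nothing about why the result is now NSS_STATUS_TRYAGAIN with *errnop = ERANGE rather than a bare ERANGE; I would replace it with `/* glibc may call with buffer == NULL or buflen == 0 (nss/bug17079); the NSS contract for "buffer too small" is *errnop = ERANGE plus NSS_STATUS_TRYAGAIN — a raw errno value is not a valid enum nss_status */`. The same four lines are now repeated at eight call sites across four files; a small static inline helper in a shared sss_client header, e.g. `sss_nss_check_buf(buffer, buflen, errnop)`, would keep them from drifting apart the next time the convention changes. The functions containing these checks start and end outside the hunks.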
|
110
0076-confdb-Move-detection-files-to-separate-function.patch
Normal file
110
0076-confdb-Move-detection-files-to-separate-function.patch
Normal file
@ -0,0 +1,110 @@
|
||||
From 5af7dcbba7a54c9a017a7d317f74453254125eb7 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 29 Nov 2017 17:57:56 +0100
|
||||
Subject: [PATCH 76/79] confdb: Move detection files to separate function
|
||||
|
||||
---
|
||||
src/confdb/confdb.c | 73 ++++++++++++++++++++++++++++++-----------------------
|
||||
1 file changed, 41 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index a028224817f12ace2a0c4165d7b9cb0bb80ce5a1..c41bd5087592ba15d8956e0279aaf72ba86936ed 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -1718,52 +1718,61 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static int confdb_has_files_domain(struct confdb_ctx *cdb)
|
||||
+static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx,
|
||||
+ struct ldb_result *doms)
|
||||
{
|
||||
- TALLOC_CTX *tmp_ctx = NULL;
|
||||
- struct ldb_dn *dn = NULL;
|
||||
- struct ldb_result *res = NULL;
|
||||
- static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
|
||||
const char *id_provider = NULL;
|
||||
- int ret;
|
||||
unsigned int i;
|
||||
|
||||
- tmp_ctx = talloc_new(NULL);
|
||||
- if (tmp_ctx == NULL) {
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
|
||||
- if (dn == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
|
||||
- attrs, NULL);
|
||||
- if (ret != LDB_SUCCESS) {
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- for (i = 0; i < res->count; i++) {
|
||||
- id_provider = ldb_msg_find_attr_as_string(res->msgs[i],
|
||||
+ for (i = 0; i < doms->count; i++) {
|
||||
+ id_provider = ldb_msg_find_attr_as_string(doms->msgs[i],
|
||||
CONFDB_DOMAIN_ID_PROVIDER,
|
||||
NULL);
|
||||
if (id_provider == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
"The object [%s] doesn't have a id_provider\n",
|
||||
- ldb_dn_get_linearized(res->msgs[i]->dn));
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
+ ldb_dn_get_linearized(doms->msgs[i]->dn));
|
||||
+ continue;
|
||||
}
|
||||
|
||||
if (strcasecmp(id_provider, "files") == 0) {
|
||||
- break;
|
||||
+ return false;
|
||||
}
|
||||
}
|
||||
|
||||
- ret = i < res->count ? EOK : ENOENT;
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+static int confdb_has_files_domain(struct confdb_ctx *cdb)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
||||
+ struct ldb_dn *dn = NULL;
|
||||
+ struct ldb_result *res = NULL;
|
||||
+ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
|
||||
+ int ret;
|
||||
+ bool need_files_dom;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
|
||||
+ if (dn == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
|
||||
+ attrs, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ need_files_dom = need_implicit_files_domain(tmp_ctx, res);
|
||||
+
|
||||
+ ret = need_files_dom ? ENOENT : EOK;
|
||||
done:
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
--
|
||||
2.15.1
|
||||
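Review bot: The `continue;` that replaces `ret = EINVAL; goto done;` changes behaviour rather than just moving code: a domain object without id_provider used to make confdb_has_files_domain() fail, and now it is skipped at SSSDBG_OP_FAILURE and, if no other domain is a files domain, an implicit files domain gets started on top of a misconfigured setup. If that is intended, the commit message and a comment should say so, e.g. `/* a domain without id_provider is rejected elsewhere; here it only must not be mistaken for a files domain */` — I could not confirm from this hunk where else it is rejected. The `tmp_ctx` parameter of need_implicit_files_domain() is unused in this patch and will trip -Wunused-parameter until the following patch starts using it.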
|
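--- a/0077-confdb-Fix-starting-of-implicit-files-domain.patch
+++ b/0077-confdb-Fix-starting-of-implicit-files-domain.patch
@@ -0,0 +1,96 @@
+From 57720f0d0945262a13d9ab7d1ec8220837ab618f Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Wed, 29 Nov 2017 20:02:35 +0100
+Subject: [PATCH 77/79] confdb: Fix starting of implicit files domain
+
+We did not start implicit_files domain when sssd configuration
+contains files domain which was disabled.
+---
+src/confdb/confdb.c | 36 +++++++++++++++++++++++++++++++++--
+src/tests/intg/test_files_provider.py | 3 +++
+2 files changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index c41bd5087592ba15d8956e0279aaf72ba86936ed..ef1be4a6e6daee2644d535e561fac7735eb6a0b2 100644
+--- a/src/confdb/confdb.c
++++ b/src/confdb/confdb.c
+@@ -1719,12 +1719,43 @@ done:
+}
+
+static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx,
++ struct confdb_ctx *cdb,
+struct ldb_result *doms)
+{
+const char *id_provider = NULL;
+unsigned int i;
++ errno_t ret;
++ char **domlist;
++ const char *val;
++
++ ret = confdb_get_string_as_list(cdb, tmp_ctx,
++ CONFDB_MONITOR_CONF_ENTRY,
++ CONFDB_MONITOR_ACTIVE_DOMAINS,
++ &domlist);
++ if (ret == ENOENT) {
++ return true;
++ } else if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Cannot get active domains %d[%s]\n",
++ ret, sss_strerror(ret));
++ return false;
++ }
+
+for (i = 0; i < doms->count; i++) {
++ val = ldb_msg_find_attr_as_string(doms->msgs[i], CONFDB_DOMAIN_ATTR,
++ NULL);
++ if (val == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "The object [%s] doesn't have a name\n",
++ ldb_dn_get_linearized(doms->msgs[i]->dn));
++ continue;
++ }
++
++ /* skip disabled domain */
++ if (!string_in_list(val, domlist, false)) {
++ continue;
++ }
++
+id_provider = ldb_msg_find_attr_as_string(doms->msgs[i],
+CONFDB_DOMAIN_ID_PROVIDER,
+NULL);
+@@ -1748,7 +1779,8 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb)
+TALLOC_CTX *tmp_ctx = NULL;
+struct ldb_dn *dn = NULL;
+struct ldb_result *res = NULL;
+- static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
++ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER,
++ CONFDB_DOMAIN_ATTR, NULL };
+int ret;
+bool need_files_dom;
+
+@@ -1770,7 +1802,7 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb)
+goto done;
+}
+
+- need_files_dom = need_implicit_files_domain(tmp_ctx, res);
++ need_files_dom = need_implicit_files_domain(tmp_ctx, cdb, res);
+
+ret = need_files_dom ? ENOENT : EOK;
+done:
+diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
+index e507ea10d78b9b35ee57178e78f4621372d0c2e5..169da713767b6495e117d805b29d8d6346237ebc 100644
+--- a/src/tests/intg/test_files_provider.py
++++ b/src/tests/intg/test_files_provider.py
+@@ -167,6 +167,9 @@ def no_files_domain(request):
+
+[domain/local]
+id_provider = local
++
++ [domain/disabled.files]
++ id_provider = files
+""").format(**locals())
+create_conf_fixture(request, conf)
+create_sssd_fixture(request)
+--
+2.15.1
+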
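Review bot: When confdb_get_string_as_list() fails with anything other than ENOENT, need_implicit_files_domain() returns false, which confdb_has_files_domain() maps to EOK — "a files domain exists" — so an error reading `[sssd] domains` silently disables the implicit files domain instead of being reported. Because the helper returns bool it cannot propagate the error; the minimal fix is a `static errno_t need_implicit_files_domain(..., bool *_need)` signature with confdb_has_files_domain() returning the error, or at least a comment such as `/* on error we pretend a files domain exists; the monitor fails later on the broken config */` if that fallback is intended and true. The `false` passed at `if (!string_in_list(val, domlist, false))` deserves a comment saying whether it selects a case-insensitive match, since the domain names listed in `domains =` are matched here against CONFDB_DOMAIN_ATTR. confdb_has_files_domain() ends outside the hunk.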
|
@ -0,0 +1,59 @@
|
||||
From 8cf5e390b38f0be4f88b0ebbbd1b14f52d35cd02 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Thu, 30 Nov 2017 07:59:33 +0100
|
||||
Subject: [PATCH 78/79] confdb: Do not start implicit_files with proxy domain
|
||||
|
||||
id_provider = proxy + proxy_lib_name = files is equivalent
|
||||
to id_provider = files. But requests to user hit implicit_files
|
||||
domain instead of proxy domain and therefore it broke usage
|
||||
of proxy domain with auth_provider = krb5.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3590
|
||||
---
|
||||
src/confdb/confdb.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index ef1be4a6e6daee2644d535e561fac7735eb6a0b2..0a4be57e08791f8a9eb5fc143a56352cd4ef4b5e 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -1769,6 +1769,25 @@ static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx,
|
||||
if (strcasecmp(id_provider, "files") == 0) {
|
||||
return false;
|
||||
}
|
||||
+
|
||||
+ if (strcasecmp(id_provider, "proxy") == 0) {
|
||||
+ val = ldb_msg_find_attr_as_string(doms->msgs[i],
|
||||
+ CONFDB_PROXY_LIBNAME, NULL);
|
||||
+ if (val == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "The object [%s] doesn't have proxy_lib_name with "
|
||||
+ "id_provider proxy\n",
|
||||
+ ldb_dn_get_linearized(doms->msgs[i]->dn));
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ /* id_provider = proxy + proxy_lib_name = files is equivalent
|
||||
+ * to id_provider = files
|
||||
+ */
|
||||
+ if (strcmp(val, "files") == 0) {
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
return true;
|
||||
@@ -1780,7 +1799,8 @@ static int confdb_has_files_domain(struct confdb_ctx *cdb)
|
||||
struct ldb_dn *dn = NULL;
|
||||
struct ldb_result *res = NULL;
|
||||
static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER,
|
||||
- CONFDB_DOMAIN_ATTR, NULL };
|
||||
+ CONFDB_DOMAIN_ATTR,
|
||||
+ CONFDB_PROXY_LIBNAME, NULL };
|
||||
int ret;
|
||||
bool need_files_dom;
|
||||
|
||||
--
|
||||
2.15.1
|
||||
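Review bot: `if (strcmp(val, "files") == 0)` compares proxy_lib_name case-sensitively while id_provider two branches up is compared with strcasecmp(); if that is deliberate because proxy_lib_name is used verbatim to form the NSS module file name (libnss_<name>.so), a one-line comment will stop the next reader from "fixing" it: `/* strcmp on purpose: proxy_lib_name is a file-name fragment, case matters */`. If it is not deliberate, `strcasecmp` keeps the two checks consistent. A proxy domain lacking proxy_lib_name is logged at SSSDBG_OP_FAILURE and skipped, whereas the missing-name case added just above in the previous patch uses SSSDBG_CRIT_FAILURE; the two unusable-domain cases should log at the same level. need_implicit_files_domain() starts outside the hunk.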
|
@ -0,0 +1,73 @@
|
||||
From f9518dce861a1fe9a3a5c5c63ac45f67fdbc5e68 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Thu, 30 Nov 2017 10:21:17 +0100
|
||||
Subject: [PATCH 79/79] test_files_provider: Regression test for implicit_files
|
||||
+ proxy
|
||||
|
||||
Related to:
|
||||
https://pagure.io/SSSD/sssd/issue/3590
|
||||
---
|
||||
src/tests/intg/test_files_provider.py | 40 +++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 40 insertions(+)
|
||||
|
||||
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
|
||||
index 169da713767b6495e117d805b29d8d6346237ebc..ea4e5b70a3626cb43217b59488cf186e3325ae8d 100644
|
||||
--- a/src/tests/intg/test_files_provider.py
|
||||
+++ b/src/tests/intg/test_files_provider.py
|
||||
@@ -145,6 +145,26 @@ def files_domain_only(request):
|
||||
return None
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def proxy_to_files_domain_only(request):
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ domains = proxy, local
|
||||
+ services = nss
|
||||
+
|
||||
+ [domain/local]
|
||||
+ id_provider = local
|
||||
+
|
||||
+ [domain/proxy]
|
||||
+ id_provider = proxy
|
||||
+ proxy_lib_name = files
|
||||
+ auth_provider = none
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def no_sssd_domain(request):
|
||||
conf = unindent("""\
|
||||
@@ -980,6 +1000,26 @@ def test_no_sssd_domain(add_user_with_canary, no_sssd_domain):
|
||||
assert user == USER1
|
||||
|
||||
|
||||
+def test_proxy_to_files_domain_only(add_user_with_canary,
|
||||
+ proxy_to_files_domain_only):
|
||||
+ """
|
||||
+ Test that implicit_files domain is not started together with proxy to files
|
||||
+ """
|
||||
+ local_user1 = dict(name='user1', passwd='*', uid=10009, gid=10009,
|
||||
+ gecos='user1', dir='/home/user1', shell='/bin/bash')
|
||||
+
|
||||
+ # Add a user with a different UID than the one in files
|
||||
+ subprocess.check_call(
|
||||
+ ["sss_useradd", "-u", "10009", "-M", USER1["name"]])
|
||||
+
|
||||
+ res, user = call_sssd_getpwnam(USER1["name"])
|
||||
+ assert res == NssReturnCode.SUCCESS
|
||||
+ assert user == local_user1
|
||||
+
|
||||
+ res, _ = call_sssd_getpwnam("{0}@implicit_files".format(USER1["name"]))
|
||||
+ assert res == NssReturnCode.NOTFOUND
|
||||
+
|
||||
+
|
||||
def test_no_files_domain(add_user_with_canary, no_files_domain):
|
||||
"""
|
||||
Test that if no files domain is configured, sssd will add the implicit one
|
||||
--
|
||||
2.15.1
|
||||
|
@ -0,0 +1,86 @@
|
||||
From ec91a059a774a30af83927f114e7c4fa0d2b7623 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@fedoraproject.org>
|
||||
Date: Fri, 20 Oct 2017 18:09:42 +0200
|
||||
Subject: [PATCH] Revert "libwbclient-sssd: update interface to version 0.14"
|
||||
|
||||
This reverts commit d1b2a3394e496f749151ccd5aca29507ca69214b.
|
||||
---
|
||||
src/conf_macros.m4 | 4 ++--
|
||||
src/sss_client/libwbclient/wbclient.exports | 3 ---
|
||||
src/sss_client/libwbclient/wbclient_sssd.h | 9 ++-------
|
||||
3 files changed, 4 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
|
||||
index 323830b4246cb94cba74042f0169f78b09087f17..2fa7ae9c4dec1007924f44a8d043909e378a6dd3 100644
|
||||
--- a/src/conf_macros.m4
|
||||
+++ b/src/conf_macros.m4
|
||||
@@ -743,10 +743,10 @@ AC_DEFUN([WITH_LIBWBCLIENT],
|
||||
if test x"$with_libwbclient" = xyes; then
|
||||
AC_DEFINE(BUILD_LIBWBCLIENT, 1, [whether to build SSSD implementation of libwbclient])
|
||||
|
||||
- libwbclient_version="0.14"
|
||||
+ libwbclient_version="0.13"
|
||||
AC_SUBST(libwbclient_version)
|
||||
|
||||
- libwbclient_version_info="14:0:14"
|
||||
+ libwbclient_version_info="13:0:13"
|
||||
AC_SUBST(libwbclient_version_info)
|
||||
fi
|
||||
AM_CONDITIONAL([BUILD_LIBWBCLIENT], [test x"$with_libwbclient" = xyes])
|
||||
diff --git a/src/sss_client/libwbclient/wbclient.exports b/src/sss_client/libwbclient/wbclient.exports
|
||||
index 7abbaba6036c604177f247521e877c86720a1b4d..9d3c2040e7d393c0057d44864826cefc2e3f7a31 100644
|
||||
--- a/src/sss_client/libwbclient/wbclient.exports
|
||||
+++ b/src/sss_client/libwbclient/wbclient.exports
|
||||
@@ -150,6 +150,3 @@ WBCLIENT_0.13 {
|
||||
wbcUnixIdsToSids;
|
||||
wbcCtxUnixIdsToSids;
|
||||
} WBCLIENT_0.12;
|
||||
-
|
||||
-WBCLIENT_0.14 {
|
||||
-} WBCLIENT_0.13;
|
||||
diff --git a/src/sss_client/libwbclient/wbclient_sssd.h b/src/sss_client/libwbclient/wbclient_sssd.h
|
||||
index f2fe8fe60e2ff55399e408056ccfbbfff044b88b..50ba7f84304df5f24a31cbbad857f22d1c70964d 100644
|
||||
--- a/src/sss_client/libwbclient/wbclient_sssd.h
|
||||
+++ b/src/sss_client/libwbclient/wbclient_sssd.h
|
||||
@@ -74,11 +74,9 @@ const char *wbcErrorString(wbcErr error);
|
||||
* 0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
|
||||
* 0.12: Added wbcCtxCreate and friends
|
||||
* 0.13: Added wbcCtxUnixIdsToSids and wbcUnixIdsToSids
|
||||
- * 0.14: Added "authoritative" to wbcAuthErrorInfo
|
||||
- * Added WBC_SID_NAME_LABEL
|
||||
**/
|
||||
#define WBCLIENT_MAJOR_VERSION 0
|
||||
-#define WBCLIENT_MINOR_VERSION 14
|
||||
+#define WBCLIENT_MINOR_VERSION 13
|
||||
#define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
|
||||
struct wbcLibraryDetails {
|
||||
uint16_t major_version;
|
||||
@@ -140,8 +138,7 @@ enum wbcSidType {
|
||||
WBC_SID_NAME_DELETED=6,
|
||||
WBC_SID_NAME_INVALID=7,
|
||||
WBC_SID_NAME_UNKNOWN=8,
|
||||
- WBC_SID_NAME_COMPUTER=9,
|
||||
- WBC_SID_NAME_LABEL=10
|
||||
+ WBC_SID_NAME_COMPUTER=9
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -319,7 +316,6 @@ struct wbcChangePasswordParams {
|
||||
#define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0x00000020
|
||||
#define WBC_MSV1_0_RETURN_PROFILE_PATH 0x00000200
|
||||
#define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800
|
||||
-#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000
|
||||
|
||||
/* wbcAuthUserParams->flags */
|
||||
|
||||
@@ -422,7 +418,6 @@ struct wbcAuthErrorInfo {
|
||||
char *nt_string;
|
||||
int32_t pam_error;
|
||||
char *display_string;
|
||||
- uint8_t authoritative;
|
||||
};
|
||||
|
||||
/**
|
||||
--
|
||||
2.14.2
|
||||
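Review bot: Dropping `uint8_t authoritative;` from the end of struct wbcAuthErrorInfo together with the WBCLIENT_0.14 version node changes the library's ABI, not only its advertised minor version: if the structure is allocated by the library, a caller compiled against the 0.14 header will read `authoritative` past the end of the object this build hands out. The patch description is only "This reverts commit …"; it should state which libwbclient version the distribution's Samba expects and why shipping 0.13 is preferred, so the next rebase does not reapply or drop the revert blindly. A comment next to `#define WBCLIENT_MINOR_VERSION 13`, e.g. `/* pinned to 0.13 to match the system Samba; do not bump without checking the wbcAuthErrorInfo layout */`, would carry that reason into the code.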
|
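--- a/0502-SYSTEMD-Use-capabilities.patch
+++ b/0502-SYSTEMD-Use-capabilities.patch
@@ -0,0 +1,25 @@
+From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@fedoraproject.org>
+Date: Mon, 12 Dec 2016 21:56:16 +0100
+Subject: [PATCH] SYSTEMD: Use capabilities
+
+copied from selinux policy
+---
+src/sysv/systemd/sssd.service.in | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
+index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
+Type=notify
+NotifyAccess=main
+PIDFile=@localstatedir@/run/sssd.pid
++CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
+
+[Install]
+WantedBy=multi-user.target
+--
+2.15.1
+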
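Review bot: The added `CapabilityBoundingSet=` line includes CAP_SYS_ADMIN, which by itself is enough to regain most of what the line leaves out, so as a hardening measure it bounds very little; the commit says the list was copied from the SELinux policy, but an SELinux `capability` allow-list is a superset accumulated over time, not a minimal set for `sssd -i`. Each entry should carry a reason before this line is treated as the service's privilege contract, e.g. a comment block above it of the form `# CAP_SETUID/CAP_SETGID: needed to switch responders to the sssd user (confirm)` for each of the twelve, and any that nobody can justify (CAP_NET_ADMIN and CAP_BLOCK_SUSPEND look surprising for a directory client) dropped after testing. The patch description `copied from selinux policy` should also name the policy module and version it was taken from so the two can be kept in sync.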
|
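--- a/0503-Disable-stopping-idle-socket-activated-responders.patch
+++ b/0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -0,0 +1,39 @@
+From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@fedoraproject.org>
+Date: Fri, 3 Nov 2017 16:18:14 +0100
+Subject: [PATCH] Disable stopping idle socket activated responders
+
+---
+src/confdb/confdb.h | 2 +-
+src/man/sssd.conf.5.xml | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -85,7 +85,7 @@
+/* Responders */
+#define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
+#define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
+-#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
++#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
+#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
+#define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
+#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -706,7 +706,7 @@
+or dbus activated.
+</para>
+<para>
+- Default: 300
++ Default: 0
+</para>
+</listitem>
+</varlistentry>
+--
+2.14.3
+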
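Review bot: The two hunks do not describe the same option: the confdb.h hunk lowers `CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT` (client_idle_timeout, previously 60) to 0, while the man-page hunk edits the entry whose default was 300 — which matches the untouched `#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300` (responder_idle_timeout), the option that governs stopping idle socket-activated responders as the subject says. Either the code hunk should change `#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 0` and leave the client timeout alone, or the man page now documents the wrong default; as committed, idle client connections get a 0 timeout whose meaning (never disconnect, or disconnect at once) is not visible here, and responders still stop after 300 seconds. The patch body is empty; one sentence on why the downstream default differs from upstream would help whoever rebases this.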
|
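--- a/0504-KCM-temporary-increase-hardcoded-buffers.patch
+++ b/0504-KCM-temporary-increase-hardcoded-buffers.patch
@@ -0,0 +1,41 @@
+From 3f2845f98ad28e57cf6a2a3ce33ff01d417c4a45 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@fedoraproject.org>
+Date: Tue, 21 Nov 2017 17:48:16 +0100
+Subject: [PATCH] KCM: temporary increase hardcoded buffers
+
+Temporary workaround:
+https://pagure.io/SSSD/sssd/issue/3386
+---
+src/responder/kcm/kcmsrv_ops.c | 2 +-
+src/util/tev_curl.c | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
+index 7a78e9d6b36b4aa3d31ad467216244f733f4a57b..5af567c0d19d347e28cdeada22d15807fb8bc0d5 100644
+--- a/src/responder/kcm/kcmsrv_ops.c
++++ b/src/responder/kcm/kcmsrv_ops.c
+@@ -31,7 +31,7 @@
+#include "responder/kcm/kcmsrv_ops.h"
+#include "responder/kcm/kcmsrv_ccache.h"
+
+-#define KCM_REPLY_MAX 16384
++#define KCM_REPLY_MAX 131072
+
+struct kcm_op_ctx {
+struct kcm_resp_ctx *kcm_data;
+diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
+index 4c2f1ec9ff0127ccfd72010460ed75dad43e9ce3..a51003f4118d4dc0dcb697469b861d277cd1b917 100644
+--- a/src/util/tev_curl.c
++++ b/src/util/tev_curl.c
+@@ -35,7 +35,7 @@
+#include "util/tev_curl.h"
+
+#define TCURL_IOBUF_CHUNK 1024
+-#define TCURL_IOBUF_MAX 16384
++#define TCURL_IOBUF_MAX 131072
+
+static bool global_is_curl_initialized;
+
+--
+2.15.0
+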
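Review bot: Both constants are raised eightfold with no in-code trace of why 131072, and KCM_REPLY_MAX caps a reply to a request from an unprivileged local client of the KCM responder; if it also sizes a per-request buffer (not visible in these hunks) each in-flight request can now pin 128 KiB, so the limit deserves a stated bound and the workaround should be marked where it lives, not only in the commit message: `#define KCM_REPLY_MAX 131072 /* temporarily raised from 16384, see https://pagure.io/SSSD/sssd/issue/3386 */`, with the same note on TCURL_IOBUF_MAX. The description should also say which operation overflowed 16 KiB (a ccache holding many tickets, presumably) so the proper fix — sizing replies dynamically — has a concrete case to test against.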
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55
|
||||
SHA512 (sssd-1.16.0.tar.gz) = 4c11fe9c6d6a7de1294a18227e6776d3432150963f511143279507666f949ad5fe2a6a17f8deb79888a0243ed6a1e9c794527b80f4931f08ab1e757e0db83448
|
||||
|