Hello community,

here is the log from the commit of package sssd.14918 for openSUSE:Leap:15.1:Update checked in at 2020-11-09 18:24:55

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.1:Update/sssd.14918 (Old)
 and      /work/SRC/openSUSE:Leap:15.1:Update/.sssd.14918.new.11331 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sssd.14918"

Mon Nov  9 18:24:55 2020 rev:1 rq:846498 version:1.16.1

Changes:
--------
New Changes file:

--- /dev/null	2020-10-22 01:51:33.322291705 +0200
+++ /work/SRC/openSUSE:Leap:15.1:Update/.sssd.14918.new.11331/sssd.changes	2020-11-09 18:24:57.345289979 +0100
@@ -0,0 +1,1430 @@ +------------------------------------------------------------------- +Tue Sep 22 08:52:43 UTC 2020 - Samuel Cabrero <[email protected]> + +- Update samba secrets after changing machine password; (jsc#ECO-2613); + Add 0028-ad-Add-support-for-passing-add-samba-data-to-adcli.patch + +------------------------------------------------------------------- +Fri Mar 27 16:50:25 UTC 2020 - Samuel Cabrero <[email protected]> + +- Fix dynamic DNS updates not using FQDN (bsc#1160587); Add + 0027-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch + +------------------------------------------------------------------- +Thu Jan 9 13:16:11 UTC 2020 - Samuel Cabrero <[email protected]> + +- Install infopipe dbus service (bsc#1106598) + +------------------------------------------------------------------- +Wed Nov 6 11:41:23 UTC 2019 - Samuel Cabrero <[email protected]> + +- Update winbind idmap plugin to support interface version 6 + (bsc#1156856) +- Added patches: + * 0019-winbind-idmap-plugin-support-inferface-version-6.patch + * 0020-winbind-idmap-plugin-fix-detection.patch + * 0021-nss-imap-add-sss_nss_getsidbyuid-and-sss_nss_getsidb.patch + * 0022-cifs-idmap-plugin-use-new-sss_nss_idmap-calls.patch + * 0023-winbind-idmap-plugin-use-new-sss_nss_idmap-calls.patch + * 0024-libwbclient-sssd-use-new-sss_nss_idmap-calls.patch + * 0025-pysss_nss_idmap-add-python-bindings-for-new-sss_nss_.patch + * 0026-winbind-idmap-plugin-update-struct-idmap_domain-to-l.patch + +------------------------------------------------------------------- +Tue Oct 22 11:49:32 UTC 2019 - Samuel Cabrero <[email protected]> + +- Delete linked local user overrides when deleting a user + (bsc#1133168) +- Added patches: + * 0018-SYSDB-Delete-linked-local-user-overrides-when-deleti.patch + +------------------------------------------------------------------- +Tue Oct 22 11:48:26 UTC 2019 - Samuel Cabrero <[email protected]> + +- Fix domain offline after first boot when resolv.conf is a symlink 
+ (bsc#1136139) +- Added patches: + * 0015-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch + * 0016-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch + * 0017-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch + +------------------------------------------------------------------- +Tue Oct 22 11:44:57 UTC 2019 - Samuel Cabrero <[email protected]> + +- Fix login not possible when email address is duplicated in ldap + attributes (bsc#1149597) +- Added patches: + * 0013-Revert-LDAP-IPA-add-local-email-address-to-aliases.patch + * 0014-util-Remove-the-unused-function-is_email_from_domain.patch + +------------------------------------------------------------------- +Thu Jul 4 15:26:36 UTC 2019 - Samuel Cabrero <[email protected]> + +- Fix memory leak in nss netgroup enumeration (bsc#1139247); +- Added patches: + * 0012-nss-use-enumeration-context-as-talloc-parent-for-cac.patch + +------------------------------------------------------------------- +Thu May 23 09:13:37 UTC 2019 - Samuel Cabrero <[email protected]> + +- Allow defaults sudoRole without sudoUser attribute (bsc#1135247) +- Added an option to skip GPOs that have groupPolicyContainers, + unreadable by SSSD (bsc#1124194) (CVE-2018-16838) +- Added patches: + * 0010-SUDO-Allow-defaults-sudoRole-without-sudoUser-attrib.patch + * 0011-GPO-Add-option-ad_gpo_ignore_unreadable.patch + +------------------------------------------------------------------- +Wed May 8 12:18:30 UTC 2019 - Samuel Cabrero <[email protected]> + +- Create directory to download and cache GPOs (bsc#1132879) +- Add a netgroup counter to struct nss_enum_index (bsc#1132657) +- Added patches: + * 0007-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch + * 0008-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch + * 0009-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch + +------------------------------------------------------------------- +Wed Mar 20 11:14:33 UTC 2019 - Samuel Cabrero <[email protected]> + +- 
Rotate child debug file descriptors on SIGHUP (bsc#1080156) +- Added patches: + * 0006-Rotate-child-log-files.patch + +------------------------------------------------------------------- +Wed Feb 20 17:07:29 UTC 2019 - Samuel Cabrero <[email protected]> + +- Fix fallback_homedir returning '/' for empty home directories + (CVE-2019-3811) (bsc#1121759) +- Install logrotate configuration (bsc#1004220) +- Strip whitespaces in netgroup triples (bsc#1087320) +- Align systemd service file with upstream + * Run interactive and change service type to notify (bsc#1120852) + * Replace deprecated '-f' and use '--logger' +- Fix sssd not starting in foreground mode (bsc#1125277) +- Added patches: + * 0003-MONITOR-Do-not-use-two-configuration-databases.patch + * 0004-Strip-whitespaces-in-netgroup-triple.patch + * 0005-nss-sssd-returns-for-emtpy-home-directories.patch + +------------------------------------------------------------------- +Wed Sep 26 09:49:15 UTC 2018 - [email protected] + +- Added dependency to adcli for sssd-ad (fate#326619, bsc#1109849) + +------------------------------------------------------------------- +Wed Jun 20 10:44:30 UTC 2018 - [email protected] + +- Introduce patches: + * Create sockets with right permissions: + 0001-SUDO-Create-the-socket-with-stricter-permissions.patch + (bsc#1098377, CVE-2018-10852) + * Fix for sssd upstream integration tests + 0002-intg-Do-not-hardcode-nsslibdir.patch + (bsc#1098163) + +------------------------------------------------------------------- +Fri Apr 27 14:43:58 UTC 2018 - [email protected] + +- Update to new minor upstream release 1.16.1 (fate#323340): + +New Features: + * A new option auto_private_groups was added. If this option is + enabled, SSSD will automatically create user private groups based + on user’s UID number. The GID number is ignored in this case. 
+ * The SSSD smart card integration now supports a special type of PAM + conversation implemented by GDM which allows the user to select + the appropriate smrt card certificate in GDM. + * A new API for accessing user and group information was added. + This API is similar to the tradiional Name Service Switch API, but + allows the consumer to talk to SSSD directly as well as to + fine-tune the query with e.g. how cache should be evaluated. + * The sssctl command line tool gained a new command access-report, + which can generate who can access the client machine. Currently + only generating the report on an IPA client based on HBAC rules + is supported. + * The hostid provider was moved from the IPA specific code to + the generic LDAP code. This allows SSH host keys to be access by + the generic LDAP provider as well. See the ldap_host_* options in + the sssd-ldap manual page for more details. + * Setting the memcache_timeout option to 0 disabled creating + the memory cache files altogether. This can be useful in cases + there is a bug in the memory cache that needs working around. + +------------------------------------------------------------------- +Tue Apr 24 13:09:35 UTC 2018 - [email protected] + +- Updated sssd.spec: + The IPA provider depends on AD provider's PAC executable, hence + introducing the package dependency. (bsc#1021441, bsc#1062124) + +------------------------------------------------------------------- +Tue Feb 27 09:24:46 UTC 2018 - [email protected] + +- Remove package descriptions for the python 2 packages that are + no longer distributed: + * python-ipa_hbac + * python-sss-murmur + * python-sss_nss_idmap + * python-sssd-config +- Correct python version dependency of tools package. (bsc#1082108) + +------------------------------------------------------------------- +Mon Dec 4 10:03:59 UTC 2017 - [email protected] + +- Correct dependency of sss_obfuscate command line program. 
+ +------------------------------------------------------------------- +Fri Dec 1 14:35:08 UTC 2017 - [email protected] + +- In an ongoing effort to reduce dependency on python version 2, + the following python libraries are no longer built. Nevertheless + their python3 counterparts remain in place: + * python-ipa_hbac + * python-sss-murmur + * python-sss_nss_idmap + * python-sssd-config + +------------------------------------------------------------------- +Mon Oct 23 16:31:54 UTC 2017 - [email protected] + +- Update to new upstream release 1.16.0 + +Security fixes + * This release fixes CVE-2017-12173: Unsanitized input when searching in + local cache database. SSSD stores its cached data in an LDAP like local + database file using libldb. To lookup cached data LDAP search filters + like (objectClass=user)(name=user_name) are used. However, in ++++ 1233 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.1:Update/.sssd.14918.new.11331/sssd.changes New: ---- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch 0002-intg-Do-not-hardcode-nsslibdir.patch 0003-MONITOR-Do-not-use-two-configuration-databases.patch 0004-Strip-whitespaces-in-netgroup-triple.patch 0005-nss-sssd-returns-for-emtpy-home-directories.patch 0006-Rotate-child-log-files.patch 0007-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch 0008-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch 0009-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch 0010-SUDO-Allow-defaults-sudoRole-without-sudoUser-attrib.patch 0011-GPO-Add-option-ad_gpo_ignore_unreadable.patch 0012-nss-use-enumeration-context-as-talloc-parent-for-cac.patch 0013-Revert-LDAP-IPA-add-local-email-address-to-aliases.patch 0014-util-Remove-the-unused-function-is_email_from_domain.patch 0015-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch 0016-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch 0017-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch 
0018-SYSDB-Delete-linked-local-user-overrides-when-deleti.patch 0019-winbind-idmap-plugin-support-inferface-version-6.patch 0020-winbind-idmap-plugin-fix-detection.patch 0021-nss-imap-add-sss_nss_getsidbyuid-and-sss_nss_getsidb.patch 0022-cifs-idmap-plugin-use-new-sss_nss_idmap-calls.patch 0023-winbind-idmap-plugin-use-new-sss_nss_idmap-calls.patch 0024-libwbclient-sssd-use-new-sss_nss_idmap-calls.patch 0025-pysss_nss_idmap-add-python-bindings-for-new-sss_nss_.patch 0026-winbind-idmap-plugin-update-struct-idmap_domain-to-l.patch 0027-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch 0028-ad-Add-support-for-passing-add-samba-data-to-adcli.patch baselibs.conf sssd-1.16.1.tar.gz sssd-1.16.1.tar.gz.asc sssd.changes sssd.keyring sssd.service sssd.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sssd.spec ++++++ ++++ 787 lines (skipped) ++++++ 0001-SUDO-Create-the-socket-with-stricter-permissions.patch ++++++ >From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Fri, 15 Jun 2018 22:29:34 +0200 Subject: [PATCH] SUDO: Create the socket with stricter permissions This patch switches the sudo responder from being created as a public responder where the permissions are open and not checked by the sssd daemon to a private socket. In this case, sssd creates the pipes with strict permissions (see the umask in the call to create_pipe_fd() in set_unix_socket()) and additionally checks the permissions with every read via the tevent integrations (see accept_fd_handler()). --- src/responder/sudo/sudosrv.c | 3 ++- src/sysv/systemd/sssd-sudo.socket.in | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644 --- a/src/responder/sudo/sudosrv.c +++ b/src/responder/sudo/sudosrv.c 
@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, sudo_cmds = get_sudo_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, sudo_cmds, - SSS_SUDO_SOCKET_NAME, -1, NULL, -1, + NULL, -1, /* No public socket */ + SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */ CONFDB_SUDO_CONF_ENTRY, SSS_SUDO_SBUS_SERVICE_NAME, SSS_SUDO_SBUS_SERVICE_VERSION, diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644 --- a/src/sysv/systemd/sssd-sudo.socket.in +++ b/src/sysv/systemd/sssd-sudo.socket.in @@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo ListenStream=@pipepath@/sudo SocketUser=@SSSD_USER@ SocketGroup=@SSSD_USER@ +SocketMode=0600 [Install] WantedBy=sssd.service -- 2.14.3 ++++++ 0002-intg-Do-not-hardcode-nsslibdir.patch ++++++ >From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <[email protected]> Date: Tue, 12 Jun 2018 19:07:52 +0200 Subject: [PATCH] intg: Do not hardcode nsslibdir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This change is needed in order to have make intgcheck-run properly running on opensuse systems. Signed-off-by: Fabiano Fidêncio <[email protected]> Reviewed-by: Chris Kowalczyk <[email protected]> Reviewed-by: Michal Židek <[email protected]> --- src/tests/intg/Makefile.am | 1 + src/tests/intg/config.py.m4 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am index 9c5338261..4bd427669 100644 --- a/src/tests/intg/Makefile.am +++ b/src/tests/intg/Makefile.am 
@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile config.py: config.py.m4 m4 -D "prefix=\`$(prefix)'" \ -D "sysconfdir=\`$(sysconfdir)'" \ + -D "nsslibdir=\`$(nsslibdir)'" \ -D "dbpath=\`$(dbpath)'" \ -D "pidpath=\`$(pidpath)'" \ -D "logpath=\`$(logpath)'" \ diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4 index 6e011b692..04f78d869 100644 --- a/src/tests/intg/config.py.m4 +++ b/src/tests/intg/config.py.m4 @@ -4,7 +4,7 @@ Build configuration variables. PREFIX = "prefix" SYSCONFDIR = "sysconfdir" -NSS_MODULE_DIR = PREFIX + "/lib" +NSS_MODULE_DIR = "nsslibdir" SSSDCONFDIR = SYSCONFDIR + "/sssd" CONF_PATH = SSSDCONFDIR + "/sssd.conf" DB_PATH = "dbpath" ++++++ 0003-MONITOR-Do-not-use-two-configuration-databases.patch ++++++ >From 548a46c1166c17ec856c9604675eee369c5349e9 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <[email protected]> Date: Wed, 30 May 2018 22:17:16 +0200 Subject: [PATCH 3/3] MONITOR: Do not use two configuration databases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit confdb was initialized twice in monitor. The 1st time in load_configuration and the 2nd time in server_setup. libldb-1.4.0 contains stricter checking of PID which created db. ldb_tdb: Prevent ldb_tdb reuse after a fork() We may relax this restriction in the future, but for now do not assume that the caller has done a tdb_reopen_all() at the right time. 
Signed-off-by: Andrew Bartlett <[email protected]> It did not cause any problem when sssd was started in interactive mode (used by systemd) But it causes failures in daemon mode which is used in cwrap integration [sssd] [ldb] (0x4000): Destroying timer event 0x5555557b1d30 "ltdb_timeout" [sssd] [ldb] (0x4000): Ending timer event 0x5555557cbdd0 "ltdb_callback" [sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb [sssd] [ldb] (0x0010): Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 28889 in process 28893 / Protocol error [sssd] [confdb_get_param] (0x0020): Failed to get [krb5_rcache_dir] from [config/sssd], error [5] (Input/output error) [sssd] [confdb_get_string] (0x0020): Failed to get [krb5_rcache_dir] from [config/sssd], error [5] (Input/output error) Reviewed-by: Fabiano Fidêncio <[email protected]> (cherry picked from commit a887e33fbd02bc9ef987fc1bd2a487a04aff9980) --- src/monitor/monitor.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index a08087038..ca5c79924 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -2663,6 +2663,20 @@ int main(int argc, const char *argv[]) monitor->conf_path, &main_ctx); if (ret != EOK) return 2; + /* Use confd initialized in server_setup. ldb_tdb module (1.4.0) check PID + * of process which initialized db for locking purposes. + * Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: + * Reusing ldb opened by pid 28889 in process 28893 + */ + talloc_zfree(monitor->cdb); + monitor->cdb = main_ctx->confdb_ctx; + + ret = confdb_get_domains(monitor->cdb, &monitor->domains); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n"); + return 4; + } + monitor->is_daemon = !opt_interactive; monitor->parent_pid = main_ctx->parent_pid; monitor->ev = main_ctx->event_ctx; -- 2.20.1 ++++++ 0004-Strip-whitespaces-in-netgroup-triple.patch ++++++ 
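Review bot: (0001-SUDO-Create-the-socket-with-stricter-permissions.patch) In the sudosrv.c hunk the sudo socket moves from the public-socket argument pair of sss_process_init() to the private-socket pair, so every connection is now subject to the per-read peer check the commit message attributes to accept_fd_handler(); the message should state which client uids that check admits, because any client that previously relied on the open public socket is refused from now on. In the sssd-sudo.socket.in hunk, `SocketMode=0600` together with `SocketUser=@SSSD_USER@` and `SocketGroup=@SSSD_USER@` makes the socket-activated path match that policy; please confirm that the umask used by create_pipe_fd() in set_unix_socket() yields the same 0600 on the non-activated path, so the two start-up modes do not differ in who may connect.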
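Review bot: (0002-intg-Do-not-hardcode-nsslibdir.patch) The Makefile.am hunk passes `-D "nsslibdir=\`$(nsslibdir)'"` to m4, but nothing in this diff defines the `nsslibdir` make variable; if configure does not export it, m4 substitutes an empty string and the config.py.m4 hunk leaves `NSS_MODULE_DIR = ""`, which is harder to diagnose than the old `PREFIX + "/lib"`. Either name in the commit message where nsslibdir is defined or make the substitution fail when the variable is empty.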
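Review bot: (0003-MONITOR-Do-not-use-two-configuration-databases.patch) After `talloc_zfree(monitor->cdb);` followed by `monitor->cdb = main_ctx->confdb_ctx;` the monitor holds a pointer into memory owned by main_ctx rather than by monitor, so correctness now depends on main_ctx outliving every use of monitor->cdb; a comment saying so, or a talloc_reference()/talloc_steal(), would make the ownership explicit. The re-read of the domain list via confdb_get_domains() also needs a word about the previous monitor->domains filled in by load_configuration: if it was allocated under the old cdb it has just been freed and any pointer still held into it dangles; if it was allocated under monitor it is now leaked. Minor: the new comment reads "confd" and "check PID" where "confdb" and "checks the PID" were meant.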
>From 084489ce001eb84a3bb53131f09771d637a03da4 Mon Sep 17 00:00:00 2001 From: Josef Cejka <[email protected]> Date: Mon, 7 May 2018 16:11:25 +0200 Subject: [PATCH] Strip whitespaces in netgroup triple. Strip leading and trailing whitespaces from netgroup three-tuple strings to be compatible with nss_ldap. Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit dbb1abae6eaa9df24f61e3a9f855e2461a66a197) --- src/db/sysdb_search.c | 116 +++++++++++++++++++----------------------- 1 file changed, 53 insertions(+), 63 deletions(-) diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index dc0bd4f2c..4cc755496 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -1684,10 +1684,54 @@ done: return ret; } + +/* Get string until the first delimiter and strip out + * leading and trailing whitespaces. + */ +static errno_t sysdb_netgr_split_triple_string(TALLOC_CTX *mem_ctx, + const char **in, + const char delimiter, + char **out) +{ + size_t len; + const char *p = *in; + const char *begin; + + /* Remove any leading whitespace */ + while (*p && isspace(*p)) p++; + begin = p; + + /* Find the delimiter */ + while (*p && *p != delimiter) p++; + + if (!*p) { + /* No delimiter was found: parse error */ + return EINVAL; + } + + len = p - begin; + /* Remove trailing spaces */ + while (len > 0 && isspace(begin[len - 1])) len--; + + *out = NULL; + if (len > 0) { + /* Copy the output string */ + *out = talloc_strndup(mem_ctx, begin, len); + if (!*out) { + return ENOMEM; + } + } + p++; + + *in = p; + return EOK; +} + + + /* This function splits a three-tuple into three strings - * It assumes that any whitespace between the parentheses - * and commas are intentional and does not attempt to - * strip them out. Leading and trailing whitespace is + * It strips out any whitespace between the parentheses + * and commas. Leading and trailing whitespace is * ignored. * * This behavior is compatible with nss_ldap's 
@@ -1702,10 +1746,6 @@ static errno_t sysdb_netgr_split_triple(TALLOC_CTX *mem_ctx, errno_t ret; TALLOC_CTX *tmp_ctx; const char *p = triple; - const char *p_host; - const char *p_user; - const char *p_domain; - size_t len; char *host = NULL; char *user = NULL; @@ -1732,72 +1772,22 @@ static errno_t sysdb_netgr_split_triple(TALLOC_CTX *mem_ctx, goto done; } p++; - p_host = p; - /* Find the first comma */ - while (*p && *p != ',') p++; - - if (!*p) { - /* No comma was found: parse error */ - ret = EINVAL; + ret = sysdb_netgr_split_triple_string(tmp_ctx, &p, ',', &host); + if (ret != EOK) { goto done; } - len = p - p_host; - - if (len > 0) { - /* Copy the host string */ - host = talloc_strndup(tmp_ctx, p_host, len); - if (!host) { - ret = ENOMEM; - goto done; - } - } - p++; - p_user = p; - - /* Find the second comma */ - while (*p && *p != ',') p++; - - if (!*p) { - /* No comma was found: parse error */ - ret = EINVAL; + ret = sysdb_netgr_split_triple_string(tmp_ctx, &p, ',', &user); + if (ret != EOK) { goto done; } - len = p - p_user; - - if (len > 0) { - /* Copy the user string */ - user = talloc_strndup(tmp_ctx, p_user, len); - if (!user) { - ret = ENOMEM; - goto done; - } - } - p++; - p_domain = p; - - /* Find the closing parenthesis */ - while (*p && *p != ')') p++; - if (*p != ')') { - /* No trailing parenthesis: parse error */ - ret = EINVAL; + ret = sysdb_netgr_split_triple_string(tmp_ctx, &p, ')', &domain); + if (ret != EOK) { goto done; } - len = p - p_domain; - - if (len > 0) { - /* Copy the domain string */ - domain = talloc_strndup(tmp_ctx, p_domain, len); - if (!domain) { - ret = ENOMEM; - goto done; - } - } - p++; - /* skip trailing whitespace */ while (*p && isspace(*p)) p++; -- 2.20.1 ++++++ 0005-nss-sssd-returns-for-emtpy-home-directories.patch ++++++ >From 34ad98db1883958e20b096eca0f3d2f65f55bd26 Mon Sep 17 00:00:00 2001 
From: Tomas Halman <[email protected]> Date: Mon, 3 Dec 2018 14:11:31 +0100 Subject: [PATCH 5/5] nss: sssd returns '/' for emtpy home directories For empty home directory in passwd file sssd returns "/". Sssd should respect system behaviour and return the same as nsswitch "files" module - return empty string. Resolves: https://pagure.io/SSSD/sssd/issue/3901 Reviewed-by: Simo Sorce <[email protected]> Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit 90f32399b4100ce39cf665649fde82d215e5eb49) (cherry picked from commit 28792523a01a7d21bcc8931794164f253e691a68) --- src/confdb/confdb.c | 9 +++++++++ src/man/include/ad_modified_defaults.xml | 19 +++++++++++++++++++ src/responder/nss/nss_protocol_pwent.c | 2 +- src/tests/intg/test_files_provider.py | 2 +- 4 files changed, 30 insertions(+), 2 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 5b4cbec8e..c3990d4ca 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1299,6 +1299,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, ret = ENOMEM; goto done; } + } else { + if (strcasecmp(domain->provider, "ad") == 0) { + /* ad provider default */ + domain->fallback_homedir = talloc_strdup(domain, "/home/%d/%u"); + if (!domain->fallback_homedir) { + ret = ENOMEM; + goto done; + } + } } tmp = ldb_msg_find_attr_as_string(res->msgs[0], diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml index c41b454f8..416463230 100644 --- a/src/man/include/ad_modified_defaults.xml +++ b/src/man/include/ad_modified_defaults.xml 
@@ -60,4 +60,23 @@ </listitem> </itemizedlist> </refsect2> + <refsect2 id='nss_modifications'> + <title>NSS configuration</title> + <itemizedlist> + <listitem> + <para> + fallback_homedir = /home/%d/%u + </para> + <para> + The AD provider automatically sets + "fallback_homedir = /home/%d/%u" to provide personal + home directories for users without the homeDirectory + attribute. If your AD Domain is properly + populated with Posix attributes, and you want to avoid + this fallback behavior, you can explicitly + set "fallback_homedir = %o". + </para> + </listitem> + </itemizedlist> + </refsect2> </refsect1> diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c index f449ec69b..dbf3904b8 100644 --- a/src/responder/nss/nss_protocol_pwent.c +++ b/src/responder/nss/nss_protocol_pwent.c @@ -113,7 +113,7 @@ nss_get_homedir(TALLOC_CTX *mem_ctx, homedir = nss_get_homedir_override(mem_ctx, msg, nss_ctx, domain, &hd_ctx); if (homedir == NULL) { - return "/"; + return ""; } return homedir; diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py index 41bfd8844..fe279a926 100644 --- a/src/tests/intg/test_files_provider.py +++ b/src/tests/intg/test_files_provider.py @@ -560,7 +560,7 @@ def test_user_no_dir(setup_pw_with_canary, files_domain_only): Test that resolving a user without a homedir defined works and returns a fallback value """ - check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/')) + check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '')) def test_user_no_gecos(setup_pw_with_canary, files_domain_only): -- 2.20.1 ++++++ 0006-Rotate-child-log-files.patch ++++++ >From 57406881fe6efd0369d07429ce48afe254a94bf7 Mon Sep 17 00:00:00 2001 
From: Josef Cejka <[email protected]> Date: Mon, 24 Dec 2018 10:32:14 +0100 Subject: [PATCH] Rotate child log files Registers child debug file descriptors of all loaded modules and rotate them on SIGHUP. --- src/providers/ad/ad_gpo.c | 11 ++++---- src/providers/ipa/ipa_selinux.c | 9 ++++--- src/providers/krb5/krb5_child_handler.c | 2 +- src/providers/krb5/krb5_common.h | 3 ++- src/providers/krb5/krb5_init_shared.c | 6 ++--- src/providers/ldap/ldap_common.c | 5 +++- src/providers/ldap/ldap_common.h | 2 +- src/providers/ldap/sdap_child_helpers.c | 4 +-- src/responder/pam/pamsrv.c | 1 - src/responder/pam/pamsrv.h | 3 ++- src/responder/pam/pamsrv_cmd.c | 2 +- src/responder/pam/pamsrv_p11.c | 4 ++- src/util/child_common.c | 22 +++++++++++----- src/util/child_common.h | 12 ++++++++- src/util/debug.c | 17 ++++++++---- src/util/server.c | 35 +++++++++++++++++++++++++ src/util/util.h | 1 + 17 files changed, 105 insertions(+), 34 deletions(-) diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index d9ea31141..877ea994b 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -104,7 +104,10 @@ #endif /* fd used by the gpo_child process for logging */ -int gpo_child_debug_fd = -1; +struct child_debug gpo_child_debug = { + .fd = -1, + .filename = "gpo_child" +}; /* == common data structures and declarations ============================= */ @@ -1419,11 +1422,9 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, return ret; } -#define GPO_CHILD_LOG_FILE "gpo_child" - static errno_t gpo_child_init(void) { - return child_debug_init(GPO_CHILD_LOG_FILE, &gpo_child_debug_fd); + return child_debug_init(&gpo_child_debug); } /* @@ -4287,7 +4288,7 @@ gpo_fork_child(struct tevent_req *req) if (pid == 0) { /* child */ exec_child_ex(state, pipefd_to_child, pipefd_from_child, - GPO_CHILD, gpo_child_debug_fd, NULL, false, + GPO_CHILD, gpo_child_debug.fd, NULL, false, STDIN_FILENO, AD_GPO_CHILD_OUT_FILENO); /* We should never get here */ 
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index 630f68ad5..4f3f54f1a 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -52,7 +52,10 @@ #include <selinux/selinux.h> /* fd used by the selinux_child process for logging */ -int selinux_child_debug_fd = -1; +struct child_debug selinux_child_debug = { + .fd = -1, + .filename = SELINUX_CHILD_LOG_FILE +}; static struct tevent_req * ipa_get_selinux_send(TALLOC_CTX *mem_ctx, @@ -640,7 +643,7 @@ immediately: static errno_t selinux_child_init(void) { - return child_debug_init(SELINUX_CHILD_LOG_FILE, &selinux_child_debug_fd); + return child_debug_init(&selinux_child_debug); } static errno_t selinux_child_create_buffer(struct selinux_child_state *state) @@ -712,7 +715,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state) if (pid == 0) { /* child */ exec_child(state, pipefd_to_child, pipefd_from_child, - SELINUX_CHILD, selinux_child_debug_fd); + SELINUX_CHILD, selinux_child_debug.fd); DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n", ret, sss_strerror(ret)); return ret; diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index 352ff980d..3f5437656 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -461,7 +461,7 @@ static errno_t fork_child(struct tevent_req *req) if (pid == 0) { /* child */ exec_child_ex(state, pipefd_to_child, pipefd_from_child, - KRB5_CHILD, state->kr->krb5_ctx->child_debug_fd, + KRB5_CHILD, state->kr->krb5_ctx->child_debug.fd, krb5_child_extra_args, false, STDIN_FILENO, STDOUT_FILENO); diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index 48368a528..3e7b62422 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h 
@@ -31,6 +31,7 @@ #include "providers/backend.h" #include "util/util.h" +#include "util/child_common.h" #include "util/sss_krb5.h" #define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s" @@ -117,7 +118,7 @@ struct krb5_ctx { struct dp_option *opts; struct krb5_service *service; struct krb5_service *kpasswd_service; - int child_debug_fd; + struct child_debug child_debug; pcre *illegal_path_re; diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c index 3901b7272..92f722deb 100644 --- a/src/providers/krb5/krb5_init_shared.c +++ b/src/providers/krb5/krb5_init_shared.c @@ -83,9 +83,9 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx, goto done; } - krb5_auth_ctx->child_debug_fd = -1; /* -1 means not initialized */ - ret = child_debug_init(KRB5_CHILD_LOG_FILE, - &krb5_auth_ctx->child_debug_fd); + krb5_auth_ctx->child_debug.fd = -1; /* -1 means not initialized */ + krb5_auth_ctx->child_debug.filename = KRB5_CHILD_LOG_FILE; + ret = child_debug_init(&krb5_auth_ctx->child_debug); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Could not set krb5_child debugging!\n"); goto done; diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 91e229243..70c5429e8 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -38,7 +38,10 @@ #include "providers/ldap/sdap_idmap.h" /* a fd the child process would log into */ -int ldap_child_debug_fd = -1; +struct child_debug ldap_child_debug = { + .fd = -1, + .filename = LDAP_CHILD_LOG_FILE +}; int ldap_id_setup_tasks(struct sdap_id_ctx *ctx) { diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h index 44dbc3fb0..288d72673 100644 --- a/src/providers/ldap/ldap_common.h +++ b/src/providers/ldap/ldap_common.h @@ -43,7 +43,7 @@ #define LDAP_ALLOWED_WILDCARDS "*" /* a fd the child process would log into */ -extern int ldap_child_debug_fd; +extern struct child_debug ldap_child_debug; struct sdap_id_ctx; 
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c index a03d28c9c..69a9c9e0b 100644 --- a/src/providers/ldap/sdap_child_helpers.c +++ b/src/providers/ldap/sdap_child_helpers.c @@ -111,7 +111,7 @@ static errno_t sdap_fork_child(struct tevent_context *ev, if (pid == 0) { /* child */ exec_child(child, pipefd_to_child, pipefd_from_child, - LDAP_CHILD, ldap_child_debug_fd); + LDAP_CHILD, ldap_child_debug.fd); /* We should never get here */ DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec LDAP child\n"); @@ -518,5 +518,5 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req, /* Setup child logging */ int sdap_setup_child(void) { - return child_debug_init(LDAP_CHILD_LOG_FILE, &ldap_child_debug_fd); + return child_debug_init(&ldap_child_debug); } diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 5791686b9..86d04e400 100644 --- a/src/responder/pam/pamsrv.c +++ b/src/responder/pam/pamsrv.c @@ -321,7 +321,6 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, goto done; } - pctx->p11_child_debug_fd = -1; if (pctx->cert_auth) { ret = p11_child_init(pctx); if (ret != EOK) { diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index dfd982178..f53082f83 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -24,6 +24,7 @@ #include <security/pam_appl.h> #include "util/util.h" +#include "util/child_common.h" #include "sbus/sssd_dbus.h" #include "responder/common/responder.h" #include "responder/common/cache_req/cache_req.h" @@ -48,7 +49,7 @@ struct pam_ctx { char **app_services; bool cert_auth; - int p11_child_debug_fd; + struct child_debug p11_child_debug; char *nss_db; struct sss_certmap_ctx *sss_certmap_ctx; }; diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 8610b6b80..e1ff8e8c7 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c 
@@ -1334,7 +1334,7 @@ static errno_t check_cert(TALLOC_CTX *mctx, return ret; } - req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd, + req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug.fd, pctx->nss_db, p11_child_timeout, cert_verification_opts, pctx->sss_certmap_ctx, pd); diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c index 0c9822fe9..b6f4ba4ad 100644 --- a/src/responder/pam/pamsrv_p11.c +++ b/src/responder/pam/pamsrv_p11.c @@ -227,7 +227,9 @@ errno_t p11_child_init(struct pam_ctx *pctx) return ret; } - return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd); + pctx->p11_child_debug.filename = P11_CHILD_LOG_FILE; + pctx->p11_child_debug.fd = -1; + return child_debug_init(&pctx->p11_child_debug); } bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd) diff --git a/src/util/child_common.c b/src/util/child_common.c index 203c115f9..3420d6ad2 100644 --- a/src/util/child_common.c +++ b/src/util/child_common.c @@ -47,6 +47,8 @@ struct sss_child_ctx { struct sss_sigchild_ctx *sigchld_ctx; }; +struct child_debug *child_debug_list = NULL; + static void sss_child_handler(struct tevent_context *ev, struct tevent_signal *se, int signum, 
@@ -803,30 +805,36 @@ int child_io_destructor(void *ptr) return EOK; } -errno_t child_debug_init(const char *logfile, int *debug_fd) +errno_t child_debug_init(struct child_debug *cd) { int ret; - FILE *debug_filep; - if (debug_fd == NULL) { + if (cd == NULL) { return EOK; } - if (sss_logger == FILES_LOGGER && *debug_fd == -1) { - ret = open_debug_file_ex(logfile, &debug_filep, false); + if (sss_logger == FILES_LOGGER && cd->fd == -1) { + cd->filep = NULL; + cd->prev = NULL; + cd->next = NULL; + ret = open_debug_file_ex(cd->filename, &cd->filep, false); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) [%s]\n", ret, sss_strerror(ret)); return ret; } - *debug_fd = fileno(debug_filep); - if (*debug_fd == -1) { + cd->fd = fileno(cd->filep); + if (cd->fd == -1) { DEBUG(SSSDBG_FATAL_FAILURE, "fileno failed [%d][%s]\n", errno, strerror(errno)); ret = errno; + fclose(cd->filep); + cd->filep = NULL; return ret; } + + DLIST_ADD(child_debug_list, cd); } return EOK; diff --git a/src/util/child_common.h b/src/util/child_common.h index 37116e2a7..cddc7161b 100644 --- a/src/util/child_common.h +++ b/src/util/child_common.h @@ -53,6 +53,16 @@ struct child_io_fds { int write_to_child_fd; }; +struct child_debug { + const char *filename; + int fd; + FILE *filep; + struct child_debug *prev; + struct child_debug *next; +}; + +extern struct child_debug *child_debug_list; + /* COMMON SIGCHLD HANDLING */ typedef void (*sss_child_fn_t)(int pid, int wait_status, void *pvt); @@ -119,6 +129,6 @@ void exec_child(TALLOC_CTX *mem_ctx, int child_io_destructor(void *ptr); -errno_t child_debug_init(const char *logfile, int *debug_fd); +errno_t child_debug_init(struct child_debug *child_debug); #endif /* __CHILD_COMMON_H__ */ diff --git a/src/util/debug.c b/src/util/debug.c index 30801fce7..001445e5a 100644 --- a/src/util/debug.c +++ b/src/util/debug.c 
@@ -465,16 +465,18 @@ int open_debug_file(void) return open_debug_file_ex(NULL, NULL, true); } -int rotate_debug_files(void) +int rotate_debug_file(const char *filename, FILE **filep) { int ret; errno_t error; if (sss_logger != FILES_LOGGER) return EOK; + if (filep == NULL) return EOK; + do { error = 0; - ret = fclose(debug_file); + ret = fclose(*filep); if (ret != 0) { error = errno; } @@ -494,14 +496,19 @@ int rotate_debug_files(void) * leak and then proceed with opening the new file. */ sss_log(SSS_LOG_ALERT, "Could not close debug file [%s]. [%d][%s]\n", - debug_log_file, error, strerror(error)); + filename, error, strerror(error)); sss_log(SSS_LOG_ALERT, "Attempting to open new file anyway. " "Be aware that this is a resource leak\n"); } - debug_file = NULL; + *filep = NULL; + + return open_debug_file_ex(filename, filep, false); +} - return open_debug_file(); +int rotate_debug_files(void) +{ + return rotate_debug_file(debug_log_file, &debug_file); } void talloc_log_fn(const char *message) diff --git a/src/util/server.c b/src/util/server.c index 62e09314c..8bd07b810 100644 --- a/src/util/server.c +++ b/src/util/server.c @@ -31,6 +31,7 @@ #include <signal.h> #include <ldb.h> #include "util/util.h" +#include "util/child_common.h" #include "confdb/confdb.h" #include "monitor/monitor_interfaces.h" 
@@ -384,6 +385,33 @@ static void te_server_hup(struct tevent_context *ev, } } +static int rotate_child_debug_files(void) +{ + struct child_debug *cd; + int ret; + int final_ret = EOK; + + DLIST_FOR_EACH(cd, child_debug_list) { + ret = rotate_debug_file(cd->filename, &cd->filep); + if (ret == EOK) { + cd->fd = fileno(cd->filep); + if (cd->fd != -1) continue; + + DEBUG(SSSDBG_FATAL_FAILURE, + "fileno failed [%d][%s]\n", errno, strerror(errno)); + ret = errno; + fclose(cd->filep); + cd->filep = NULL; + } + /* save the first error and try to rotate remaining files */ + if (final_ret == EOK) { + final_ret = ret; + } + } + + return final_ret; +} + errno_t server_common_rotate_logs(struct confdb_ctx *confdb, const char *conf_path) { @@ -397,6 +425,13 @@ errno_t server_common_rotate_logs(struct confdb_ctx *confdb, return ret; } + ret = rotate_child_debug_files(); + if (ret) { + sss_log(SSS_LOG_ALERT, "Could not rotate child debug files! [%d][%s]\n", + ret, strerror(ret)); + return ret; + } + /* Get new debug level from the confdb */ ret = confdb_get_int(confdb, conf_path, CONFDB_SERVICE_DEBUG_LEVEL, diff --git a/src/util/util.h b/src/util/util.h index ef8ef7f57..78ab02dce 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -151,6 +151,7 @@ int chown_debug_file(const char *filename, uid_t uid, gid_t gid); int open_debug_file_ex(const char *filename, FILE **filep, bool want_cloexec); int open_debug_file(void); int rotate_debug_files(void); +int rotate_debug_file(const char *filename, FILE **filep); void talloc_log_fn(const char *msg); /* From sss_log.c */ -- 2.21.0 ++++++ 0007-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch ++++++ >From 08db22b1b1a2e742edbca92e35087294d963adda Mon Sep 17 00:00:00 2001 
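Review bot: in both the child_debug_init() hunk (child_common.c) and the new rotate_child_debug_files() (server.c), `ret = errno;` is assigned only after `DEBUG(..., errno, strerror(errno))` has run, and the DEBUG macro writes to the log file and can clobber errno, so the saved error may not be the fileno() error at all. Capture `ret = errno;` immediately after the `fileno()` call and pass `ret` to DEBUG/strerror instead.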
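Review bot: rotate_debug_file() in the debug.c hunk guards only against `filep == NULL`, not `*filep == NULL`, yet both of its callers can hand it a NULL stream: rotate_child_debug_files() sets `cd->filep = NULL` when fileno() fails, and rotate_debug_file() itself leaves `*filep = NULL` when the reopen fails, while the entry stays on child_debug_list. The next SIGHUP rotation then reaches `fclose(*filep)` with a NULL pointer, which is undefined behaviour. Add `if (*filep == NULL) return open_debug_file_ex(filename, filep, false);` at the top, or DLIST_REMOVE the entry from child_debug_list on failure. A related gap: after any rotation failure `cd->fd` still holds the descriptor of the stream that was just fclose()d, and exec_child() will pass that stale fd to the next child process.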
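Review bot: in the server_common_rotate_logs() hunk a failure from rotate_child_debug_files() returns before the new debug level is read from confdb, so a single unwritable child log file stops a SIGHUP from applying a debug_level change to the main log as well. Since rotate_child_debug_files() already continues past individual failures and only reports the first one, consider logging the error with sss_log() here and continuing instead of returning.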
From: Sumit Bose <[email protected]> Date: Thu, 15 Mar 2018 12:50:20 +0100 Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index Netgroups are not looked up with the help of a single request but by calling setnetgrent(), getnetgrent() and endnetgrent() where getnetgrent() might be called multiple times depending on the number of netgroup elements. Since the caller does not provide a state the state has to be maintained by the SSSD nss responder. Besides the netgroup name this is mainly the number of elements already returned. This number is used to select the next element to return and currently it is assumed that there are not changes to the netgroup while the client is requesting the individual elements. But if e.g. the 3 nss calls are not used correctly or the netgroup is modified while the client is sending getnetgrent() calls the stored number might be out of range. To be on the safe side the stored number should be always compared with the current number of netgroup elements. Related to https://pagure.io/SSSD/sssd/issue/3679 Reviewed-by: Jakub Hrozek <[email protected]> --- src/db/sysdb.h | 3 ++- src/db/sysdb_search.c | 5 ++++- src/responder/nss/nss_enum.c | 3 ++- src/responder/nss/nss_private.h | 1 + src/responder/nss/nss_protocol_netgr.c | 7 +++++++ 5 files changed, 16 insertions(+), 3 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index fd18ecefe..2660314a7 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx, errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx, struct ldb_result *res, - struct sysdb_netgroup_ctx ***entries); + struct sysdb_netgroup_ctx ***entries, + size_t *netgroup_count); errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input, char **sanitized); diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index dc0bd4f2c..b7ceb6e59 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c 
@@ -1831,7 +1831,8 @@ done: errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx, struct ldb_result *res, - struct sysdb_netgroup_ctx ***entries) + struct sysdb_netgroup_ctx ***entries, + size_t *netgroup_count) { errno_t ret; size_t size = 0; @@ -1935,6 +1936,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx, tmp_entry[c] = NULL; *entries = talloc_steal(mem_ctx, tmp_entry); + *netgroup_count = c; + ret = EOK; done: diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c index 031db9f2e..a45b65233 100644 --- a/src/responder/nss/nss_enum.c +++ b/src/responder/nss/nss_enum.c @@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq) /* We need to expand the netgroup into triples and members. */ ret = sysdb_netgr_to_entries(state->enum_ctx, result[0]->ldb_result, - &state->enum_ctx->netgroup); + &state->enum_ctx->netgroup, + &state->enum_ctx->netgroup_count); if (ret != EOK) { goto done; } diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h index 5fc19d26b..aa8d8e9cd 100644 --- a/src/responder/nss/nss_private.h +++ b/src/responder/nss/nss_private.h @@ -41,6 +41,7 @@ struct nss_enum_index { struct nss_enum_ctx { struct cache_req_result **result; struct sysdb_netgroup_ctx **netgroup; + size_t netgroup_count; /* Ongoing cache request that is constructing enumeration result. */ struct tevent_req *ongoing; diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c index 099485fa3..575171d6f 100644 --- a/src/responder/nss/nss_protocol_netgr.c +++ b/src/responder/nss/nss_protocol_netgr.c 
@@ -120,6 +120,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx, idx = cmd_ctx->enum_index; entries = cmd_ctx->enum_ctx->netgroup; + if (idx->result > cmd_ctx->enum_ctx->netgroup_count) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unconsistent state while processing netgroups.\n"); + ret = EINVAL; + goto done; + } + /* First two fields (length and reserved), filled up later. */ ret = sss_packet_grow(packet, 2 * sizeof(uint32_t)); if (ret != EOK) { -- 2.13.7 ++++++ 0008-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch ++++++ >From 37a84285aeb497ed4909d16916bbf934af3f68b3 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Thu, 15 Mar 2018 12:43:34 +0100 Subject: [PATCH] nss: initialize nss_enum_index in nss_setnetgrent() setnetgrent() is the first call when looking up a netgroup and sets the netgroup name for upcoming getnetgrent() and endnetgrent() calls. Currently the state is reset by calling endnetgrent() but it would be more robust to unconditionally reset the state in setnetgrent() as well in case calling endnetgrent() was forgotten. Related to https://pagure.io/SSSD/sssd/issue/3679 Reviewed-by: Jakub Hrozek <[email protected]> --- src/responder/nss/nss_cmd.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c index 956ee53cb..9f8479b7b 100644 --- a/src/responder/nss/nss_cmd.c +++ b/src/responder/nss/nss_cmd.c @@ -756,6 +756,9 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, goto done; } + state_ctx->netgrent.domain = 0; + state_ctx->netgrent.result = 0; + talloc_zfree(state_ctx->netgroup); state_ctx->netgroup = talloc_strdup(state_ctx, netgroup); if (state_ctx->netgroup == NULL) { -- 2.13.7 ++++++ 0009-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch ++++++ >From b13cc2d1413a0d5bbe36e06e5ffd87dbf5c0cb9f Mon Sep 17 00:00:00 2001 
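Review bot: sysdb_netgr_to_entries() in the sysdb_search.c hunk dereferences `netgroup_count` unconditionally, so every caller must now pass a non-NULL pointer; only the nss_enum.c caller is updated here, and any other caller (tests included) that still passes NULL would crash at runtime rather than fail to compile. Either add `if (netgroup_count != NULL)` around the store, or document in the sysdb.h prototype that the argument is mandatory. Note also that the count is only written on the success path, so callers must not read it when the function fails.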
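Review bot: in the nss_protocol_fill_netgrent() hunk the message text should read "Inconsistent" rather than "Unconsistent". The check uses `>` rather than `>=`, so `idx->result == netgroup_count` is deliberately allowed and left to the NULL terminator of the entries array to end the enumeration; a one-line comment saying so would keep a later reader from "tightening" it to `>=` and breaking the last getnetgrent() call.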
From: Sumit Bose <[email protected]> Date: Fri, 4 May 2018 17:00:55 +0200 Subject: [PATCH] NSS: nss_clear_netgroup_hash_table() do not free data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit nss_clear_netgroup_hash_table() is called during the clearEnumCache SBUS request, which is e.g. used during 'sss_cache -E', to remove netgroup data cached in the memory of the NSS responder. Currently nss_clear_netgroup_hash_table() calls 'sss_ptr_hash_delete_all(nss_ctx->netgrent, true);' which not only removes all entries in the 'netgerent' hash table but frees them as well. The second step is not needed because nss_setnetgrent_set_timeout() takes care that the data is freed after a timeout. Additionally freeing the data in nss_clear_netgroup_hash_table() can even do harm when the request is received by the NSS responder while waiting for the backend to acquire the netgroup data. Because if the backend is done the NSS responder tries do use enum_ctx which might have been freed in the meantime. Because of this nss_clear_netgroup_hash_table() should only remove the data from the hash table but not free it. Related to https://pagure.io/SSSD/sssd/issue/3731 Reviewed-by: Pavel Březina <[email protected]> --- src/responder/nss/nsssrv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index 171c2a5ca..004e6c1a1 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -142,7 +142,7 @@ static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *da DEBUG(SSSDBG_TRACE_FUNC, "Invalidating netgroup hash table\n"); - sss_ptr_hash_delete_all(nss_ctx->netgrent, true); + sss_ptr_hash_delete_all(nss_ctx->netgrent, false); return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); } -- 2.16.4 ++++++ 0010-SUDO-Allow-defaults-sudoRole-without-sudoUser-attrib.patch ++++++ 
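Review bot: with `sss_ptr_hash_delete_all(nss_ctx->netgrent, false)` the enumeration contexts are only unlinked from the table and their lifetime now rests entirely on the timer armed by nss_setnetgrent_set_timeout(). For an entry that is still waiting on the backend when the clearEnumCache request arrives, confirm that the timer is armed before the wait begins (otherwise that entry is leaked, which is the trade-off the commit message accepts in exchange for removing the use-after-free) and that the timer callback and the value's own talloc destructor tolerate the key already being gone from the table. A short comment at the call site explaining why `false` is correct would prevent someone "fixing" it back to `true`.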
>From 2cbee33b203b03eb5baa9f61a0d847cfb6175f50 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Fri, 17 May 2019 12:34:41 +0200 Subject: [PATCH 1/2] SUDO: Allow defaults sudoRole without sudoUser attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Samuel Cabrero <[email protected]> Reviewed-by: Pavel Březina <[email protected]> (cherry picked from commit 10170fe683add7a71b3f03d11e485ea102c677bd) (cherry picked from commit 2173201b5c998715e67e85beb96167e5ab6c2822) --- src/db/sysdb_sudo.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index ff8c95105..174b99b46 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -882,7 +882,8 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, } static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, - struct sysdb_attrs *rule) + struct sysdb_attrs *rule, + const char *name) { TALLOC_CTX *tmp_ctx; const char **users = NULL; @@ -900,10 +901,13 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, &users); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", - SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); - ret = ERR_MALFORMED_ENTRY; - goto done; + /* Allow "defaults" sudoRole without sudoUser attribute */ + if (name != NULL && !sss_string_equal(false, "defaults", name)) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); + ret = ERR_MALFORMED_ENTRY; + goto done; + } } if (users == NULL) { 
@@ -946,7 +950,7 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); - ret = sysdb_sudo_add_lowered_users(domain, rule); + ret = sysdb_sudo_add_lowered_users(domain, rule, name); if (ret != EOK) { return ret; } -- 2.21.0 ++++++ 0011-GPO-Add-option-ad_gpo_ignore_unreadable.patch ++++++ >From c450737dafe65a7bcebe8d5386a93932302c9929 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <[email protected]> Date: Wed, 17 Oct 2018 16:57:20 +0200 Subject: [PATCH 2/2] GPO: Add option ad_gpo_ignore_unreadable Add option to ignore group policy containers in AD with unreadable or missing attributes. This is for the case when server contains GPOs that have very strict permissions on their attributes in AD but are unrelated to access control. Rather then using this option it is better to change the permissions on the AD objects but that may not be always possible (company policy, not access to server etc.). Resolves: https://pagure.io/SSSD/sssd/issue/3867 CVE-2018-16838 Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit 2f27dd9f05c2d3ed1c190ba387bc97738988efb0) (cherry picked from commit ad058011b6b75b15c674be46a3ae9b3cc5228175) --- src/config/cfg_rules.ini | 1 + src/man/sssd-ad.5.xml | 18 ++++++++++ src/providers/ad/ad_common.h | 1 + src/providers/ad/ad_gpo.c | 67 +++++++++++++++++++++++++++++++++--- src/providers/ad/ad_opts.c | 1 + 5 files changed, 84 insertions(+), 4 deletions(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 4e70bf7b6..2f63942b7 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -433,6 +433,7 @@ option = ad_enable_dns_sites option = ad_enabled_domains option = ad_enable_gc option = ad_gpo_access_control +option = ad_gpo_ignore_unreadable option = ad_gpo_cache_timeout option = ad_gpo_default_right option = ad_gpo_map_batch diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index be2593dca..77d7f948b 100644 
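Review bot: in the sysdb_sudo_add_lowered_users() hunk (sysdb_sudo.c) the condition `name != NULL && !sss_string_equal(false, "defaults", name)` makes a NULL `name` behave like "defaults": any rule stored without a name now silently passes the missing-sudoUser check, which is wider than the exemption the commit title describes. Invert it to `if (name == NULL || !sss_string_equal(false, "defaults", name))` so only a rule actually named "defaults" is exempt. In the exempted path `ret` still carries the error returned by sysdb_attrs_get_string_array() when control falls through to `if (users == NULL)`, so reset `ret` explicitly there rather than relying on the code below to overwrite it.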
--- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -414,6 +414,24 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example, </listitem> </varlistentry> + <varlistentry> + <term>ad_gpo_ignore_unreadable (boolean)</term> + <listitem> + <para> + Normally when some group policy containers (AD + object) of applicable group policy objects are + not readable by SSSD then users are denied access. + This option allows to ignore group policy + containers and with them associated policies + if their attributes in group policy containers + are not readable for SSSD. + </para> + <para> + Default: False + </para> + </listitem> + </varlistentry> + <varlistentry> <term>ad_gpo_cache_timeout (integer)</term> <listitem> diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 931aafc6c..8f6bc3597 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -52,6 +52,7 @@ enum ad_basic_opt { AD_ACCESS_FILTER, AD_ENABLE_GC, AD_GPO_ACCESS_CONTROL, + AD_GPO_IGNORE_UNREADABLE, AD_GPO_CACHE_TIMEOUT, AD_GPO_MAP_INTERACTIVE, AD_GPO_MAP_REMOTE_INTERACTIVE, diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 877ea994b..a6e35c26e 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -3526,6 +3526,7 @@ struct ad_gpo_process_gpo_state { struct ad_access_ctx *access_ctx; struct tevent_context *ev; struct sdap_id_op *sdap_op; + struct dp_option *ad_options; struct sdap_options *opts; char *server_hostname; struct sss_domain_info *host_domain; @@ -3570,6 +3571,7 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx, state->ev = ev; state->sdap_op = sdap_op; + state->ad_options = access_ctx->ad_options; state->opts = opts; state->server_hostname = server_hostname; state->host_domain = host_domain; 
@@ -3794,6 +3796,54 @@ static bool machine_ext_names_is_blank(char *attr_value) return true; } +static errno_t +ad_gpo_missing_or_unreadable_attr(struct ad_gpo_process_gpo_state *state, + struct tevent_req *req) +{ + bool ignore_unreadable = dp_opt_get_bool(state->ad_options, + AD_GPO_IGNORE_UNREADABLE); + + if (ignore_unreadable) { + /* If admins decided to skip GPOs with unreadable + * attributes just log the SID of skipped GPO */ + DEBUG(SSSDBG_TRACE_FUNC, + "Group Policy Container with DN [%s] has unreadable or missing " + "attributes -> skipping this GPO " + "(ad_gpo_ignore_unreadable = True)\n", + state->candidate_gpos[state->gpo_index]->gpo_dn); + state->gpo_index++; + return ad_gpo_get_gpo_attrs_step(req); + } else { + /* Inform in logs and syslog that this GPO can + * not be processed due to unreadable or missing + * attributes and point to possible server side + * and client side solutions. */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Group Policy Container with DN [%s] is unreadable or has " + "unreadable or missing attributes. In order to fix this " + "make sure that this AD object has following attributes " + "readable: nTSecurityDescriptor, cn, gPCFileSysPath, " + "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. " + "Alternatively if you do not have access to the server or can " + "not change permissions on this object, you can use option " + "ad_gpo_ignore_unreadable = True which will skip this GPO." + "See 'man ad_gpo_ignore_unreadable for details.'\n", + state->candidate_gpos[state->gpo_index]->gpo_dn); + sss_log(SSSDBG_CRIT_FAILURE, + "Group Policy Container with DN [%s] is unreadable or has " + "unreadable or missing attributes. In order to fix this " + "make sure that this AD object has following attributes " + "readable: nTSecurityDescriptor, cn, gPCFileSysPath, " + "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. 
" + "Alternatively if you do not have access to the server or can " + "not change permissions on this object, you can use option " + "ad_gpo_ignore_unreadable = True which will skip this GPO." + "See 'man ad_gpo_ignore_unreadable for details.'\n", + state->candidate_gpos[state->gpo_index]->gpo_dn); + return EFAULT; + } +} + static errno_t ad_gpo_sd_process_attrs(struct tevent_req *req, char *smb_host, @@ -3813,7 +3863,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, /* retrieve AD_AT_CN */ ret = sysdb_attrs_get_string(result, AD_AT_CN, &gpo_guid); - if (ret != EOK) { + if (ret == ENOENT) { + ret = ad_gpo_missing_or_unreadable_attr(state, req); + goto done; + } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed: [%d](%s)\n", ret, sss_strerror(ret)); @@ -3834,7 +3887,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, AD_AT_FILE_SYS_PATH, &raw_file_sys_path); - if (ret != EOK) { + if (ret == ENOENT) { + ret = ad_gpo_missing_or_unreadable_attr(state, req); + goto done; + } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed: [%d](%s)\n", ret, sss_strerror(ret)); @@ -3882,7 +3938,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, /* retrieve AD_AT_FLAGS */ ret = sysdb_attrs_get_int32_t(result, AD_AT_FLAGS, &gp_gpo->gpo_flags); - if (ret != EOK) { + if (ret == ENOENT) { + ret = ad_gpo_missing_or_unreadable_attr(state, req); + goto done; + } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed: [%d](%s)\n", ret, sss_strerror(ret)); @@ -3900,7 +3959,7 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, if ((ret == ENOENT) || (el->num_values == 0)) { DEBUG(SSSDBG_OP_FAILURE, "nt_sec_desc attribute not found or has no value\n"); - ret = ENOENT; + ret = ad_gpo_missing_or_unreadable_attr(state, req); goto done; } diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index afcfa3773..9e09991fd 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c 
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = { { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING }, + { "ad_gpo_ignore_unreadable", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING }, -- 2.21.0 ++++++ 0012-nss-use-enumeration-context-as-talloc-parent-for-cac.patch ++++++ >From 935a151822cfe10bdb21753373a413920949a637 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <[email protected]> Date: Tue, 30 Oct 2018 13:21:28 +0100 Subject: [PATCH] nss: use enumeration context as talloc parent for cache req result Otherwise we end up with memory leak since the result is never freed. We need to convert nctx->*ent structures into talloc pointer so we can use enum_ctx as parent. Resolves: https://pagure.io/SSSD/sssd/issue/3870 Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit 406b731ddfbeb62623640cc37a7adc76af0a4b22) --- src/responder/nss/nss_cmd.c | 12 ++++++------ src/responder/nss/nss_enum.c | 2 +- src/responder/nss/nss_private.h | 6 +++--- src/responder/nss/nsssrv.c | 21 +++++++++++++++++++++ 4 files changed, 31 insertions(+), 10 deletions(-) diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c index 9f8479b7b..7b2fc9d83 100644 --- a/src/responder/nss/nss_cmd.c +++ b/src/responder/nss/nss_cmd.c @@ -942,7 +942,7 @@ static errno_t nss_cmd_setpwent(struct cli_ctx *cli_ctx) nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); - return nss_setent(cli_ctx, CACHE_REQ_ENUM_USERS, &nss_ctx->pwent); + return nss_setent(cli_ctx, CACHE_REQ_ENUM_USERS, nss_ctx->pwent); } static errno_t nss_cmd_getpwent(struct cli_ctx *cli_ctx) 
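Review bot: in the ad_gpo_missing_or_unreadable_attr() hunk, `sss_log(SSSDBG_CRIT_FAILURE, ...)` passes a debug-level bitmask where sss_log() takes a syslog priority (compare `sss_log(SSS_LOG_ALERT, ...)` in the server.c hunk earlier on this page); use SSS_LOG_ERR or SSS_LOG_CRIT so the syslog entry carries a meaningful severity. The same message ends with `"...which will skip this GPO." "See 'man ad_gpo_ignore_unreadable for details.'\n"`, which is missing a space before "See", closes the quote after the period, and points to a man page that does not exist: the option is documented in sssd-ad(5). The comment on the ignore branch says it logs the SID of the skipped GPO, but the message prints gpo_dn; fix the comment.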
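Review bot: each `ret = ad_gpo_missing_or_unreadable_attr(state, req); goto done;` site in the ad_gpo_sd_process_attrs() hunks relies on the helper having already called ad_gpo_get_gpo_attrs_step(req) when ignoring is enabled (it increments gpo_index and issues the request for the next GPO). Make sure the `done:` path of ad_gpo_sd_process_attrs() does not advance gpo_index or call the step function again on EOK, otherwise the GPO after the skipped one is processed twice or one candidate is silently jumped. Returning EFAULT for the fail-closed case is also unusual for this code base (the nt_sec_desc check previously returned ENOENT); a comment on why EFAULT was chosen, or EACCES since the cause is a permission problem, would help the next reader.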
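Review bot: the sssd-ad.5.xml hunk should state the security consequence plainly: with ad_gpo_ignore_unreadable = True the policies of the skipped GPOs are not evaluated, so access decisions are made as if those GPOs did not exist, and the commit message's own advice that fixing the container ACLs is the preferred solution belongs in the man page too. Suggested wording for the first paragraph: "Normally, when the group policy container (AD object) of an applicable GPO is not readable by SSSD, users are denied access. If this option is set to True, such containers and the policies associated with them are ignored instead."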
@@ -955,7 +955,7 @@ static errno_t nss_cmd_getpwent(struct cli_ctx *cli_ctx) return nss_getent(cli_ctx, CACHE_REQ_ENUM_USERS, &state_ctx->pwent, nss_protocol_fill_pwent, - &nss_ctx->pwent); + nss_ctx->pwent); } static errno_t nss_cmd_endpwent(struct cli_ctx *cli_ctx) @@ -998,7 +998,7 @@ static errno_t nss_cmd_setgrent(struct cli_ctx *cli_ctx) nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); - return nss_setent(cli_ctx, CACHE_REQ_ENUM_GROUPS, &nss_ctx->grent); + return nss_setent(cli_ctx, CACHE_REQ_ENUM_GROUPS, nss_ctx->grent); } static errno_t nss_cmd_getgrent(struct cli_ctx *cli_ctx) @@ -1011,7 +1011,7 @@ static errno_t nss_cmd_getgrent(struct cli_ctx *cli_ctx) return nss_getent(cli_ctx, CACHE_REQ_ENUM_GROUPS, &state_ctx->grent, nss_protocol_fill_grent, - &nss_ctx->grent); + nss_ctx->grent); } static errno_t nss_cmd_endgrent(struct cli_ctx *cli_ctx) @@ -1093,7 +1093,7 @@ static errno_t nss_cmd_setservent(struct cli_ctx *cli_ctx) nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); - return nss_setent(cli_ctx, CACHE_REQ_ENUM_SVC, &nss_ctx->svcent); + return nss_setent(cli_ctx, CACHE_REQ_ENUM_SVC, nss_ctx->svcent); } static errno_t nss_cmd_getservent(struct cli_ctx *cli_ctx) @@ -1106,7 +1106,7 @@ static errno_t nss_cmd_getservent(struct cli_ctx *cli_ctx) return nss_getent(cli_ctx, CACHE_REQ_ENUM_SVC, &state_ctx->svcent, nss_protocol_fill_svcent, - &nss_ctx->svcent); + nss_ctx->svcent); } static errno_t nss_cmd_endservent(struct cli_ctx *cli_ctx) diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c index b2b22bbae..9ea265217 100644 --- a/src/responder/nss/nss_enum.c +++ b/src/responder/nss/nss_enum.c 
@@ -138,7 +138,7 @@ static void nss_setent_internal_done(struct tevent_req *subreq) switch (ret) { case EOK: talloc_zfree(state->enum_ctx->result); - state->enum_ctx->result = talloc_steal(state->nss_ctx, result); + state->enum_ctx->result = talloc_steal(state->enum_ctx, result); if (state->type == CACHE_REQ_NETGROUP_BY_NAME) { /* We need to expand the netgroup into triples and members. */ diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h index aa8d8e9cd..cd0d35517 100644 --- a/src/responder/nss/nss_private.h +++ b/src/responder/nss/nss_private.h @@ -78,9 +78,9 @@ struct nss_ctx { const char **extra_attributes; /* Enumeration. */ - struct nss_enum_ctx pwent; - struct nss_enum_ctx grent; - struct nss_enum_ctx svcent; + struct nss_enum_ctx *pwent; + struct nss_enum_ctx *grent; + struct nss_enum_ctx *svcent; hash_table_t *netgrent; /* Memory cache. */ diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index 004e6c1a1..d6c5a08a9 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -378,6 +378,27 @@ int nss_process_init(TALLOC_CTX *mem_ctx, goto fail; } + nctx->pwent = talloc_zero(nctx, struct nss_enum_ctx); + if (nctx->pwent == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize pwent context!\n"); + ret = ENOMEM; + goto fail; + } + + nctx->grent = talloc_zero(nctx, struct nss_enum_ctx); + if (nctx->grent == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize grent context!\n"); + ret = ENOMEM; + goto fail; + } + + nctx->svcent = talloc_zero(nctx, struct nss_enum_ctx); + if (nctx->svcent == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize svcent context!\n"); + ret = ENOMEM; + goto fail; + } + nctx->netgrent = sss_ptr_hash_create(nctx, NULL, NULL); if (nctx->netgrent == NULL) { DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize netgroups table!\n"); -- 2.22.0 ++++++ 0013-Revert-LDAP-IPA-add-local-email-address-to-aliases.patch ++++++ 
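Review bot: the nss_setent_internal_done() hunk (nss_enum.c) parents `result` to `state->enum_ctx`, which for netgroups is the per-name entry in nctx->netgrent whose lifetime patch 0009 on this page leaves to the nss_setnetgrent_set_timeout() timer; the result now dies with that entry, which is the intended fix for the leak, and for pwent/grent/svcent it now lives until the next `talloc_zfree(state->enum_ctx->result)` or the responder exits. Style: the three identical talloc_zero()/goto fail blocks in the nss_process_init() hunk could be one loop over pwent, grent and svcent, which also keeps the three error messages consistent.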
>From bc561347f789cd05d6430b3af9bcac604238c8fc Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Thu, 21 Jun 2018 12:27:32 +0200 Subject: [PATCH 13/18] Revert "LDAP/IPA: add local email address to aliases" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 9a310913d696d190db14c625080678db853a33fd. Storing the e-mail address as a nameAlias was a performance optimization to avoid having to fall back to the UPN lookup, but had the disadvantage of returning multiple results for cases where an e-mail address is the same as a user's fully qualified name. Since the e-mail lookups would still work without this optimization, just after one more lookup, let's revert the patch. Resolves: https://pagure.io/SSSD/sssd/issue/3607 Reviewed-by: Fabiano Fidêncio <[email protected]> (cherry picked from commit 9d953f6e109da5ccd3e3709ac6ffe68daa9f8157) --- src/providers/ipa/ipa_s2n_exop.c | 49 -------------------------------- src/providers/ldap/sdap_utils.c | 22 -------------- 2 files changed, 71 deletions(-) diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c index 9cb735526..6f3974637 100644 --- a/src/providers/ipa/ipa_s2n_exop.c +++ b/src/providers/ipa/ipa_s2n_exop.c 
@@ -2118,49 +2118,6 @@ done: return ret; } -static errno_t add_emails_to_aliases(struct sysdb_attrs *attrs, - struct sss_domain_info *dom) -{ - int ret; - const char **emails; - size_t c; - TALLOC_CTX *tmp_ctx; - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); - return ENOMEM; - } - - ret = sysdb_attrs_get_string_array(attrs, SYSDB_USER_EMAIL, tmp_ctx, - &emails); - if (ret == EOK) { - for (c = 0; emails[c] != NULL; c++) { - if (is_email_from_domain(emails[c], dom)) { - ret = sysdb_attrs_add_lc_name_alias_safe(attrs, emails[c]); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Failed to add lower-cased version of email [%s] " - "into the alias list\n", emails[c]); - goto done; - } - } - } - } else if (ret == ENOENT) { - DEBUG(SSSDBG_TRACE_ALL, "No email addresses available.\n"); - } else { - DEBUG(SSSDBG_OP_FAILURE, - "sysdb_attrs_get_string_array failed, skipping ...\n"); - } - - ret = EOK; - -done: - talloc_free(tmp_ctx); - - return ret; -} - static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, struct req_input *req_input, struct resp_attrs *attrs, @@ -2314,12 +2271,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, goto done; } - ret = add_emails_to_aliases(attrs->sysdb_attrs, dom); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "add_emails_to_aliases failed, skipping ...\n"); - } - if (upn == NULL) { /* We also have to store a fake UPN here, because otherwise the * krb5 child later won't be able to properly construct one as diff --git a/src/providers/ldap/sdap_utils.c b/src/providers/ldap/sdap_utils.c index 0ac3ab2e4..6d543101f 100644 --- a/src/providers/ldap/sdap_utils.c +++ b/src/providers/ldap/sdap_utils.c @@ -87,7 +87,6 @@ sdap_save_all_names(const char *name, int i; bool lowercase = !dom->case_sensitive; bool store_as_fqdn; - const char **emails; switch (entry_type) { case SYSDB_MEMBER_USER: 
@@ -144,27 +143,6 @@ sdap_save_all_names(const char *name, } - ret = sysdb_attrs_get_string_array(ldap_attrs, SYSDB_USER_EMAIL, tmp_ctx, - &emails); - if (ret == EOK) { - for (i = 0; emails[i] != NULL; i++) { - if (is_email_from_domain(emails[i], dom)) { - ret = sysdb_attrs_add_lc_name_alias_safe(attrs, emails[i]); - if (ret) { - DEBUG(SSSDBG_OP_FAILURE, - "Failed to add lower-cased version of email [%s] " - "into the alias list\n", emails[i]); - goto done; - } - } - } - } else if (ret == ENOENT) { - DEBUG(SSSDBG_TRACE_ALL, "No email addresses available.\n"); - } else { - DEBUG(SSSDBG_OP_FAILURE, - "sysdb_attrs_get_string_array failed, skipping ...\n"); - } - ret = EOK; done: talloc_free(tmp_ctx); -- 2.23.0 ++++++ 0014-util-Remove-the-unused-function-is_email_from_domain.patch ++++++ >From b1b2f55a8fdb1aaa81417136c52439334f054a70 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Thu, 21 Jun 2018 12:40:44 +0200 Subject: [PATCH 14/18] util: Remove the unused function is_email_from_domain MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit pretty much reverts commit 04d4c4d45f3942a813b7f772737f801f877f4e64, it's just coded manually, because "git revert 04d4c4d45f3942a813b7f772737f801f877f4e64" resulted in conflicts. It's easier to just remove the single function. Related: https://pagure.io/SSSD/sssd/issue/3607 Reviewed-by: Fabiano Fidêncio <[email protected]> (cherry picked from commit 5b8d6794091e59419e677c055deb7be5dc44fd34) --- src/tests/cmocka/test_utils.c | 21 --------------------- src/util/domain_info_utils.c | 27 --------------------------- src/util/util.h | 1 - 3 files changed, 49 deletions(-) diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c index cf314abe2..1a8699a2a 100644 --- a/src/tests/cmocka/test_utils.c +++ b/src/tests/cmocka/test_utils.c 
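Review bot: the revert removes the code that adds e-mail addresses to the nameAlias list, but entries already written to the sysdb cache by the previous version still carry those aliases until they are refreshed or the cache is cleared, so the duplicate-result symptom from issue 3607 can persist on upgraded hosts; that is worth a line in the package changelog. In the sdap_utils.c hunk, confirm that the loop variable `i` declared at the top of sdap_save_all_names() is still used elsewhere in the function now that the e-mail loop is gone, to avoid an unused-variable warning.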
@@ -1849,25 +1849,6 @@ static void test_sss_get_domain_mappings_content(void **state) * capaths might not be as expected. */ } -static void test_is_email_from_domain(void **state) -{ - struct dom_list_test_ctx *test_ctx = talloc_get_type(*state, - struct dom_list_test_ctx); - struct sss_domain_info *d; - - d = find_domain_by_name(test_ctx->dom_list, "name_0.dom", false); - assert_non_null(d); - - assert_false(is_email_from_domain(NULL, NULL)); - assert_false(is_email_from_domain("hello", NULL)); - assert_false(is_email_from_domain(NULL, d)); - assert_false(is_email_from_domain("hello", d)); - assert_false(is_email_from_domain("hello@hello", d)); - - assert_true(is_email_from_domain("hello@name_0.dom", d)); - assert_true(is_email_from_domain("hello@NaMe_0.DoM", d)); -} - int main(int argc, const char *argv[]) { poptContext pc; @@ -1896,8 +1877,6 @@ int main(int argc, const char *argv[]) setup_dom_list, teardown_dom_list), cmocka_unit_test_setup_teardown(test_find_domain_by_name_disabled, setup_dom_list, teardown_dom_list), - cmocka_unit_test_setup_teardown(test_is_email_from_domain, - setup_dom_list, teardown_dom_list), cmocka_unit_test_setup_teardown(test_sss_names_init, confdb_test_setup, diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index 66077092a..9d608ef20 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c 
@@ -889,33 +889,6 @@ bool sss_domain_is_forest_root(struct sss_domain_info *dom) return (dom->forest_root == dom); } -bool is_email_from_domain(const char *email, struct sss_domain_info *dom) -{ - const char *p; - - if (email == NULL || dom == NULL) { - return false; - } - - p = strchr(email, '@'); - if (p == NULL) { - DEBUG(SSSDBG_TRACE_ALL, - "Input [%s] does not look like an email address.\n", email); - return false; - } - - if (strcasecmp(p+1, dom->name) == 0) { - DEBUG(SSSDBG_TRACE_ALL, "Email [%s] is from domain [%s].\n", email, - dom->name); - return true; - } - - DEBUG(SSSDBG_TRACE_ALL, "Email [%s] is not from domain [%s].\n", email, - dom->name); - - return false; -} - char *subdomain_create_conf_path(TALLOC_CTX *mem_ctx, struct sss_domain_info *subdomain) { diff --git a/src/util/util.h b/src/util/util.h index 78ab02dce..3bd4bd696 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -540,7 +540,6 @@ struct sss_domain_info *find_domain_by_sid(struct sss_domain_info *domain, enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom); void sss_domain_set_state(struct sss_domain_info *dom, enum sss_domain_state state); -bool is_email_from_domain(const char *email, struct sss_domain_info *dom); bool sss_domain_is_forest_root(struct sss_domain_info *dom); const char *sss_domain_type_str(struct sss_domain_info *dom); -- 2.23.0 ++++++ 0015-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch ++++++ >From a90dde3b505840bfd58a1cf8885d402085d9a54e Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Fri, 19 Jul 2019 12:19:53 +0200 Subject: [PATCH 15/18] MONITOR: Propagate error when resolv.conf does not exists in polling mode Return ENOENT when resolv.conf is missing after falling back to polling mode. This way missing_resolv_conf will schedule a timer to check again after some seconds. 
Signed-off-by: Samuel Cabrero <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit d20a7f9d5e56d1e9af273d97c7fd42fe8b2eda47) --- src/monitor/monitor.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index ca5c79924..f41cfad92 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -1888,18 +1888,14 @@ static errno_t monitor_config_file_fallback(TALLOC_CTX *parent_ctx, if (ret < 0) { err = errno; if (err == ENOENT) { - DEBUG(SSSDBG_MINOR_FAILURE, - "file [%s] is missing. Will not update online status " - "based on watching the file\n", file); - return EOK; - + DEBUG(SSSDBG_CRIT_FAILURE, + "file [%s] is missing. Will try again later.\n", file); } else { DEBUG(SSSDBG_FATAL_FAILURE, "Could not stat file [%s]. Error [%d:%s]\n", file, err, strerror(err)); - - return err; } + return err; } file_ctx->poll_check.parent_ctx = parent_ctx; -- 2.23.0 ++++++ 0016-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch ++++++ >From 5b1434630b52399902e1ff72815c36bc6fedfbfd Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 2 Sep 2019 15:31:09 +0200 Subject: [PATCH 16/18] MONITOR: Add a new option to control resolv.conf monitoring For those use-cases where resolv.conf will never exist the new 'monitor_resolv_conf' option can be set to false to skip the retry loop which tries to set the inotify watcher. Signed-off-by: Samuel Cabrero <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit 9b6323d8e99c3edb16b64ef60a769efbc3a292aa) --- src/confdb/confdb.h | 1 + src/config/SSSDConfigTest.py | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 23 ++++++++++++----- src/monitor/monitor.c | 49 ++++++++++++++++++++++++++++-------- 6 files changed, 59 insertions(+), 17 deletions(-) 
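Review bot: in the monitor.c hunk of patch 0015, the missing-file case is now logged at SSSDBG_CRIT_FAILURE, yet the commit message says the ENOENT return is there precisely so missing_resolv_conf reschedules a check every few seconds; a host that legitimately has no resolv.conf for a while will therefore emit a critical-level line on every retry. Log the first failure at that level and the repeats lower, or keep SSSDBG_MINOR_FAILURE as before. Folding both branches into the single `return err;` is fine, but because ENOENT used to become EOK here, every other caller of monitor_config_file_fallback needs to be checked for the new error propagation, not just the resolv.conf path the message describes.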
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index c97a9b804..3f07c1a91 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -66,6 +66,7 @@ #define CONFDB_MONITOR_SBUS_TIMEOUT "sbus_timeout" #define CONFDB_MONITOR_ACTIVE_SERVICES "services" #define CONFDB_MONITOR_ACTIVE_DOMAINS "domains" +#define CONFDB_MONITOR_RESOLV_CONF "monitor_resolv_conf" #define CONFDB_MONITOR_TRY_INOTIFY "try_inotify" #define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir" #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix" diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 87d1f6e64..488ae5da4 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -373,6 +373,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase): 'enable_files_domain', 'domain_resolution_order', 'try_inotify', + 'monitor_resolv_conf', ] self.assertTrue(type(options) == dict, diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 2f63942b7..c8d63d5f6 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -51,6 +51,7 @@ option = disable_netlink option = enable_files_domain option = domain_resolution_order option = try_inotify +option = monitor_resolv_conf [rule/allowed_nss_options] validator = ini_allowed_options diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 2be2e3e68..69beec875 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -34,6 +34,7 @@ disable_netlink = bool, None, false enable_files_domain = str, None, false domain_resolution_order = list, str, false try_inotify = bool, None, false +monitor_resolv_conf = bool, None, false [nss] # Name service diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index dc6a3c941..21a62fb55 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml 
@@ -318,16 +318,27 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>monitor_resolv_conf (boolean)</term> + <listitem> + <para> + Controls if SSSD should monitor the state of + resolv.conf to identify when it needs to + update its internal DNS resolver. + </para> + <para> + Default: true + </para> + </listitem> + </varlistentry> <varlistentry> <term>try_inotify (boolean)</term> <listitem> <para> - SSSD monitors the state of resolv.conf to - identify when it needs to update its internal - DNS resolver. By default, we will attempt to - use inotify for this, and will fall back to - polling resolv.conf every five seconds if - inotify cannot be used. + By default, SSSD will attempt to use inotify + to monitor configuration files changes and + will fall back to polling every five seconds + if inotify cannot be used. </para> <para> There are some limited situations where it is diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index f41cfad92..7d1c1c79b 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c 
@@ -1951,13 +1951,46 @@ static void missing_resolv_conf(struct tevent_context *ev, } } +static int monitor_config_files(struct mt_ctx *ctx) +{ + int ret; + bool monitor_resolv_conf; + struct timeval tv; + struct tevent_timer *te; + + /* Watch for changes to the DNS resolv.conf */ + ret = confdb_get_bool(ctx->cdb, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_RESOLV_CONF, + true, &monitor_resolv_conf); + if (ret != EOK) { + return ret; + } + + if (monitor_resolv_conf) { + ret = monitor_config_file(ctx, ctx, monitor_update_resolv, + RESOLV_CONF_PATH); + if (ret == ENOENT) { + tv = tevent_timeval_current_ofs(MISSING_RESOLV_CONF_POLL_TIME, 0); + te = tevent_add_timer(ctx->ev, ctx, tv, missing_resolv_conf, ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "resolv.conf will be ignored\n"); + } + } else if (ret != EOK) { + return ret; + } + } else { + DEBUG(SSS_LOG_NOTICE, "%s monitoring is disabled\n", RESOLV_CONF_PATH); + } + + return EOK; +} + static int monitor_process_init(struct mt_ctx *ctx, const char *config_file) { TALLOC_CTX *tmp_ctx; struct tevent_signal *tes; - struct timeval tv; - struct tevent_timer *te; struct sss_domain_info *dom; char *rcachedir; int num_providers; @@ -2032,15 +2065,9 @@ static int monitor_process_init(struct mt_ctx *ctx, ret = sss_sigchld_init(ctx, ctx->ev, &ctx->sigchld_ctx); if (ret != EOK) return ret; - /* Watch for changes to the DNS resolv.conf */ - ret = monitor_config_file(ctx, ctx, monitor_update_resolv, RESOLV_CONF_PATH); - if (ret == ENOENT) { - tv = tevent_timeval_current_ofs(MISSING_RESOLV_CONF_POLL_TIME, 0); - te = tevent_add_timer(ctx->ev, ctx, tv, missing_resolv_conf, ctx); - if (te == NULL) { - DEBUG(SSSDBG_FATAL_FAILURE, "resolv.conf will be ignored\n"); - } - } else if (ret != EOK) { + /* Set up watchers for system config files */ + ret = monitor_config_files(ctx); + if (ret != EOK) { return ret; } -- 2.23.0 ++++++ 0017-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch ++++++ 
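Review bot: in the sssd.conf.5.xml hunk of patch 0016, "monitor configuration files changes" should read "configuration file changes", and the new monitor_resolv_conf entry should state that try_inotify only matters while this option is true, since the inotify sentence was moved out of the try_inotify entry. The documented "Default: true" does match the `true` default passed to confdb_get_bool in monitor.c.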
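Review bot: in the monitor.c hunk of patch 0016, `DEBUG(SSS_LOG_NOTICE, "%s monitoring is disabled\n", ...)` passes a syslog-style level where every other DEBUG() in the hunk takes an SSSDBG_* mask (SSSDBG_FATAL_FAILURE); with the mask-based debug levels this message will not show up at the verbosity an administrator would expect, so use SSSDBG_CONF_SETTINGS (or sss_log(SSS_LOG_NOTICE, ...) if syslog is intended). Also, when tevent_add_timer returns NULL the new function logs "resolv.conf will be ignored" but still returns EOK; that is the pre-existing behaviour moved over from monitor_process_init, but since monitor_config_files is new, returning ENOMEM there would stop the failure from being swallowed at startup.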
>From 6c419ce13bb80766f8c7ef15adbf496f65e61fb9 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Fri, 19 Jul 2019 12:24:56 +0200 Subject: [PATCH 17/18] MONITOR: Resolve symlinks setting the inotify watchers If resolv.conf is a symlink and sssd starts before getting an address from dhcp the data provider will remain forever offline, as the watched parent directory is the directory containing the symlink. Signed-off-by: Samuel Cabrero <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit d57c67e4efc64a16b874b46eb9670fdc9c73a39f) --- src/util/inotify.c | 55 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 3 deletions(-) diff --git a/src/util/inotify.c b/src/util/inotify.c index 2e2dc1a6e..ffc15ad4d 100644 --- a/src/util/inotify.c +++ b/src/util/inotify.c 
@@ -381,13 +381,62 @@ static int watch_ctx_destructor(void *memptr) return 0; } +static errno_t resolve_filename(struct snotify_ctx *snctx, + const char *filename, + char *resolved, + size_t resolved_size) +{ + /* NOTE: The code below relies in the GNU extensions for realpath, + * which will store in 'resolved' the prefix of 'filename' that does + * not exists if realpath call fails and errno is set to ENOENT */ + if (realpath(filename, resolved) == NULL) { + char fcopy[PATH_MAX + 1]; + char *p; + struct stat st; + + if (errno != ENOENT) { + return errno; + } + + /* Check if the unique missing component is the basename. The + * dirname must exist to be notified watching the parent dir. */ + strncpy(fcopy, filename, sizeof(fcopy) - 1); + fcopy[PATH_MAX] = '\0'; + + p = dirname(fcopy); + if (p == NULL) { + return EIO; + } + + if (stat(p, &st) == -1) { + return errno; + } + + /* The basedir exist, check the caller requested to watch it. + * Otherwise return error as never will be notified. */ + + if ((snctx->snotify_flags & SNOTIFY_WATCH_DIR) == 0) { + return ENOENT; + } + } + + return EOK; +} + static errno_t copy_filenames(struct snotify_ctx *snctx, const char *filename) { char *p; + char resolved[PATH_MAX + 1]; char fcopy[PATH_MAX + 1]; + errno_t ret; + + ret = resolve_filename(snctx, filename, resolved, sizeof(resolved)); + if (ret != EOK) { + return ret; + } - strncpy(fcopy, filename, sizeof(fcopy) - 1); + strncpy(fcopy, resolved, sizeof(fcopy) - 1); fcopy[PATH_MAX] = '\0'; p = dirname(fcopy); @@ -400,7 +449,7 @@ static errno_t copy_filenames(struct snotify_ctx *snctx, return ENOMEM; } - strncpy(fcopy, filename, sizeof(fcopy) - 1); + strncpy(fcopy, resolved, sizeof(fcopy) - 1); fcopy[PATH_MAX] = '\0'; p = basename(fcopy); 
@@ -413,7 +462,7 @@ static errno_t copy_filenames(struct snotify_ctx *snctx, return ENOMEM; } - snctx->filename = talloc_strdup(snctx, filename); + snctx->filename = talloc_strdup(snctx, resolved); if (snctx->filename == NULL) { return ENOMEM; } -- 2.23.0 ++++++ 0018-SYSDB-Delete-linked-local-user-overrides-when-deleti.patch ++++++ >From 1c8bbc30a7e209b979f65c85598f8622db6346a3 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 24 Jun 2019 14:51:01 +0200 Subject: [PATCH 18/18] SYSDB: Delete linked local user overrides when deleting a user If a cached user having a linked userOverride is deleted from the LDAP server, at some point it will be deleted from cache too but its linked userOverride object will not. This causes the command sss_override to fail: [sssd] [append_name] (0x0020): sysdb_search_entry() failed [2]: No such file or directory [sssd] [list_overrides] (0x0020): Unable to append name [2]: No such file or directory [sssd] [user_export] (0x0020): Unable to get override objects [sssd] [override_user_find] (0x0020): Unable to export users Signed-off-by: Samuel Cabrero <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit f67109c46cec6eacbfa94aa20bfe6f8a930ba9b9) --- src/db/sysdb_ops.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 15915101e..1537abf02 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c 
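Review bot: in the inotify.c hunk of patch 0017, resolve_filename stat()s dirname(filename) but copy_filenames then watches dirname(resolved); when realpath fails with ENOENT on a symlink, `resolved` holds the unresolvable prefix of the link target, so the directory checked and the directory watched can differ (the symlink's own directory exists while the target's does not), and the "only the basename is missing" check described in the comment does not inspect the path that will actually be watched. Do the existence check on `resolved` so both agree. Two smaller points: the code relies on the GNU realpath extension the comment names, so on a libc that leaves `resolved` untouched on failure the EOK return hands an uninitialised buffer to copy_filenames (zero-initialise it in the caller and treat an empty result as ENOENT); `resolved_size` is never used, and dirname() does not return NULL, so the EIO branch is dead.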
@@ -3767,6 +3767,41 @@ int sysdb_search_ts_users(TALLOC_CTX *mem_ctx, /* =Delete-User-by-Name-OR-uid============================================ */ +static errno_t sysdb_user_local_override_dn(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_dn *obj_dn, + struct ldb_dn **out_dn) +{ + struct ldb_context *ldb = sysdb_ctx_get_ldb(domain->sysdb); + struct ldb_dn *override_dn; + char *anchor; + char *dn; + errno_t ret; + + ret = sysdb_dn_sanitize(mem_ctx, ldb_dn_get_linearized(obj_dn), &dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_dn_sanitize() failed\n"); + return ret; + } + + anchor = talloc_asprintf(mem_ctx, ":%s:%s", SYSDB_LOCAL_VIEW_NAME, dn); + talloc_free(dn); + if (anchor == NULL) { + return ENOMEM; + } + + override_dn = ldb_dn_new_fmt(mem_ctx, ldb, SYSDB_TMPL_OVERRIDE, + anchor, SYSDB_LOCAL_VIEW_NAME); + talloc_free(anchor); + if (override_dn == NULL) { + return ENOMEM; + } + + *out_dn = override_dn; + + return EOK; +} + int sysdb_delete_user(struct sss_domain_info *domain, const char *name, uid_t uid) { @@ -3779,6 +3814,9 @@ int sysdb_delete_user(struct sss_domain_info *domain, int ret; int i; char *sanitized_name; + struct ldb_dn *override_dn = NULL; + bool in_transaction = false; + errno_t sret; tmp_ctx = talloc_new(NULL); if (!tmp_ctx) { 
@@ -3811,10 +3849,46 @@ int sysdb_delete_user(struct sss_domain_info *domain, } } + /* If user has a linked userOverride delete it */ + ret = sysdb_user_local_override_dn(tmp_ctx, domain, msg->dn, + &override_dn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to build local override DN: %s\n", + strerror(ret)); + goto fail; + } + + ret = sysdb_transaction_start(domain->sysdb); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + goto fail; + } + in_transaction = true; + + ret = sysdb_delete_entry(domain->sysdb, override_dn, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Error deleting linked override DN: %s\n", + strerror(ret)); + goto fail; + } + ret = sysdb_delete_entry(domain->sysdb, msg->dn, false); if (ret) { goto fail; } + + ret = sysdb_transaction_commit(domain->sysdb); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to commit ldb transaction [%d]: %s\n", + ret, sss_strerror(ret)); + goto fail; + } + in_transaction = false; + } else if (ret == ENOENT && name != NULL) { /* Perhaps a ghost user? */ ret = sss_filter_sanitize(tmp_ctx, name, &sanitized_name); @@ -3869,6 +3943,15 @@ int sysdb_delete_user(struct sss_domain_info *domain, return EOK; fail: + if (in_transaction) { + sret = sysdb_transaction_cancel(domain->sysdb); + if (sret != LDB_SUCCESS) { + sret = sysdb_error_to_errno(sret); + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to cancel ldb transaction [%d]: %s\n", + sret, sss_strerror(sret)); + } + } DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, strerror(ret)); talloc_zfree(tmp_ctx); return ret; -- 2.23.0 ++++++ 0019-winbind-idmap-plugin-support-inferface-version-6.patch ++++++ >From eec2e553b00274d00bf192e7f376e05c08bc5b98 Mon Sep 17 00:00:00 2001 
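Review bot: in the sysdb_ops.c hunk of patch 0018, the override DN is re-derived from SYSDB_TMPL_OVERRIDE with a `:<SYSDB_LOCAL_VIEW_NAME>:<sanitized user DN>` anchor, and the delete is issued with a `true` third argument (by contrast with the `false` used for the user's own DN, this looks like an ignore-not-found flag); if that anchor format ever diverges from the one used when the override is created, the delete silently becomes a no-op and the dangling override from the commit message is back. Add a cmocka test that creates a local override for a user, calls sysdb_delete_user and asserts that both objects are gone, so the coupling is covered. The transaction handling (start before the two deletes, commit, cancel on the fail: path while in_transaction) follows the usual sysdb pattern; `sret` could be declared inside the fail: block where it is used.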
From: Sumit Bose <[email protected]> Date: Tue, 15 May 2018 11:55:35 +0200 Subject: [PATCH 1/8] winbind idmap plugin: support inferface version 6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With Samba 4.7 the interface version of the idmap plugin was updated to 6. The patch adds support for this new version but can be complied with the older version as well. A configure option is added to select the version, if no version is given configure tries to detect the version with the help of an internal Samba library libidmap-samba4.so. To make sure that always the right version is used configure will fail if Samba is used (--with-samba, default) and no version can be determined. Resolves https://pagure.io/SSSD/sssd/issue/3741 Reviewed-by: Alexander Bokovoy <[email protected]> Reviewed-by: Fabiano Fidêncio <[email protected]> (cherry picked from commit c6b99b070268c3807833e9f894d9a36304014417) --- contrib/ci/configure.sh | 9 ++ contrib/sssd.spec.in | 12 +++ src/external/samba.m4 | 82 +++++++++++++++++++ src/lib/winbind_idmap_sss/winbind_idmap_sss.c | 6 ++ src/lib/winbind_idmap_sss/winbind_idmap_sss.h | 6 +- 5 files changed, 114 insertions(+), 1 deletion(-) diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh index 9d18d0c18..09da5b4e7 100644 --- a/contrib/ci/configure.sh +++ b/contrib/ci/configure.sh @@ -35,6 +35,7 @@ declare -a CONFIGURE_ARG_LIST=( if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- || "$DISTRO_BRANCH" == -redhat-centos-6.*- ]]; then CONFIGURE_ARG_LIST+=( + "--with-smb-idmap-interface-version=5" "--disable-cifs-idmap-plugin" "--with-syslog=syslog" "--without-python3-bindings" 
@@ -56,6 +57,14 @@ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-7.*- || ) fi +# Different versions of Debian might need different versions here but this is +# sufficient to make the CI work +if [[ "$DISTRO_BRANCH" == -debian-* ]]; then + CONFIGURE_ARG_LIST+=( + "--with-smb-idmap-interface-version=5" + ) +fi + declare -r -a CONFIGURE_ARG_LIST fi # _CONFIGURE_SH diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index f69f192fe..651bc5ecd 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -127,6 +127,14 @@ %global with_gdm_pam_extensions 0 %endif +# Do not try to detect the idmap version on RHEL6 to avoid conflicts between +# samba and samba4 package +%if (0%{?fedora} || 0%{?rhel} >= 7) + %global detect_idmap_version 1 +%else + %global with_idmap_version --with-smb-idmap-interface-version=5 +%endif + Name: @PACKAGE_NAME@ Version: @PACKAGE_VERSION@ Release: 0@PRERELEASE_VERSION@%{?dist} @@ -226,6 +234,9 @@ BuildRequires: nfs-utils-lib-devel BuildRequires: samba4-devel BuildRequires: libsmbclient-devel +%if (0%{?detect_idmap_version} == 1) +BuildRequires: samba-winbind +%endif %if (0%{?enable_systemtap} == 1) BuildRequires: systemtap-sdt-devel @@ -748,6 +759,7 @@ autoreconf -ivf %{?enable_systemtap_opt} \ %{?with_secret_responder} \ %{?with_kcm_option} \ + %{?with_idmap_version} \ %{?experimental} make %{?_smp_mflags} all diff --git a/src/external/samba.m4 b/src/external/samba.m4 index 91a583a0d..610831bf0 100644 --- a/src/external/samba.m4 +++ b/src/external/samba.m4 
@@ -39,4 +39,86 @@ them. In this case, you will need to execute configure script with argument --without-samba ]]) fi + + AC_ARG_WITH([smb-idmap-interface-version], + [AC_HELP_STRING([--with-smb-idmap-interface-version=[5|6]], + [Idmap interface version of installed Samba] + ) + ] + ) + + if test x"$with_smb_idmap_interface_version" != x; then + if test x"$with_smb_idmap_interface_version" = x5 -o x"$with_smb_idmap_interface_version" = x6; then + idmap_test_result=$with_smb_idmap_interface_version + else + AC_MSG_ERROR([Illegal value -$with_smb_idmap_interface_version- for option --with-smb-idmap-interface-version]) + fi + else + + AC_MSG_CHECKING([Samba's idmap plugin interface version]) + sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba + SAVE_CFLAGS=$CFLAGS + SAVE_LIBS=$LIBS + CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS -I/usr/include/samba-4.0" + LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}" + AC_RUN_IFELSE( + [AC_LANG_SOURCE([ +#include <stdlib.h> +#include <stdint.h> +#include <stdbool.h> +#include <tevent.h> +#include <core/ntstatus.h> + +struct winbindd_domain; + +/* overwrite some winbind internal functions */ +struct winbindd_domain *find_domain_from_name(const char *domain_name) +{ + return NULL; +} + +bool get_global_winbindd_state_offline(void) { + return false; +} + +struct tevent_context *winbind_event_context(void) +{ + return NULL; +} + +struct idmap_methods; + +NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods); + +int main(void) +{ + int v; + NTSTATUS ret; + + /* Check the versions we know about */ + for (v = 5; v <= 6; v++) { + ret = smb_register_idmap(v, NULL, NULL); + if (ret != NT_STATUS_OBJECT_TYPE_MISMATCH) { + return v; + } + } + + return -1; +}])], + [AC_MSG_ERROR([idmap version test program is not expected to return 0])], + [idmap_test_result=$?; AC_MSG_RESULT([idmap test result is: $idmap_test_result])] + ) + fi + + CFLAGS=$SAVE_CFLAGS + LIBS=$SAVE_LIBS + + if test 
$idmap_test_result -eq 5 -o $idmap_test_result -eq 6 ; then + idmap_version=$idmap_test_result + else + AC_MSG_ERROR([Cannot determine Samba's idmap interface version, please use --with-smb-idmap-interface-version]) + fi + AC_MSG_NOTICE([Samba's idmap interface version: $idmap_version]) + AC_DEFINE_UNQUOTED(SMB_IDMAP_INTERFACE_VERSION, $idmap_version, + [Detected version of Samba's idmap plugin interface]) fi diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c index 26f753708..ea5e727c3 100644 --- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c +++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c @@ -190,7 +190,13 @@ static struct idmap_methods sss_methods = { .sids_to_unixids = idmap_sss_sids_to_unixids, }; +#if SMB_IDMAP_INTERFACE_VERSION == 5 NTSTATUS idmap_sss_init(void) +#elif SMB_IDMAP_INTERFACE_VERSION == 6 +NTSTATUS idmap_sss_init(TALLOC_CTX *ctx) +#else +#error Unexpected Samba idmpa inferface version +#endif { return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods); } diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h index 0f27c8561..868049fff 100644 --- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h +++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h @@ -32,6 +32,8 @@ #include <ndr.h> #include <gen_ndr/security.h> +#include "config.h" + /* The following definitions are taken from the Samba header files * - winbindd/idmap_proto.h * - idmap.d @@ -64,7 +66,9 @@ struct id_map { enum id_mapping status; }; -#define SMB_IDMAP_INTERFACE_VERSION 5 +#ifndef SMB_IDMAP_INTERFACE_VERSION +#error Missing Samba idmap interface version +#endif struct idmap_domain { const char *name; -- 2.23.0 ++++++ 0020-winbind-idmap-plugin-fix-detection.patch ++++++ >From 70dda07ce1dab6d02249b012e43b87fa9b2b9b86 Mon Sep 17 00:00:00 2001 
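Review bot: in the samba.m4 hunk of patch 0019, AC_RUN_IFELSE is invoked without an action-if-cross-compiling branch, so configure aborts when cross-compiling unless --with-smb-idmap-interface-version is given; add the fourth argument and have it emit the same "please use --with-smb-idmap-interface-version" error. The `-I/usr/include/samba-4.0` include path is hardcoded while the library directory comes from `$PKG_CONFIG --variable=libdir smbclient`; taking the include directory from pkg-config too would avoid breaking on distributions that install the headers elsewhere. AC_HELP_STRING is the deprecated spelling of AS_HELP_STRING. In the winbind_idmap_sss.c hunk the `#error` text misspells the message ("idmpa inferface"), and the unused `TALLOC_CTX *ctx` of the version 6 idmap_sss_init deserves a one-line comment saying the interface requires it.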
From: Sumit Bose <[email protected]> Date: Fri, 18 May 2018 21:34:44 +0200 Subject: [PATCH 2/8] winbind idmap plugin: fix detection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently when compiling the detection code for the idmap interface version only SMBCLIENT_CFLAGS are used. Since libsmbclient does not use NTSTATUS the cflags do not contain '-DHAVE_IMMEDIATE_STRUCTURES=1' which make NTSTATUS to a struct instead of an integer. Since Samba itself might be complied with this define (it typically is) we have to make sure we use it as well. Otherwise the test program might crash on platforms where this change changes the calling convention as well. Related to https://pagure.io/SSSD/sssd/issue/3741 Reviewed-by: Fabiano Fidêncio <[email protected]> (cherry picked from commit 095bbe17b25369b967e97162d945cb001a13029e) --- src/external/samba.m4 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/external/samba.m4 b/src/external/samba.m4 index 610831bf0..794cac246 100644 --- a/src/external/samba.m4 +++ b/src/external/samba.m4 @@ -59,7 +59,7 @@ them. In this case, you will need to execute configure script with argument sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba SAVE_CFLAGS=$CFLAGS SAVE_LIBS=$LIBS - CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS -I/usr/include/samba-4.0" + CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS -I/usr/include/samba-4.0" LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}" AC_RUN_IFELSE( [AC_LANG_SOURCE([ 
@@ -98,7 +98,7 @@ int main(void) /* Check the versions we know about */ for (v = 5; v <= 6; v++) { ret = smb_register_idmap(v, NULL, NULL); - if (ret != NT_STATUS_OBJECT_TYPE_MISMATCH) { + if (!NT_STATUS_EQUAL(ret, NT_STATUS_OBJECT_TYPE_MISMATCH)) { return v; } } -- 2.23.0 ++++++ 0021-nss-imap-add-sss_nss_getsidbyuid-and-sss_nss_getsidb.patch ++++++ ++++ 684 lines (skipped) ++++++ 0022-cifs-idmap-plugin-use-new-sss_nss_idmap-calls.patch ++++++ >From ad5a5dc7ca1074e1727ab0e92d9a0cf8ef558975 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Fri, 25 May 2018 18:44:08 +0200 Subject: [PATCH 4/8] cifs idmap plugin: use new sss_nss_idmap calls Related to https://pagure.io/SSSD/sssd/issue/3629 Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit 2571accdefe0999129910b3532be129812598857) --- src/lib/cifs_idmap_sss/cifs_idmap_sss.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/lib/cifs_idmap_sss/cifs_idmap_sss.c b/src/lib/cifs_idmap_sss/cifs_idmap_sss.c index fd8b194c5..e7a0b8370 100644 --- a/src/lib/cifs_idmap_sss/cifs_idmap_sss.c +++ b/src/lib/cifs_idmap_sss/cifs_idmap_sss.c @@ -304,7 +304,18 @@ int cifs_idmap_ids_to_sids(void *handle, const struct cifs_uxid *cuxid, } for (i = 0; i < num; ++i) { - err = sss_nss_getsidbyid((uint32_t)cuxid[i].id.uid, &sid, &id_type); + switch (cuxid[i].type) { + case CIFS_UXID_TYPE_UID: + err = sss_nss_getsidbyuid((uint32_t)cuxid[i].id.uid, + &sid, &id_type); + break; + case CIFS_UXID_TYPE_GID: + err = sss_nss_getsidbygid((uint32_t)cuxid[i].id.gid, + &sid, &id_type); + break; + default: + err = sss_nss_getsidbyid((uint32_t)cuxid[i].id.uid, &sid, &id_type); + } if (err != 0) { ctx_set_error(ctx, strerror(err)); csid[i].revision = 0; -- 2.23.0 ++++++ 0023-winbind-idmap-plugin-use-new-sss_nss_idmap-calls.patch ++++++ >From b05fafa824a337c74e2e337116732779e1c2d8de Mon Sep 17 00:00:00 2001 
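Review bot: in the cifs_idmap_sss.c hunk of patch 0022, the `default:` branch keeps calling sss_nss_getsidbyid with `id.uid` for any type other than CIFS_UXID_TYPE_UID or CIFS_UXID_TYPE_GID, which preserves the old type-ambiguous lookup for unspecified types; a short comment stating that this fallback is intentional (and that `id.uid` and `id.gid` appear to alias the same storage, so reading `.uid` there is safe) would stop a later reader from treating it as an oversight.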
From: Sumit Bose <[email protected]> Date: Fri, 25 May 2018 18:37:42 +0200 Subject: [PATCH 5/8] winbind idmap plugin: use new sss_nss_idmap calls Related to https://pagure.io/SSSD/sssd/issue/3629 Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit 8ae68aa27d3e4d3a42ebfa3cb165dc4d9f289c61) --- src/lib/winbind_idmap_sss/winbind_idmap_sss.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c index ea5e727c3..0d9109455 100644 --- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c +++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c @@ -85,7 +85,16 @@ static NTSTATUS idmap_sss_unixids_to_sids(struct idmap_domain *dom, } for (c = 0; map[c]; c++) { - ret = sss_nss_getsidbyid(map[c]->xid.id, &sid_str, &id_type); + switch (map[c]->xid.type) { + case ID_TYPE_UID: + ret = sss_nss_getsidbyuid(map[c]->xid.id, &sid_str, &id_type); + break; + case ID_TYPE_GID: + ret = sss_nss_getsidbygid(map[c]->xid.id, &sid_str, &id_type); + break; + default: + ret = sss_nss_getsidbyid(map[c]->xid.id, &sid_str, &id_type); + } if (ret != 0) { if (ret == ENOENT) { map[c]->status = ID_UNMAPPED; -- 2.23.0 ++++++ 0024-libwbclient-sssd-use-new-sss_nss_idmap-calls.patch ++++++ >From fbe43f1bfb299ec57eca999410070ec178400e25 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Fri, 25 May 2018 18:38:33 +0200 Subject: [PATCH 6/8] libwbclient-sssd: use new sss_nss_idmap calls Related to https://pagure.io/SSSD/sssd/issue/3629 Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit 54c040cb4ea120771954d5882b756e9300b7b673) --- src/sss_client/libwbclient/wbc_idmap_sssd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/sss_client/libwbclient/wbc_idmap_sssd.c b/src/sss_client/libwbclient/wbc_idmap_sssd.c index c8da97542..dd2cbb4d6 100644 --- a/src/sss_client/libwbclient/wbc_idmap_sssd.c 
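Review bot: in the winbind_idmap_sss.c hunk of patch 0023, ID_TYPE_UID and ID_TYPE_GID now go to the typed lookups and every other id_type value (Samba's enum also has not-specified and both variants) falls through to the untyped sss_nss_getsidbyid; that is the right fallback, but a comment in the `default:` branch would make the intent explicit, as the same pattern in the cifs plugin.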
+++ b/src/sss_client/libwbclient/wbc_idmap_sssd.c @@ -63,7 +63,7 @@ wbcErr wbcUidToSid(uid_t uid, struct wbcDomainSid *sid) enum sss_id_type type; wbcErr wbc_status; - ret = sss_nss_getsidbyid(uid, &str_sid, &type); + ret = sss_nss_getsidbyuid(uid, &str_sid, &type); if (ret != 0) { return WBC_ERR_UNKNOWN_FAILURE; } @@ -127,7 +127,7 @@ wbcErr wbcGidToSid(gid_t gid, struct wbcDomainSid *sid) enum sss_id_type type; wbcErr wbc_status; - ret = sss_nss_getsidbyid(gid, &str_sid, &type); + ret = sss_nss_getsidbygid(gid, &str_sid, &type); if (ret != 0) { return WBC_ERR_UNKNOWN_FAILURE; } -- 2.23.0 ++++++ 0025-pysss_nss_idmap-add-python-bindings-for-new-sss_nss_.patch ++++++ >From 5cb8daac9f22d0a944c2aa5c6a9f00663b5c756b Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Fri, 25 May 2018 21:34:24 +0200 Subject: [PATCH 7/8] pysss_nss_idmap: add python bindings for new sss_nss_idmap calls Related to https://pagure.io/SSSD/sssd/issue/3629 Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit b8da03b4234ea5536dc08c1627c710f0b64afc64) --- src/python/pysss_nss_idmap.c | 65 ++++++++++++++++++++++++-- src/tests/intg/test_pysss_nss_idmap.py | 21 +++++++++ 2 files changed, 81 insertions(+), 5 deletions(-) diff --git a/src/python/pysss_nss_idmap.c b/src/python/pysss_nss_idmap.c index 66d6dcc93..2bbec7d5e 100644 --- a/src/python/pysss_nss_idmap.c +++ b/src/python/pysss_nss_idmap.c @@ -34,6 +34,8 @@ enum lookup_type { SIDBYNAME, SIDBYID, + SIDBYUID, + SIDBYGID, NAMEBYSID, IDBYSID, NAMEBYCERT, @@ -155,7 +157,8 @@ static int do_getnamebysid(PyObject *py_result, PyObject *py_sid) return ret; } -static int do_getsidbyid(PyObject *py_result, PyObject *py_id) +static int do_getsidbyid(enum lookup_type type, PyObject *py_result, + PyObject *py_id) { long id; const char *id_str; 
@@ -187,7 +190,19 @@ static int do_getsidbyid(PyObject *py_result, PyObject *py_id) return EINVAL; } - ret = sss_nss_getsidbyid((uint32_t) id, &sid, &id_type); + switch (type) { + case SIDBYID: + ret = sss_nss_getsidbyid((uint32_t) id, &sid, &id_type); + break; + case SIDBYUID: + ret = sss_nss_getsidbyuid((uint32_t) id, &sid, &id_type); + break; + case SIDBYGID: + ret = sss_nss_getsidbygid((uint32_t) id, &sid, &id_type); + break; + default: + return EINVAL; + } if (ret == 0) { ret = add_dict(py_result, py_id, PyUnicode_FromString(SSS_SID_KEY), PyUnicode_FromString(sid), PYNUMBER_FROMLONG(id_type)); @@ -302,7 +317,9 @@ static int do_lookup(enum lookup_type type, PyObject *py_result, return do_getnamebysid(py_result, py_inp); break; case SIDBYID: - return do_getsidbyid(py_result, py_inp); + case SIDBYUID: + case SIDBYGID: + return do_getsidbyid(type, py_result, py_inp); break; case IDBYSID: return do_getidbysid(py_result, py_inp); @@ -334,7 +351,9 @@ static PyObject *check_args(enum lookup_type type, PyObject *args) if (!(PyList_Check(obj) || PyTuple_Check(obj) || PyBytes_Check(obj) || PyUnicode_Check(obj) || - (type == SIDBYID && (PYNUMBER_CHECK(obj))))) { + ((type == SIDBYID + || type == SIDBYUID + || type == SIDBYGID) && (PYNUMBER_CHECK(obj))))) { PyErr_Format(PyExc_ValueError, "Only string, long or list or tuples of them " \ "are accepted\n"); @@ -355,7 +374,9 @@ static PyObject *check_args(enum lookup_type type, PyObject *args) py_value = PySequence_GetItem(obj, i); if ((py_value != NULL) && (PyBytes_Check(py_value) || PyUnicode_Check(py_value) || - (type == SIDBYID && PYNUMBER_CHECK(py_value)))) { + ((type == SIDBYID + || type == SIDBYUID + || type == SIDBYGID) && PYNUMBER_CHECK(py_value)))) { ret = do_lookup(type, py_result, py_value); if (ret != 0) { /* Skip this name */ 
@@ -418,6 +439,36 @@ static PyObject * py_getsidbyid(PyObject *module, PyObject *args) return check_args(SIDBYID, args); } +PyDoc_STRVAR(getsidbyuid_doc, +"getsidbyuid(uid or list/tuple of uid) -> dict(uid => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given POSIX UID.\n\ +The result dictionary contain the SID and the type of the object which can be\n\ +accessed with the key constants SID_KEY and TYPE_KEY, respectively. Since \n\ +given ID is assumed to be a user ID is is not expected that group objects are\n\ +returned." +); + +static PyObject * py_getsidbyuid(PyObject *module, PyObject *args) +{ + return check_args(SIDBYUID, args); +} + +PyDoc_STRVAR(getsidbygid_doc, +"getsidbygid(gid or list/tuple of gid) -> dict(gid => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given POSIX GID.\n\ +The result dictionary contain the SID and the type of the object which can be\n\ +accessed with the key constants SID_KEY and TYPE_KEY, respectively. Since \n\ +given ID is assumed to be a group ID is is not expected that user objects are\n\ +returned." +); + +static PyObject * py_getsidbygid(PyObject *module, PyObject *args) +{ + return check_args(SIDBYGID, args); +} + PyDoc_STRVAR(getnamebysid_doc, "getnamebysid(sid or list/tuple of sid) -> dict(sid => dict(results))\n\ \n\ @@ -484,6 +535,10 @@ static PyMethodDef methods[] = { METH_VARARGS, getsidbyname_doc }, { sss_py_const_p(char, "getsidbyid"), (PyCFunction) py_getsidbyid, METH_VARARGS, getsidbyid_doc }, + { sss_py_const_p(char, "getsidbyuid"), (PyCFunction) py_getsidbyuid, + METH_VARARGS, getsidbyuid_doc }, + { sss_py_const_p(char, "getsidbygid"), (PyCFunction) py_getsidbygid, + METH_VARARGS, getsidbygid_doc }, { sss_py_const_p(char, "getnamebysid"), (PyCFunction) py_getnamebysid, METH_VARARGS, getnamebysid_doc }, { sss_py_const_p(char, "getidbysid"), (PyCFunction) py_getidbysid, 
diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py index aed2a8cf9..8d0d9b794 100644 --- a/src/tests/intg/test_pysss_nss_idmap.py +++ b/src/tests/intg/test_pysss_nss_idmap.py @@ -215,6 +215,13 @@ def test_user_operations(ldap_conn, simple_ad): assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER assert output[pysss_nss_idmap.SID_KEY] == user_sid + output = pysss_nss_idmap.getsidbyuid(user_id)[user_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER + assert output[pysss_nss_idmap.SID_KEY] == user_sid + + output = pysss_nss_idmap.getsidbygid(user_id) + assert len(output) == 0 + output = pysss_nss_idmap.getidbysid(user_sid)[user_sid] assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER assert output[pysss_nss_idmap.ID_KEY] == user_id @@ -237,6 +244,13 @@ def test_group_operations(ldap_conn, simple_ad): assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP assert output[pysss_nss_idmap.SID_KEY] == group_sid + output = pysss_nss_idmap.getsidbygid(group_id)[group_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbyuid(group_id) + assert len(output) == 0 + output = pysss_nss_idmap.getidbysid(group_sid)[group_sid] assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP assert output[pysss_nss_idmap.ID_KEY] == group_id 
@@ -260,6 +274,13 @@ def test_case_insensitive(ldap_conn, simple_ad): assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP assert output[pysss_nss_idmap.SID_KEY] == group_sid + output = pysss_nss_idmap.getsidbygid(group_id)[group_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbyuid(group_id) + assert len(output) == 0 + output = pysss_nss_idmap.getidbysid(group_sid)[group_sid] assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP assert output[pysss_nss_idmap.ID_KEY] == group_id -- 2.23.0 ++++++ 0026-winbind-idmap-plugin-update-struct-idmap_domain-to-l.patch ++++++ >From 87bd630fa2a10439c46bcaf1a9bb30649c5e3839 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Fri, 5 Apr 2019 18:05:08 +0200 Subject: [PATCH 8/8] winbind idmap plugin: update struct idmap_domain to latest version While updating to interface version 6 we forgot to add the query_user member. Recent version of Samba added a new member dom_sid. Unfortunately the interface version was not update for this change so we have to enable the member based on the Samba version. Related to https://pagure.io/SSSD/sssd/issue/4005 Reviewed-by: Jakub Hrozek <[email protected]> (cherry picked from commit 30734e5f213f4bd2984e632d497d7cbfc16495db) (cherry picked from commit e6734785fd1970c4b63d0dd021074003e35d7137) --- src/external/samba.m4 | 13 +++++++++++++ src/lib/winbind_idmap_sss/winbind_idmap_sss.c | 4 ++++ src/lib/winbind_idmap_sss/winbind_idmap_sss.h | 15 +++++++++++++++ 3 files changed, 32 insertions(+) diff --git a/src/external/samba.m4 b/src/external/samba.m4 index 794cac246..f4c8056cd 100644 --- a/src/external/samba.m4 +++ b/src/external/samba.m4 
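Review bot: The two new PyDoc_STRVAR docstrings in the @@ -418 hunk of pysss_nss_idmap.c carry grammar slips that will be shown verbatim by help(): "The result dictionary contain" should read "contains", and "Since given ID is assumed to be a user ID is is not expected" should read "Since the given ID is assumed to be a user ID it is not expected" (the same fix applies to the getsidbygid_doc variant). The trailing blank before the line continuation in "respectively. Since \n\" is worth dropping as well.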
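Review bot: In the two check_args() hunks (@@ -334 and @@ -355) the condition `type == SIDBYID || type == SIDBYUID || type == SIDBYGID` is now written out twice, once for the top-level argument and once for each sequence element; a small static helper such as `lookup_takes_number(type)` would keep the two in step when the next numeric lookup type is added, which is how SIDBYUID and SIDBYGID had to be threaded through here and do_lookup() in this very patch.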
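Review bot: In the test_pysss_nss_idmap.py hunks the negative checks `output = pysss_nss_idmap.getsidbygid(user_id)` / `assert len(output) == 0` (and the mirror image for groups) pass both when the lookup correctly finds nothing and when it fails for any other reason, because check_args() skips an element whenever do_lookup() returns non-zero (the `/* Skip this name */` branch in the @@ -355 hunk). The tests therefore cannot tell "not a group" from "backend broken"; pairing each negative check with the positive getsidbyuid()/getsidbygid() lookup on the same id, as the hunks already do, is what keeps them meaningful, so that ordering should be preserved.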
@@ -121,4 +121,17 @@ int main(void) AC_MSG_NOTICE([Samba's idmap interface version: $idmap_version]) AC_DEFINE_UNQUOTED(SMB_IDMAP_INTERFACE_VERSION, $idmap_version, [Detected version of Samba's idmap plugin interface]) + + samba_major_version=`echo -e '#include <samba/version.h>\nSAMBA_VERSION_MAJOR' | $CPP $SMBCLIENT_CFLAGS -P -` + samba_minor_version=`echo -e '#include <samba/version.h>\nSAMBA_VERSION_MINOR' | $CPP $SMBCLIENT_CFLAGS -P -` + samba_release_version=`echo -e '#include <samba/version.h>\nSAMBA_VERSION_RELEASE' | $CPP $SMBCLIENT_CFLAGS -P -` + AC_MSG_NOTICE([Samba version: $samba_major_version $samba_minor_version $samba_release_version]) + if test $samba_major_version -ge 4 -a $samba_minor_version -ge 8 ; then + AC_DEFINE_UNQUOTED(SMB_IDMAP_DOMAIN_HAS_DOM_SID, 1, + [Samba's struct idmap_domain has dom_sid member]) + AC_MSG_NOTICE([Samba's struct idmap_domain has dom_sid member]) + else + AC_MSG_NOTICE([Samba's struct idmap_domain does not have dom_sid member]) + fi + fi diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c index 0d9109455..58375322a 100644 --- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c +++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c @@ -55,6 +55,10 @@ static NTSTATUS idmap_sss_initialize(struct idmap_domain *dom) return NT_STATUS_NO_MEMORY; } +#if SMB_IDMAP_INTERFACE_VERSION == 6 + dom->query_user = NULL; +#endif + dom->private_data = ctx; return NT_STATUS_OK; diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h index 868049fff..78800838e 100644 --- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h +++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h 
@@ -70,9 +70,24 @@ struct id_map { #error Missing Samba idmap interface version #endif +#if SMB_IDMAP_INTERFACE_VERSION == 6 +struct wbint_userinfo; +#endif + struct idmap_domain { const char *name; +#if SMB_IDMAP_INTERFACE_VERSION == 6 && defined(SMB_IDMAP_DOMAIN_HAS_DOM_SID) + /* + * dom_sid is currently only initialized in the unixids_to_sids request, + * so don't rely on this being filled out everywhere! + */ + struct dom_sid dom_sid; +#endif struct idmap_methods *methods; +#if SMB_IDMAP_INTERFACE_VERSION == 6 + NTSTATUS (*query_user)(struct idmap_domain *domain, + struct wbint_userinfo *info); +#endif uint32_t low_id; uint32_t high_id; bool read_only; -- 2.23.0 ++++++ 0027-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch ++++++ >From ff3390db7529a1ad76e25263b80463e37f555dae Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <[email protected]> Date: Mon, 13 Jan 2020 13:52:34 +0100 Subject: [PATCH] AD: use getaddrinfo with AI_CANONNAME to find the FQDN In systems where gethostbyname() does not return the FQDN try calling getaddrinfo(). Signed-off-by: Samuel Cabrero <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit 2143c7276c7603520e2575ef6c9d93a5fc031256) --- src/man/sssd-ad.5.xml | 14 ++++++------ src/providers/ad/ad_common.c | 42 ++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 77d7f948b..b7f312204 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml 
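Review bot: The version test in the samba.m4 hunk, `test $samba_major_version -ge 4 -a $samba_minor_version -ge 8`, is wrong for any later major release with a minor below 8: a Samba 5.0 would be classified as lacking dom_sid and the struct layout in winbind_idmap_sss.h would silently disagree with winbindd's. The intended condition is "major greater than 4, or major equal to 4 and minor at least 8", e.g. `if test "$samba_major_version" -gt 4 || { test "$samba_major_version" -eq 4 && test "$samba_minor_version" -ge 8; }; then`. Separately, `echo -e` is not portable in configure scripts (some /bin/sh implementations print the "-e" literally); `printf '%s\n' '#include <samba/version.h>' SAMBA_VERSION_MAJOR | $CPP $SMBCLIENT_CFLAGS -P -` gives the same two lines without relying on it.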
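Review bot: The winbind_idmap_sss.h hunk mirrors Samba's private struct idmap_domain layout by version sniffing, which the commit message itself flags as a workaround for the interface version not being bumped; a layout guess that is off by one member does not fail at build or load time, it just makes winbindd and the plugin read each other's fields at the wrong offsets. A comment next to the `dom_sid` member naming the Samba release whose header it copies would make the next mismatch diagnosable, and if the Samba header is present at build time a configure-time member check (AC_CHECK_MEMBER) would be more robust than version arithmetic. The `dom->query_user = NULL;` initialisation in the winbind_idmap_sss.c hunk is the right default for a function pointer winbindd may call.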
@@ -190,15 +190,17 @@ ad_enabled_domains = sales.example.com, eng.example.com <term>ad_hostname (string)</term> <listitem> <para> - Optional. May be set on machines where the - hostname(5) does not reflect the fully qualified - name used in the Active Directory domain to - identify this host. + Optional. On machines where the hostname(5) does + not reflect the fully qualified name, sssd will try + to expand the short name. If it is not possible or + the short name should be really used instead, set + this parameter explicitly. </para> <para> This field is used to determine the host principal - in use in the keytab. It must match the hostname - for which the keytab was issued. + in use in the keytab and to perform dynamic DNS + updates. It must match the hostname for which the + keytab was issued. </para> </listitem> </varlistentry> diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 2a1647173..1708ca01f 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -398,6 +398,34 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, return ad_options; } +static errno_t +ad_try_to_get_fqdn(const char *hostname, + char *buf, + size_t buflen) +{ + int ret; + struct addrinfo *res; + struct addrinfo hints; + + memset(&hints, 0, sizeof(struct addrinfo)); + hints.ai_socktype = SOCK_DGRAM; + hints.ai_flags = AI_CANONNAME; + + ret = getaddrinfo(hostname, NULL, &hints, &res); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "getaddrinfo failed: %s\n", + gai_strerror(ret)); + return ret; + } + + strncpy(buf, res->ai_canonname, buflen); + + freeaddrinfo(res); + + return EOK; +} + errno_t ad_get_common_options(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, @@ -413,6 +441,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx, char *realm; char *ad_hostname; char hostname[HOST_NAME_MAX + 1]; + char fqdn[HOST_NAME_MAX + 1]; char *case_sensitive_opt; const char *opt_override; 
@@ -460,6 +489,19 @@ ad_get_common_options(TALLOC_CTX *mem_ctx, goto done; } hostname[HOST_NAME_MAX] = '\0'; + + if (strchr(hostname, '.') == NULL) { + ret = ad_try_to_get_fqdn(hostname, fqdn, sizeof(fqdn)); + if (ret == EOK) { + DEBUG(SSSDBG_CONF_SETTINGS, + "The hostname [%s] has been expanded to FQDN [%s]. " + "If sssd should really use the short hostname, please " + "set ad_hostname explicitly.\n", hostname, fqdn); + strncpy(hostname, fqdn, sizeof(hostname)); + hostname[HOST_NAME_MAX] = '\0'; + } + } + DEBUG(SSSDBG_CONF_SETTINGS, "Setting ad_hostname to [%s].\n", hostname); ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname); -- 2.25.1 ++++++ 0028-ad-Add-support-for-passing-add-samba-data-to-adcli.patch ++++++ >From 74a32b1add9d8fd5591e319bc26667b6abb4e5c8 Mon Sep 17 00:00:00 2001 From: Andrew Gunnerson <[email protected]> Date: Sat, 30 Nov 2019 20:49:10 -0500 Subject: [PATCH] ad: Add support for passing --add-samba-data to adcli This adds a new option named `ad_update_samba_machine_account_password`, which when enabled, will pass `--add-samba-data` to the adcli command for updating the machine account password in Samba's secrets.tdb database. This option is necessary when Samba is configured to use AD for authentication. For Kerberos auth, Samba can use the system keytab, but for NTLM, Samba uses its own copy of the machine account password in its secrets.tdb database. See: https://pagure.io/SSSD/sssd/issue/3920 Signed-off-by: Andrew Gunnerson <[email protected]> Reviewed-by: Sumit Bose <[email protected]> (cherry picked from commit 1cdd43140e6069a10d59af0ba80d1c4e9427a0b4) --- src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.d/sssd-ad.conf | 1 + src/man/sssd-ad.5.xml | 16 ++++++++++++++++ src/providers/ad/ad_common.h | 1 + src/providers/ad/ad_machine_pw_renewal.c | 11 +++++++++-- src/providers/ad/ad_opts.c | 1 + 7 files changed, 30 insertions(+), 2 deletions(-) 
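Review bot: ad_try_to_get_fqdn() in the @@ -398 hunk of ad_common.c copies with `strncpy(buf, res->ai_canonname, buflen)` and never guarantees a terminator, and the caller in the @@ -460 hunk prints `fqdn` with %s in its DEBUG line before its own `hostname[HOST_NAME_MAX] = '\0'` runs, so a canonical name of HOST_NAME_MAX+1 bytes or longer leads to a read past the end of `fqdn` in that log call. Either return an error when `strlen(res->ai_canonname) >= buflen`, or set `buf[buflen - 1] = '\0'` after the copy. While here, a NULL check on `res->ai_canonname` before the copy costs nothing, and the function returns the raw getaddrinfo() EAI_* code through an errno_t; callers only compare against EOK today, but translating it (or returning a plain success flag) would avoid the mixed error domain. Since the expanded name now feeds the host principal lookup and dynamic DNS updates (per the man page hunk), it is only as trustworthy as the resolver answer; logging the expansion at SSSDBG_CONF_SETTINGS with the hint to set ad_hostname, as the hunk does, is what makes a wrong expansion visible to the administrator.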
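Review bot: The sssd-ad.5.xml hunk reads awkwardly at "If it is not possible or the short name should be really used instead, set this parameter explicitly."; suggest "If that is not possible, or the short name really should be used, set this parameter explicitly." It would also help to state the trigger precisely: the expansion is only attempted when hostname(5) contains no dot, and the expanded name is taken from the resolver's canonical name, which tells an administrator where to look when the logged FQDN is not the one expected.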
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 857d56cb5..6e6073f1c 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -246,6 +246,7 @@ option_strings = { 'ad_site' : _('a particular site to be used by the client'), 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'), 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'), + 'ad_update_samba_machine_account_password' : _('Whether to update the machine account password in the Samba database'), # [provider/krb5] 'krb5_kdcip' : _('Kerberos server address'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 1f1113a1b..22c8781ef 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -450,6 +450,7 @@ option = ad_machine_account_password_renewal_opts option = ad_maximum_machine_account_password_age option = ad_server option = ad_site +option = ad_update_samba_machine_account_password # IPA provider specific options option = ipa_anchor_uuid diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 8d97a416c..9c6c6daad 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false ad_site = str, None, false ad_maximum_machine_account_password_age = int, None, false ad_machine_account_password_renewal_opts = str, None, false +ad_update_samba_machine_account_password = bool, None, false ldap_uri = str, None, false ldap_backup_uri = str, None, false ldap_search_base = str, None, false diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index ebcc00639..4618a35bd 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml 
@@ -870,6 +870,22 @@ ad_gpo_map_deny = +my_pam_service </listitem> </varlistentry> + <varlistentry> + <term>ad_update_samba_machine_account_password (boolean)</term> + <listitem> + <para> + If enabled, when SSSD renews the machine account + password, it will also be updated in Samba's + database. This prevents Samba's copy of the machine + account password from getting out of date when it is + set up to use AD for authentication. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + <varlistentry> <term>dyndns_update (boolean)</term> <listitem> diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 8f6bc3597..cba693d65 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -66,6 +66,7 @@ enum ad_basic_opt { AD_KRB5_CONFD_PATH, AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE, AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS, + AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD, AD_OPTS_BASIC /* opts counter */ }; diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c index 5b6ba26b7..7b5b5302e 100644 --- a/src/providers/ad/ad_machine_pw_renewal.c +++ b/src/providers/ad/ad_machine_pw_renewal.c @@ -40,6 +40,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain, const char *ad_hostname, const char *ad_keytab, size_t pw_lifetime_in_days, + bool add_samba_data, size_t period, size_t initial_delay, struct renewal_data *renewal_data) @@ -58,7 +59,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain, return ENOMEM; } - args = talloc_array(renewal_data, const char *, 8); + args = talloc_array(renewal_data, const char *, 9); if (args == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); return ENOMEM; 
@@ -70,6 +71,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain, args[c++] = NULL; args[c++] = talloc_asprintf(args, "--computer-password-lifetime=%zu", pw_lifetime_in_days); + if (add_samba_data) { + args[c++] = talloc_strdup(args, "--add-samba-data"); + } args[c++] = talloc_asprintf(args, "--host-fqdn=%s", ad_hostname); if (ad_keytab != NULL) { args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab); @@ -375,7 +379,10 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME), dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic, SDAP_KRB5_KEYTAB), - lifetime, period, initial_delay, renewal_data); + lifetime, + dp_opt_get_bool(ad_opts->basic, + AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD), + period, initial_delay, renewal_data); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "get_adcli_extra_args failed.\n"); goto done; diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index 9e09991fd..d4fc811d9 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c 
@@ -52,6 +52,7 @@ struct dp_option ad_basic_opts[] = { { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING }, { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER }, { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING }, + { "ad_update_samba_machine_account_password", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, DP_OPTION_TERMINATOR }; -- 2.25.1 ++++++ baselibs.conf ++++++ sssd supplements "packageand(sssd:pam-<targettype>)" supplements "packageand(sssd:glibc-<targettype>)" -/usr/lib(64)?/* ++++++ sssd.keyring ++++++ pub 1024D/32E7BC25 2007-02-02 uid Jakub Hrozek <[email protected]> sub 2048g/132DCA21 2007-02-02 -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.19 (GNU/Linux) mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MU XQDAKJM7MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0 R+OiWh8d7ChCG6riv/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWX qZoZrm4lPlBZQltfhzdmvn8D/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjg q9Knn4sE9lnGjtG4RCYMT2Sideognk9Ah5nWOGynwta6cluCEqlF6ORJPKpAeqG1 a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/XtMoHSSyPi/Xum6R+jwISv7n TMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlSB6tAqN0G7VL6AFcs iOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KNtbnCrhS+ Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iF8EExECACAFAkXDdfUCGwMGCwkIBwMC BBUCCAMEFgIDAQIeAQIXgAAKCRAexqt1Mue8JSHBAKCjYF/HshYkJ8pSZTilLO0y bMWOFwCYlOqF7icGVDFT42W3CoqLfgajCrkCDQRFw3YAEAgAuqo0FxH1XtdOi/qW 6v+tWdqYHLj/f0Voqj1cbpS+cODNTaX1/Xf4Jnv6vm4lOG5gIkqD1e5UCpG5pDJv MkrpY0lYRr5RGoC29tHZYXfEBVEkdhuU7ZTSQRaoitK5TSwjOj5aKvFSHEjMrCWc GSUajECQkRHwZb3HK2wqqBWrJjjjPtj+5cQg+sKp7Zp6xU3iZlMoVfdYi/zGenum Cp5SMm8CZZ5gcsNZhjItkTww5K//N6Kz41oMYyHlgh029JD0LHPgKacP3KeEEDzS DEx/SSEF4zD/EfLDHehga/n0ZisNmxdxue/BI2Lm7qqGNDtV+qa17pIJ6fPfafbS AKYatwAECwf/SuMkZN36UDsoOn06qIrYi5JBss3sOfheJEnqUIEO0JCpyb+fqisd 
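Review bot: In the @@ -58 hunk of ad_machine_pw_renewal.c the args array grows from 8 to 9 to make room for the optional `--add-samba-data`, but the count is a bare number that has to be kept in step with every `args[c++]` in get_adcli_extra_args(); a named constant for the slot count and an assertion that `c` is still below it before the terminating NULL is stored would catch the next addition that forgets to bump it. The `talloc_strdup()` result in the @@ -70 hunk is stored without a NULL check, matching the neighbouring `talloc_asprintf()` lines, so whatever allocation-failure handling exists further down must cover that slot too.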
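Review bot: The new ad_update_samba_machine_account_password entry in the sssd-ad.5.xml hunk should say what the option does mechanically, namely that sssd passes `--add-samba-data` to adcli so that adcli writes the renewed machine password into Samba's secrets.tdb (the commit message states this, the man page does not), and should note that an adcli build without that option makes the whole renewal invocation fail, leaving neither the keytab nor secrets.tdb updated. Stating, as the commit message does, that this is only needed when Samba authenticates against AD with NTLM (Kerberos can use the system keytab) would stop administrators enabling it by default; keeping the default at false, as the ad_opts.c hunk does, is right.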
qoTJM0G5gFpCvuZOACpzzVv0WjhlMIyPl/7UuP4KYI6LGqAARqNxsHT7FNxT0Uv6 QR8fGPQqVdFLFBd66EBL9PnOt3RDYwtJlD9cMNUNpzWEXjJ3RCk0lZF2eljpPlu0 Or53OuiommnhmcmjxR5gvMf4pLqURhEZ2U0ylRiTiTIk0YyIASsDnAf0BClFXz4i 4qSD6jJloKorRC7Mu87xi1DG4ML+FYC/2d53I8OqHBRhtNUt/GbcthsHDxFq5iVp NxwDAX1vr65PWv98pvTMnJmjIDhfgwJMdIhJBBgRAgAJBQJFw3YAAhsMAAoJEB7G q3Uy57wllOcAoKkHB3lDFWlUNcSLdRCQxfsCCy7zAJ9GLSU2G0HR+hQVMi2ONorE i/EyTA== =nO6v -----END PGP PUBLIC KEY BLOCK----- ++++++ sssd.service ++++++ [Unit] Description=System Security Services Daemon # SSSD must be running before we permit user sessions Before=systemd-user-sessions.service nss-user-lookup.target Wants=nss-user-lookup.target [Service] Environment=DEBUG_LOGGER=--logger=files EnvironmentFile=-/etc/sysconfig/sssd ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} Type=notify NotifyAccess=main PIDFile=/var/run/sssd.pid [Install] WantedBy=multi-user.target
