[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-12 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

alexey-tikhonov commented:
"""
Isn't it required to execute `sss_chain_id_setup()` in all child processes?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-967256421
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[SSSD] [sssd PR#5867][comment] usertools: force local user for sssd process user

2021-11-12 Thread ikerexxe
  URL: https://github.com/SSSD/sssd/pull/5867
Title: #5867: usertools: force local user for sssd process user

ikerexxe commented:
"""
Failure in Debian is not related to my changes. From 
[logs](https://ci-jenkins-csb-sssd.apps.ocp4.prod.psi.redhat.com/job/sssd-ci-ftrivino/job/sssd/view/change-requests/job/PR-5867/lastBuild/consoleText):
```
The following additional packages will be installed:
  fuse
The following NEW packages will be installed:
  fuse sshfs
0 upgraded, 2 newly installed, 0 to remove and 14 not upgraded.
Need to get 118 kB of archives.
After this operation, 268 kB of additional disk space will be used.
Err:1 http://deb.debian.org/debian buster/main amd64 fuse amd64 2.9.9-1+deb10u1
  Temporary failure resolving 'debian.map.fastlydns.net' Temporary failure 
resolving 'deb.debian.org'
Err:2 http://deb.debian.org/debian buster/main amd64 sshfs amd64 2.10+repack-2
  Temporary failure resolving 'debian.map.fastlydns.net' Temporary failure 
resolving 'deb.debian.org'


Stderr from the command:

E: Failed to fetch 
http://deb.debian.org/debian/pool/main/f/fuse/fuse_2.9.9-1+deb10u1_amd64.deb  
Temporary failure resolving 'debian.map.fastlydns.net' Temporary failure 
resolving 'deb.debian.org'
E: Failed to fetch 
http://deb.debian.org/debian/pool/main/s/sshfs-fuse/sshfs_2.10+repack-2_amd64.deb
  Temporary failure resolving 'debian.map.fastlydns.net' Temporary failure 
resolving 'deb.debian.org'
E: Unable to fetch some archives, maybe run apt-get update or try with 
--fix-missing?
```

Moreover, I executed the CI on demand for Debian and it 
[works](https://ci-jenkins-csb-sssd.apps.ocp4.prod.psi.redhat.com/job/sssd-ci-on-demand/14/).
So, @alexey-tikhonov I think you can do another round of reviews.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5867#issuecomment-967226057


[SSSD] [sssd PR#5786][synchronized] Tests: [SSSD-3579]: Skip test test_0018_bz1734040.

2021-11-12 Thread jakub-vavra-cz
   URL: https://github.com/SSSD/sssd/pull/5786
Author: jakub-vavra-cz
 Title: #5786: Tests: [SSSD-3579]: Skip test test_0018_bz1734040.
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5786/head:pr5786
git checkout pr5786
From 4d7189316ea7318deb4d1b1202264594afcdd89d Mon Sep 17 00:00:00 2001
From: Jakub Vavra 
Date: Wed, 15 Sep 2021 12:05:28 +0200
Subject: [PATCH] Tests: [SSSD-3579]: Skip log check in test
 test_0018_bz1734040.

The logging changed significantly in RHEL-9,
skipping log message check as it no longer works.
The test still tests that sssd does not crash on the flow.
---
 src/tests/multihost/ad/test_adparameters.py | 35 +++--
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/src/tests/multihost/ad/test_adparameters.py b/src/tests/multihost/ad/test_adparameters.py
index 2967709229..bda7fe338d 100644
--- a/src/tests/multihost/ad/test_adparameters.py
+++ b/src/tests/multihost/ad/test_adparameters.py
@@ -692,38 +692,41 @@ def test_0017_gssspnego_adjoin(self, multihost):
 multihost.client[0].run_command(remove_pcap)
 assert status == 'PASS'
 
+@staticmethod
 @pytest.mark.tier1
-def test_0018_bz1734040(self, multihost, adjoin):
+def test_0018_bz1734040(multihost, adjoin):
 """
 :title: ad_parameters: sssd crash in ad_get_account_domain_search
 :id: dcca509e-b316-4010-a173-20f541dafd52
 :customerscenario: True
 :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1734040
 """
+distro = multihost.client[0].distro
 adjoin(membersw='adcli')
 client = sssdTools(multihost.client[0])
-domain_name = client.get_domain_section_name()
 client.backup_sssd_conf()
 client.remove_sss_cache('/var/log/sssd')
-sssdcfg = multihost.client[0].get_file_contents(SSSD_DEFAULT_CONF)
-sssdcfg = re.sub(b'ad_domain = %s' % domain_name.encode('utf-8'),
- b'ad_domain = example.com \ndebug_level = 9', sssdcfg)
-multihost.client[0].put_file_contents(SSSD_DEFAULT_CONF, sssdcfg)
+domain_name = client.get_domain_section_name()
+dom_section = 'domain/%s' % domain_name
+sssd_params = {'ad_domain': 'example.com', 'debug_level': '9'}
+client.sssd_conf(dom_section, sssd_params)
+sssd_params = {'enable_files_domain': 'True',
+   'debug_level': '9'}
+client.sssd_conf('sssd', sssd_params)
 client.clear_sssd_cache()
 cmd = multihost.client[0].run_command('getent passwd 0',
   raiseonerr=True)
-if cmd.returncode != 0:
-status = 'FAIL'
-else:
-status = 'PASS'
 time.sleep(10)
 domain_log = '/var/log/sssd/sssd_%s.log' % domain_name
 log = multihost.client[0].get_file_contents(domain_log).decode('utf-8')
-msg = 'Flags\s.0x0001.'
+msg = r'AccountDomain.*Flags\s.0x0001.'
 find = re.compile(r'%s' % msg)
-if not find.search(log):
-status = 'FAIL'
-else:
-status = 'PASS'
+
 client.restore_sssd_conf()
-assert status == 'PASS'
+assert cmd.returncode == 0, "'getent passwd 0' failed!"
+if "Red Hat Enterprise Linux" in distro and " 9." in distro:
+print("Skipping this part of test as logging changed on RHEL 9.")
+# The test is still valid as sssd was crashing on the
+# "getent passwd 0" part before.
+else:
+assert find.search(log), "Expected log record is missing."
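Review bot: with `raiseonerr=True` on the `run_command('getent passwd 0', ...)` call, a non-zero exit raises before `client.restore_sssd_conf()` runs, so the modified sssd.conf is left behind on the client and the later `assert cmd.returncode == 0, "'getent passwd 0' failed!"` can never observe a failing return code. Either pass `raiseonerr=False` so the assertion does the checking, or wrap the body so that `client.restore_sssd_conf()` sits in a `finally:` that also covers the log read. Two smaller points in the same hunk: the domain log is read and the regex compiled even on RHEL 9, where the result is then discarded, so that work can move under the `else:` branch; and `" 9." in distro` is a loose substring match for the major version, so extracting the version number from the release string and comparing it would be more robust.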


[SSSD] [sssd PR#5869][synchronized] Translations update from Weblate

2021-11-12 Thread weblate
   URL: https://github.com/SSSD/sssd/pull/5869
Author: weblate
 Title: #5869: Translations update from Weblate
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5869/head:pr5869
git checkout pr5869
From 5addc727636f4cad4a780597b3c7cc34f82dd456 Mon Sep 17 00:00:00 2001
From: Weblate 
Date: Fri, 12 Nov 2021 13:05:18 +0100
Subject: [PATCH] po: update translations

(Ukrainian) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 13.0% (341 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 30.7% (190 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/
---
 po/ko.po |  1 +
 po/pl.po | 10 +++---
 po/uk.po | 10 +++---
 src/man/po/ko.po | 24 +---
 4 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/po/ko.po b/po/ko.po
index 2887344bd6..55e4dcf29d 100644
--- a/po/ko.po
+++ b/po/ko.po
@@ -773,6 +773,7 @@ msgid ""
 "The amount of time in seconds between lookups of the Desktop Profile rules "
 "against the IPA server"
 msgstr ""
+"IPA 서버에 대응하는 데스크탑 프로파일 규칙의 검색 사이에서 초 단위 시간의 양"
 
 #: src/config/SSSDConfig/sssdoptions.py:241
 msgid ""
diff --git a/po/pl.po b/po/pl.po
index dcc888fcf1..a7c37e8e7c 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -16,7 +16,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
 "POT-Creation-Date: 2021-11-09 16:03+0100\n"
-"PO-Revision-Date: 2021-10-19 14:46+\n"
+"PO-Revision-Date: 2021-11-11 11:34+\n"
 "Last-Translator: Piotr Drąg \n"
 "Language-Team: Polish \n"
@@ -26,7 +26,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
 "|| n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 4.8\n"
+"X-Generator: Weblate 4.8.1\n"
 
 #: src/config/SSSDConfig/sssdoptions.py:20
 #: src/config/SSSDConfig/sssdoptions.py:21
@@ -1977,7 +1977,7 @@ msgstr "Opcja -g jest niezgodna z opcją -D lub -i\n"
 #: src/monitor/monitor.c:2401
 #, c-format
 msgid "Running under %, must be root\n"
-msgstr ""
+msgstr "Uruchamianie jako %, musi być rootem\n"
 
 #: src/monitor/monitor.c:2483
 msgid "SSSD is already running\n"
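Review bot: the `c-format` msgid in this hunk reads `Running under %, must be root\n`, with no conversion character after the `%`. If that is how the string really appears in the .po file rather than a loss in this mail rendering, `msgfmt --check` will reject both the msgid and the new msgstr `Uruchamianie jako %, musi być rootem\n`; if the source carries a real conversion specifier, the translation must carry the identical one. Worth running `msgfmt -c po/pl.po` (and `po/uk.po`, where the same msgid is translated below) before merging.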
@@ -2691,12 +2691,16 @@ msgstr "Podaje poziom debugowania do ustawienia"
 msgid ""
 "NOTE: Tevent chain ID support missing, request analysis will be limited.\n"
 msgstr ""
+"UWAGA: brak obsługi identyfikatora łańcucha tevent, analiza żądań będzie "
+"ograniczona.\n"
 
 #: src/tools/sssctl/sssctl_logs.c:401
 msgid ""
 "It is recommended to use the --logdir option against tevent chain ID "
 "supported SSSD logs.\n"
 msgstr ""
+"Zalecane jest używanie opcji --logdir przy dziennikach SSSD obsługujących "
+"identyfikator łańcucha tevent.\n"
 
 #: src/tools/sssctl/sssctl_user_checks.c:117
 msgid "SSSD InfoPipe user lookup result:\n"
diff --git a/po/uk.po b/po/uk.po
index c394a6418b..9e152e4399 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -16,7 +16,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
 "POT-Creation-Date: 2021-11-09 16:03+0100\n"
-"PO-Revision-Date: 2021-10-20 03:21+\n"
+"PO-Revision-Date: 2021-11-12 12:05+\n"
 "Last-Translator: Yuri Chornoivan \n"
 "Language-Team: Ukrainian \n"
@@ -26,7 +26,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
 "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 4.8\n"
+"X-Generator: Weblate 4.8.1\n"
 
 #: src/config/SSSDConfig/sssdoptions.py:20
 #: src/config/SSSDConfig/sssdoptions.py:21
@@ -2038,7 +2038,7 @@ msgstr "Параметр -g є несумісним із параметрами
 #: src/monitor/monitor.c:2401
 #, c-format
 msgid "Running under %, must be root\n"
-msgstr ""
+msgstr "Запущено від імені %, а має бути від імені root\n"
 
 #: src/monitor/monitor.c:2483
 msgid "SSSD is already running\n"
@@ -2756,12 +2756,16 @@ msgstr "Вкажіть рівень діагностики, яким ви хоч
 msgid ""
 "NOTE: Tevent chain ID support missing, request analysis will be limited.\n"
 msgstr 

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-11-12 Thread ikerexxe
   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 18e8f2a37adbeece5aa3bff671eac7b5d1e8b720 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |   3 +
 src/monitor/monitor.c |   6 +-
 src/providers/ipa/ipa_common.h|   3 +
 src/providers/ipa/ipa_subdomains_server.c |   3 +-
 src/responder/common/responder.h  |   5 +-
 src/responder/common/responder_common.c   |   6 +-
 src/responder/ifp/ifp_private.h   |   4 +
 src/responder/ifp/ifpsrv.c|   2 +-
 src/responder/nss/nss_private.h   |   4 +
 src/responder/nss/nsssrv.c|   4 +-
 src/responder/pac/pacsrv.c|   2 +-
 src/responder/pac/pacsrv.h|   4 +
 src/responder/pam/pamsrv.c|   2 +-
 src/responder/pam/pamsrv.h|   4 +
 src/tests/cwrap/Makefile.am   |   8 +-
 src/tests/cwrap/common_mock_nss_dl_load.c | 115 ++
 src/tests/cwrap/common_mock_nss_dl_load.h |  30 ++
 src/tests/cwrap/test_responder_common.c   |  22 -
 src/tests/cwrap/test_usertools.c  |  41 +++-
 src/tests/responder_socket_access-tests.c |  10 +-
 src/util/usertools.c  |  60 +--
 src/util/usertools_extra.c|  53 ++
 src/util/util.h   |   6 +-
 23 files changed, 365 insertions(+), 32 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/usertools_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..301f6b5800 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1237,6 +1238,7 @@ libsss_util_la_SOURCES = \
 src/util/server.c \
 src/util/signal.c \
 src/util/usertools.c \
+src/util/usertools_extra.c \
 src/util/backup_file.c \
 src/util/strtonum.c \
 src/util/check_and_open.c \
@@ -1265,6 +1267,7 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
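Review bot: `src/util/nss_dl_load.c` is added to `libsss_util_la_SOURCES` here, but it does not appear in the diffstat above (only `usertools_extra.c` and the two cwrap mock files are created), so it must already exist in the tree and be compiled somewhere else today. Check that it is not also listed in another library's sources, otherwise binaries linking both will carry duplicate definitions of the NSS loader symbols. The commit message should also say why the loader moves into libsss_util, presumably so that `sss_user_by_name_or_uid()` can reach it from any process.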
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 55cb0838aa..86ec612600 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -173,6 +173,9 @@ struct mt_ctx {
 /* For running unprivileged services */
 uid_t uid;
 gid_t gid;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 static int start_service(struct mt_svc *mt_svc);
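Review bot: `struct sss_nss_ops` is now embedded in `struct mt_ctx`, but this hunk shows no matching `#include` for the header that declares it in monitor.c; if it only arrives transitively through an existing include, that is fragile and worth making explicit. The `/* Dynamic library load */` comment would also be more useful if it named what the handle is for (per the commit message, resolving the sssd process user from the local files database only).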
@@ -882,7 +885,8 @@ static int get_service_user(struct mt_ctx *ctx)
 return ret;
 }
 
-ret = sss_user_by_name_or_uid(user_str, >uid, >gid);
+
+ret = sss_user_by_name_or_uid(>ops, user_str, >uid, >gid);
 talloc_free(user_str);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
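Review bot: the added empty `+` line before the `sss_user_by_name_or_uid()` call is stray whitespace and should be dropped. More importantly, nothing in this hunk initialises the `ops` struct before it is passed in: if `sss_user_by_name_or_uid()` is meant to load the NSS module lazily when the struct is zeroed, say so in its doc comment, otherwise the monitor needs an explicit load step before `get_service_user()` and a matching unload on teardown. The `"Failed to set allowed UIDs.\n"` message on the error path no longer describes what failed here (resolving the service user) and is worth updating while the line is touched.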
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index eb0eda8eb1..034af39efc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -208,6 +208,9 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 struct ipa_options {
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index deb2c2ceec..d355ccf25a 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -1195,7 +1195,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 /* We need to handle keytabs created by IPA oddjob script gracefully
  * even if we're running as root and IPA creates them as the SSSD user
  */
-ret = sss_user_by_name_or_uid(SSSD_USER,
+ret = sss_user_by_name_or_uid(_ctx->ops,
+  SSSD_USER,