44f86b import sssd-1.16.5-10.el7_9.8

Authored and Committed by centosrcm 3 years ago
    import sssd-1.16.5-10.el7_9.8
    
        
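--- a/SOURCES/0062-UTIL-find_domain_by_object_name_ex-changed-log-level.patch
+++ b/SOURCES/0062-UTIL-find_domain_by_object_name_ex-changed-log-level.patch
@@ -0,0 +1,36 @@
+From ba06302d262aa3571620455fafadb43aaa93139e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Tue, 15 Dec 2020 18:47:25 +0100
+Subject: [PATCH] UTIL: find_domain_by_object_name_ex() changed log level
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It's up to user of this function to judge if fail to parse fqname is
+a critical error.
+
+Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit bd2f38abe95645b9b16b12d12dac6008b0d2a03b)
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+src/util/domain_info_utils.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index 71dfcba02..5a374074b 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -207,7 +207,7 @@ find_domain_by_object_name_ex(struct sss_domain_info *domain,
+ret = sss_parse_internal_fqname(tmp_ctx, object_name,
+NULL, &domainname);
+if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
++ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
+object_name, ret, sss_strerror(ret));
+goto done;
+}
+--
+2.26.3
+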
SOURCES/0063-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch ADDED
@@ -0,0 +1,122 @@
1
+ From 73f35e5e6836c3d63cfdc4d85dfbfed99f0bcf5a Mon Sep 17 00:00:00 2001
2
+ From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
3
+ Date: Fri, 29 Jan 2021 12:41:28 +0100
4
+ Subject: [PATCH] sudo: do not search by low usn value to improve performance
5
+
6
+ This is a follow up on these two commits.
7
+
8
+ - 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
9
+ - 6815844daa7701c76e31addbbdff74656cd30bea
10
+
11
+ The first one improved the search filter little bit to achieve better
12
+ performance, however it also changed the behavior: we started to search
13
+ for `usn >= 1` in the filter if no usn number was known.
14
+
15
+ This caused issues on OpenLDAP server which was fixed by the second patch.
16
+ However, the fix was wrong and searching by this meaningfully low number
17
+ can cause performance issues depending on how the filter is optimized and
18
+ evaluated on the server.
19
+
20
+ Now we omit the usn attribute from the filter if there is no meaningful value.
21
+
22
+ How to test:
23
+ 1. Setup LDAP with no sudo rules defined
24
+ 2. Make sure that the LDAP server does not support USN or use the following diff
25
+ to enforce modifyTimestamp (last USN is always available from rootDSE)
26
+ ```diff
27
+
28
+ Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
29
+ (cherry picked from commit b100efbfabd96dcfb2825777b75b9a9dfaacb937)
30
+ ---
31
+ src/providers/ldap/sdap.c | 4 ++--
32
+ src/providers/ldap/sdap_sudo_refresh.c | 6 ++++--
33
+ src/providers/ldap/sdap_sudo_shared.c | 21 ++++++---------------
34
+ 3 files changed, 12 insertions(+), 19 deletions(-)
35
+
36
+ diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
37
+ index a1a00df56..0413930bc 100644
38
+ --- a/src/providers/ldap/sdap.c
39
+ +++ b/src/providers/ldap/sdap.c
40
+ @@ -1322,7 +1322,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
41
+ last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
42
+ entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
43
+ if (rootdse) {
44
+ - if (last_usn_name) {
45
+ + if (false) {
46
+ ret = sysdb_attrs_get_string(rootdse,
47
+ last_usn_name, &last_usn_value);
48
+ if (ret != EOK) {
49
+ @@ -1431,7 +1431,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
50
+ }
51
+ }
52
+
53
+ - if (!last_usn_name) {
54
+ + if (true) {
55
+ DEBUG(SSSDBG_FUNC_DATA,
56
+ "No known USN scheme is supported by this server!\n");
57
+ if (!entry_usn_name) {
58
+ diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
59
+ index 5c72c6ec5..fd5deeb7a 100644
60
+ --- a/src/providers/ldap/sdap_sudo_refresh.c
61
+ +++ b/src/providers/ldap/sdap_sudo_refresh.c
62
+ @@ -181,8 +181,10 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
63
+ state->sysdb = id_ctx->be->domain->sysdb;
64
+
65
+ /* Download all rules from LDAP that are newer than usn */
66
+ - if (srv_opts == NULL || srv_opts->max_sudo_value == 0) {
67
+ - DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n");
68
+ + if (srv_opts == NULL || srv_opts->max_sudo_value == NULL
69
+ + || strcmp(srv_opts->max_sudo_value, "0") == 0) {
70
+ + DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero and "
71
+ + "omitting it from the filter.\n");
72
+ usn = "0";
73
+ search_filter = talloc_asprintf(state, "(%s=%s)",
74
+ map[SDAP_AT_SUDO_OC].name,
75
+ diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
76
+ index bd3a24da0..5f6afb1ac 100644
77
+ --- a/src/providers/ldap/sdap_sudo_shared.c
78
+ +++ b/src/providers/ldap/sdap_sudo_shared.c
79
+ @@ -127,25 +127,17 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
80
+ static char *
81
+ sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
82
+ unsigned long usn,
83
+ - const char *leftover,
84
+ - bool supports_usn)
85
+ + const char *leftover)
86
+ {
87
+ const char *str = leftover == NULL ? "" : leftover;
88
+ char *newusn;
89
+
90
+ - /* This is a fresh start and server uses modifyTimestamp. We need to
91
+ - * provide proper datetime value. */
92
+ - if (!supports_usn && usn == 0) {
93
+ - newusn = talloc_strdup(mem_ctx, "00000101000000Z");
94
+ - if (newusn == NULL) {
95
+ - DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
96
+ - return NULL;
97
+ - }
98
+ -
99
+ - return newusn;
100
+ + /* Current largest USN is unknown so we keep "0" to indicate it. */
101
+ + if (usn == 0) {
102
+ + return talloc_strdup(mem_ctx, "0");
103
+ }
104
+
105
+ - /* We increment USN number so that we can later use simplify filter
106
+ + /* We increment USN number so that we can later use simplified filter
107
+ * (just usn >= last+1 instead of usn >= last && usn != last).
108
+ */
109
+ usn++;
110
+ @@ -217,8 +209,7 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
111
+ srv_opts->last_usn = usn_number;
112
+ }
113
+
114
+ - newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone,
115
+ - srv_opts->supports_usn);
116
+ + newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone);
117
+ if (newusn == NULL) {
118
+ return;
119
+ }
120
+ --
121
+ 2.26.3
122
+
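Review bot: The sdap.c hunk of this patch replaces `if (last_usn_name)` with `if (false)` and `if (!last_usn_name)` with `if (true)`, which disables rootDSE USN detection for every server and forces the "No known USN scheme" path regardless of what the server advertises; that is the testing aid the commit message alludes to, not part of the described fix. Patch 0064 in this same import reverts exactly these two lines, so the built package is unaffected, but carrying the broken state in the series means that a bisect or a partial backport stopping at 0063 silently turns every sudo smart refresh into a full rule download on every server; folding 0064 into 0063, or dropping the sdap.c hunk from 0063, avoids that. sdap_get_server_opts_from_rootdse() starts and ends outside the hunk.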
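--- a/SOURCES/0064-ldap-fix-modifytimestamp-debugging-leftovers.patch
+++ b/SOURCES/0064-ldap-fix-modifytimestamp-debugging-leftovers.patch
@@ -0,0 +1,36 @@
+From b816fa19ec6be3c5eb183d1caa03f0153538e2ac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 12 Feb 2021 15:30:59 +0100
+Subject: [PATCH] ldap: fix modifytimestamp debugging leftovers
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 75343ff575f05a69750a6482de9abc29d85100bf)
+---
+src/providers/ldap/sdap.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
+index 0413930bc..a1a00df56 100644
+--- a/src/providers/ldap/sdap.c
++++ b/src/providers/ldap/sdap.c
+@@ -1322,7 +1322,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
+last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
+entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
+if (rootdse) {
+- if (false) {
++ if (last_usn_name) {
+ret = sysdb_attrs_get_string(rootdse,
+last_usn_name, &last_usn_value);
+if (ret != EOK) {
+@@ -1431,7 +1431,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
+}
+}
+
+- if (true) {
++ if (!last_usn_name) {
+DEBUG(SSSDBG_FUNC_DATA,
+"No known USN scheme is supported by this server!\n");
+if (!entry_usn_name) {
+--
+2.26.3
+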
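--- a/SOURCES/0065-sss_domain_info-add-not_found_counter.patch
+++ b/SOURCES/0065-sss_domain_info-add-not_found_counter.patch
@@ -0,0 +1,67 @@
+From f511e73867f22fff9d0867b07013accb4f44cb1f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 14 Apr 2021 17:22:06 +0200
+Subject: [PATCH 65/66] sss_domain_info: add not_found_counter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This new counter should be used to track how often a domain could not be
+found while discovering the environment so that it can be deleted after
+a number of failed attempts.
+
+Resolves: https://github.com/SSSD/sssd/issues/5528
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 5d65411f1aa16af929ae2271ee4d3d9101728a67 with changes)
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/confdb/confdb.c | 1 +
+src/confdb/confdb.h | 4 ++++
+src/db/sysdb_subdomains.c | 2 ++
+3 files changed, 7 insertions(+)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index 97de6d3b1..a33f352e7 100644
+--- a/src/confdb/confdb.c
++++ b/src/confdb/confdb.c
+@@ -1474,6 +1474,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
+domain->view_name = NULL;
+
+domain->state = DOM_ACTIVE;
++ domain->not_found_counter = 0;
+
+*_domain = domain;
+ret = EOK;
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index b0d52ba49..a1ac676a6 100644
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -406,6 +406,10 @@ struct sss_domain_info {
+/* Do not use the _output_fqnames property directly in new code, but rather
+* use sss_domain_info_{get,set}_output_fqnames(). */
+bool output_fqnames;
++
++ /* Counts how often the domain was not found during a refresh of the
++ * domain list */
++ size_t not_found_counter;
+};
+
+/**
+diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
+index ee3c7f1aa..cbb11342e 100644
+--- a/src/db/sysdb_subdomains.c
++++ b/src/db/sysdb_subdomains.c
+@@ -171,6 +171,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
+dom->homedir_substr = parent->homedir_substr;
+dom->override_gid = parent->override_gid;
+
++ dom->not_found_counter = 0;
++
+if (parent->sysdb == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
+goto fail;
+--
+2.26.3
+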
SOURCES/0066-AD-read-trusted-domains-from-local-domain-as-well.patch ADDED
@@ -0,0 +1,244 @@
1
+ From 2519d5ea3757862bebc17d73d74c7e5c57bdc815 Mon Sep 17 00:00:00 2001
2
+ From: Sumit Bose <sbose@redhat.com>
3
+ Date: Tue, 16 Feb 2021 14:30:55 +0100
4
+ Subject: [PATCH 66/66] AD: read trusted domains from local domain as well
5
+ MIME-Version: 1.0
6
+ Content-Type: text/plain; charset=UTF-8
7
+ Content-Transfer-Encoding: 8bit
8
+
9
+ Currently SSSD only uses information stored in a domain controller of
10
+ the forest root domain to get the names of other trusted domains in the
11
+ forest. Depending on how the forest was created the forest root might
12
+ not have LDAP objects for all domains in the forest. It looks like a
13
+ typical case are child domains of other domains in the forest.
14
+
15
+ As a start SSSD can now include trusted domains stored in the LDAP tree
16
+ of a local domain controller as well. In a long run it would make sense
17
+ to allow SSSD to explicitly search for domain by looking up DNS entries
18
+ and checking a potential domain controller with a CLDAP ping.
19
+
20
+ Resolves: https://github.com/SSSD/sssd/issues/5528
21
+
22
+ :feature: Besides trusted domains known by the forest root, trusted
23
+ domains known by the local domain are used as well.
24
+
25
+ Reviewed-by: Pavel Březina <pbrezina@redhat.com>
26
+ (cherry picked from commit 95adf488f94f5968f6cfba9e3bef74c07c02ccff)
27
+
28
+ Reviewed-by: Pavel Březina <pbrezina@redhat.com>
29
+ ---
30
+ src/providers/ad/ad_subdomains.c | 105 +++++++++++++++++++++++++------
31
+ 1 file changed, 86 insertions(+), 19 deletions(-)
32
+
33
+ diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
34
+ index ba4efe975..16aecbc64 100644
35
+ --- a/src/providers/ad/ad_subdomains.c
36
+ +++ b/src/providers/ad/ad_subdomains.c
37
+ @@ -45,6 +45,7 @@
38
+ #define AD_AT_TRUST_TYPE "trustType"
39
+ #define AD_AT_TRUST_PARTNER "trustPartner"
40
+ #define AD_AT_TRUST_ATTRS "trustAttributes"
41
+ +#define AD_AT_DOMAIN_NAME "cn"
42
+
43
+ /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
44
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
45
+ @@ -56,7 +57,6 @@
46
+ */
47
+ #define SLAVE_DOMAIN_FILTER_BASE "(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))"
48
+ #define SLAVE_DOMAIN_FILTER "(&"SLAVE_DOMAIN_FILTER_BASE")"
49
+ -#define FOREST_ROOT_FILTER_FMT "(&"SLAVE_DOMAIN_FILTER_BASE"(cn=%s))"
50
+
51
+ /* Attributes of schema objects. See e.g.
52
+ * https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes
53
+ @@ -646,6 +646,10 @@ done:
54
+ return ret;
55
+ }
56
+
57
+ +/* How many times we keep a domain not found during searches before it will be
58
+ + * removed. */
59
+ +#define MAX_NOT_FOUND 6
60
+ +
61
+ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
62
+ struct sdap_idmap_ctx *idmap_ctx,
63
+ struct sdap_options *opts,
64
+ @@ -706,6 +710,25 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
65
+ }
66
+
67
+ if (c >= num_subdomains) {
68
+ + DEBUG(SSSDBG_CONF_SETTINGS, "Domain [%s] not in current list.\n",
69
+ + dom->name);
70
+ + /* Since the forest root might not have trustedDomain objects for
71
+ + * each domain in the forest, especially e.g. for child-domains of
72
+ + * child-domains, we cannot reliable say if a domain is still
73
+ + * present or not.
74
+ + * Maybe it would work to check the crossRef objects in
75
+ + * CN=Partitions,CN=Configuration as well to understand if a
76
+ + * domain is still known in the forest or not.
77
+ + * For the time being we use a counter, if a domain was not found
78
+ + * after multiple attempts it will be deleted. */
79
+ +
80
+ + if (dom->not_found_counter++ < MAX_NOT_FOUND) {
81
+ + DEBUG(SSSDBG_TRACE_ALL,
82
+ + "Domain [%s] was not found [%zu] times.\n", dom->name,
83
+ + dom->not_found_counter);
84
+ + continue;
85
+ + }
86
+ +
87
+ /* ok this subdomain does not exist anymore, let's clean up */
88
+ sss_domain_set_state(dom, DOM_DISABLED);
89
+
90
+ @@ -743,6 +766,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
91
+ /* terminate all requests for this subdomain so we can free it */
92
+ dp_terminate_domain_requests(be_ctx->provider, dom->name);
93
+ talloc_zfree(sdom);
94
+ +
95
+ } else {
96
+ /* ok let's try to update it */
97
+ ret = ad_subdom_enumerates(domain, subdomains[c], &enumerate);
98
+ @@ -750,6 +774,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
99
+ goto done;
100
+ }
101
+
102
+ + dom->not_found_counter = 0;
103
+ ret = ad_subdom_store(be_ctx->cdb, idmap_ctx, domain,
104
+ subdomains[c], enumerate);
105
+ if (ret) {
106
+ @@ -1310,10 +1335,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
107
+ struct tevent_req *req;
108
+ struct sdap_options *opts;
109
+ errno_t ret;
110
+ - const char *filter;
111
+ const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
112
+ AD_AT_SID, AD_AT_TRUST_TYPE,
113
+ - AD_AT_TRUST_ATTRS, NULL };
114
+ + AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
115
+
116
+ req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
117
+ if (req == NULL) {
118
+ @@ -1338,15 +1362,10 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
119
+ state->domain = domain;
120
+ state->forest = forest;
121
+
122
+ - filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
123
+ - if (filter == NULL) {
124
+ - ret = ENOMEM;
125
+ - goto immediately;
126
+ - }
127
+ -
128
+ subreq = sdap_search_bases_return_first_send(state, ev, opts, sh,
129
+ opts->sdom->search_bases,
130
+ - NULL, false, 0, filter, attrs,
131
+ + NULL, false, 0,
132
+ + SLAVE_DOMAIN_FILTER, attrs,
133
+ NULL);
134
+ if (subreq == NULL) {
135
+ ret = ENOMEM;
136
+ @@ -1368,11 +1387,33 @@ immediately:
137
+ return req;
138
+ }
139
+
140
+ +static struct sysdb_attrs *find_domain(size_t count, struct sysdb_attrs **reply,
141
+ + const char *dom_name)
142
+ +{
143
+ + size_t c;
144
+ + const char *name;
145
+ + int ret;
146
+ +
147
+ + for (c = 0; c < count; c++) {
148
+ + ret = sysdb_attrs_get_string(reply[c], AD_AT_DOMAIN_NAME, &name);
149
+ + if (ret != EOK) {
150
+ + DEBUG(SSSDBG_OP_FAILURE, "Failed to find domain name, skipping");
151
+ + continue;
152
+ + }
153
+ + if (strcasecmp(name, dom_name) == 0) {
154
+ + return reply[c];
155
+ + }
156
+ + }
157
+ +
158
+ + return NULL;
159
+ +}
160
+ +
161
+ static void ad_get_root_domain_done(struct tevent_req *subreq)
162
+ {
163
+ struct tevent_req *req;
164
+ struct ad_get_root_domain_state *state;
165
+ errno_t ret;
166
+ + bool has_changes = false;
167
+
168
+ req = tevent_req_callback_data(subreq, struct tevent_req);
169
+ state = tevent_req_data(req, struct ad_get_root_domain_state);
170
+ @@ -1387,7 +1428,37 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
171
+ goto done;
172
+ }
173
+
174
+ - if (state->reply_count == 0) {
175
+ + find_domain(state->reply_count, state->reply, state->forest);
176
+ +
177
+ + if (state->reply_count == 0
178
+ + || find_domain(state->reply_count, state->reply,
179
+ + state->forest) == NULL) {
180
+ +
181
+ + if (state->reply_count > 0) {
182
+ + /* refresh the other domains we have found before checking forest
183
+ + * root */
184
+ + ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx,
185
+ + state->opts,
186
+ + state->reply, state->reply_count, false,
187
+ + &state->sd_ctx->last_refreshed,
188
+ + &has_changes);
189
+ + if (ret != EOK) {
190
+ + DEBUG(SSSDBG_OP_FAILURE,
191
+ + "ad_subdomains_refresh failed [%d]: %s\n",
192
+ + ret, sss_strerror(ret));
193
+ + goto done;
194
+ + }
195
+ +
196
+ + if (has_changes) {
197
+ + ret = ad_subdom_reinit(state->sd_ctx);
198
+ + if (ret != EOK) {
199
+ + DEBUG(SSSDBG_OP_FAILURE,
200
+ + "Could not reinitialize subdomains\n");
201
+ + goto done;
202
+ + }
203
+ + }
204
+ + }
205
+ +
206
+ DEBUG(SSSDBG_OP_FAILURE,
207
+ "No information provided for root domain, trying directly.\n");
208
+ subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
209
+ @@ -1400,11 +1471,6 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
210
+ }
211
+ tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
212
+ return;
213
+ - } else if (state->reply_count > 1) {
214
+ - DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
215
+ - "domain list might be incomplete!\n");
216
+ - ret = ERR_MALFORMED_ENTRY;
217
+ - goto done;
218
+ }
219
+
220
+ ret = ad_get_root_domain_refresh(state);
221
+ @@ -1522,7 +1588,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
222
+ errno_t ret;
223
+
224
+ ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
225
+ - state->reply, state->reply_count, true,
226
+ + state->reply, state->reply_count, false,
227
+ &state->sd_ctx->last_refreshed,
228
+ &has_changes);
229
+ if (ret != EOK) {
230
+ @@ -1539,8 +1605,9 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
231
+ }
232
+ }
233
+
234
+ - state->root_domain_attrs = state->reply[0];
235
+ - root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
236
+ + state->root_domain_attrs = find_domain(state->reply_count, state->reply,
237
+ + state->forest);
238
+ + root_domain = ads_get_root_domain(state->be_ctx, state->root_domain_attrs);
239
+ if (root_domain == NULL) {
240
+ DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
241
+ ret = EFAULT;
242
+ --
243
+ 2.26.3
244
+
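Review bot: With the new not_found_counter logic in ad_subdomains_refresh(), a subdomain whose trustedDomain object has disappeared (a removed or revoked trust) stays DOM_ACTIVE for MAX_NOT_FOUND consecutive refreshes before it is disabled, and the only record of that is a SSSDBG_TRACE_ALL message, so an administrator who removed a trust cannot see from default logs why the domain is still listed on the client; the retention is a deliberate trade-off for forests whose root lacks objects for grandchild domains, but it should be stated next to `#define MAX_NOT_FOUND 6`, e.g. `/* NOTE: a domain whose trust has been removed remains active for up to this many refresh cycles before it is disabled. */`, and the "was not found [%zu] times" message logged at SSSDBG_CONF_SETTINGS like the line above it. Separately, in ad_get_root_domain_done() the bare statement `find_domain(state->reply_count, state->reply, state->forest);` just before the `if` discards its result and duplicates the call inside the condition, so it should be deleted. The DEBUG in the new find_domain() helper, `"Failed to find domain name, skipping"`, is missing its trailing `\n`. ad_subdomains_refresh() and ad_get_root_domain_done() both start outside their hunks.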
SOURCES/0067-negcache-use-right-domain-in-nss_protocol_fill_initg.patch ADDED
@@ -0,0 +1,107 @@
1
+ From 48f27f74c9a9d5aebf8d2be941dfb282578ba9ba Mon Sep 17 00:00:00 2001
2
+ From: Sumit Bose <sbose@redhat.com>
3
+ Date: Fri, 12 Mar 2021 14:38:54 +0100
4
+ Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr()
5
+
6
+ When checking if a group returned by an initgroups request is filtered
7
+ in the negative cache the domain of the user was used. This does not
8
+ work reliable if the user can be a member of groups from multiple
9
+ domains.
10
+
11
+ With this patch th domain the group belongs to is determined and used
12
+ while checking the negative cache.
13
+
14
+ Resolves: https://github.com/SSSD/sssd/issues/5534
15
+ (cherry picked from commit 231d1118727b989a4af9911a45a465912fe659d6 with changes)
16
+
17
+ Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
18
+ ---
19
+ src/db/sysdb.c | 22 ++++++++++++++++++++++
20
+ src/db/sysdb.h | 7 +++++++
21
+ src/responder/nss/nss_protocol_grent.c | 8 +++++---
22
+ 3 files changed, 34 insertions(+), 3 deletions(-)
23
+
24
+ diff --git a/src/db/sysdb.c b/src/db/sysdb.c
25
+ index 279bd5839..f9929c7ba 100644
26
+ --- a/src/db/sysdb.c
27
+ +++ b/src/db/sysdb.c
28
+ @@ -1978,3 +1978,25 @@ done:
29
+ talloc_free(tmp_ctx);
30
+ return differs;
31
+ }
32
+ +
33
+ +struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
34
+ + struct ldb_message *msg)
35
+ +{
36
+ + const char *name;
37
+ + struct sss_domain_info *obj_dom = NULL;
38
+ +
39
+ + name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
40
+ + if (name == NULL) {
41
+ + DEBUG(SSSDBG_OP_FAILURE,
42
+ + "Object does not have a name attribute.\n");
43
+ + return dom;
44
+ + }
45
+ +
46
+ + obj_dom = find_domain_by_object_name(get_domains_head(dom), name);
47
+ + if (obj_dom == NULL) {
48
+ + DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name);
49
+ + return dom;
50
+ + }
51
+ +
52
+ + return obj_dom;
53
+ +}
54
+ diff --git a/src/db/sysdb.h b/src/db/sysdb.h
55
+ index 679763bad..d47099eff 100644
56
+ --- a/src/db/sysdb.h
57
+ +++ b/src/db/sysdb.h
58
+ @@ -1505,4 +1505,11 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
59
+ struct sysdb_attrs *dest_attrs,
60
+ const char *dest_name);
61
+
62
+ +/* Try to detect the object domain from the object's SYSDB_NAME attribute and
63
+ + * return the matching sss_domain_info. This should work reliable with user
64
+ + * and group objects since fully-qualified names are used here. If the proper
65
+ + * domain cannot be detected the given domain is returned. */
66
+ +struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
67
+ + struct ldb_message *msg);
68
+ +
69
+ #endif /* __SYS_DB_H__ */
70
+ diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
71
+ index 4c7ea9aed..e4494826a 100644
72
+ --- a/src/responder/nss/nss_protocol_grent.c
73
+ +++ b/src/responder/nss/nss_protocol_grent.c
74
+ @@ -343,6 +343,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
75
+ struct cache_req_result *result)
76
+ {
77
+ struct sss_domain_info *domain;
78
+ + struct sss_domain_info *grp_dom;
79
+ struct ldb_message *user;
80
+ struct ldb_message *msg;
81
+ struct ldb_message *primary_group_msg;
82
+ @@ -400,10 +401,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
83
+ num_results = 0;
84
+ for (i = 1; i < result->count; i++) {
85
+ msg = result->msgs[i];
86
+ - gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
87
+ + grp_dom = find_domain_by_msg(domain, msg);
88
+ + gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM,
89
+ 0);
90
+ posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
91
+ - grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
92
+ + grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME,
93
+ NULL);
94
+
95
+ if (gid == 0) {
96
+ @@ -417,7 +419,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
97
+ }
98
+ }
99
+
100
+ - if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
101
+ + if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) {
102
+ continue;
103
+ }
104
+
105
+ --
106
+ 2.26.3
107
+
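Review bot: find_domain_by_msg() returns the caller's `dom` on both failure paths (no SYSDB_NAME, or no domain matching the name), so in nss_protocol_fill_initgr() a group whose stored name has no resolvable domain component silently falls back to the user's domain for the is_group_filtered() check, which is the very cross-domain mismatch this patch fixes; that fallback is reasonable, but the call site should say so, e.g. `/* Falls back to the user's domain when the group's own domain cannot be determined from its name. */` above `grp_dom = find_domain_by_msg(domain, msg);`. The header comment added to sysdb.h reads "This should work reliable" and should say "reliably". nss_protocol_fill_initgr() starts and ends outside the hunks.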
SOURCES/0068-ldap-retry-ldap_install_tls-when-watchdog-interrupti.patch ADDED
@@ -0,0 +1,180 @@
1
+ From ee16c609497f29731c5a590821d27d0db0ffc91f Mon Sep 17 00:00:00 2001
2
+ From: Iker Pedrosa <ipedrosa@redhat.com>
3
+ Date: Wed, 3 Mar 2021 15:34:49 +0100
4
+ Subject: [PATCH] ldap: retry ldap_install_tls() when watchdog interruption
5
+ MIME-Version: 1.0
6
+ Content-Type: text/plain; charset=UTF-8
7
+ Content-Transfer-Encoding: 8bit
8
+
9
+ When the call to ldap_install_tls() fails because the watchdog
10
+ interrupted it, retry it. The watchdog interruption is detected by
11
+ checking the value of the ticks before and after the call to
12
+ ldap_install_tls().
13
+
14
+ Resolves: https://github.com/SSSD/sssd/issues/5531
15
+
16
+ Reviewed-by: Pavel Březina <pbrezina@redhat.com>
17
+ ---
18
+ src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++++++-
19
+ src/util/sss_ldap.c | 12 ++++++++++
20
+ src/util/util.h | 1 +
21
+ src/util/util_errors.c | 3 +++
22
+ src/util/util_errors.h | 3 +++
23
+ src/util/util_watchdog.c | 5 ++++
24
+ 6 files changed, 50 insertions(+), 1 deletion(-)
25
+
26
+ diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
27
+ index afa31ea0f..db963044e 100644
28
+ --- a/src/providers/ldap/sdap_async_connection.c
29
+ +++ b/src/providers/ldap/sdap_async_connection.c
30
+ @@ -30,6 +30,8 @@
31
+ #include "providers/ldap/sdap_async_private.h"
32
+ #include "providers/ldap/ldap_common.h"
33
+
34
+ +#define MAX_RETRY_ATTEMPTS 1
35
+ +
36
+ /* ==Connect-to-LDAP-Server=============================================== */
37
+
38
+ struct sdap_rebind_proc_params {
39
+ @@ -1447,6 +1449,8 @@ struct sdap_cli_connect_state {
40
+ enum connect_tls force_tls;
41
+ bool do_auth;
42
+ bool use_tls;
43
+ +
44
+ + int retry_attempts;
45
+ };
46
+
47
+ static int sdap_cli_resolve_next(struct tevent_req *req);
48
+ @@ -1599,16 +1603,37 @@ static void sdap_cli_connect_done(struct tevent_req *subreq)
49
+ talloc_zfree(state->sh);
50
+ ret = sdap_connect_recv(subreq, state, &state->sh);
51
+ talloc_zfree(subreq);
52
+ - if (ret) {
53
+ + if (ret == ERR_TLS_HANDSHAKE_INTERRUPTED &&
54
+ + state->retry_attempts < MAX_RETRY_ATTEMPTS) {
55
+ + DEBUG(SSSDBG_OP_FAILURE,
56
+ + "TLS handshake was interruped, provider will retry\n");
57
+ + state->retry_attempts++;
58
+ + subreq = sdap_connect_send(state, state->ev, state->opts,
59
+ + state->service->uri,
60
+ + state->service->sockaddr,
61
+ + state->use_tls);
62
+ +
63
+ + if (!subreq) {
64
+ + tevent_req_error(req, ENOMEM);
65
+ + return;
66
+ + }
67
+ +
68
+ + tevent_req_set_callback(subreq, sdap_cli_connect_done, req);
69
+ + return;
70
+ + } else if (ret != EOK) {
71
+ + state->retry_attempts = 0;
72
+ /* retry another server */
73
+ be_fo_set_port_status(state->be, state->service->name,
74
+ state->srv, PORT_NOT_WORKING);
75
+ +
76
+ ret = sdap_cli_resolve_next(req);
77
+ if (ret != EOK) {
78
+ tevent_req_error(req, ret);
79
+ }
80
+ +
81
+ return;
82
+ }
83
+ + state->retry_attempts = 0;
84
+
85
+ if (state->use_rootdse) {
86
+ /* fetch the rootDSE this time */
87
+ diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c
88
+ index 9d1e95217..652b08ea7 100644
89
+ --- a/src/util/sss_ldap.c
90
+ +++ b/src/util/sss_ldap.c
91
+ @@ -234,6 +234,8 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)
92
+ int ret;
93
+ int lret;
94
+ int optret;
95
+ + int ticks_before_install;
96
+ + int ticks_after_install;
97
+
98
+ ret = sssd_async_socket_init_recv(subreq, &state->sd);
99
+ talloc_zfree(subreq);
100
+ @@ -261,7 +263,9 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)
101
+ }
102
+
103
+ if (ldap_is_ldaps_url(state->uri)) {
104
+ + ticks_before_install = get_watchdog_ticks();
105
+ lret = ldap_install_tls(state->ldap);
106
+ + ticks_after_install = get_watchdog_ticks();
107
+ if (lret != LDAP_SUCCESS) {
108
+ if (lret == LDAP_LOCAL_ERROR) {
109
+ DEBUG(SSSDBG_FUNC_DATA, "TLS/SSL already in place.\n");
110
+ @@ -283,6 +287,14 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)
111
+ "Check for certificate issues.");
112
+ }
113
+
114
+ + if (ticks_after_install > ticks_before_install) {
115
+ + ret = ERR_TLS_HANDSHAKE_INTERRUPTED;
116
+ + DEBUG(SSSDBG_CRIT_FAILURE,
117
+ + "Assuming %s\n",
118
+ + sss_ldap_err2string(ret));
119
+ + goto fail;
120
+ + }
121
+ +
122
+ ret = EIO;
123
+ goto fail;
124
+ }
125
+ diff --git a/src/util/util.h b/src/util/util.h
126
+ index 486394448..94c2e6e3b 100644
127
+ --- a/src/util/util.h
128
+ +++ b/src/util/util.h
129
+ @@ -737,6 +737,7 @@ int sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl);
130
+ /* from util_watchdog.c */
131
+ int setup_watchdog(struct tevent_context *ev, int interval);
132
+ void teardown_watchdog(void);
133
+ +int get_watchdog_ticks(void);
134
+
135
+ /* from files.c */
136
+ int sss_remove_tree(const char *root);
137
+ diff --git a/src/util/util_errors.c b/src/util/util_errors.c
138
+ index c35a99a54..0eeaa346c 100644
139
+ --- a/src/util/util_errors.c
140
+ +++ b/src/util/util_errors.c
141
+ @@ -121,6 +121,9 @@ struct err_string error_to_str[] = {
142
+ { "The last GetAccountDomain() result is still valid" }, /* ERR_GET_ACCT_DOM_CACHED */
143
+ { "ID is outside the allowed range" }, /* ERR_ID_OUTSIDE_RANGE */
144
+ { "Group ID is duplicated" }, /* ERR_GID_DUPLICATED */
145
+ +
146
+ + { "TLS handshake was interrupted"}, /* ERR_TLS_HANDSHAKE_INTERRUPTED */
147
+ +
148
+ { "ERR_LAST" } /* ERR_LAST */
149
+ };
150
+
151
+ diff --git a/src/util/util_errors.h b/src/util/util_errors.h
152
+ index 470f62f9e..366b75650 100644
153
+ --- a/src/util/util_errors.h
154
+ +++ b/src/util/util_errors.h
155
+ @@ -143,6 +143,9 @@ enum sssd_errors {
156
+ ERR_GET_ACCT_DOM_CACHED,
157
+ ERR_ID_OUTSIDE_RANGE,
158
+ ERR_GID_DUPLICATED,
159
+ +
160
+ + ERR_TLS_HANDSHAKE_INTERRUPTED,
161
+ +
162
+ ERR_LAST /* ALWAYS LAST */
163
+ };
164
+
165
+ diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
166
+ index 69160fbdf..7642bfd53 100644
167
+ --- a/src/util/util_watchdog.c
168
+ +++ b/src/util/util_watchdog.c
169
+ @@ -259,3 +259,8 @@ void teardown_watchdog(void)
170
+ /* and kill the watchdog event */
171
+ talloc_free(watchdog_ctx.te);
172
+ }
173
+ +
174
+ +int get_watchdog_ticks(void)
175
+ +{
176
+ + return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
177
+ +}
178
+ --
179
+ 2.26.3
180
+
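Review bot: The interruption test in sss_ldap_init_sys_connect_done(), `if (ticks_after_install > ticks_before_install)`, reclassifies any ldap_install_tls() failure that merely straddles a watchdog tick as ERR_TLS_HANDSHAKE_INTERRUPTED, including a genuine certificate-verification failure; the retry is bounded by MAX_RETRY_ATTEMPTS (1) and goes to the same server, so the cost is one extra handshake, but the SSSDBG_CRIT_FAILURE "Assuming ..." message then follows the real TLS error and can send an operator chasing the wrong cause. Suggest lowering that message to SSSDBG_MINOR_FAILURE and naming the heuristic in a comment, e.g. `/* A watchdog tick during the handshake can interrupt the underlying OpenSSL call with EINTR; that cannot be told apart from a real TLS failure here, so the caller retries once. */`; if the EINTR is still observable at this point (not visible from the hunk), testing for it as well would tighten the check. In sdap_cli_connect_done() the retry path appears to rely on tevent_req_create() zero-filling `state->retry_attempts`, so an explicit initialisation where the state is allocated would make the bound self-evident. sdap_cli_connect_done() and sss_ldap_init_sys_connect_done() both start outside their hunks.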
file modified
+15 -1
SPECS/sssd.spec CHANGED
@@ -50,7 +50,7 @@
50
50
51
51
Name: sssd
52
52
Version: 1.16.5
53
- Release: 10%{?dist}.7
53
+ Release: 10%{?dist}.8
54
54
Group: Applications/System
55
55
Summary: System Security Services Daemon
56
56
License: GPLv3+
@@ -120,6 +120,13 @@ Patch0058: 0058-nss-check-if-groups-are-filtered-during-initgroups.patch
120
120
Patch0059: 0059-CACHE-Create-timestamp-if-missing.patch
121
121
Patch0060: 0060-TESTS-Add-test-for-recreating-cache-timestamp.patch
122
122
Patch0061: 0061-cert-matching.patch
123
+ Patch0062: 0062-UTIL-find_domain_by_object_name_ex-changed-log-level.patch
124
+ Patch0063: 0063-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch
125
+ Patch0064: 0064-ldap-fix-modifytimestamp-debugging-leftovers.patch
126
+ Patch0065: 0065-sss_domain_info-add-not_found_counter.patch
127
+ Patch0066: 0066-AD-read-trusted-domains-from-local-domain-as-well.patch
128
+ Patch0067: 0067-negcache-use-right-domain-in-nss_protocol_fill_initg.patch
129
+ Patch0068: 0068-ldap-retry-ldap_install_tls-when-watchdog-interrupti.patch
123
130
124
131
#Those patches should not be removed in RHEL-7
125
132
Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1295,6 +1302,13 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
1295
1302
}
1296
1303
1297
1304
%changelog
1305
+ * Mon Apr 26 2021 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.8
1306
+ - Resolves: rhbz#1910131 - sssd throwing error " Unable to parse name test' [1432158283]: The internal name format cannot be parsed" at debug_level 2 [rhel-7.9.z]
1307
+ - Resolves: rhbz#1922244 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. [rhel-7.9.z]
1308
+ - Resolves: rhbz#1935685 - SSSD not detecting subdomain from AD forest (7.9z)
1309
+ - Resolves: rhbz#1945552 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-7.9.z]
1310
+ - Resolves: rhbz#1839972 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR [rhel-7.9.z]
1311
+
1298
1312
* Thu Dec 10 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.7
1299
1313
- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z]
1300
1314
- Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z]