From 518b872a04d0e061317c2efdb92c536b9f8c48e8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 02 2016 13:54:08 +0000 Subject: import sssd-1.13.0-40.el7_2.12 --- diff --git a/SOURCES/0117-LDAP-Fix-leak-of-file-descriptors.patch b/SOURCES/0117-LDAP-Fix-leak-of-file-descriptors.patch new file mode 100644 index 0000000..0db92d2 --- /dev/null +++ b/SOURCES/0117-LDAP-Fix-leak-of-file-descriptors.patch @@ -0,0 +1,113 @@ +From bb3365aee62f616c9d0c8cc8d737ef69d46544d3 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Thu, 22 Oct 2015 10:30:12 +0200 +Subject: [PATCH 117/117] LDAP: Fix leak of file descriptors + +The state "struct sss_ldap_init_state" contains socket +created in function sss_ldap_init_send. We register callback +sdap_async_sys_connect_timeout for handling issue with connection + +The tevent request "sss_ldap_init_send" is usually (nested) subrequest +of "struct resolve_service_state" related request created in fucntion +fo_resolve_service_send. Function fo_resolve_service_send also register +timeout callback fo_resolve_service_timeout to state "struct +resolve_service_state". + +It might happen that fo_resolve_service_timeout will be called before +sss_ldap_init_send timeout and we could not handle tiemout error +for state "struct sss_ldap_init_state" and therefore created socket +was not closed. + +We tried to release resources in function sdap_handle_release. +But the structure "struct sdap_handle" had not been initialized yet +with LDAP handle and therefore associated file descriptor could not be closed. + +[fo_resolve_service_timeout] (0x0080): Service resolving timeout reached +[fo_resolve_service_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[110] +[sdap_handle_release] (0x2000): Trace: sh[0x7f6713410270], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory +[be_resolve_server_done] (0x1000): Server resolution failed: 14 +[be_resolve_server_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[14] +[check_online_callback] (0x0100): Backend returned: (1, 0, ) [Provider is Offline (Success)] + +Resolves: +https://fedorahosted.org/sssd/ticket/2792 + +Reviewed-by: Jakub Hrozek +(cherry picked from commit a10f67d4c64f3b1243de5d86a996475361adf0ac) +(cherry picked from commit db2fdba6f3cecd0612439988e61be60d5d8576bf) +(cherry picked from commit 2136f71c94660bcdde83f80feb83734389d57674) +--- + src/util/sss_ldap.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c +index dd63b4b4f22f0aa1b540bc04ede211ac9cb88ebe..f42f9404bb9b79cdeb6a01c0a6e5025bb0370a6c 100644 +--- a/src/util/sss_ldap.c ++++ b/src/util/sss_ldap.c +@@ -304,6 +304,22 @@ struct sss_ldap_init_state { + #endif + }; + ++static int sss_ldap_init_state_destructor(void *data) ++{ ++ struct sss_ldap_init_state *state = (struct sss_ldap_init_state *)data; ++ ++ if (state->ldap) { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "calling ldap_unbind_ext for ldap:[%p] sd:[%d]\n", ++ state->ldap, state->sd); ++ ldap_unbind_ext(state->ldap, NULL, NULL); ++ } else if (state->sd != -1) { ++ DEBUG(SSSDBG_TRACE_FUNC, "closing socket [%d]\n", state->sd); ++ close(state->sd); ++ } ++ ++ return 0; ++} + + struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, +@@ -321,6 +337,8 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx, + return NULL; + } + ++ talloc_set_destructor((TALLOC_CTX *)state, sss_ldap_init_state_destructor); ++ + state->ldap = NULL; + state->uri = uri; + +@@ -370,9 +388,6 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx, + return req; + + fail: +- if(state->sd >= 0) { +- close(state->sd); +- } + tevent_req_error(req, ret); + #else + DEBUG(SSSDBG_MINOR_FAILURE, "ldap_init_fd not available, " +@@ -455,11 +470,6 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq) + return; + + fail: +- if (state->ldap) { +- ldap_unbind_ext(state->ldap, NULL, NULL); +- } else { +- close(state->sd); +- } + tevent_req_error(req, ret); + } + #endif +@@ -470,6 +480,9 @@ int sss_ldap_init_recv(struct tevent_req *req, LDAP **ldap, int *sd) + struct sss_ldap_init_state); + TEVENT_REQ_RETURN_ON_ERROR(req); + ++ /* Everything went well therefore we do not want to release resources */ ++ talloc_set_destructor(state, NULL); ++ + *ldap = state->ldap; + *sd = state->sd; + +-- +2.4.11 + diff --git a/SOURCES/0118-libwbclient-wbcSidsToUnixIds-don-t-fail-on-errors.patch b/SOURCES/0118-libwbclient-wbcSidsToUnixIds-don-t-fail-on-errors.patch new file mode 100644 index 0000000..9bda53e --- /dev/null +++ b/SOURCES/0118-libwbclient-wbcSidsToUnixIds-don-t-fail-on-errors.patch @@ -0,0 +1,44 @@ +From 02a5b8945863755e8708b6a11954c1f398680e01 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 2 Jun 2016 21:01:11 +0200 +Subject: [PATCH 118/118] libwbclient: wbcSidsToUnixIds() don't fail on errors + +Resolves: https://fedorahosted.org/sssd/ticket/3028 + +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 52f1093ef3d7c44132ec10c57436865b2cbb19d7) +(cherry picked from commit 15ad5f603a5797c61a01f67365c2581c7bddcdfa) +--- + src/sss_client/libwbclient/wbc_idmap_sssd.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/src/sss_client/libwbclient/wbc_idmap_sssd.c b/src/sss_client/libwbclient/wbc_idmap_sssd.c +index 1b0e2e10a5ce1a0c7577d391b740ff988f920903..6b5f525f0433c948e4d570d177dc6cffd82eff40 100644 +--- a/src/sss_client/libwbclient/wbc_idmap_sssd.c ++++ b/src/sss_client/libwbclient/wbc_idmap_sssd.c +@@ -172,15 +172,14 @@ wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids, + wbcErr wbc_status; + + for (c = 0; c < num_sids; c++) { ++ type = SSS_ID_TYPE_NOT_SPECIFIED; + wbc_status = wbcSidToString(&sids[c], &sid_str); +- if (!WBC_ERROR_IS_OK(wbc_status)) { +- return wbc_status; +- } +- +- ret = sss_nss_getidbysid(sid_str, &id, &type); +- wbcFreeMemory(sid_str); +- if (ret != 0) { +- return WBC_ERR_UNKNOWN_FAILURE; ++ if (WBC_ERROR_IS_OK(wbc_status)) { ++ ret = sss_nss_getidbysid(sid_str, &id, &type); ++ wbcFreeMemory(sid_str); ++ if (ret != 0) { ++ type = SSS_ID_TYPE_NOT_SPECIFIED; ++ } + } + + switch (type) { +-- +2.4.11 + diff --git a/SOURCES/0119-IPA-ldap_group_external_member-defaults-to-ipaExtern.patch b/SOURCES/0119-IPA-ldap_group_external_member-defaults-to-ipaExtern.patch new file mode 100644 index 0000000..beab91b --- /dev/null +++ b/SOURCES/0119-IPA-ldap_group_external_member-defaults-to-ipaExtern.patch @@ -0,0 +1,26 @@ +From fe540303e8fa2000160d087da4f19df317fb7de6 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 14 Jul 2016 12:21:25 +0200 +Subject: [PATCH 119/119] IPA: ldap_group_external_member defaults to + ipaExternalMember + +--- + src/providers/ipa/ipa_opts.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h +index 81ccc42fc0c9f21c8ef16e2d1735bc06199ba747..c1bfc9fde38a9c0fbd0a464b340e644cc4835455 100644 +--- a/src/providers/ipa/ipa_opts.h ++++ b/src/providers/ipa/ipa_opts.h +@@ -221,7 +221,7 @@ struct sdap_attr_map ipa_group_map[] = { + { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL }, + { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL }, +- { "ldap_group_external_member", NULL, SYSDB_EXTERNAL_MEMBER, NULL }, ++ { "ldap_group_external_member", "ipaExternalMember", SYSDB_EXTERNAL_MEMBER, NULL }, + SDAP_ATTR_MAP_TERMINATOR + }; + +-- +2.4.11 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index de6504f..84381b9 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -25,7 +25,7 @@ Name: sssd Version: 1.13.0 -Release: 40%{?dist}.9 +Release: 40%{?dist}.12 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -152,6 +152,9 @@ Patch0113: 0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch Patch0114: 0114-NSS-Fix-memory-leak-netgroup.patch Patch0115: 0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch Patch0116: 0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch +Patch0117: 0117-LDAP-Fix-leak-of-file-descriptors.patch +Patch0118: 0118-libwbclient-wbcSidsToUnixIds-don-t-fail-on-errors.patch +Patch0119: 0119-IPA-ldap_group_external_member-defaults-to-ipaExtern.patch #This patch should not be removed in RHEL-7 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1084,6 +1087,17 @@ fi /usr/bin/rm -f /var/tmp/sssd.upgrade || : %changelog +* Thu Jul 14 2016 Jakub Hrozek - 1.13.0-40.12 +- Resolves: rhbz#1356433 - ldap_group_external_member is no set for the + IPA provider + +* Fri Jul 8 2016 Jakub Hrozek - 1.13.0-40.11 +- Resolves: rhbz#1353605 - sssd-libwbclient: wbcSidsToUnixIds should not + fail on lookup errors + +* Tue Jun 21 2016 Jakub Hrozek - 1.13.0-40.10 +- Resolves: rhbz#1347723 - sssd is not closing sockets properly + * Tue May 24 2016 Jakub Hrozek - 1.13.0-40.9 - Resolves: rhbz#1339509 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup