From 5a92aed693bec23aad7dd3f3586ebca745fb2484 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 22 2022 14:38:06 +0000 Subject: import sssd-1.16.5-10.el7_9.12 --- diff --git a/SOURCES/0077-SSSD-man-man_dns_resolver_parameter_modification.patch b/SOURCES/0077-SSSD-man-man_dns_resolver_parameter_modification.patch new file mode 100644 index 0000000..fb7c497 --- /dev/null +++ b/SOURCES/0077-SSSD-man-man_dns_resolver_parameter_modification.patch @@ -0,0 +1,75 @@ +From 4b02c9632c44265124e4fa130170bc86de369b8c Mon Sep 17 00:00:00 2001 +From: Deepak Das +Date: Thu, 20 May 2021 20:30:33 +0530 +Subject: [PATCH 77/83] SSSD man: man_dns_resolver_parameter_modification +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Adding parameter dns_resolver_server_timeout +and dns_resolver_op_timeout in sssd.conf + +Resolves: https://github.com/SSSD/sssd/issues/5616 + +Reviewed-by: Iker Pedrosa +Reviewed-by: Justin Stephenson +(cherry picked from commit 43b9b0922aa24a03ea466c673646d5e3079403fe) + +Reviewed-by: Pavel Březina +--- + src/man/sssd.conf.5.xml | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index 8adbb8de9..a597828ca 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -2809,6 +2809,45 @@ pam_p11_allowed_services = +my_pam_service, -login + + + ++ ++ dns_resolver_server_timeout (integer) ++ ++ ++ Defines the amount of time (in milliseconds) ++ SSSD would try to talk to DNS server before ++ trying next DNS server. ++ ++ ++ Please see the section FAILOVER ++ for more information about the service ++ resolution. ++ ++ ++ Default: 1000 ++ ++ ++ ++ ++ ++ dns_resolver_op_timeout (integer) ++ ++ ++ Defines the amount of time (in seconds) to ++ wait to resolve single DNS query ++ (e.g. resolution of a hostname or an SRV record) ++ before try next hostname or DNS discovery. ++ ++ ++ Please see the section FAILOVER ++ for more information about the service ++ resolution. ++ ++ ++ Default: 3 ++ ++ ++ ++ + + dns_resolver_timeout (integer) + +-- +2.26.3 + diff --git a/SOURCES/0078-ad-require-name-when-looking-up-root-domain.patch b/SOURCES/0078-ad-require-name-when-looking-up-root-domain.patch new file mode 100644 index 0000000..d976074 --- /dev/null +++ b/SOURCES/0078-ad-require-name-when-looking-up-root-domain.patch @@ -0,0 +1,45 @@ +From 4b59b0af3d97b2a6b0acc08fa80377a5f59e5bfe Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 8 Oct 2021 12:44:37 +0200 +Subject: [PATCH 78/83] ad: require name when looking up root domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To properly identify the forest root domain the name of this domain is +needed. It is discovered with a cldap-ping requesting the netlogon +attribute. If the name is missing it does not make sense to proceed +further because there is currently no other way to determine the forest +root domain. + +Resolves: https://github.com/SSSD/sssd/issues/5820 + +Reviewed-by: Pavel Březina +(cherry picked from commit b37e2713a9b86936f5b82a17e47757562900b911) + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_subdomains.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 6b98cdf1d..5be7c2003 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -1431,7 +1431,12 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx, + return NULL; + } + +- if (forest != NULL && strcasecmp(domain, forest) == 0) { ++ if (forest == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Name of forest root domain not available, l" ++ "using cached data, if available.\n"); ++ ret = EINVAL; ++ goto immediately; ++ } else if (strcasecmp(domain, forest) == 0) { + state->root_id_ctx = sd_ctx->ad_id_ctx; + state->root_domain_attrs = NULL; + ret = EOK; +-- +2.26.3 + diff --git a/SOURCES/0079-ad-move-current-site-and-forest-name-to-a-more-globa.patch b/SOURCES/0079-ad-move-current-site-and-forest-name-to-a-more-globa.patch new file mode 100644 index 0000000..ac95c95 --- /dev/null +++ b/SOURCES/0079-ad-move-current-site-and-forest-name-to-a-more-globa.patch @@ -0,0 +1,234 @@ +From ecfb7df52fd3b0edf8549d42cfa6b378407fb982 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 8 Oct 2021 13:14:30 +0200 +Subject: [PATCH 79/83] ad: move current site and forest name to a more global + context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently only during the DNS discovery steps the stored forest and site +name are reused to avoid redundant lookups. Since those names are needed +in other areas of the code as well it would be good to make them +available in a more global context. + +Resolves: https://github.com/SSSD/sssd/issues/5820 + +Reviewed-by: Pavel Březina +(cherry picked from commit 4508ef5f7183c640191393605ea163044d9ac267) + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_cldap_ping.c | 15 ++++++----- + src/providers/ad/ad_common.h | 4 +++ + src/providers/ad/ad_init.c | 1 + + src/providers/ad/ad_srv.c | 33 +++++++++++++---------- + src/providers/ad/ad_srv.h | 4 +-- + src/providers/ad/ad_subdomains.c | 1 + + src/providers/ipa/ipa_subdomains_server.c | 1 + + 7 files changed, 37 insertions(+), 22 deletions(-) + +diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c +index ab234f4d7..100d448f5 100644 +--- a/src/providers/ad/ad_cldap_ping.c ++++ b/src/providers/ad/ad_cldap_ping.c +@@ -601,10 +601,12 @@ struct tevent_req *ad_cldap_ping_send(TALLOC_CTX *mem_ctx, + } + + if (!srv_ctx->renew_site) { +- state->site = talloc_strdup(state, srv_ctx->current_site); +- state->forest = talloc_strdup(state, srv_ctx->current_forest); +- if ((srv_ctx->current_site != NULL && state->site == NULL) +- || (srv_ctx->current_forest != NULL && state->forest == NULL)) { ++ state->site = talloc_strdup(state, srv_ctx->ad_options->current_site); ++ state->forest = talloc_strdup(state, ++ srv_ctx->ad_options->current_forest); ++ if ((srv_ctx->ad_options->current_site != NULL && state->site == NULL) ++ || (srv_ctx->ad_options->current_forest != NULL ++ && state->forest == NULL)) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to copy current site or forest name.\n"); + ret = ENOMEM; +@@ -629,9 +631,10 @@ struct tevent_req *ad_cldap_ping_send(TALLOC_CTX *mem_ctx, + state->discovery_domain = discovery_domain; + + /* If possible, lookup the information in the current site first. */ +- if (srv_ctx->current_site != NULL) { ++ if (srv_ctx->ad_options->current_site != NULL) { + state->all_tried = false; +- domain = ad_site_dns_discovery_domain(state, srv_ctx->current_site, ++ domain = ad_site_dns_discovery_domain(state, ++ srv_ctx->ad_options->current_site, + discovery_domain); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!"); +diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h +index 815b41419..311b84f4c 100644 +--- a/src/providers/ad/ad_common.h ++++ b/src/providers/ad/ad_common.h +@@ -105,6 +105,10 @@ struct ad_options { + /* Dynamic DNS updates */ + struct be_resolv_ctx *be_res; + struct be_nsupdate_ctx *dyndns_ctx; ++ ++ /* Discovered site and forest names */ ++ const char *current_site; ++ const char *current_forest; + }; + + errno_t +diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c +index 5abd28b7c..9f258e2bd 100644 +--- a/src/providers/ad/ad_init.c ++++ b/src/providers/ad/ad_init.c +@@ -206,6 +206,7 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx, + + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, ad_options->id, ++ ad_options, + hostname, ad_domain, + ad_site_override); + if (srv_ctx == NULL) { +diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c +index e58c19aac..a10c6a247 100644 +--- a/src/providers/ad/ad_srv.c ++++ b/src/providers/ad/ad_srv.c +@@ -130,6 +130,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + struct be_resolv_ctx *be_res, + enum host_database *host_dbs, + struct sdap_options *opts, ++ struct ad_options *ad_options, + const char *hostname, + const char *ad_domain, + const char *ad_site_override) +@@ -147,6 +148,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + ctx->host_dbs = host_dbs; + ctx->opts = opts; + ctx->renew_site = true; ++ ctx->ad_options = ad_options; + + ctx->hostname = talloc_strdup(ctx, hostname); + if (ctx->hostname == NULL) { +@@ -164,18 +166,20 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ctx->current_site = talloc_strdup(ctx, ad_site_override); +- if (ctx->current_site == NULL) { ++ ctx->ad_options->current_site = talloc_strdup(ctx->ad_options, ++ ad_site_override); ++ if (ctx->ad_options->current_site == NULL) { + goto fail; + } + } else { +- ret = sysdb_get_site(ctx, be_ctx->domain, &ctx->current_site); ++ ret = sysdb_get_site(ctx->ad_options, be_ctx->domain, ++ &ctx->ad_options->current_site); + if (ret != EOK) { + /* Not fatal. */ + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to get current site from cache [%d]: %s\n", + ret, sss_strerror(ret)); +- ctx->current_site = NULL; ++ ctx->ad_options->current_site = NULL; + } + } + +@@ -203,34 +207,35 @@ ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx, + + /* Switch forest. */ + if (new_forest != NULL +- && (ctx->current_forest == NULL +- || strcmp(ctx->current_forest, new_forest) != 0)) { +- forest = talloc_strdup(ctx, new_forest); ++ && (ctx->ad_options->current_forest == NULL ++ || strcmp(ctx->ad_options->current_forest, new_forest) != 0)) { ++ forest = talloc_strdup(ctx->ad_options, new_forest); + if (forest == NULL) { + return ENOMEM; + } + +- talloc_zfree(ctx->current_forest); +- ctx->current_forest = forest; ++ talloc_zfree(ctx->ad_options->current_forest); ++ ctx->ad_options->current_forest = forest; + } + + if (new_site == NULL) { + return EOK; + } + +- if (ctx->current_site != NULL && strcmp(ctx->current_site, new_site) == 0) { ++ if (ctx->ad_options->current_site != NULL ++ && strcmp(ctx->ad_options->current_site, new_site) == 0) { + return EOK; + } + +- site = talloc_strdup(ctx, new_site); ++ site = talloc_strdup(ctx->ad_options, new_site); + if (site == NULL) { + return ENOMEM; + } + +- talloc_zfree(ctx->current_site); +- ctx->current_site = site; ++ talloc_zfree(ctx->ad_options->current_site); ++ ctx->ad_options->current_site = site; + +- ret = sysdb_set_site(ctx->be_ctx->domain, ctx->current_site); ++ ret = sysdb_set_site(ctx->be_ctx->domain, ctx->ad_options->current_site); + if (ret != EOK) { + /* Not fatal. */ + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information " +diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h +index 3c6a779ea..fd70f15a8 100644 +--- a/src/providers/ad/ad_srv.h ++++ b/src/providers/ad/ad_srv.h +@@ -26,11 +26,10 @@ struct ad_srv_plugin_ctx { + struct be_resolv_ctx *be_res; + enum host_database *host_dbs; + struct sdap_options *opts; ++ struct ad_options *ad_options; + const char *hostname; + const char *ad_domain; + const char *ad_site_override; +- const char *current_site; +- const char *current_forest; + + bool renew_site; + }; +@@ -41,6 +40,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + struct be_resolv_ctx *be_res, + enum host_database *host_dbs, + struct sdap_options *opts, ++ struct ad_options *ad_options, + const char *hostname, + const char *ad_domain, + const char *ad_site_override); +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 5be7c2003..8a331c503 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -416,6 +416,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, + ad_id_ctx->ad_options->id, ++ ad_id_ctx->ad_options, + hostname, + ad_domain, + ad_site_override); +diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c +index f0d8a6a20..ed363c22f 100644 +--- a/src/providers/ipa/ipa_subdomains_server.c ++++ b/src/providers/ipa/ipa_subdomains_server.c +@@ -342,6 +342,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, + ad_id_ctx->ad_options->id, ++ ad_id_ctx->ad_options, + id_ctx->server_mode->hostname, + ad_domain, + ad_site_override); +-- +2.26.3 + diff --git a/SOURCES/0080-ad-use-already-discovered-forest-name.patch b/SOURCES/0080-ad-use-already-discovered-forest-name.patch new file mode 100644 index 0000000..35c48d7 --- /dev/null +++ b/SOURCES/0080-ad-use-already-discovered-forest-name.patch @@ -0,0 +1,53 @@ +From f60a6fc682646a8c16fa8875456300c61cf3e979 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 8 Oct 2021 13:49:01 +0200 +Subject: [PATCH 80/83] ad: use already discovered forest name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the cldap-ping on the current connection does not return a reply with +the name of the forest root and the site of the client the stored values +from the DNS discovery step are used. + +Resolves: https://github.com/SSSD/sssd/issues/5820 + +Reviewed-by: Pavel Březina +(cherry picked from commit 99c4161910e542dd40c740032196d268c4163d07) + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_subdomains.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 8a331c503..562047a02 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -2095,6 +2095,23 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) + return; + } + ++ if (state->forest == NULL) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Forest name was not found, using the one " ++ "which was already discovered [%s].\n", ++ state->ad_options->current_forest != NULL ? ++ state->ad_options->current_forest : ++ "- not available-"); ++ if (state->ad_options->current_forest != NULL) { ++ state->forest = talloc_strdup(state, ++ state->ad_options->current_forest); ++ if (state->forest == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy forest name.\n"); ++ tevent_req_error(req, ENOMEM); ++ return; ++ } ++ } ++ } ++ + realm = dp_opt_get_cstring(state->ad_options->basic, AD_KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm.\n"); +-- +2.26.3 + diff --git a/SOURCES/0081-ad-make-ad_srv_plugin_ctx_switch_site-public.patch b/SOURCES/0081-ad-make-ad_srv_plugin_ctx_switch_site-public.patch new file mode 100644 index 0000000..0d40213 --- /dev/null +++ b/SOURCES/0081-ad-make-ad_srv_plugin_ctx_switch_site-public.patch @@ -0,0 +1,256 @@ +From 664ae9d2247b5139d2286975228baa0cea39a8e4 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 20 Oct 2021 13:59:40 +0200 +Subject: [PATCH 81/83] ad: make ad_srv_plugin_ctx_switch_site() public +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the name of the AD DCs are given explicitly with the ad_server option +the forest and site lookups are not done in the discovery phase, which +is skipped, but with a netlogon query on the current connection. This +patch makes sure the results are stored in the same way as during the +discovery step. + +Resolves: https://github.com/SSSD/sssd/issues/5820 + +Reviewed-by: Pavel Březina +(cherry picked from commit 918abaf37d7f13d72b29863933e133bcbd24d87c) + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_common.c | 48 +++++++++++++++++++++ + src/providers/ad/ad_common.h | 3 ++ + src/providers/ad/ad_domain_info.h | 1 - + src/providers/ad/ad_srv.c | 70 ++++++------------------------- + src/providers/ad/ad_subdomains.c | 34 ++++++++++++++- + 5 files changed, 96 insertions(+), 60 deletions(-) + +diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c +index c99c4d110..4463349e4 100644 +--- a/src/providers/ad/ad_common.c ++++ b/src/providers/ad/ad_common.c +@@ -1554,3 +1554,51 @@ done: + + return ret; + } ++ ++errno_t ++ad_options_switch_site(struct ad_options *ad_options, struct be_ctx *be_ctx, ++ const char *new_site, const char *new_forest) ++{ ++ const char *site; ++ const char *forest; ++ errno_t ret; ++ ++ /* Switch forest. */ ++ if (new_forest != NULL ++ && (ad_options->current_forest == NULL ++ || strcmp(ad_options->current_forest, new_forest) != 0)) { ++ forest = talloc_strdup(ad_options, new_forest); ++ if (forest == NULL) { ++ return ENOMEM; ++ } ++ ++ talloc_zfree(ad_options->current_forest); ++ ad_options->current_forest = forest; ++ } ++ ++ if (new_site == NULL) { ++ return EOK; ++ } ++ ++ if (ad_options->current_site != NULL ++ && strcmp(ad_options->current_site, new_site) == 0) { ++ return EOK; ++ } ++ ++ site = talloc_strdup(ad_options, new_site); ++ if (site == NULL) { ++ return ENOMEM; ++ } ++ ++ talloc_zfree(ad_options->current_site); ++ ad_options->current_site = site; ++ ++ ret = sysdb_set_site(be_ctx->domain, ad_options->current_site); ++ if (ret != EOK) { ++ /* Not fatal. */ ++ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information " ++ "[%d]: %s\n", ret, sss_strerror(ret)); ++ } ++ ++ return EOK; ++} +diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h +index 311b84f4c..08fcc00fd 100644 +--- a/src/providers/ad/ad_common.h ++++ b/src/providers/ad/ad_common.h +@@ -238,4 +238,7 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts, + errno_t ad_refresh_init(struct be_ctx *be_ctx, + struct ad_id_ctx *id_ctx); + ++errno_t ++ad_options_switch_site(struct ad_options *ad_options, struct be_ctx *be_ctx, ++ const char *new_site, const char *new_forest); + #endif /* AD_COMMON_H_ */ +diff --git a/src/providers/ad/ad_domain_info.h b/src/providers/ad/ad_domain_info.h +index 631e543f5..cf601cff6 100644 +--- a/src/providers/ad/ad_domain_info.h ++++ b/src/providers/ad/ad_domain_info.h +@@ -39,5 +39,4 @@ ad_domain_info_recv(struct tevent_req *req, + char **_id, + char **_site, + char **_forest); +- + #endif /* _AD_DOMAIN_INFO_H_ */ +diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c +index a10c6a247..d45f1601e 100644 +--- a/src/providers/ad/ad_srv.c ++++ b/src/providers/ad/ad_srv.c +@@ -196,55 +196,6 @@ fail: + return NULL; + } + +-static errno_t +-ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx, +- const char *new_site, +- const char *new_forest) +-{ +- const char *site; +- const char *forest; +- errno_t ret; +- +- /* Switch forest. */ +- if (new_forest != NULL +- && (ctx->ad_options->current_forest == NULL +- || strcmp(ctx->ad_options->current_forest, new_forest) != 0)) { +- forest = talloc_strdup(ctx->ad_options, new_forest); +- if (forest == NULL) { +- return ENOMEM; +- } +- +- talloc_zfree(ctx->ad_options->current_forest); +- ctx->ad_options->current_forest = forest; +- } +- +- if (new_site == NULL) { +- return EOK; +- } +- +- if (ctx->ad_options->current_site != NULL +- && strcmp(ctx->ad_options->current_site, new_site) == 0) { +- return EOK; +- } +- +- site = talloc_strdup(ctx->ad_options, new_site); +- if (site == NULL) { +- return ENOMEM; +- } +- +- talloc_zfree(ctx->ad_options->current_site); +- ctx->ad_options->current_site = site; +- +- ret = sysdb_set_site(ctx->be_ctx->domain, ctx->ad_options->current_site); +- if (ret != EOK) { +- /* Not fatal. */ +- DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information " +- "[%d]: %s\n", ret, sss_strerror(ret)); +- } +- +- return EOK; +-} +- + struct ad_srv_plugin_state { + struct tevent_context *ev; + struct ad_srv_plugin_ctx *ctx; +@@ -382,16 +333,19 @@ static void ad_srv_plugin_ping_done(struct tevent_req *subreq) + /* Remember current site so it can be used during next lookup so + * we can contact directory controllers within a known reachable + * site first. */ +- ret = ad_srv_plugin_ctx_switch_site(state->ctx, state->site, +- state->forest); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set site [%d]: %s\n", +- ret, sss_strerror(ret)); +- goto done; +- } ++ if (state->site != NULL) { ++ ret = ad_options_switch_site(state->ctx->ad_options, ++ state->ctx->be_ctx, ++ state->site, state->forest); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set site [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } + +- /* Do not renew the site again unless we go offline. */ +- state->ctx->renew_site = false; ++ /* Do not renew the site again unless we go offline. */ ++ state->ctx->renew_site = false; ++ } + + if (strcmp(state->service, "gc") == 0) { + if (state->forest != NULL) { +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 562047a02..e4e248c1d 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -2080,13 +2080,15 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) + const char *realm; + char *master_sid; + char *flat_name; ++ char *site = NULL; + errno_t ret; ++ char *ad_site_override = NULL; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_subdomains_refresh_state); + + ret = ad_domain_info_recv(subreq, state, &flat_name, &master_sid, +- NULL, &state->forest); ++ &site, &state->forest); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get master domain information " +@@ -2112,6 +2114,36 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) + } + } + ++ /* If the site was not discovered during the DNS discovery, e.g. because ++ * the server name was given explicitly in sssd.conf, we try to set the ++ * site here. */ ++ if (state->ad_options->current_site == NULL) { ++ /* Ignore AD site found in netlogon attribute if specific site is set in ++ * configuration file. */ ++ ad_site_override = dp_opt_get_string(state->ad_options->basic, AD_SITE); ++ if (ad_site_override != NULL) { ++ DEBUG(SSSDBG_TRACE_INTERNAL, ++ "Ignoring AD site found by DNS discovery: '%s', " ++ "using configured value: '%s' instead.\n", ++ site, ad_site_override); ++ site = ad_site_override; ++ } ++ ++ if (site != NULL) { ++ ret = ad_options_switch_site(state->ad_options, state->be_ctx, site, ++ state->forest); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to store forest and site name, " ++ "will try again after a new lookup.\n"); ++ } ++ } else { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Site name currently not available will try again later. " ++ "The site name can be added manually my setting 'ad_site' " ++ "in sssd.conf.\n"); ++ } ++ } ++ + realm = dp_opt_get_cstring(state->ad_options->basic, AD_KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm.\n"); +-- +2.26.3 + diff --git a/SOURCES/0082-ad-only-send-cldap-ping-to-our-local-domain.patch b/SOURCES/0082-ad-only-send-cldap-ping-to-our-local-domain.patch new file mode 100644 index 0000000..6f079b3 --- /dev/null +++ b/SOURCES/0082-ad-only-send-cldap-ping-to-our-local-domain.patch @@ -0,0 +1,45 @@ +From ed243335d3e74ab2cde49eacc9a85ca5408a8dec Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 15 Oct 2021 13:39:50 +0200 +Subject: [PATCH 82/83] ad: only send cldap-ping to our local domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since we are using the name of the local domain in the search filter of +the CLDAP ping only a DC from the local domain can send a proper reply. +DCs from other domains will only return an error so we can skip the +CLDAP ping for those domains. + +Resolves: https://github.com/SSSD/sssd/issues/5822 + +Reviewed-by: Pavel Březina +(cherry picked from commit 724293d0873ee3229866ae4c13e1c8829375146f) + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_cldap_ping.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c +index 100d448f5..91db81bfc 100644 +--- a/src/providers/ad/ad_cldap_ping.c ++++ b/src/providers/ad/ad_cldap_ping.c +@@ -621,6 +621,14 @@ struct tevent_req *ad_cldap_ping_send(TALLOC_CTX *mem_ctx, + goto done; + } + ++ if (strcmp(srv_ctx->ad_domain, discovery_domain) != 0) { ++ DEBUG(SSSDBG_TRACE_ALL, "Trying to discover domain [%s] " ++ "which is not our local domain [%s], skipping CLDAP ping.\n", ++ discovery_domain, srv_ctx->ad_domain); ++ ret = EOK; ++ goto done; ++ } ++ + DEBUG(SSSDBG_TRACE_FUNC, "Sending CLDAP ping\n"); + + state->ev = ev; +-- +2.26.3 + diff --git a/SOURCES/0083-cldap-use-dns_resolver_server_timeout-timeout-for-cl.patch b/SOURCES/0083-cldap-use-dns_resolver_server_timeout-timeout-for-cl.patch new file mode 100644 index 0000000..2112ae5 --- /dev/null +++ b/SOURCES/0083-cldap-use-dns_resolver_server_timeout-timeout-for-cl.patch @@ -0,0 +1,93 @@ +From be3ee30c68dd9d2e5184da226dfbe66f516a4b92 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 16 Nov 2021 15:01:20 +0100 +Subject: [PATCH 83/83] cldap: use dns_resolver_server_timeout timeout for + cldap ping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently the cldap ping is using the ldap_search_timeout since it is +basically a LDAP search operation. However, the default of +ldap_search_timeout is 6s which is quite a long time for the discovery +of the AD DCs where the cldap ping is a part of. The default even +collides which the default of dns_resolver_timeout which might easily +lead to failures during the discovery phase. + +To avoid the addition of a new option this patch is using +dns_resolver_server_timeout, which has a default of 1000ms (1s), as new +timeout for the clapd ping. Since the original purpose of the timeout is +the waiting time for a reply from a DNS server and both DNS and cldap by +default use UDP I think reusing the option here is justified. + +Resolves: https://github.com/SSSD/sssd/issues/5875 + +Reviewed-by: Pavel Březina +(cherry picked from commit c0941810fc3c3d74a00697349723f14e2f6bbdd2) + +Reviewed-by: Pavel Březina +--- + src/man/sssd.conf.5.xml | 4 ++++ + src/providers/ad/ad_cldap_ping.c | 10 +++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index a597828ca..d81ec35a6 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -2817,6 +2817,10 @@ pam_p11_allowed_services = +my_pam_service, -login + SSSD would try to talk to DNS server before + trying next DNS server. + ++ ++ The AD provider will use this option for the ++ CLDAP ping timeouts as well. ++ + + Please see the section FAILOVER + for more information about the service +diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c +index 91db81bfc..8ae65e8c9 100644 +--- a/src/providers/ad/ad_cldap_ping.c ++++ b/src/providers/ad/ad_cldap_ping.c +@@ -39,6 +39,7 @@ + struct ad_cldap_ping_dc_state { + struct tevent_context *ev; + struct sdap_options *opts; ++ struct be_resolv_ctx *be_res; + struct fo_server_info *dc; + struct sdap_handle *sh; + const char *ad_domain; +@@ -72,6 +73,7 @@ static struct tevent_req *ad_cldap_ping_dc_send(TALLOC_CTX *mem_ctx, + + state->ev = ev; + state->opts = opts; ++ state->be_res = be_res; + state->dc = dc; + state->ad_domain = ad_domain; + +@@ -103,6 +105,7 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq) + char *filter; + int timeout; + errno_t ret; ++ div_t timeout_int; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_cldap_ping_dc_state); +@@ -127,7 +130,12 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq) + goto done; + } + +- timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); ++ /* DP_RES_OPT_RESOLVER_SERVER_TIMEOUT is in milli-seconds and ++ * sdap_get_generic_send() expects seconds */ ++ timeout_int = div(dp_opt_get_int(state->be_res->opts, ++ DP_RES_OPT_RESOLVER_SERVER_TIMEOUT), ++ 1000); ++ timeout = (timeout_int.quot > 0) ? timeout_int.quot : 1; + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, "", + LDAP_SCOPE_BASE, filter, attrs, NULL, + 0, timeout, false); +-- +2.26.3 + diff --git a/SOURCES/0084-sysdb-more-specific-mpg-search-filter.patch b/SOURCES/0084-sysdb-more-specific-mpg-search-filter.patch new file mode 100644 index 0000000..8738ccf --- /dev/null +++ b/SOURCES/0084-sysdb-more-specific-mpg-search-filter.patch @@ -0,0 +1,60 @@ +From 0dde096aac1db7d8533f51254f6a8c22a67114d8 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 2 Aug 2021 15:53:42 +0200 +Subject: [PATCH] sysdb: more specific mpg search filter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally all user of an mpg domain had an automatically created +user-private group and as a result the ID space was unified in the sense +that a given ID either belongs to a group or to a user with a +user-private group. + +With the introduction of id-overrides and the auto_private_groups option +this assumption is not true anymore and as a result the search filter +for GIDs must be more specific with respect to the user objects. + +Resolves: https://github.com/SSSD/sssd/issues/5790 + +:fixes: Improve mpg search filter to be more reliable with id-overrides + and the new auto_private_groups options. + +Reviewed-by: Pavel Březina +(cherry picked from commit 4be5fcd9afd62b1094eb27970627d327ac770127) + +Reviewed-by: Tomáš Halman +--- + src/db/sysdb.h | 2 +- + src/db/sysdb_search.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index c771ce633..c601c251f 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -215,7 +215,7 @@ + #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))" + #define SYSDB_GRENT_FILTER "("SYSDB_GC")" + #define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))" +-#define SYSDB_GRGID_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_GIDNUM"=%lu))" ++#define SYSDB_GRGID_MPG_FILTER "(|(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))(&("SYSDB_UC")("SYSDB_GIDNUM"=%lu)("SYSDB_UIDNUM"=%lu)))" + #define SYSDB_GRENT_MPG_FILTER "("SYSDB_MPGC")" + + #define SYSDB_INITGR_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=*))" +diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c +index 7939944ba..d783abc68 100644 +--- a/src/db/sysdb_search.c ++++ b/src/db/sysdb_search.c +@@ -1355,7 +1355,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx, + } + + ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, +- LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid); ++ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid, ul_gid, ul_gid); + if (ret != EOK) { + ret = sysdb_error_to_errno(ret); + goto done; +-- +2.26.3 + diff --git a/SOURCES/0085-ad-add-required-cn-attribute-to-subdomain-object.patch b/SOURCES/0085-ad-add-required-cn-attribute-to-subdomain-object.patch new file mode 100644 index 0000000..f3fe3d3 --- /dev/null +++ b/SOURCES/0085-ad-add-required-cn-attribute-to-subdomain-object.patch @@ -0,0 +1,43 @@ +From 64192cf7c2823ae93820623b0ae285b697fabe12 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 16 Dec 2021 11:14:18 +0100 +Subject: [PATCH] ad: add required 'cn' attribute to subdomain object +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the forest root is not part of the return trusted domain objects +from the local domain controller we generate an object for further +processing. During this processing it is expected that the 'cn' +attribute is set and contains the name of the forest root. So far this +attribute was missing and it is now added by this patch. + +Resolves: https://github.com/SSSD/sssd/issues/5926 + +Reviewed-by: Pavel Březina +(cherry picked from commit bf6059eb55c8caa3111ef718db1676c96a67c084) +--- + src/providers/ad/ad_subdomains.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index e4e248c1d..c92faba95 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -1649,6 +1649,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq) + goto done; + } + ++ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME, ++ state->forest); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n"); ++ goto done; ++ } ++ + err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id, + &id_val.data, &id_val.length); + if (err != IDMAP_SUCCESS) { +-- +2.26.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 72da1e1..6103e53 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -50,7 +50,7 @@ Name: sssd Version: 1.16.5 -Release: 10%{?dist}.11 +Release: 10%{?dist}.12 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -135,6 +135,15 @@ Patch0073: 0073-cldap.patch Patch0074: 0074-util-inotify-fixed-bug-in-inotify-event-processing.patch Patch0075: 0075-sdap-always-create-sdap-object-for-a-forest-root.patch Patch0076: 0076-ad-filter-trusted-domains.patch +Patch0077: 0077-SSSD-man-man_dns_resolver_parameter_modification.patch +Patch0078: 0078-ad-require-name-when-looking-up-root-domain.patch +Patch0079: 0079-ad-move-current-site-and-forest-name-to-a-more-globa.patch +Patch0080: 0080-ad-use-already-discovered-forest-name.patch +Patch0081: 0081-ad-make-ad_srv_plugin_ctx_switch_site-public.patch +Patch0082: 0082-ad-only-send-cldap-ping-to-our-local-domain.patch +Patch0083: 0083-cldap-use-dns_resolver_server_timeout-timeout-for-cl.patch +Patch0084: 0084-sysdb-more-specific-mpg-search-filter.patch +Patch0085: 0085-ad-add-required-cn-attribute-to-subdomain-object.patch #Those patches should not be removed in RHEL-7 Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1310,6 +1319,12 @@ systemctl try-restart sssd >/dev/null 2>&1 || : } %changelog +* Mon Jan 31 2022 Alexey Tikhonov 1.16.5-10.12 +- Resolves: rhbz#2006382 - IPA Intermittence fetching groups +- Resolves: rhbz#2006866 - sssd_be segfault due to empty forest root name +- Resolves: rhbz#2031729 - IPA clients fail to resolve override group names. +- Resolves: rhbz#2032867 - AD Domain in the AD Forest Missing after sssd latest update + * Tue Nov 02 2021 Alexey Tikhonov 1.16.5-10.11 - Resolves: rhbz#1968316 - SSSD: User authentication failing after server reboot. - Resolves: rhbz#2000238 - disabled root ad domain causes subdomains to be marked offline