From 7500e15dea1b67973289410218e6695f6b43fd7b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 27 2021 04:14:48 +0000 Subject: import sssd-2.4.0-9.el8_4.1 --- diff --git a/SOURCES/0052-handle-large-service-tickets.patch b/SOURCES/0052-handle-large-service-tickets.patch new file mode 100644 index 0000000..3847a09 --- /dev/null +++ b/SOURCES/0052-handle-large-service-tickets.patch @@ -0,0 +1,233 @@ +From b6efe6b119b0c11314a324e8a2cf96fb74a9c983 Mon Sep 17 00:00:00 2001 +From: Sam Morris +Date: Tue, 6 Apr 2021 18:42:19 +0100 +Subject: [PATCH 1/6] responder/common/responder_packet: handle large service + tickets + +Resolves: https://github.com/SSSD/sssd/issues/5568 + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/responder_packet.c | 11 +++++++++++ + src/responder/common/responder_packet.h | 1 + + 2 files changed, 12 insertions(+) + +diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c +index f56d92276..d091332b0 100644 +--- a/src/responder/common/responder_packet.c ++++ b/src/responder/common/responder_packet.c +@@ -229,6 +229,17 @@ int sss_packet_recv(struct sss_packet *packet, int fd) + if (ret != EOK) { + return ret; + } ++ /* Kerberos tickets can get pretty big; since Windows Server 2012, the ++ * limit is 48 KiB! ++ */ ++ } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX) ++ && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE ++ && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) { ++ sss_packet_set_len(packet, 0); ++ ret = sss_packet_grow(packet, new_len); ++ if (ret != EOK) { ++ return ret; ++ } + } else { + return EINVAL; + } +diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h +index 509a22a9a..70bf1e8d3 100644 +--- a/src/responder/common/responder_packet.h ++++ b/src/responder/common/responder_packet.h +@@ -26,6 +26,7 @@ + + #define SSS_PACKET_MAX_RECV_SIZE 1024 + #define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE ) ++#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 ) + + struct sss_packet; + +-- +2.26.3 + + +From c6a76283580c25ff78b36b8b23efdabbdb3a2cc1 Mon Sep 17 00:00:00 2001 +From: Sam Morris +Date: Wed, 7 Apr 2021 14:21:34 +0100 +Subject: [PATCH 2/6] responder/common/responder_packet: reduce duplication of + code that handles larger-than-normal packets + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/responder_packet.c | 40 +++++++++++++------------ + 1 file changed, 21 insertions(+), 19 deletions(-) + +diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c +index d091332b0..523c9ddd4 100644 +--- a/src/responder/common/responder_packet.c ++++ b/src/responder/common/responder_packet.c +@@ -216,25 +216,27 @@ int sss_packet_recv(struct sss_packet *packet, int fd) + + new_len = sss_packet_get_len(packet); + if (new_len > packet->memsize) { +- /* Allow certificate based requests to use larger buffer but not +- * larger than SSS_CERT_PACKET_MAX_RECV_SIZE. Due to the way +- * sss_packet_grow() works the packet len must be set to '0' first and +- * then grow to the expected size. */ +- if ((sss_packet_get_cmd(packet) == SSS_NSS_GETNAMEBYCERT +- || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT) +- && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE +- && new_len < SSS_CERT_PACKET_MAX_RECV_SIZE) { +- sss_packet_set_len(packet, 0); +- ret = sss_packet_grow(packet, new_len); +- if (ret != EOK) { +- return ret; +- } +- /* Kerberos tickets can get pretty big; since Windows Server 2012, the +- * limit is 48 KiB! +- */ +- } else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX) +- && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE +- && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) { ++ enum sss_cli_command cmd = sss_packet_get_cmd(packet); ++ size_t max_recv_size; ++ ++ /* Allow certain packet types to use a larger buffer. */ ++ switch (cmd) { ++ case SSS_NSS_GETNAMEBYCERT: ++ case SSS_NSS_GETLISTBYCERT: ++ max_recv_size = SSS_CERT_PACKET_MAX_RECV_SIZE; ++ break; ++ ++ case SSS_GSSAPI_SEC_CTX: ++ max_recv_size = SSS_GSSAPI_PACKET_MAX_RECV_SIZE; ++ break; ++ ++ default: ++ max_recv_size = 0; ++ } ++ ++ /* Due to the way sss_packet_grow() works, the packet len must be set ++ * to 0 first, and then grown to the expected size. */ ++ if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) { + sss_packet_set_len(packet, 0); + ret = sss_packet_grow(packet, new_len); + if (ret != EOK) { +-- +2.26.3 + + +From 63f318f73c933dc2cb08cad2f911a52d2281c45b Mon Sep 17 00:00:00 2001 +From: Sam Morris +Date: Wed, 7 Apr 2021 14:22:25 +0100 +Subject: [PATCH 3/6] responder/common/responder_packet: add debug logging to + assist with errors caused by overlarge packets + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/responder_packet.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c +index 523c9ddd4..01a4e640e 100644 +--- a/src/responder/common/responder_packet.c ++++ b/src/responder/common/responder_packet.c +@@ -243,6 +243,9 @@ int sss_packet_recv(struct sss_packet *packet, int fd) + return ret; + } + } else { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)", ++ fd, new_len, cmd); + return EINVAL; + } + } +-- +2.26.3 + + +From 37d331774385b2b871ba76fcdef6ceafd776efce Mon Sep 17 00:00:00 2001 +From: Sam Morris +Date: Wed, 7 Apr 2021 14:23:03 +0100 +Subject: [PATCH 4/6] responder/common/responder_packet: further increase + packet size for SSS_GSSAPI_SEC_CTX + +Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB +provides extra overhead should that increase in the future. + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/responder_packet.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h +index 70bf1e8d3..fd991969b 100644 +--- a/src/responder/common/responder_packet.h ++++ b/src/responder/common/responder_packet.h +@@ -26,7 +26,7 @@ + + #define SSS_PACKET_MAX_RECV_SIZE 1024 + #define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE ) +-#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 ) ++#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( 128 * 1024 ) + + struct sss_packet; + +-- +2.26.3 + + +From 5c9fa75bd0ffa02e31cbbf19ee68134ed384229a Mon Sep 17 00:00:00 2001 +From: Sam Morris +Date: Wed, 7 Apr 2021 19:59:45 +0100 +Subject: [PATCH 5/6] responder/common/responder_packet: remove some + unnecessary checks before growing packet + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/responder_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c +index 01a4e640e..c4b38f71b 100644 +--- a/src/responder/common/responder_packet.c ++++ b/src/responder/common/responder_packet.c +@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd) + + /* Due to the way sss_packet_grow() works, the packet len must be set + * to 0 first, and then grown to the expected size. */ +- if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) { ++ if (new_len < max_recv_size) { + sss_packet_set_len(packet, 0); + ret = sss_packet_grow(packet, new_len); + if (ret != EOK) { +-- +2.26.3 + + +From b87619f9a917d6ed9ecdb5360c4bf242dce8e372 Mon Sep 17 00:00:00 2001 +From: Sam Morris +Date: Thu, 8 Apr 2021 19:09:33 +0100 +Subject: [PATCH 6/6] responder/common/responder_packet: allow packets of max + size + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/responder_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c +index c4b38f71b..f2223c665 100644 +--- a/src/responder/common/responder_packet.c ++++ b/src/responder/common/responder_packet.c +@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd) + + /* Due to the way sss_packet_grow() works, the packet len must be set + * to 0 first, and then grown to the expected size. */ +- if (new_len < max_recv_size) { ++ if (new_len <= max_recv_size) { + sss_packet_set_len(packet, 0); + ret = sss_packet_grow(packet, new_len); + if (ret != EOK) { +-- +2.26.3 + diff --git a/SOURCES/0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch b/SOURCES/0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch new file mode 100644 index 0000000..71f3a00 --- /dev/null +++ b/SOURCES/0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch @@ -0,0 +1,46 @@ +From e865b008aa8947efca0116deb95e29cc2309256f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 30 Mar 2021 15:31:17 +0200 +Subject: [PATCH] AD GPO: respect ad_gpo_implicit_deny if no GPO is present +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at +all for the given client. With this patch this case is handled as +expected as well. + +Resolves: https://github.com/SSSD/sssd/issues/5561 + +:fixes: `ad_gpo_implicit_deny` is now respected even if there are no + applicable GPOs present + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_gpo.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index b15e0f345..4ef6a7219 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -2472,7 +2472,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) + } + } + +- ret = EOK; ++ if (state->gpo_implicit_deny == true) { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "No applicable GPOs have been found and ad_gpo_implicit_deny" ++ " is set to 'true'. The user will be denied access.\n"); ++ ret = ERR_ACCESS_DENIED; ++ } else { ++ ret = EOK; ++ } ++ + goto done; + } + +-- +2.26.3 + diff --git a/SOURCES/0054-sss_domain_info-add-not_found_counter.patch b/SOURCES/0054-sss_domain_info-add-not_found_counter.patch new file mode 100644 index 0000000..73653fb --- /dev/null +++ b/SOURCES/0054-sss_domain_info-add-not_found_counter.patch @@ -0,0 +1,64 @@ +From 5d65411f1aa16af929ae2271ee4d3d9101728a67 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 14 Apr 2021 17:22:06 +0200 +Subject: [PATCH 54/55] sss_domain_info: add not_found_counter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This new counter should be used to track how often a domain could not be +found while discovering the environment so that it can be deleted after +a number of failed attempts. + +Resolves: https://github.com/SSSD/sssd/issues/5528 + +Reviewed-by: Pavel Březina +--- + src/confdb/confdb.c | 1 + + src/confdb/confdb.h | 4 ++++ + src/db/sysdb_subdomains.c | 2 ++ + 3 files changed, 7 insertions(+) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index cca76159b..c554edda0 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1620,6 +1620,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, + domain->view_name = NULL; + + domain->state = DOM_ACTIVE; ++ domain->not_found_counter = 0; + + *_domain = domain; + ret = EOK; +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 81b68a0f1..c6c2514f8 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -441,6 +441,10 @@ struct sss_domain_info { + char *gssapi_check_upn; /* true | false | NULL */ + /* List of indicators associated with the specific PAM service */ + char **gssapi_indicators_map; ++ ++ /* Counts how often the domain was not found during a refresh of the ++ * domain list */ ++ size_t not_found_counter; + }; + + /** +diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c +index e2381c8af..348f242d0 100644 +--- a/src/db/sysdb_subdomains.c ++++ b/src/db/sysdb_subdomains.c +@@ -193,6 +193,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, + dom->gssapi_services = parent->gssapi_services; + dom->gssapi_indicators_map = parent->gssapi_indicators_map; + ++ dom->not_found_counter = 0; ++ + if (parent->sysdb == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n"); + goto fail; +-- +2.26.3 + diff --git a/SOURCES/0055-AD-read-trusted-domains-from-local-domain-as-well.patch b/SOURCES/0055-AD-read-trusted-domains-from-local-domain-as-well.patch new file mode 100644 index 0000000..c56e782 --- /dev/null +++ b/SOURCES/0055-AD-read-trusted-domains-from-local-domain-as-well.patch @@ -0,0 +1,241 @@ +From 95adf488f94f5968f6cfba9e3bef74c07c02ccff Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 16 Feb 2021 14:30:55 +0100 +Subject: [PATCH 55/55] AD: read trusted domains from local domain as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently SSSD only uses information stored in a domain controller of +the forest root domain to get the names of other trusted domains in the +forest. Depending on how the forest was created the forest root might +not have LDAP objects for all domains in the forest. It looks like a +typical case are child domains of other domains in the forest. + +As a start SSSD can now include trusted domains stored in the LDAP tree +of a local domain controller as well. In a long run it would make sense +to allow SSSD to explicitly search for domain by looking up DNS entries +and checking a potential domain controller with a CLDAP ping. + +Resolves: https://github.com/SSSD/sssd/issues/5528 + +:feature: Besides trusted domains known by the forest root, trusted + domains known by the local domain are used as well. + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_subdomains.c | 105 +++++++++++++++++++++++++------ + 1 file changed, 86 insertions(+), 19 deletions(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index f5b0be6c2..3eb49c93f 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -45,6 +45,7 @@ + #define AD_AT_TRUST_TYPE "trustType" + #define AD_AT_TRUST_PARTNER "trustPartner" + #define AD_AT_TRUST_ATTRS "trustAttributes" ++#define AD_AT_DOMAIN_NAME "cn" + + /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See + * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx +@@ -56,7 +57,6 @@ + */ + #define SLAVE_DOMAIN_FILTER_BASE "(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))" + #define SLAVE_DOMAIN_FILTER "(&"SLAVE_DOMAIN_FILTER_BASE")" +-#define FOREST_ROOT_FILTER_FMT "(&"SLAVE_DOMAIN_FILTER_BASE"(cn=%s))" + + /* Attributes of schema objects. See e.g. + * https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes +@@ -646,6 +646,10 @@ done: + return ret; + } + ++/* How many times we keep a domain not found during searches before it will be ++ * removed. */ ++#define MAX_NOT_FOUND 6 ++ + static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx, + struct sdap_idmap_ctx *idmap_ctx, + struct sdap_options *opts, +@@ -706,6 +710,25 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx, + } + + if (c >= num_subdomains) { ++ DEBUG(SSSDBG_CONF_SETTINGS, "Domain [%s] not in current list.\n", ++ dom->name); ++ /* Since the forest root might not have trustedDomain objects for ++ * each domain in the forest, especially e.g. for child-domains of ++ * child-domains, we cannot reliable say if a domain is still ++ * present or not. ++ * Maybe it would work to check the crossRef objects in ++ * CN=Partitions,CN=Configuration as well to understand if a ++ * domain is still known in the forest or not. ++ * For the time being we use a counter, if a domain was not found ++ * after multiple attempts it will be deleted. */ ++ ++ if (dom->not_found_counter++ < MAX_NOT_FOUND) { ++ DEBUG(SSSDBG_TRACE_ALL, ++ "Domain [%s] was not found [%zu] times.\n", dom->name, ++ dom->not_found_counter); ++ continue; ++ } ++ + /* ok this subdomain does not exist anymore, let's clean up */ + sss_domain_set_state(dom, DOM_DISABLED); + +@@ -740,6 +763,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx, + /* terminate all requests for this subdomain so we can free it */ + dp_terminate_domain_requests(be_ctx->provider, dom->name); + talloc_zfree(sdom); ++ + } else { + /* ok let's try to update it */ + ret = ad_subdom_enumerates(domain, subdomains[c], &enumerate); +@@ -747,6 +771,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx, + goto done; + } + ++ dom->not_found_counter = 0; + ret = ad_subdom_store(be_ctx->cdb, idmap_ctx, domain, + subdomains[c], enumerate); + if (ret) { +@@ -1307,10 +1332,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_req *req; + struct sdap_options *opts; + errno_t ret; +- const char *filter; + const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER, + AD_AT_SID, AD_AT_TRUST_TYPE, +- AD_AT_TRUST_ATTRS, NULL }; ++ AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL }; + + req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state); + if (req == NULL) { +@@ -1335,15 +1359,10 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx, + state->domain = domain; + state->forest = forest; + +- filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest); +- if (filter == NULL) { +- ret = ENOMEM; +- goto immediately; +- } +- + subreq = sdap_search_bases_return_first_send(state, ev, opts, sh, + opts->sdom->search_bases, +- NULL, false, 0, filter, attrs, ++ NULL, false, 0, ++ SLAVE_DOMAIN_FILTER, attrs, + NULL); + if (subreq == NULL) { + ret = ENOMEM; +@@ -1365,11 +1384,33 @@ immediately: + return req; + } + ++static struct sysdb_attrs *find_domain(size_t count, struct sysdb_attrs **reply, ++ const char *dom_name) ++{ ++ size_t c; ++ const char *name; ++ int ret; ++ ++ for (c = 0; c < count; c++) { ++ ret = sysdb_attrs_get_string(reply[c], AD_AT_DOMAIN_NAME, &name); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to find domain name, skipping"); ++ continue; ++ } ++ if (strcasecmp(name, dom_name) == 0) { ++ return reply[c]; ++ } ++ } ++ ++ return NULL; ++} ++ + static void ad_get_root_domain_done(struct tevent_req *subreq) + { + struct tevent_req *req; + struct ad_get_root_domain_state *state; + errno_t ret; ++ bool has_changes = false; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_get_root_domain_state); +@@ -1384,7 +1425,37 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) + goto done; + } + +- if (state->reply_count == 0) { ++ find_domain(state->reply_count, state->reply, state->forest); ++ ++ if (state->reply_count == 0 ++ || find_domain(state->reply_count, state->reply, ++ state->forest) == NULL) { ++ ++ if (state->reply_count > 0) { ++ /* refresh the other domains we have found before checking forest ++ * root */ ++ ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, ++ state->opts, ++ state->reply, state->reply_count, false, ++ &state->sd_ctx->last_refreshed, ++ &has_changes); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ad_subdomains_refresh failed [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ if (has_changes) { ++ ret = ad_subdom_reinit(state->sd_ctx); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Could not reinitialize subdomains\n"); ++ goto done; ++ } ++ } ++ } ++ + DEBUG(SSSDBG_OP_FAILURE, + "No information provided for root domain, trying directly.\n"); + subreq = ad_check_domain_send(state, state->ev, state->be_ctx, +@@ -1397,11 +1468,6 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) + } + tevent_req_set_callback(subreq, ad_check_root_domain_done, req); + return; +- } else if (state->reply_count > 1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, " +- "domain list might be incomplete!\n"); +- ret = ERR_MALFORMED_ENTRY; +- goto done; + } + + ret = ad_get_root_domain_refresh(state); +@@ -1519,7 +1585,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) + errno_t ret; + + ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts, +- state->reply, state->reply_count, true, ++ state->reply, state->reply_count, false, + &state->sd_ctx->last_refreshed, + &has_changes); + if (ret != EOK) { +@@ -1536,8 +1602,9 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) + } + } + +- state->root_domain_attrs = state->reply[0]; +- root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]); ++ state->root_domain_attrs = find_domain(state->reply_count, state->reply, ++ state->forest); ++ root_domain = ads_get_root_domain(state->be_ctx, state->root_domain_attrs); + if (root_domain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n"); + ret = EFAULT; +-- +2.26.3 + diff --git a/SOURCES/0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch b/SOURCES/0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch new file mode 100644 index 0000000..91227f1 --- /dev/null +++ b/SOURCES/0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch @@ -0,0 +1,109 @@ +From 231d1118727b989a4af9911a45a465912fe659d6 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 12 Mar 2021 14:38:54 +0100 +Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When checking if a group returned by an initgroups request is filtered +in the negative cache the domain of the user was used. This does not +work reliable if the user can be a member of groups from multiple +domains. + +With this patch th domain the group belongs to is determined and used +while checking the negative cache. + +Resolves: https://github.com/SSSD/sssd/issues/5534 + +Reviewed-by: Pavel Březina +--- + src/db/sysdb.c | 22 ++++++++++++++++++++++ + src/db/sysdb.h | 7 +++++++ + src/responder/nss/nss_protocol_grent.c | 8 +++++--- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/src/db/sysdb.c b/src/db/sysdb.c +index 693f687be..6001c49cb 100644 +--- a/src/db/sysdb.c ++++ b/src/db/sysdb.c +@@ -2139,3 +2139,25 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level, + fmt, ap); + } + } ++ ++struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom, ++ struct ldb_message *msg) ++{ ++ const char *name; ++ struct sss_domain_info *obj_dom = NULL; ++ ++ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); ++ if (name == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Object does not have a name attribute.\n"); ++ return dom; ++ } ++ ++ obj_dom = find_domain_by_object_name(get_domains_head(dom), name); ++ if (obj_dom == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name); ++ return dom; ++ } ++ ++ return obj_dom; ++} +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index a00efa55f..37a2c4124 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -1532,4 +1532,11 @@ errno_t sysdb_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, + void ldb_debug_messages(void *context, enum ldb_debug_level level, + const char *fmt, va_list ap); + ++/* Try to detect the object domain from the object's SYSDB_NAME attribute and ++ * return the matching sss_domain_info. This should work reliable with user ++ * and group objects since fully-qualified names are used here. If the proper ++ * domain cannot be detected the given domain is returned. */ ++struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom, ++ struct ldb_message *msg); ++ + #endif /* __SYS_DB_H__ */ +diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c +index 135b392f7..f6e00eb10 100644 +--- a/src/responder/nss/nss_protocol_grent.c ++++ b/src/responder/nss/nss_protocol_grent.c +@@ -361,6 +361,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, + struct cache_req_result *result) + { + struct sss_domain_info *domain; ++ struct sss_domain_info *grp_dom; + struct ldb_message *user; + struct ldb_message *msg; + struct ldb_message *primary_group_msg; +@@ -418,10 +419,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, + num_results = 0; + for (i = 1; i < result->count; i++) { + msg = result->msgs[i]; +- gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, ++ grp_dom = find_domain_by_msg(domain, msg); ++ gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM, + 0); + posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL); +- grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME, ++ grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME, + NULL); + + if (gid == 0) { +@@ -435,7 +437,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, + } + } + +- if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) { ++ if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) { + continue; + } + +-- +2.26.3 + diff --git a/SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch b/SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch new file mode 100644 index 0000000..4227dc5 --- /dev/null +++ b/SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch @@ -0,0 +1,198 @@ +From 0cddb67128edc86be4163489e29eaa3c4e123b7b Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 12 Mar 2021 19:27:12 +0100 +Subject: [PATCH] DEBUG: introduce SSSDBG_TOOLS_DEFAULT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: https://github.com/SSSD/sssd/issues/5488 + +Reviewed-by: Tomáš Halman +--- + src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +- + src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +- + src/tools/common/sss_tools.c | 2 +- + src/tools/sss_cache.c | 2 +- + src/tools/sss_groupadd.c | 2 +- + src/tools/sss_groupdel.c | 2 +- + src/tools/sss_groupmod.c | 2 +- + src/tools/sss_groupshow.c | 2 +- + src/tools/sss_seed.c | 2 +- + src/tools/sss_useradd.c | 2 +- + src/tools/sss_userdel.c | 2 +- + src/tools/sss_usermod.c | 2 +- + src/util/debug.h | 1 + + 13 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c +index e356f28c3..324e5e3a3 100644 +--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c ++++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c +@@ -32,7 +32,7 @@ + int main(int argc, const char **argv) + { + TALLOC_CTX *mem_ctx = NULL; +- int pc_debug = SSSDBG_FATAL_FAILURE; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + const char *pc_domain = NULL; + const char *pc_user = NULL; + struct poptOption long_options[] = { +diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +index 3cd12b480..170ba30a3 100644 +--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c ++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@@ -174,7 +174,7 @@ connect_proxy_command(char **args) + int main(int argc, const char **argv) + { + TALLOC_CTX *mem_ctx = NULL; +- int pc_debug = SSSDBG_FATAL_FAILURE; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + int pc_port = 22; + const char *pc_domain = NULL; + const char *pc_host = NULL; +diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c +index 368d09ae2..637e251f6 100644 +--- a/src/tools/common/sss_tools.c ++++ b/src/tools/common/sss_tools.c +@@ -56,7 +56,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx, + int *argc, const char **argv) + { + poptContext pc; +- int debug = SSSDBG_DEFAULT; ++ int debug = SSSDBG_TOOLS_DEFAULT; + int orig_argc = *argc; + int help = 0; + +diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c +index cea900bf1..b5391b16d 100644 +--- a/src/tools/sss_cache.c ++++ b/src/tools/sss_cache.c +@@ -709,7 +709,7 @@ static errno_t init_context(int argc, const char *argv[], + struct cache_tool_ctx *ctx = NULL; + int idb = INVALIDATE_NONE; + struct input_values values = { 0 }; +- int debug = SSSDBG_DEFAULT; ++ int debug = SSSDBG_TOOLS_DEFAULT; + errno_t ret = EOK; + + poptContext pc = NULL; +diff --git a/src/tools/sss_groupadd.c b/src/tools/sss_groupadd.c +index f71d6dde7..91559116d 100644 +--- a/src/tools/sss_groupadd.c ++++ b/src/tools/sss_groupadd.c +@@ -34,7 +34,7 @@ + int main(int argc, const char **argv) + { + gid_t pc_gid = 0; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug",'\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, +diff --git a/src/tools/sss_groupdel.c b/src/tools/sss_groupdel.c +index 5dcc2056d..e64441758 100644 +--- a/src/tools/sss_groupdel.c ++++ b/src/tools/sss_groupdel.c +@@ -33,7 +33,7 @@ + int main(int argc, const char **argv) + { + int ret = EXIT_SUCCESS; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + const char *pc_groupname = NULL; + struct tools_ctx *tctx = NULL; + +diff --git a/src/tools/sss_groupmod.c b/src/tools/sss_groupmod.c +index eddc7034a..8770b6684 100644 +--- a/src/tools/sss_groupmod.c ++++ b/src/tools/sss_groupmod.c +@@ -35,7 +35,7 @@ + int main(int argc, const char **argv) + { + gid_t pc_gid = 0; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, +diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c +index 7b0fbe117..aa618eecb 100644 +--- a/src/tools/sss_groupshow.c ++++ b/src/tools/sss_groupshow.c +@@ -654,7 +654,7 @@ static void print_recursive(struct group_info **group_members, unsigned level) + int main(int argc, const char **argv) + { + int ret = EXIT_SUCCESS; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + bool pc_recursive = false; + const char *pc_groupname = NULL; + struct tools_ctx *tctx = NULL; +diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c +index 1189604a3..17ba81956 100644 +--- a/src/tools/sss_seed.c ++++ b/src/tools/sss_seed.c +@@ -460,7 +460,7 @@ static int seed_init(TALLOC_CTX *mem_ctx, + struct seed_ctx **_sctx) + { + TALLOC_CTX *tmp_ctx = NULL; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + const char *pc_domain = NULL; + const char *pc_name = NULL; + uid_t pc_uid = 0; +diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c +index ca2cbd6c1..fa1091ec8 100644 +--- a/src/tools/sss_useradd.c ++++ b/src/tools/sss_useradd.c +@@ -38,7 +38,7 @@ int main(int argc, const char **argv) + const char *pc_gecos = NULL; + const char *pc_home = NULL; + char *pc_shell = NULL; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + int pc_create_home = 0; + const char *pc_username = NULL; + const char *pc_skeldir = NULL; +diff --git a/src/tools/sss_userdel.c b/src/tools/sss_userdel.c +index bd703fd2e..60bb0f835 100644 +--- a/src/tools/sss_userdel.c ++++ b/src/tools/sss_userdel.c +@@ -125,7 +125,7 @@ int main(int argc, const char **argv) + struct tools_ctx *tctx = NULL; + const char *pc_username = NULL; + +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + int pc_remove = 0; + int pc_force = 0; + int pc_kick = 0; +diff --git a/src/tools/sss_usermod.c b/src/tools/sss_usermod.c +index 6a818f13a..0f3230d27 100644 +--- a/src/tools/sss_usermod.c ++++ b/src/tools/sss_usermod.c +@@ -40,7 +40,7 @@ int main(int argc, const char **argv) + char *pc_gecos = NULL; + char *pc_home = NULL; + char *pc_shell = NULL; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_TOOLS_DEFAULT; + const char *pc_selinux_user = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP +diff --git a/src/util/debug.h b/src/util/debug.h +index a3adfe576..54a7e3934 100644 +--- a/src/util/debug.h ++++ b/src/util/debug.h +@@ -108,6 +108,7 @@ int rotate_debug_files(void); + #define SSSDBG_INVALID -1 + #define SSSDBG_UNRESOLVED 0 + #define SSSDBG_DEFAULT (SSSDBG_FATAL_FAILURE|SSSDBG_CRIT_FAILURE|SSSDBG_OP_FAILURE) ++#define SSSDBG_TOOLS_DEFAULT (SSSDBG_FATAL_FAILURE) + + + /** \def DEBUG(level, format, ...) +-- +2.26.3 + diff --git a/SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch b/SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch new file mode 100644 index 0000000..36eb7d8 --- /dev/null +++ b/SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch @@ -0,0 +1,34 @@ +From fbf33babe3fb52323f098aa300b51bf8fc5ee363 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 19 May 2021 17:20:52 +0200 +Subject: [PATCH] TOOLS: removed unneeded debug message +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This message was logged before `sss_tool_init()` that sets debug level, +thus ignoring configured debug level. + +Since the same message is printed via `ERROR` on a next line, this log +message doesn't add any information and can be simply removed. + +Reviewed-by: Tomáš Halman +--- + src/tools/common/sss_tools.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c +index 637e251f6..806667f46 100644 +--- a/src/tools/common/sss_tools.c ++++ b/src/tools/common/sss_tools.c +@@ -512,7 +512,6 @@ int sss_tool_main(int argc, const char **argv, + + uid = getuid(); + if (uid != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid); + ERROR("%1$s must be run as root\n", argv[0]); + return EXIT_FAILURE; + } +-- +2.26.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 15e684b..a614ae0 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -26,7 +26,7 @@ Name: sssd Version: 2.4.0 -Release: 9%{?dist} +Release: 9%{?dist}.1 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -85,6 +85,13 @@ Patch0048: 0048-pot-update-pot-files.patch Patch0049: 0049-Update-the-translations-for-the-2.4.1-release.patch Patch0050: 0050-pot-update-pot-files.patch Patch0051: 0051-po-update-translations.patch +Patch0052: 0052-handle-large-service-tickets.patch +Patch0053: 0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch +Patch0054: 0054-sss_domain_info-add-not_found_counter.patch +Patch0055: 0055-AD-read-trusted-domains-from-local-domain-as-well.patch +Patch0056: 0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch +Patch0057: 0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch +Patch0058: 0058-TOOLS-removed-unneeded-debug-message.patch ### Downstream Patches ### @@ -1266,6 +1273,13 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Mon May 24 2021 Alexey Tikhonov - 2.4.0-9.1 +- Resolves: rhbz#1949170 - pam_sss_gss.so doesn't work with large kerberos tickets [rhel-8.4.0.z] +- Resolves: rhbz#1945656 - No gpo found and ad_gpo_implicit_deny set to True still permits user login [rhel-8.4.0.z] +- Resolves: rhbz#1945655 - SSSD not detecting subdomain from AD forest (RHEL 8.3) [rhel-8.4.0.z] +- Resolves: rhbz#1945654 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-8.4.0.z] +- Resolves: rhbz#1942438 - Wrong default debug level of sssd tools [rhel-8.4.0.z] + * Fri Mar 19 2021 Alexey Tikhonov - 2.4.0-9 - Resolves: rhbz#1899712 - [sssd] RHEL 8.4 Tier 0 Localization