From e050a404f833dc73de276e3de78fb3d68ce239d6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 31 2020 12:25:37 +0000 Subject: import sssd-1.16.4-37.el7_8.1 --- diff --git a/SOURCES/0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch b/SOURCES/0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch new file mode 100644 index 0000000..396cfcd --- /dev/null +++ b/SOURCES/0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch @@ -0,0 +1,81 @@ +From 442cd658329251d8390dd5bd790d86c78ead88ab Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Mon, 24 Jun 2019 15:58:09 +0200 +Subject: [PATCH] LDAP: failover does not work on non-responsive ldaps + +In case ldaps:// is used, then establishing the secure socket is +a sychronous operation. If there's nothing on the other end, then +the process would be stuck waiting in for the crypto library +to finish. + +Here we set socket read/write timeout so the operation can finish +in reasonable time with an error. The ldap_network_timeout +option is used for this timeout. + +Resolves: +https://pagure.io/SSSD/sssd/issue/2878 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Jakub Hrozek +(cherry picked from commit 2d657dffb419640860e46ed417137b0e2cc7d9af) +--- + src/util/sss_sockets.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c +index 5e9be9ebd..0e4d8df8a 100644 +--- a/src/util/sss_sockets.c ++++ b/src/util/sss_sockets.c +@@ -74,10 +74,11 @@ static errno_t set_fcntl_flags(int fd, int fd_flags, int fl_flags) + return EOK; + } + +-static errno_t set_fd_common_opts(int fd) ++static errno_t set_fd_common_opts(int fd, int timeout) + { + int dummy = 1; + int ret; ++ struct timeval tv; + + /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but + * failures are ignored.*/ +@@ -97,6 +98,27 @@ static errno_t set_fd_common_opts(int fd) + strerror(ret)); + } + ++ if (timeout > 0) { ++ /* Set socket read & write timeout */ ++ tv = tevent_timeval_set(timeout, 0); ++ ++ ret = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)); ++ if (ret != 0) { ++ ret = errno; ++ DEBUG(SSSDBG_FUNC_DATA, ++ "setsockopt SO_RCVTIMEO failed.[%d][%s].\n", ret, ++ strerror(ret)); ++ } ++ ++ ret = setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)); ++ if (ret != 0) { ++ ret = errno; ++ DEBUG(SSSDBG_FUNC_DATA, ++ "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret, ++ strerror(ret)); ++ } ++ } ++ + return EOK; + } + +@@ -264,7 +286,7 @@ struct tevent_req *sssd_async_socket_init_send(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = set_fd_common_opts(state->sd); ++ ret = set_fd_common_opts(state->sd, timeout); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_fd_common_opts failed.\n"); + goto fail; +-- +2.20.1 + diff --git a/SOURCES/0111-Add-TCP-level-timeout-to-LDAP-services.patch b/SOURCES/0111-Add-TCP-level-timeout-to-LDAP-services.patch new file mode 100644 index 0000000..8c28ccb --- /dev/null +++ b/SOURCES/0111-Add-TCP-level-timeout-to-LDAP-services.patch @@ -0,0 +1,51 @@ +From bad7c631b7aab50d179755ee546357e4f4faca9d Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Tue, 10 Sep 2019 14:33:37 +0000 +Subject: [PATCH] Add TCP level timeout to LDAP services + +In some cases the TCP connection may hang with data sent because +of network conditions, this may cause the socket to stall for much +longer than the timeout intended. +Set a TCP option to forcibly timeout a socket that sees its data not +ACKed within the ldap_network_timeout seconds. + +Signed-off-by: Simo Sorce + +Reviewed-by: Sumit Bose +(cherry picked from commit 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac) +--- + src/util/sss_sockets.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c +index 0e4d8df8a..b6b6dbac5 100644 +--- a/src/util/sss_sockets.c ++++ b/src/util/sss_sockets.c +@@ -79,6 +79,7 @@ static errno_t set_fd_common_opts(int fd, int timeout) + int dummy = 1; + int ret; + struct timeval tv; ++ unsigned int milli; + + /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but + * failures are ignored.*/ +@@ -117,6 +118,16 @@ static errno_t set_fd_common_opts(int fd, int timeout) + "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret, + strerror(ret)); + } ++ ++ milli = timeout * 1000; /* timeout in milliseconds */ ++ ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli, ++ sizeof(milli)); ++ if (ret != 0) { ++ ret = errno; ++ DEBUG(SSSDBG_FUNC_DATA, ++ "setsockopt TCP_USER_TIMEOUT failed.[%d][%s].\n", ret, ++ strerror(ret)); ++ } + } + + return EOK; +-- +2.20.1 + diff --git a/SOURCES/0112-sss_sockets-pass-pointer-instead-of-integer.patch b/SOURCES/0112-sss_sockets-pass-pointer-instead-of-integer.patch new file mode 100644 index 0000000..cc45b47 --- /dev/null +++ b/SOURCES/0112-sss_sockets-pass-pointer-instead-of-integer.patch @@ -0,0 +1,47 @@ +From 191f3722f28107ccde4ce96dd88a401fb36b059a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 10 Feb 2020 11:52:35 +0100 +Subject: [PATCH] sss_sockets: pass pointer instead of integer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +``` +/home/pbrezina/workspace/sssd/src/util/sss_sockets.c: In function ‘set_fd_common_opts’: +/home/pbrezina/workspace/sssd/src/util/sss_sockets.c:123:61: error: passing argument 4 of ‘setsockopt’ makes pointer from integer without a cast [-Werror=int-conversion] + 123 | ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli, + | ^~~~~ + | | + | unsigned int +In file included from /home/pbrezina/workspace/sssd/src/util/sss_sockets.c:28: +/usr/include/sys/socket.h:216:22: note: expected ‘const void *’ but argument is of type ‘unsigned int’ + 216 | const void *__optval, socklen_t __optlen) __THROW; + | ~~~~~~~~~~~~^~~~~~~~ + CC src/util/sssd_kcm-sss_iobuf.o +cc1: all warnings being treated as errors +``` + +Introduced by 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac + +Reviewed-by: Sumit Bose +(cherry picked from commit 5b87af6f5b50c464ee7ea4558f73431e398e1423) +--- + src/util/sss_sockets.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c +index b6b6dbac5..6f2b71bc8 100644 +--- a/src/util/sss_sockets.c ++++ b/src/util/sss_sockets.c +@@ -120,7 +120,7 @@ static errno_t set_fd_common_opts(int fd, int timeout) + } + + milli = timeout * 1000; /* timeout in milliseconds */ +- ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli, ++ ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli, + sizeof(milli)); + if (ret != 0) { + ret = errno; +-- +2.20.1 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 758ef2a..63d1c9c 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -48,7 +48,7 @@ Name: sssd Version: 1.16.4 -Release: 37%{?dist} +Release: 37%{?dist}.1 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -166,6 +166,9 @@ Patch0106: 0106-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch Patch0107: 0107-ad-add-ad_use_ldaps.patch Patch0108: 0108-ldap-add-new-option-ldap_sasl_maxssf.patch Patch0109: 0109-ad-set-min-and-max-ssf-for-ldaps.patch +Patch0110: 0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch +Patch0111: 0111-Add-TCP-level-timeout-to-LDAP-services.patch +Patch0112: 0112-sss_sockets-pass-pointer-instead-of-integer.patch #This patch should not be removed in RHEL-7 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -915,7 +918,7 @@ done %dir %{_sysconfdir}/rwtab.d %config(noreplace) %{_sysconfdir}/rwtab.d/sssd %dir %{_datadir}/sssd -%{_sysconfdir}/pam.d/sssd-shadowutils +%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils %{_libdir}/%{name}/conf/sssd.conf %{_datadir}/sssd/cfg_rules.ini @@ -1325,6 +1328,12 @@ systemctl try-restart sssd >/dev/null 2>&1 || : } %changelog +* Wed Mar 18 2020 Michal Židek - 1.16.4-37.1 +- Resolves: rhbz#1801208 - id command taking 1+ minute for returning user + information [rhel-7.8.z] + - Also updates spec file to not replace + /pam.d/sssd-shadowutils on update + * Tue Jan 15 2020 Michal Židek - 1.16.4-37 - Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages