diff --git a/SOURCES/0104-nss-idmap-do-not-set-a-limit.patch b/SOURCES/0104-nss-idmap-do-not-set-a-limit.patch
new file mode 100644
index 0000000..894d05e
--- /dev/null
+++ b/SOURCES/0104-nss-idmap-do-not-set-a-limit.patch
@@ -0,0 +1,37 @@
+From 814108dc02a4de5d0333e9c2713f809fc3d2da47 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 18 Apr 2018 10:20:06 +0200
+Subject: [PATCH] nss-idmap: do not set a limit
+
+If the limit is set the needed size to return all groups cannot be
+returned.
+
+Related to https://pagure.io/SSSD/sssd/issue/3715
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 46a4c265629d9b725c41f22849741ce7342bdd85)
+
+DOWNSTREAM:
+Resolves: rhbz#1570527 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash [rhel-7.5.z]
+---
+ src/sss_client/idmap/sss_nss_ex.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
+index af6a95180656b598bcb94c209dfa821cb0275f02..f56bffcc24a7e2503e23a892541a9242ed4b5069 100644
+--- a/src/sss_client/idmap/sss_nss_ex.c
++++ b/src/sss_client/idmap/sss_nss_ex.c
+@@ -96,7 +96,9 @@ errno_t sss_nss_mc_get(struct nss_input *inp)
+ inp->result.initgrrep.start,
+ inp->result.initgrrep.ngroups,
+ &(inp->result.initgrrep.groups),
+- *(inp->result.initgrrep.ngroups));
++ /* no limit so that needed size can
++ * be returned properly */
++ -1);
+ break;
+ default:
+ return EINVAL;
+--
+2.14.3
+
diff --git a/SOURCES/0105-nss-idmap-use-right-group-list-pointer-after-sss_get.patch b/SOURCES/0105-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
new file mode 100644
index 0000000..5e524cd
--- /dev/null
+++ b/SOURCES/0105-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
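Review bot: The `-1` passed as the new last argument is only a "no limit" sentinel if the callee's limit parameter is a signed type that documents a negative value that way; the prototype is outside this hunk, and if the parameter were unsigned the value would silently become a very large positive limit rather than "no limit". Please confirm the signature of the function called here and make the contract explicit in the comment, e.g. `/* negative limit == no limit: the callee must be able to report the full number of groups needed */`. sss_nss_mc_get() starts and ends outside the hunk.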
@@ -0,0 +1,69 @@
+From c3e0098383fb199d678df54bfd129123a8184e70 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 18 Apr 2018 10:23:22 +0200
+Subject: [PATCH] nss-idmap: use right group list pointer after sss_get_ex()
+
+If the initial array is too small it will be reallocated during
+sss_get_ex() and the pointer might change and the initial memory area
+should not be used anymore.
+
+Related to https://pagure.io/SSSD/sssd/issue/3715
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b)
+---
+ src/sss_client/idmap/sss_nss_ex.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
+index f56bffcc24a7e2503e23a892541a9242ed4b5069..5bcfe8850b5355d6cbe0efc5e52fe076737f2a08 100644
+--- a/src/sss_client/idmap/sss_nss_ex.c
++++ b/src/sss_client/idmap/sss_nss_ex.c
+@@ -485,7 +485,6 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
+ uint32_t flags, unsigned int timeout)
+ {
+ int ret;
+- gid_t *new_groups;
+ long int new_ngroups;
+ long int start = 1;
+ struct nss_input inp = {
+@@ -498,27 +497,28 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
+ }
+
+ new_ngroups = MAX(1, *ngroups);
+- new_groups = malloc(new_ngroups * sizeof(gid_t));
+- if (new_groups == NULL) {
++ inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t));
++ if (inp.result.initgrrep.groups == NULL) {
+ free(discard_const(inp.rd.data));
+ return ENOMEM;
+ }
+- new_groups[0] = group;
++ inp.result.initgrrep.groups[0] = group;
+
+- inp.result.initgrrep.groups = new_groups,
+ inp.result.initgrrep.ngroups = &new_ngroups;
+ inp.result.initgrrep.start = &start;
+
+-
++ /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and
++ * inp.result.initgrrep.start might be modified by sss_get_ex() */
+ ret = sss_get_ex(&inp, flags, timeout);
+ free(discard_const(inp.rd.data));
+ if (ret != 0) {
+- free(new_groups);
++ free(inp.result.initgrrep.groups);
+ return ret;
+ }
+
+- memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t));
+- free(new_groups);
++ memcpy(groups, inp.result.initgrrep.groups,
++ MIN(*ngroups, start) * sizeof(gid_t));
++ free(inp.result.initgrrep.groups);
+
+ if (start > *ngroups) {
+ ret = ERANGE;
+--
+2.14.3
+
diff --git a/SOURCES/0106-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch b/SOURCES/0106-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
new file mode 100644
index 0000000..2611011
--- /dev/null
+++ b/SOURCES/0106-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
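Review bot: The size handed to `memcpy()` is `MIN(*ngroups, start) * sizeof(gid_t)`, and `*ngroups` comes straight from the caller; if the part of sss_nss_getgrouplist_timeout() before this hunk does not reject `*ngroups < 0`, a negative value passes `MAX(1, *ngroups)` unnoticed and then becomes a huge `size_t` here, writing past the caller's `groups` buffer. If such a check exists, a one-line comment at the `memcpy()` saying so would save the next reader the search; if not, `if (*ngroups < 0) return EINVAL;` next to whatever argument validation precedes the hunk is the fix. The added comment above `sss_get_ex()` could also state the consequence rather than the possibility: `/* sss_get_ex() may realloc() groups; only the pointer it leaves in inp is valid afterwards */`. The function begins before the first hunk and continues past the second.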
@@ -0,0 +1,119 @@
+From f9859498b52d89bf60dbddd898752f859f4952d3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 15 Mar 2018 12:50:20 +0100
+Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index
+
+Netgroups are not looked up with the help of a single request but by
+calling setnetgrent(), getnetgrent() and endnetgrent() where
+getnetgrent() might be called multiple times depending on the number of
+netgroup elements. Since the caller does not provide a state the state
+has to be maintained by the SSSD nss responder. Besides the netgroup
+name this is mainly the number of elements already returned.
+
+This number is used to select the next element to return and currently
+it is assumed that there are not changes to the netgroup while the
+client is requesting the individual elements. But if e.g. the 3 nss
+calls are not used correctly or the netgroup is modified while the
+client is sending getnetgrent() calls the stored number might be out of
+range. To be on the safe side the stored number should be always
+compared with the current number of netgroup elements.
+
+Related to https://pagure.io/SSSD/sssd/issue/3679
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 08db22b1b1a2e742edbca92e35087294d963adda)
+
+DOWNSTREAM:
+Resolves: rhbz#1579703 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000] [rhel-7.5.z]
+---
+ src/db/sysdb.h | 3 ++-
+ src/db/sysdb_search.c | 5 ++++-
+ src/responder/nss/nss_enum.c | 3 ++-
+ src/responder/nss/nss_private.h | 1 +
+ src/responder/nss/nss_protocol_netgr.c | 7 +++++++
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index fd18ecefed2b2c5f35060fa47fd160a8968e073b..2660314a75a574d7f5625c8672e5261587056d1a 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx,
+
+ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+ struct ldb_result *res,
+- struct sysdb_netgroup_ctx ***entries);
++ struct sysdb_netgroup_ctx ***entries,
++ size_t *netgroup_count);
+
+ errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input,
+ char **sanitized);
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index a6a81e23d257331614085403b4dca8ded860600b..9f37cbcd50a778145518c15b6146ad812a5b4fa3 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -1829,7 +1829,8 @@ done:
+
+ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+ struct ldb_result *res,
+- struct sysdb_netgroup_ctx ***entries)
++ struct sysdb_netgroup_ctx ***entries,
++ size_t *netgroup_count)
+ {
+ errno_t ret;
+ size_t size = 0;
+@@ -1933,6 +1934,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+ tmp_entry[c] = NULL;
+
+ *entries = talloc_steal(mem_ctx, tmp_entry);
++ *netgroup_count = c;
++
+ ret = EOK;
+
+ done:
+diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
+index da844fbced529f606a3e98669fb7b95e0696ce00..b2b22bbae8a373ed3abb47381fabd989d4931690 100644
+--- a/src/responder/nss/nss_enum.c
++++ b/src/responder/nss/nss_enum.c
+@@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq)
+ /* We need to expand the netgroup into triples and members. */
+ ret = sysdb_netgr_to_entries(state->enum_ctx,
+ result[0]->ldb_result,
+- &state->enum_ctx->netgroup);
++ &state->enum_ctx->netgroup,
++ &state->enum_ctx->netgroup_count);
+ if (ret != EOK) {
+ goto done;
+ }
+diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
+index 5fc19d26be9adda4d967086e7b239e49a78866ee..aa8d8e9cde0d73e72d3aa4c186f104d6baae411f 100644
+--- a/src/responder/nss/nss_private.h
++++ b/src/responder/nss/nss_private.h
+@@ -41,6 +41,7 @@ struct nss_enum_index {
+ struct nss_enum_ctx {
+ struct cache_req_result **result;
+ struct sysdb_netgroup_ctx **netgroup;
++ size_t netgroup_count;
+
+ /* Ongoing cache request that is constructing enumeration result. */
+ struct tevent_req *ongoing;
+diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c
+index ed04fd25821031554e20e14afebaca9b828a748b..9f27c6b78d47f188dea99600a634a18be2512bfb 100644
+--- a/src/responder/nss/nss_protocol_netgr.c
++++ b/src/responder/nss/nss_protocol_netgr.c
+@@ -126,6 +126,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,
+ idx = cmd_ctx->enum_index;
+ entries = cmd_ctx->enum_ctx->netgroup;
+
++ if (idx->result > cmd_ctx->enum_ctx->netgroup_count) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Unconsistent state while processing netgroups.\n");
++ ret = EINVAL;
++ goto done;
++ }
++
+ /* First two fields (length and reserved), filled up later. */
+ ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
+ if (ret != EOK) {
+--
+2.17.0
+
diff --git a/SOURCES/0107-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch b/SOURCES/0107-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
new file mode 100644
index 0000000..3ae5b68
--- /dev/null
+++ b/SOURCES/0107-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
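Review bot: The new guard in nss_protocol_fill_netgrent() rejects `idx->result > netgroup_count` but accepts equality, which by the sysdb_netgr_to_entries() hunk (`tmp_entry[c] = NULL;` followed by `*netgroup_count = c;`) is the index of the terminating NULL entry; that looks intentional (end of enumeration), but a reader will wonder whether `>=` was meant, so say so, e.g. `/* == netgroup_count is the NULL terminator, i.e. end of the list */`. The DEBUG text reads `Unconsistent`; `Inconsistent` is the expected spelling. Both functions extend beyond their hunks.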
@@ -0,0 +1,36 @@
+From 1e2f20f89b1b699e569dfecb7cba98ec8f6fc936 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 15 Mar 2018 12:43:34 +0100
+Subject: [PATCH] nss: initialize nss_enum_index in nss_setnetgrent()
+
+setnetgrent() is the first call when looking up a netgroup and sets the
+netgroup name for upcoming getnetgrent() and endnetgrent() calls.
+Currently the state is reset by calling endnetgrent() but it would be
+more robust to unconditionally reset the state in setnetgrent() as well
+in case calling endnetgrent() was forgotten.
+
+Related to https://pagure.io/SSSD/sssd/issue/3679
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 37a84285aeb497ed4909d16916bbf934af3f68b3)
+---
+ src/responder/nss/nss_cmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
+index 956ee53cb88dd24faaa95ac39c8d9540af66cfb2..9f8479b7b350823ee81b5af15199e0dda9acda8b 100644
+--- a/src/responder/nss/nss_cmd.c
++++ b/src/responder/nss/nss_cmd.c
+@@ -756,6 +756,9 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
+ goto done;
+ }
+
++ state_ctx->netgrent.domain = 0;
++ state_ctx->netgrent.result = 0;
++
+ talloc_zfree(state_ctx->netgroup);
+ state_ctx->netgroup = talloc_strdup(state_ctx, netgroup);
+ if (state_ctx->netgroup == NULL) {
+--
+2.17.0
+
diff --git a/SOURCES/0108-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch b/SOURCES/0108-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
new file mode 100644
index 0000000..89c55c3
--- /dev/null
+++ b/SOURCES/0108-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
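Review bot: Resetting `domain` and `result` field by field means any member later added to the index struct will not be covered by this reset; if `netgrent` is a plain struct member, `state_ctx->netgrent = (struct nss_enum_index){ 0 };` (type name taken from the commit subject, confirm against nss_private.h) resets all of it at once. A why-comment would also help, since the reset is defensive rather than required by the normal call sequence: `/* reset enumeration state in case endnetgrent() was never called */`. nss_setnetgrent() starts before and continues after this hunk.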
@@ -0,0 +1,52 @@
+From d92cb9cb3860d7ff1b3ab64b459edf6051f69291 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 4 May 2018 17:00:55 +0200
+Subject: [PATCH] NSS: nss_clear_netgroup_hash_table() do not free data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+nss_clear_netgroup_hash_table() is called during the clearEnumCache SBUS
+request, which is e.g. used during 'sss_cache -E', to remove netgroup
+data cached in the memory of the NSS responder.
+
+Currently nss_clear_netgroup_hash_table() calls
+'sss_ptr_hash_delete_all(nss_ctx->netgrent, true);' which not only
+removes all entries in the 'netgerent' hash table but frees them as
+well.
+
+The second step is not needed because nss_setnetgrent_set_timeout()
+takes care that the data is freed after a timeout. Additionally freeing
+the data in nss_clear_netgroup_hash_table() can even do harm when the
+request is received by the NSS responder while waiting for the backend
+to acquire the netgroup data. Because if the backend is done the NSS
+responder tries do use enum_ctx which might have been freed in the
+meantime.
+
+Because of this nss_clear_netgroup_hash_table() should only remove the
+data from the hash table but not free it.
+
+Related to https://pagure.io/SSSD/sssd/issue/3731
+
+Reviewed-by: Pavel Březina
+(cherry picked from commit b13cc2d1413a0d5bbe36e06e5ffd87dbf5c0cb9f)
+---
+ src/responder/nss/nsssrv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
+index 11d19fd30c86283d537623db12e52caa6cc4dcd3..123a2d73ce93a025c789524fa90b41d9a0afb58b 100644
+--- a/src/responder/nss/nsssrv.c
++++ b/src/responder/nss/nsssrv.c
+@@ -142,7 +142,7 @@ static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *da
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Invalidating netgroup hash table\n");
+
+- sss_ptr_hash_delete_all(nss_ctx->netgrent, true);
++ sss_ptr_hash_delete_all(nss_ctx->netgrent, false);
+
+ return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
+ }
+--
+2.17.0
+
diff --git a/SOURCES/0109-winbind-idmap-plugin-support-inferface-version-6.patch b/SOURCES/0109-winbind-idmap-plugin-support-inferface-version-6.patch
new file mode 100644
index 0000000..a2b93a0
--- /dev/null
+++ b/SOURCES/0109-winbind-idmap-plugin-support-inferface-version-6.patch
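Review bot: Passing `false` here leaves every entry allocated with nothing at the call site saying who frees it; the commit message points to nss_setnetgrent_set_timeout(), and that reasoning belongs next to the code, e.g. `/* only unlink the entries: each is freed by its own timeout (nss_setnetgrent_set_timeout), and freeing here can race with an in-flight backend request */`. Since the entries are no longer reachable from the hash after this call, their lifetime now depends entirely on that timeout having been armed for every entry; it is worth confirming there is no insertion path without it, as such an entry would now leak instead of being freed on cache clear. nss_clear_netgroup_hash_table() starts outside the hunk.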
@@ -0,0 +1,236 @@
+From 9ae62c07c579fa9b3f0804c12cc0715f5f2524d4 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 15 May 2018 11:55:35 +0200
+Subject: [PATCH] winbind idmap plugin: support inferface version 6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With Samba 4.7 the interface version of the idmap plugin was updated to
+6. The patch adds support for this new version but can be complied with
+the older version as well.
+
+A configure option is added to select the version, if no version is
+given configure tries to detect the version with the help of an internal
+Samba library libidmap-samba4.so.
+
+To make sure that always the right version is used configure will fail
+if Samba is used (--with-samba, default) and no version can be
+determined.
+
+Resolves https://pagure.io/SSSD/sssd/issue/3741
+
+Reviewed-by: Alexander Bokovoy
+Reviewed-by: Fabiano Fidêncio
+(cherry picked from commit c6b99b070268c3807833e9f894d9a36304014417)
+
+DOWNSTREAM:
+Resolves: rhbz#1580281 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION [rhel-7.5.z]
+---
+ contrib/ci/configure.sh | 9 ++
+ contrib/sssd.spec.in | 12 +++
+ src/external/samba.m4 | 82 +++++++++++++++++++
+ src/lib/winbind_idmap_sss/winbind_idmap_sss.c | 6 ++
+ src/lib/winbind_idmap_sss/winbind_idmap_sss.h | 6 +-
+ 5 files changed, 114 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh
+index 9d18d0c187561a2dc3bc47d3e8913626e7ff3046..09da5b4e7b0b4a7859bcf81db987394ac91f4fa2 100644
+--- a/contrib/ci/configure.sh
++++ b/contrib/ci/configure.sh
+@@ -35,6 +35,7 @@ declare -a CONFIGURE_ARG_LIST=(
+ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- ||
+ "$DISTRO_BRANCH" == -redhat-centos-6.*- ]]; then
+ CONFIGURE_ARG_LIST+=(
++ "--with-smb-idmap-interface-version=5"
+ "--disable-cifs-idmap-plugin"
+ "--with-syslog=syslog"
+ "--without-python3-bindings"
+@@ -56,6 +57,14 @@ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-7.*- ||
+ )
+ fi
+
++# Different versions of Debian might need different versions here but this is
++# sufficient to make the CI work
++if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
++ CONFIGURE_ARG_LIST+=(
++ "--with-smb-idmap-interface-version=5"
++ )
++fi
++
+ declare -r -a CONFIGURE_ARG_LIST
+
+ fi # _CONFIGURE_SH
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index d9323bf1a2d84f4219f8ab11886e5ce87b401c15..3ddd054dea8a4b5dd46457acf9aaabed29ab754e 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -127,6 +127,14 @@
+ %global with_gdm_pam_extensions 0
+ %endif
+
++# Do not try to detect the idmap version on RHEL6 to avoid conflicts between
++# samba and samba4 package
++%if (0%{?fedora} || 0%{?rhel} >= 7)
++ %global detect_idmap_version 1
++%else
++ %global with_idmap_version --with-smb-idmap-interface-version=5
++%endif
++
+ Name: @PACKAGE_NAME@
+ Version: @PACKAGE_VERSION@
+ Release: 0@PRERELEASE_VERSION@%{?dist}
+@@ -225,6 +233,9 @@ BuildRequires: nfs-utils-lib-devel
+
+ BuildRequires: samba4-devel
+ BuildRequires: libsmbclient-devel
++%if (0%{?detect_idmap_version} == 1)
++BuildRequires: samba-winbind
++%endif
+
+ %if (0%{?enable_systemtap} == 1)
+ BuildRequires: systemtap-sdt-devel
+@@ -747,6 +758,7 @@ autoreconf -ivf
+ %{?enable_systemtap_opt} \
+ %{?with_secret_responder} \
+ %{?with_kcm_option} \
++ %{?with_idmap_version} \
+ %{?experimental}
+
+ make %{?_smp_mflags} all
+diff --git a/src/external/samba.m4 b/src/external/samba.m4
+index 91a583a0d0f514dab40d4f65cc32b17d0368f540..610831bf054e3687eb13025e954acf345fca1a00 100644
+--- a/src/external/samba.m4
++++ b/src/external/samba.m4
+@@ -39,4 +39,86 @@ them. In this case, you will need to execute configure script with argument
+ --without-samba
+ ]])
+ fi
++
++ AC_ARG_WITH([smb-idmap-interface-version],
++ [AC_HELP_STRING([--with-smb-idmap-interface-version=[5|6]],
++ [Idmap interface version of installed Samba]
++ )
++ ]
++ )
++
++ if test x"$with_smb_idmap_interface_version" != x; then
++ if test x"$with_smb_idmap_interface_version" = x5 -o x"$with_smb_idmap_interface_version" = x6; then
++ idmap_test_result=$with_smb_idmap_interface_version
++ else
++ AC_MSG_ERROR([Illegal value -$with_smb_idmap_interface_version- for option --with-smb-idmap-interface-version])
++ fi
++ else
++
++ AC_MSG_CHECKING([Samba's idmap plugin interface version])
++ sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba
++ SAVE_CFLAGS=$CFLAGS
++ SAVE_LIBS=$LIBS
++ CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS -I/usr/include/samba-4.0"
++ LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}"
++ AC_RUN_IFELSE(
++ [AC_LANG_SOURCE([
++#include
++#include
++#include
++#include
++#include
++
++struct winbindd_domain;
++
++/* overwrite some winbind internal functions */
++struct winbindd_domain *find_domain_from_name(const char *domain_name)
++{
++ return NULL;
++}
++
++bool get_global_winbindd_state_offline(void) {
++ return false;
++}
++
++struct tevent_context *winbind_event_context(void)
++{
++ return NULL;
++}
++
++struct idmap_methods;
++
++NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods);
++
++int main(void)
++{
++ int v;
++ NTSTATUS ret;
++
++ /* Check the versions we know about */
++ for (v = 5; v <= 6; v++) {
++ ret = smb_register_idmap(v, NULL, NULL);
++ if (ret != NT_STATUS_OBJECT_TYPE_MISMATCH) {
++ return v;
++ }
++ }
++
++ return -1;
++}])],
++ [AC_MSG_ERROR([idmap version test program is not expected to return 0])],
++ [idmap_test_result=$?; AC_MSG_RESULT([idmap test result is: $idmap_test_result])]
++ )
++ fi
++
++ CFLAGS=$SAVE_CFLAGS
++ LIBS=$SAVE_LIBS
++
++ if test $idmap_test_result -eq 5 -o $idmap_test_result -eq 6 ; then
++ idmap_version=$idmap_test_result
++ else
++ AC_MSG_ERROR([Cannot determine Samba's idmap interface version, please use --with-smb-idmap-interface-version])
++ fi
++ AC_MSG_NOTICE([Samba's idmap interface version: $idmap_version])
++ AC_DEFINE_UNQUOTED(SMB_IDMAP_INTERFACE_VERSION, $idmap_version,
++ [Detected version of Samba's idmap plugin interface])
+ fi
+diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
+index 26f753708303f513e265de465e4d888f84e22b6a..ea5e727c3461524c3af84ea35c6ee032a5948ddf 100644
+--- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
++++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
+@@ -190,7 +190,13 @@ static struct idmap_methods sss_methods = {
+ .sids_to_unixids = idmap_sss_sids_to_unixids,
+ };
+
++#if SMB_IDMAP_INTERFACE_VERSION == 5
+ NTSTATUS idmap_sss_init(void)
++#elif SMB_IDMAP_INTERFACE_VERSION == 6
++NTSTATUS idmap_sss_init(TALLOC_CTX *ctx)
++#else
++#error Unexpected Samba idmpa inferface version
++#endif
+ {
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods);
+ }
+diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+index 0f27c8561a540b63fb365edb79867eb4eb8d6e21..868049ffff7bd788507bf02d61245ff254aca465 100644
+--- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
++++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+@@ -32,6 +32,8 @@
+ #include
+ #include
+
++#include "config.h"
++
+ /* The following definitions are taken from the Samba header files
+ * - winbindd/idmap_proto.h
+ * - idmap.d
+@@ -64,7 +66,9 @@ struct id_map {
+ enum id_mapping status;
+ };
+
+-#define SMB_IDMAP_INTERFACE_VERSION 5
++#ifndef SMB_IDMAP_INTERFACE_VERSION
++#error Missing Samba idmap interface version
++#endif
+
+ struct idmap_domain {
+ const char *name;
+--
+2.17.0
+
diff --git a/SOURCES/0110-winbind-idmap-plugin-fix-detection.patch b/SOURCES/0110-winbind-idmap-plugin-fix-detection.patch
new file mode 100644
index 0000000..ad6b2e6
--- /dev/null
+++ b/SOURCES/0110-winbind-idmap-plugin-fix-detection.patch
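Review bot: The compile-time diagnostic in winbind_idmap_sss.c reads `#error Unexpected Samba idmpa inferface version`; since it is what a packager sees when the detected version is neither 5 nor 6, it should read `#error Unexpected Samba idmap interface version`. In samba.m4 the `AC_RUN_IFELSE` has no action-if-cross-compiling argument, so a cross build aborts with autoconf's generic message instead of pointing at the new option; adding `[AC_MSG_ERROR([cannot run the idmap version test when cross compiling, use --with-smb-idmap-interface-version])]` as the fourth argument would make that explicit. `AC_HELP_STRING` is the deprecated spelling of `AS_HELP_STRING`, and the hard-coded `-I/usr/include/samba-4.0` presumably only works where Samba's private headers are installed at that path.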
@@ -0,0 +1,49 @@
+From f2a1f317dfa76ec7b5ff7a218b82f92e2de5f30d Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 18 May 2018 21:34:44 +0200
+Subject: [PATCH] winbind idmap plugin: fix detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently when compiling the detection code for the idmap interface
+version only SMBCLIENT_CFLAGS are used. Since libsmbclient does not use
+NTSTATUS the cflags do not contain '-DHAVE_IMMEDIATE_STRUCTURES=1' which
+make NTSTATUS to a struct instead of an integer. Since Samba itself
+might be complied with this define (it typically is) we have to make
+sure we use it as well. Otherwise the test program might crash on
+platforms where this change changes the calling convention as well.
+
+Related to https://pagure.io/SSSD/sssd/issue/3741
+
+Reviewed-by: Fabiano Fidêncio
+(cherry picked from commit 095bbe17b25369b967e97162d945cb001a13029e)
+---
+ src/external/samba.m4 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/external/samba.m4 b/src/external/samba.m4
+index 610831bf054e3687eb13025e954acf345fca1a00..794cac2461d7fbd5e690ea105cd346cbe6fcce9a 100644
+--- a/src/external/samba.m4
++++ b/src/external/samba.m4
+@@ -59,7 +59,7 @@ them. In this case, you will need to execute configure script with argument
+ sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba
+ SAVE_CFLAGS=$CFLAGS
+ SAVE_LIBS=$LIBS
+- CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS -I/usr/include/samba-4.0"
++ CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS -I/usr/include/samba-4.0"
+ LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}"
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([
+@@ -98,7 +98,7 @@ int main(void)
+ /* Check the versions we know about */
+ for (v = 5; v <= 6; v++) {
+ ret = smb_register_idmap(v, NULL, NULL);
+- if (ret != NT_STATUS_OBJECT_TYPE_MISMATCH) {
++ if (!NT_STATUS_EQUAL(ret, NT_STATUS_OBJECT_TYPE_MISMATCH)) {
+ return v;
+ }
+ }
+--
+2.17.0
+
diff --git a/SOURCES/0111-Do-not-keep-allocating-external-groups-on-a-long-liv.patch b/SOURCES/0111-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
new file mode 100644
index 0000000..825aa79
--- /dev/null
+++ b/SOURCES/0111-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
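Review bot: The CFLAGS line now depends on `$NDR_NBT_CFLAGS` and `$NDR_KRB5PAC_CFLAGS` carrying `-DHAVE_IMMEDIATE_STRUCTURES=1`, but nothing in the m4 says so, and those variables are presumably set by pkg-config checks elsewhere in the file that this hunk does not show. A comment above the assignment would keep the reasoning from the commit message with the code: `# the NDR cflags carry -DHAVE_IMMEDIATE_STRUCTURES so NTSTATUS has the same representation as inside Samba; without it the test program's calling convention may differ`. If either variable can be empty on some platform, the detection would silently fall back to the previous, potentially crashing behaviour, so checking that the define is actually present in the resulting CFLAGS may be worth considering.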
@@ -0,0 +1,59 @@
+From d2e17974c6bcb3ae2fc8a2cde696d387385c7d61 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Tue, 3 Apr 2018 21:48:37 +0200
+Subject: [PATCH] Do not keep allocating external groups on a long-lived
+ context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The hash table with the external groups was never freed, so the
+server_mode->ext_groups context was growing over time.
+
+This patch keeps the new hash on the state if something failed, then
+frees the previous hash and finally steals the new hash onto the server
+mode.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3719
+
+Signed-off-by: Sumit Bose
+Reviewed-by: Fabiano Fidêncio
+(cherry picked from commit 10213efaf1f9f587b47a82778a252d79863f665e)
+
+DOWNSTREAM:
+Resolves: rhbz#1583746 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process [rhel-7.5.z]
+---
+ src/providers/ipa/ipa_subdomains_ext_groups.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
+index 9e1d6c3a9bdeda56b421a2dc9198dff0b84c54ce..63ff7c7d7373a4e6a18fc914eff7ca00d477bca6 100644
+--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
++++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
+@@ -583,14 +583,19 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq)
+ DEBUG(SSSDBG_TRACE_FUNC, "[%zu] external groups found.\n",
+ state->reply_count);
+
+- ret = process_ext_groups(state->server_mode->ext_groups,
+- state->reply_count, state->reply, &ext_group_hash);
++ ret = process_ext_groups(state,
++ state->reply_count,
++ state->reply,
++ &ext_group_hash);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "process_ext_groups failed.\n");
+ goto fail;
+ }
+
+- state->server_mode->ext_groups->ext_groups = ext_group_hash;
++ talloc_free(state->server_mode->ext_groups->ext_groups);
++ state->server_mode->ext_groups->ext_groups = talloc_steal(
++ state->server_mode->ext_groups,
++ ext_group_hash);
+ /* Do we have to make the update timeout configurable? */
+ state->server_mode->ext_groups->next_update = time(NULL) + 10;
+
+--
+2.17.0
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index f4ef270..197046c 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -38,9 +38,17 @@ %global with_kcm_option --without-kcm %endif +# Do not try to detect the idmap version on RHEL6 to avoid conflicts between +# samba and samba4 package +%if (0%{?fedora} || 0%{?rhel} >= 7) + %global detect_idmap_version 1 +%else + %global with_idmap_version --with-smb-idmap-interface-version=5 +%endif + Name: sssd Version: 1.16.0 -Release: 19%{?dist} +Release: 19%{?dist}.5 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -154,6 +162,14 @@ Patch0100: 0100-MAN-Explain-how-does-auto_private_groups-affect-subd.patch Patch0101: 0101-AD-Use-the-right-sdap_domain-for-the-forest-root.patch Patch0102: 0102-AD-sdap_get_ad_tokengroups_done-allocate-temporary-d.patch Patch0103: 0103-AD-do-not-allocate-temporary-data-on-long-living-con.patch +Patch0104: 0104-nss-idmap-do-not-set-a-limit.patch +Patch0105: 0105-nss-idmap-use-right-group-list-pointer-after-sss_get.patch +Patch0106: 0106-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch +Patch0107: 0107-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch +Patch0108: 0108-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch +Patch0109: 0109-winbind-idmap-plugin-support-inferface-version-6.patch +Patch0110: 0110-winbind-idmap-plugin-fix-detection.patch +Patch0111: 0111-Do-not-keep-allocating-external-groups-on-a-long-liv.patch #This patch should not be removed in RHEL-7 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec 
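Review bot: The new sequence frees the previous hash and then steals the fresh one onto `state->server_mode->ext_groups`, but the ownership int
ent lives only in the commit message; a comment at the `talloc_free()` would keep it with the code: `/* ext_group_hash was built on 'state' so the fail: path drops it; replace the long-lived table only once it is complete */`. Whether anything else may still hold a pointer into the old hash when it is freed here (an in-flight lookup, for instance) is not visible in the hunk and is worth confirming, since after this change such a pointer would dangle rather than merely point at stale data. ipa_get_ext_groups_done() begins before and continues past the hunk.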
@@ -227,6 +243,9 @@ BuildRequires: cifs-utils-devel %endif BuildRequires: libnfsidmap-devel BuildRequires: samba4-devel >= 4.0.0-59beta2 +%if (0%{?detect_idmap_version} == 1) +BuildRequires: samba-winbind +%endif BuildRequires: libsmbclient-devel BuildRequires: systemtap-sdt-devel BuildRequires: jansson-devel @@ -677,7 +696,8 @@ autoreconf -ivf --with-ad-gpo-default=permissive \ %{?enable_polkit_rules_option} \ %{?enable_systemtap_opt} \ - %{?with_kcm_option} + %{?with_kcm_option} \ + %{?with_idmap_version} make %{?_smp_mflags} all docs @@ -1285,7 +1305,7 @@ if [ $1 -eq 0 ]; then fi %posttrans common -%systemd_postun_with_restart sssd.service +systemctl try-restart sssd >/dev/null 2>&1 || : # After changing order of sssd-common and *libwbclient, # older version of sssd will restart sssd.service in postun scriptlet # It failed due to missing alternative to libwbclient. Start it again. 
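Review bot: `%posttrans common` now runs `systemctl try-restart sssd >/dev/null 2>&1 || :` unconditionally in place of `%systemd_postun_with_restart sssd.service`, and nothing in the spec records why the macro was dropped; the 1.16.0-19.3 changelog entry (rhbz#1579780) appears to be the reason. A comment above the line would preserve that, e.g. `# restart explicitly instead of %%systemd_postun_with_restart, see rhbz#1579780`, with the macro name doubled so rpm does not expand it inside the comment. With the macro gone the scriptlet also relies directly on `systemctl` being available at install time; that was implied by the macro before, but it is now an explicit assumption of this line.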
@@ -1297,6 +1317,21 @@ fi } %changelog +* Thu May 31 2018 Fabiano Fidêncio - 1.16.0-19.5 +- Resolves: rhbz#1583746 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process [rhel-7.5.z] + +* Mon May 21 2018 Fabiano Fidêncio - 1.16.0-19.4 +- Resolves: rhbz#1580281 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION [rhel-7.5.z] + +* Fri May 18 2018 Fabiano Fidêncio - 1.16.0-19.3 +- Resolves: rhbz#1579780 - After updating to RHEL 7.5 failing to clear the sssd cache [rhel-7.5.z] + +* Fri May 18 2018 Fabiano Fidêncio - 1.16.0-19.2 +- Resolves: rhbz#1579703 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000] [rhel-7.5.z] + +* Mon Apr 23 2018 Fabiano Fidêncio - 1.16.0-19.1 +- Resolves: rhbz#1570527 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash [rhel-7.5.z] + * Wed Feb 21 2018 Fabiano Fidêncio - 1.16.0-19 - Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket