diff --git a/SOURCES/0044-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch b/SOURCES/0044-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch new file mode 100644 index 0000000..3b4dcbc --- /dev/null +++ b/SOURCES/0044-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch @@ -0,0 +1,65 @@ +From 9ace3a7899e6b3753ef428088303e0a646db4096 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Sun, 22 Nov 2020 17:44:07 +0100 +Subject: [PATCH] SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in + msgs[] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL +ptrs in results of sysdb_search_with_ts_attr() + +Resolves: https://github.com/SSSD/sssd/issues/5412 + +Reviewed-by: Pavel Březina +(cherry picked from commit ff24d1538af88f83d0a3cc2817952cf70e7ca580) +--- + src/db/sysdb_search.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c +index 6c89b4c98..7939944ba 100644 +--- a/src/db/sysdb_search.c ++++ b/src/db/sysdb_search.c +@@ -221,6 +221,7 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx, + const char *attrs[]) + { + errno_t ret; ++ size_t ts_cache_res_count = 0; + struct ldb_result *ts_cache_res = NULL; + + if (ts_res == NULL || ctx->ldb_ts == NULL) { +@@ -231,7 +232,6 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx, + if (ts_cache_res == NULL) { + return ENOMEM; + } +- ts_cache_res->count = ts_res->count; + ts_cache_res->msgs = talloc_zero_array(ts_cache_res, + struct ldb_message *, + ts_res->count); +@@ -244,15 +244,18 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx, + ret = merge_msg_sysdb_attrs(ts_cache_res->msgs, + ctx, + ts_res->msgs[c], +- &ts_cache_res->msgs[c], attrs); +- if (ret != EOK) { ++ &ts_cache_res->msgs[ts_cache_res_count], ++ attrs); ++ if ((ret != EOK) || (ts_cache_res->msgs[ts_cache_res_count] == NULL)) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot merge sysdb cache values for %s\n", + ldb_dn_get_linearized(ts_res->msgs[c]->dn)); +- /* non-fatal, we just get only the non-timestamp attrs */ ++ /* non-fatal, just skip */ + continue; + } ++ ts_cache_res_count += 1; + } ++ ts_cache_res->count = ts_cache_res_count; + + *_ts_cache_res = ts_cache_res; + return EOK; +-- +2.21.3 + diff --git a/SOURCES/0045-DEBUG-journal_send-was-made-static.patch b/SOURCES/0045-DEBUG-journal_send-was-made-static.patch new file mode 100644 index 0000000..5525677 --- /dev/null +++ b/SOURCES/0045-DEBUG-journal_send-was-made-static.patch @@ -0,0 +1,30 @@ +From 208372c7f6ad7d1d1d4b5cad57aaa08affaa0fac Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 21 Oct 2020 18:47:32 +0200 +Subject: [PATCH 45/46] DEBUG: journal_send() was made static +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Tomáš Halman +(cherry picked from commit 833034f5332d2492d413a9c97fded1480b58bf14) +--- + src/util/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/util/debug.c b/src/util/debug.c +index e2a76a414..e9633fb8c 100644 +--- a/src/util/debug.c ++++ b/src/util/debug.c +@@ -201,7 +201,7 @@ static void debug_printf(const char *format, ...) + } + + #ifdef WITH_JOURNALD +-errno_t journal_send(const char *file, ++static errno_t journal_send(const char *file, + long line, + const char *function, + int level, +-- +2.21.3 + diff --git a/SOURCES/0046-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch b/SOURCES/0046-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch new file mode 100644 index 0000000..2b684fe --- /dev/null +++ b/SOURCES/0046-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch @@ -0,0 +1,72 @@ +From 647a130b501374c22b63937decdcf97da5c92505 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 21 Oct 2020 19:20:03 +0200 +Subject: [PATCH 46/46] DEBUG: fixes program identifier as seen in syslog +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name` +to accomodate needs of own SSSD logs, but this affected journal/syslog +as well. + +This patch amends situation: + - journal messages gets "umbrella" identifier "sssd[]" + - syslog uses default which is program name + +Resolves: https://github.com/SSSD/sssd/issues/5384 + +Reviewed-by: Tomáš Halman +(cherry picked from commit 18233532b72e62452eac6886652fa633ba055d8c) +--- + src/util/debug.c | 2 +- + src/util/sss_log.c | 12 +++--------- + 2 files changed, 4 insertions(+), 10 deletions(-) + +diff --git a/src/util/debug.c b/src/util/debug.c +index e9633fb8c..ee5fc12f9 100644 +--- a/src/util/debug.c ++++ b/src/util/debug.c +@@ -250,7 +250,7 @@ static errno_t journal_send(const char *file, + "MESSAGE=%s", message, + "PRIORITY=%i", LOG_DEBUG, + "SSSD_DOMAIN=%s", domain, +- "SSSD_PRG_NAME=%s", debug_prg_name, ++ "SSSD_PRG_NAME=sssd[%s]", debug_prg_name, + "SSSD_DEBUG_LEVEL=%x", level, + NULL); + ret = -res; +diff --git a/src/util/sss_log.c b/src/util/sss_log.c +index 48e73dbea..c6b7435c6 100644 +--- a/src/util/sss_log.c ++++ b/src/util/sss_log.c +@@ -107,7 +107,7 @@ static void sss_log_internal(int priority, int facility, const char *format, + "SSSD_DOMAIN=%s", domain, + "PRIORITY=%i", syslog_priority, + "SYSLOG_FACILITY=%i", LOG_FAC(facility), +- "SYSLOG_IDENTIFIER=%s", debug_prg_name, ++ "SYSLOG_IDENTIFIER=sssd[%s]", debug_prg_name, + NULL); + + free(message); +@@ -118,15 +118,9 @@ static void sss_log_internal(int priority, int facility, const char *format, + static void sss_log_internal(int priority, int facility, const char *format, + va_list ap) + { +- int syslog_priority; +- +- syslog_priority = sss_to_syslog(priority); +- +- openlog(debug_prg_name, 0, facility); +- +- vsyslog(syslog_priority, format, ap); ++ int syslog_priority = sss_to_syslog(priority); + +- closelog(); ++ vsyslog(facility|syslog_priority, format, ap); + } + + #endif /* WITH_JOURNALD */ +-- +2.21.3 + diff --git a/SOURCES/0047-ifp-fix-use-after-free.patch b/SOURCES/0047-ifp-fix-use-after-free.patch new file mode 100644 index 0000000..b36076f --- /dev/null +++ b/SOURCES/0047-ifp-fix-use-after-free.patch @@ -0,0 +1,37 @@ +From 316b8cde698bd4586a70fc5ed50a70dedc4b424f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 3 Nov 2020 10:12:15 +0100 +Subject: [PATCH] ifp: fix use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The variable fqdn is pointing to some data from state->res->msgs[0]. But +before fqdn is used in the next search state->res and the memory +hierarchy below is freed. As a result the location where fqdn is pointing +to might hold the expected data or other data and the search will fail +intermittently. + +Resolves: https://github.com/SSSD/sssd/issues/5382 + +Reviewed-by: Pavel Březina +(cherry picked from commit 81e757b7b1d69893b5725f9c148c55d89c779e7b) +--- + src/responder/ifp/ifpsrv_cmd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c +index ddb03f6b0..d83600681 100644 +--- a/src/responder/ifp/ifpsrv_cmd.c ++++ b/src/responder/ifp/ifpsrv_cmd.c +@@ -124,6 +124,7 @@ ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req) + if (attr_req->attrs == NULL) { + return ENOMEM; + } ++ fqdn = talloc_steal(state, fqdn); + + ai = 0; + for (i = 0; i < nattrs; i++) { +-- +2.21.3 + diff --git a/SOURCES/0048-fp-fix-original-fix-use-after-free-1.16-version.patch b/SOURCES/0048-fp-fix-original-fix-use-after-free-1.16-version.patch new file mode 100644 index 0000000..9057579 --- /dev/null +++ b/SOURCES/0048-fp-fix-original-fix-use-after-free-1.16-version.patch @@ -0,0 +1,44 @@ +From 1b523ba2a6bfba6974c9c909d6180590d16cc6bd Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 23 Nov 2020 13:40:30 +0100 +Subject: [PATCH] fp: fix original fix use-after-free - 1.16 version + +This should have been a cherry-pick of +3b158934cbb8f87cbfaf1650389b8dcd654b92ca but the cherry-pick of the +original patch was broken and placed the change into a different function. + +This patch fixes this by directly placing the change at the right place. + +Resolves: +https://github.com/SSSD/sssd/issues/5382 + +Reviewed-by: Alexey Tikhonov +--- + src/responder/ifp/ifpsrv_cmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c +index d83600681..620afe86a 100644 +--- a/src/responder/ifp/ifpsrv_cmd.c ++++ b/src/responder/ifp/ifpsrv_cmd.c +@@ -124,7 +124,6 @@ ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req) + if (attr_req->attrs == NULL) { + return ENOMEM; + } +- fqdn = talloc_steal(state, fqdn); + + ai = 0; + for (i = 0; i < nattrs; i++) { +@@ -576,7 +575,8 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq) + } + + if (state->search_type == SSS_DP_USER) { +- /* throw away the result and perform attr search */ ++ /* throw away the result but keep the fqdn and perform attr search */ ++ fqdn = talloc_steal(state, fqdn); + talloc_zfree(state->res); + + ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn, +-- +2.21.3 + diff --git a/SOURCES/0049-krb5-only-try-pkinit-with-Smartcard-credentials.patch b/SOURCES/0049-krb5-only-try-pkinit-with-Smartcard-credentials.patch new file mode 100644 index 0000000..e2209a1 --- /dev/null +++ b/SOURCES/0049-krb5-only-try-pkinit-with-Smartcard-credentials.patch @@ -0,0 +1,40 @@ +From 277cd1fa71222f3bdf4d8b39d0bce7d07d0df07b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 24 Aug 2020 11:29:23 +0200 +Subject: [PATCH] krb5: only try pkinit with Smartcard credentials + +Currently pkinit is tried if a Smartcard is present. But depending on +the used PAM service and other configurations it might happen that the +user didn't provide the Smartcard PIN but e.g. the password. Hence, +before trying pkinit we should check if the right credentials are +available. + +Resolves: +https://github.com/SSSD/sssd/issues/5290 + +Reviewed-by: Alexey Tikhonov +(cherry picked from commit bca413267f58395e22415edc662a7ba89fbe7b30) +--- + src/providers/krb5/krb5_child.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index 47eb181ba..d293d195d 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -805,7 +805,11 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx, + return kerr; + } + } else if (strcmp(question_list[c], +- KRB5_RESPONDER_QUESTION_PKINIT) == 0) { ++ KRB5_RESPONDER_QUESTION_PKINIT) == 0 ++ && (sss_authtok_get_type(kr->pd->authtok) ++ == SSS_AUTHTOK_TYPE_SC_PIN ++ || sss_authtok_get_type(kr->pd->authtok) ++ == SSS_AUTHTOK_TYPE_SC_KEYPAD)) { + return answer_pkinit(ctx, kr, rctx); + } + } +-- +2.21.3 + diff --git a/SOURCES/0050-negcache-make-sure-domain-config-does-not-leak-into-.patch b/SOURCES/0050-negcache-make-sure-domain-config-does-not-leak-into-.patch new file mode 100644 index 0000000..8f36171 --- /dev/null +++ b/SOURCES/0050-negcache-make-sure-domain-config-does-not-leak-into-.patch @@ -0,0 +1,37 @@ +From 96bdcbb4441ddf05c065bbafa88e5691300424d1 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 8 Oct 2020 12:18:41 +0200 +Subject: [PATCH 50/53] negcache: make sure domain config does not leak into + global + +Resolves: https://github.com/SSSD/sssd/issues/5238 + +Reviewed-by: Alexey Tikhonov +(cherry picked from commit 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe) +--- + src/responder/common/negcache.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c +index d9bf1417e..b9586f315 100644 +--- a/src/responder/common/negcache.c ++++ b/src/responder/common/negcache.c +@@ -1048,6 +1048,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + } + } + ++ talloc_zfree(filter_list); + /* Populate non domain-specific negative cache user entries */ + ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_FILTER_USERS, &filter_list); +@@ -1183,6 +1184,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + } + } + ++ talloc_zfree(filter_list); + /* Populate non domain-specific negative cache group entries */ + ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_FILTER_GROUPS, &filter_list); +-- +2.21.3 + diff --git a/SOURCES/0051-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch b/SOURCES/0051-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch new file mode 100644 index 0000000..d5a0f00 --- /dev/null +++ b/SOURCES/0051-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch @@ -0,0 +1,108 @@ +From ea32d0eb61336858aa23697b4e91d420481fc3e2 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 8 Oct 2020 17:57:29 +0200 +Subject: [PATCH 51/53] utils: add SSS_GND_SUBDOMAINS flag for + get_next_domain() + +To allow to only iterate over a singel domain an its sub-domains a new +flag is added to get_next_domain(). + +Resolves: https://github.com/SSSD/sssd/issues/5238 + +Reviewed-by: Alexey Tikhonov +(cherry picked from commit 385af99ff4d5a75d0c1edc9ad830da3eb7478295) +--- + src/tests/cmocka/test_utils.c | 31 +++++++++++++++++++++++++++++++ + src/util/domain_info_utils.c | 10 +++++++--- + src/util/util.h | 4 ++++ + 3 files changed, 42 insertions(+), 3 deletions(-) + +diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c +index aa245f00b..8c0ce83f3 100644 +--- a/src/tests/cmocka/test_utils.c ++++ b/src/tests/cmocka/test_utils.c +@@ -876,6 +876,37 @@ static void test_get_next_domain_flags(void **state) + + dom = get_next_domain(dom, gnd_flags); + assert_null(dom); ++ ++ /* Descend only to subdomains */ ++ gnd_flags = SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED; ++ ++ dom = get_next_domain(test_ctx->dom_list, gnd_flags); ++ assert_non_null(dom); ++ assert_string_equal(dom->name, "sub1a"); ++ ++ dom = get_next_domain(dom, gnd_flags); ++ assert_null(dom); ++ ++ dom = find_domain_by_name_ex(test_ctx->dom_list, "dom2", true, ++ SSS_GND_ALL_DOMAINS); ++ assert_non_null(dom); ++ assert_string_equal(dom->name, "dom2"); ++ ++ dom = get_next_domain(dom, gnd_flags); ++ assert_non_null(dom); ++ assert_string_equal(dom->name, "sub2a"); ++ ++ dom = get_next_domain(dom, gnd_flags); ++ assert_non_null(dom); ++ assert_string_equal(dom->name, "sub2b"); ++ ++ dom = get_next_domain(dom, gnd_flags); ++ assert_null(dom); ++ ++ /* Expect NULL if the domain has no sub-domains */ ++ test_ctx->dom_list->subdomains = NULL; ++ dom = get_next_domain(test_ctx->dom_list, gnd_flags); ++ assert_null(dom); + } + + struct name_init_test_ctx { +diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c +index c56a0611e..71dfcba02 100644 +--- a/src/util/domain_info_utils.c ++++ b/src/util/domain_info_utils.c +@@ -39,16 +39,20 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain, + uint32_t gnd_flags) + { + struct sss_domain_info *dom; +- bool descend = gnd_flags & SSS_GND_DESCEND; ++ bool descend = gnd_flags & (SSS_GND_DESCEND | SSS_GND_SUBDOMAINS); + bool include_disabled = gnd_flags & SSS_GND_INCLUDE_DISABLED; ++ bool only_subdomains = gnd_flags & SSS_GND_SUBDOMAINS; + + dom = domain; + while (dom) { + if (descend && dom->subdomains) { + dom = dom->subdomains; +- } else if (dom->next) { ++ } else if (dom->next && only_subdomains && IS_SUBDOMAIN(dom)) { + dom = dom->next; +- } else if (descend && IS_SUBDOMAIN(dom) && dom->parent->next) { ++ } else if (dom->next && !only_subdomains) { ++ dom = dom->next; ++ } else if (descend && !only_subdomains && IS_SUBDOMAIN(dom) ++ && dom->parent->next) { + dom = dom->parent->next; + } else { + dom = NULL; +diff --git a/src/util/util.h b/src/util/util.h +index d7d2017fa..486394448 100644 +--- a/src/util/util.h ++++ b/src/util/util.h +@@ -558,7 +558,11 @@ struct sss_domain_info *get_domains_head(struct sss_domain_info *domain); + + #define SSS_GND_DESCEND 0x01 + #define SSS_GND_INCLUDE_DISABLED 0x02 ++/* Descend to sub-domains of current domain but do not go to next parent */ ++#define SSS_GND_SUBDOMAINS 0x04 + #define SSS_GND_ALL_DOMAINS (SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED) ++#define SSS_GND_ALL_SUBDOMAINS (SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED) ++ + struct sss_domain_info *get_next_domain(struct sss_domain_info *domain, + uint32_t gnd_flags); + struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain, +-- +2.21.3 + diff --git a/SOURCES/0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch b/SOURCES/0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch new file mode 100644 index 0000000..70d3965 --- /dev/null +++ b/SOURCES/0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch @@ -0,0 +1,445 @@ +From c3207deee7411456827e69d0b72d7d44e7458853 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 9 Oct 2020 11:56:21 +0200 +Subject: [PATCH 52/53] negcache: make sure short names are added to + sub-domains + +If short names are used with filter_users or filter_groups in a +[domain/...] section they should be added to the sub-domains of this +domain as well. + +Resolves: https://github.com/SSSD/sssd/issues/5238 + +Reviewed-by: Alexey Tikhonov +(cherry picked from commit 0dc81a52e2836010974e9f71b1f3e47c20fd498d) +--- + src/responder/common/negcache.c | 105 +++++++------ + src/tests/cmocka/test_negcache.c | 254 +++++++++++++++++++++++++++++++ + 2 files changed, 312 insertions(+), 47 deletions(-) + +diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c +index b9586f315..47fbb2106 100644 +--- a/src/responder/common/negcache.c ++++ b/src/responder/common/negcache.c +@@ -969,6 +969,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + char *name = NULL; + struct sss_domain_info *dom = NULL; + struct sss_domain_info *domain_list = rctx->domains; ++ struct sss_domain_info *ddom; + char *domainname = NULL; + char *conf_path = NULL; + TALLOC_CTX *tmpctx = talloc_new(NULL); +@@ -1011,39 +1012,44 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + continue; + } + +- if (domainname && strcmp(domainname, dom->name)) { +- DEBUG(SSSDBG_TRACE_FUNC, +- "Mismatch between domain name (%s) and name " +- "set in FQN (%s), assuming %s is UPN\n", +- dom->name, domainname, filter_list[i]); +- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]); ++ /* Check domain and its sub-domains */ ++ for (ddom = dom; ddom != NULL; ++ ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) { ++ ++ if (domainname && strcmp(domainname, ddom->name)) { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "Mismatch between domain name (%s) and name " ++ "set in FQN (%s), assuming %s is UPN\n", ++ ddom->name, domainname, filter_list[i]); ++ ret = sss_ncache_set_upn(ncache, true, ddom, filter_list[i]); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sss_ncache_set_upn failed (%d [%s]), ignored\n", ++ ret, sss_strerror(ret)); ++ } ++ continue; ++ } ++ ++ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name); ++ if (fqname == NULL) { ++ continue; ++ } ++ ++ ret = sss_ncache_set_upn(ncache, true, ddom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_set_upn failed (%d [%s]), ignored\n", + ret, sss_strerror(ret)); + } +- continue; +- } +- +- fqname = sss_create_internal_fqname(tmpctx, name, dom->name); +- if (fqname == NULL) { +- continue; +- } +- +- ret = sss_ncache_set_upn(ncache, true, dom, fqname); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "sss_ncache_set_upn failed (%d [%s]), ignored\n", +- ret, sss_strerror(ret)); +- } +- ret = sss_ncache_set_user(ncache, true, dom, fqname); +- talloc_zfree(fqname); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to store permanent user filter for [%s]" +- " (%d [%s])\n", filter_list[i], +- ret, sss_strerror(ret)); +- continue; ++ ret = sss_ncache_set_user(ncache, true, ddom, fqname); ++ talloc_zfree(fqname); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to store permanent user filter for [%s]" ++ " (%d [%s])\n", filter_list[i], ++ ret, sss_strerror(ret)); ++ continue; ++ } + } + } + } +@@ -1159,27 +1165,32 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + continue; + } + +- if (domainname && strcmp(domainname, dom->name)) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Mismatch between domain name (%s) and name " +- "set in FQN (%s), skipping group %s\n", +- dom->name, domainname, name); +- continue; +- } ++ /* Check domain and its sub-domains */ ++ for (ddom = dom; ++ ddom != NULL && (ddom == dom || ddom->parent != NULL); ++ ddom = get_next_domain(ddom, SSS_GND_ALL_DOMAINS)) { ++ if (domainname && strcmp(domainname, ddom->name)) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Mismatch between domain name (%s) and name " ++ "set in FQN (%s), skipping group %s\n", ++ ddom->name, domainname, name); ++ continue; ++ } + +- fqname = sss_create_internal_fqname(tmpctx, name, dom->name); +- if (fqname == NULL) { +- continue; +- } ++ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name); ++ if (fqname == NULL) { ++ continue; ++ } + +- ret = sss_ncache_set_group(ncache, true, dom, fqname); +- talloc_zfree(fqname); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to store permanent group filter for [%s]" +- " (%d [%s])\n", filter_list[i], +- ret, strerror(ret)); +- continue; ++ ret = sss_ncache_set_group(ncache, true, ddom, fqname); ++ talloc_zfree(fqname); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to store permanent group filter for [%s]" ++ " (%d [%s])\n", filter_list[i], ++ ret, strerror(ret)); ++ continue; ++ } + } + } + } +diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c +index 0876cfdaf..7a8827685 100644 +--- a/src/tests/cmocka/test_negcache.c ++++ b/src/tests/cmocka/test_negcache.c +@@ -102,6 +102,8 @@ static int setup(void **state) + int ret; + struct test_state *ts; + ++ test_dom_suite_setup(TESTS_PATH); ++ + ts = talloc(NULL, struct test_state); + assert_non_null(ts); + +@@ -116,6 +118,7 @@ static int setup(void **state) + static int teardown(void **state) + { + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); ++ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + talloc_free(ts); + return 0; + } +@@ -904,6 +907,255 @@ static void test_sss_ncache_reset_prepopulate(void **state) + assert_int_equal(ret, EEXIST); + } + ++/* The main purpose of test_sss_ncache_short_name_in_domain is to test that ++ * short names in the filter_users or filter_groups options in a [domain/...] ++ * section are properly added to the related sub-domains as well (if there are ++ * any) and not added to domains from other [domain/...] sections. For ++ * completeness entries with fully-qualified names of the parent and the ++ * sub-domain and the generic UPN are added as well. ++ * ++ * The result should of course be independent of the present domains. To ++ * verify this the domains are added one after the other and the negative ++ * cache is repopulated each time. ++ * ++ * With the given domains, users and group we have to following expectations: ++ * - the short name entry will be added to the domain and all sub-domains as ++ * name and as upn by expanding it to a fully-qualified name with the ++ * domain name or sub-domain name respectively ++ * - the fully-qualified name from the parent domain is added as name and upn ++ * to the parent domain and as upn to all sub-domains ++ * - the fully-qualified name from the sub-domain is added as name to the ++ * sub-domain and as upn to the parent and all sub-domains ++ * - the generic upn is nowhere added as name and as upn to the parent and all ++ * sub-domains ++ * - none of the names is added to a different parent domain ++ * ++ * The following table should illustrated the expectations: ++ * ++ * user (name): ++ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom ++ *-----------------+-----------+-----------------------+--------------------------+------------ ++ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING | MISSING ++ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT | MISSING ++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING ++ * ++ * user (upn): ++ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom ++ *-----------------+-----------+-----------------------+--------------------------+------------ ++ * TEST_DOM_NAME | PRESENT | PRESENT | PRESENT | PRESENT ++ * subTEST_DOM_NAME| PRESENT | PRESENT | PRESENT | PRESENT ++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING ++ * ++ * ++ * ++ * groups: ++ * | shortgroup | parentg@TEST_DOM_NAME | subdomg@subTEST_DOM_NAME ++ *-----------------+------------+-----------------------+------------------------- ++ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING ++ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT ++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING ++ * ++ * ++ * The following expect_*() implement checks for the expextations: ++ */ ++ ++static void expect_in_parent(struct sss_nc_ctx *ncache, ++ struct sss_domain_info *dom) ++{ ++ int ret; ++ ++ ret = check_user_in_ncache(ncache, dom, "shortuser"); ++ assert_int_equal(ret, EEXIST); ++ ret = sss_ncache_check_upn(ncache, dom, "shortuser@"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, dom, "parentu"); ++ assert_int_equal(ret, EEXIST); ++ ret = sss_ncache_check_upn(ncache, dom, "parentu@"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, dom, "subdomu"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom, "subdomu@sub"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, dom, "upn"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom, "upn@upn.dom"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_group_in_ncache(ncache, dom, "shortgroup"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_group_in_ncache(ncache, dom, "parentg"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_group_in_ncache(ncache, dom, "subdomg"); ++ assert_int_equal(ret, ENOENT); ++} ++ ++static void expect_in_subdomain(struct sss_nc_ctx *ncache, ++ struct sss_domain_info *sub_dom) ++{ ++ int ret; ++ ++ ret = check_user_in_ncache(ncache, sub_dom, "shortuser"); ++ assert_int_equal(ret, EEXIST); ++ ret = sss_ncache_check_upn(ncache, sub_dom, "shortuser@sub"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, sub_dom, "subdomu"); ++ assert_int_equal(ret, EEXIST); ++ ret = sss_ncache_check_upn(ncache, sub_dom, "subdomu@sub"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, sub_dom, "upn"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, sub_dom, "upn@upn.dom"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, sub_dom, "parentu"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, sub_dom, "parentu@"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ++ ret = check_group_in_ncache(ncache, sub_dom, "shortgroup"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_group_in_ncache(ncache, sub_dom, "parentg"); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_group_in_ncache(ncache, sub_dom, "subdomg"); ++ assert_int_equal(ret, EEXIST); ++} ++static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache, ++ struct sss_domain_info *dom2) ++{ ++ int ret; ++ ++ ret = check_user_in_ncache(ncache, dom2, "shortuser"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom2, "shortuser"TEST_DOM_NAME); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_user_in_ncache(ncache, dom2, "parentu"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom2, "parentu@"TEST_DOM_NAME); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_user_in_ncache(ncache, dom2, "subdomu"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom2, "subdomu@sub"TEST_DOM_NAME); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_user_in_ncache(ncache, dom2, "upn"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom2, "upn@upn.dom"); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_group_in_ncache(ncache, dom2, "shortgroup"); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_group_in_ncache(ncache, dom2, "parentg"); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_group_in_ncache(ncache, dom2, "subdomg"); ++ assert_int_equal(ret, ENOENT); ++} ++ ++static void test_sss_ncache_short_name_in_domain(void **state) ++{ ++ int ret; ++ struct test_state *ts; ++ struct tevent_context *ev; ++ struct sss_nc_ctx *ncache; ++ struct sss_test_ctx *tc; ++ struct sss_domain_info *dom; ++ struct sss_domain_info *dom2; ++ struct sss_domain_info *sub_dom; ++ ++ struct sss_test_conf_param params[] = { ++ { "filter_users", "shortuser, parentu@"TEST_DOM_NAME", " ++ "subdomu@sub"TEST_DOM_NAME", upn@upn.dom" }, ++ { "filter_groups", "shortgroup, parentg@"TEST_DOM_NAME", " ++ "subdomg@sub"TEST_DOM_NAME }, ++ { NULL, NULL }, ++ }; ++ ++ const char *nss_filter_users[] = { params[0].value, NULL}; ++ const char *nss_filter_groups[] = { params[1].value, NULL}; ++ ++ ts = talloc_get_type_abort(*state, struct test_state); ++ ++ ev = tevent_context_init(ts); ++ assert_non_null(ev); ++ ++ dom = talloc_zero(ts, struct sss_domain_info); ++ assert_non_null(dom); ++ dom->name = discard_const_p(char, TEST_DOM_NAME); ++ sss_domain_set_state(dom, DOM_ACTIVE); ++ ++ ts->nctx = mock_nctx(ts); ++ assert_non_null(ts->nctx); ++ ++ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB, ++ TEST_DOM_NAME, TEST_ID_PROVIDER, params); ++ assert_non_null(tc); ++ ++ ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME, ++ "filter_users", nss_filter_users); ++ assert_int_equal(ret, EOK); ++ ++ ret = confdb_add_param(tc->confdb, true, "config/domain"TEST_DOM_NAME, ++ "filter_groups", nss_filter_groups); ++ assert_int_equal(ret, EOK); ++ ++ ncache = ts->ctx; ++ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx); ++ assert_non_null(ts->rctx); ++ ts->rctx->cdb = tc->confdb; ++ ++ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names); ++ assert_int_equal(ret, EOK); ++ ++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); ++ assert_int_equal(ret, EOK); ++ ++ /* Add another domain */ ++ dom2 = talloc_zero(ts, struct sss_domain_info); ++ assert_non_null(dom2); ++ dom2->name = discard_const_p(char, TEST_DOM_NAME"2"); ++ sss_domain_set_state(dom2, DOM_ACTIVE); ++ dom->next = dom2; ++ dom2->names = dom->names; ++ ++ expect_in_parent(ncache, dom); ++ expect_no_entries_in_dom(ncache, dom2); ++ ++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); ++ assert_int_equal(ret, EOK); ++ ++ expect_in_parent(ncache, dom); ++ expect_no_entries_in_dom(ncache, dom2); ++ ++ /* Add a sub domain */ ++ sub_dom = talloc_zero(ts, struct sss_domain_info); ++ assert_non_null(sub_dom); ++ sub_dom->name = discard_const_p(char, "sub"TEST_DOM_NAME); ++ sss_domain_set_state(sub_dom, DOM_ACTIVE); ++ sub_dom->parent = dom; ++ dom->subdomains = sub_dom; ++ sub_dom->names = dom->names; ++ ++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); ++ assert_int_equal(ret, EOK); ++ ++ expect_in_parent(ncache, dom); ++ expect_in_subdomain(ncache, sub_dom); ++ expect_no_entries_in_dom(ncache, dom2); ++} ++ + static void test_sss_ncache_reset(void **state) + { + errno_t ret; +@@ -1066,6 +1318,8 @@ int main(void) + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate, + setup, teardown), ++ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain, ++ setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_reset, + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid, +-- +2.21.3 + diff --git a/SOURCES/0053-negcache-do-not-use-default_domain_suffix.patch b/SOURCES/0053-negcache-do-not-use-default_domain_suffix.patch new file mode 100644 index 0000000..eb0bcec --- /dev/null +++ b/SOURCES/0053-negcache-do-not-use-default_domain_suffix.patch @@ -0,0 +1,155 @@ +From 56d509ad3001101f04c4af050c3da7472032e4cb Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 9 Oct 2020 15:26:39 +0200 +Subject: [PATCH 53/53] negcache: do not use default_domain_suffix + +When splitting the names from the filter_users and filter_groups options +do not use the default_domain_suffix because it will hide that the +original name is a short name and should be added everywhere. + +Additionally this patch fixes a typo where sss_parse_name() was used +instead of sss_parse_name_for_domains(). + +Resolves: https://github.com/SSSD/sssd/issues/5238 + +Reviewed-by: Alexey Tikhonov +(cherry picked from commit fa4b46e7de7297da3c0e37913eab8cba7f103629) +--- + src/responder/common/negcache.c | 29 +++++++++++++++-------------- + src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++-- + 2 files changed, 35 insertions(+), 16 deletions(-) + +diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c +index 47fbb2106..ff05aaea5 100644 +--- a/src/responder/common/negcache.c ++++ b/src/responder/common/negcache.c +@@ -998,13 +998,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name_for_domains(tmpctx, domain_list, +- rctx->default_domain, ++ NULL, + filter_list[i], + &domainname, &name); + if (ret == EAGAIN) { + DEBUG(SSSDBG_MINOR_FAILURE, +- "cannot add [%s] to negcache because the required or " +- "default domain are not known yet\n", filter_list[i]); ++ "Can add [%s] only as UPN to negcache because the " ++ "required domain is not known yet\n", filter_list[i]); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterUsers list: [%s] (%d)\n", +@@ -1064,12 +1064,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name_for_domains(tmpctx, domain_list, +- rctx->default_domain, filter_list[i], ++ NULL, filter_list[i], + &domainname, &name); + if (ret == EAGAIN) { + DEBUG(SSSDBG_MINOR_FAILURE, +- "Cannot add [%s] to negcache because the required or " +- "default domain are not known yet\n", filter_list[i]); ++ "Can add [%s] only as UPN to negcache because the " ++ "required domain is not known yet\n", filter_list[i]); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterUsers list: [%s] (%d)\n", +@@ -1156,9 +1156,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + if (ret != EOK) goto done; + + for (i = 0; (filter_list && filter_list[i]); i++) { +- ret = sss_parse_name(tmpctx, dom->names, filter_list[i], +- &domainname, &name); ++ ret = sss_parse_name_for_domains(tmpctx, domain_list, ++ NULL, filter_list[i], ++ &domainname, &name); + if (ret != EOK) { ++ /* Groups do not have UPNs, so domain names, if present, ++ * must be known */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterGroups list: [%s] (%d)\n", + filter_list[i], ret); +@@ -1205,13 +1208,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name_for_domains(tmpctx, domain_list, +- rctx->default_domain, filter_list[i], ++ NULL, filter_list[i], + &domainname, &name); +- if (ret == EAGAIN) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Cannot add [%s] to negcache because the required or " +- "default domain are not known yet\n", filter_list[i]); +- } else if (ret != EOK) { ++ if (ret != EOK) { ++ /* Groups do not have UPNs, so domain names, if present, ++ * must be known */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterGroups list: [%s] (%d)\n", + filter_list[i], ret); +diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c +index 7a8827685..f8cbbc1fe 100644 +--- a/src/tests/cmocka/test_negcache.c ++++ b/src/tests/cmocka/test_negcache.c +@@ -916,7 +916,9 @@ static void test_sss_ncache_reset_prepopulate(void **state) + * + * The result should of course be independent of the present domains. To + * verify this the domains are added one after the other and the negative +- * cache is repopulated each time. ++ * cache is repopulated each time. The result should be also independent of ++ * the setting of default_domain_suffix option which is tested by ++ * test_sss_ncache_short_name_in_domain_with_prefix. + * + * With the given domains, users and group we have to following expectations: + * - the short name entry will be added to the domain and all sub-domains as +@@ -1064,7 +1066,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache, + assert_int_equal(ret, ENOENT); + } + +-static void test_sss_ncache_short_name_in_domain(void **state) ++static void run_sss_ncache_short_name_in_domain(void **state, ++ bool use_default_domain_prefix) + { + int ret; + struct test_state *ts; +@@ -1114,6 +1117,9 @@ static void test_sss_ncache_short_name_in_domain(void **state) + ncache = ts->ctx; + ts->rctx = mock_rctx(ts, ev, dom, ts->nctx); + assert_non_null(ts->rctx); ++ if (use_default_domain_prefix) { ++ ts->rctx->default_domain = discard_const(TEST_DOM_NAME); ++ } + ts->rctx->cdb = tc->confdb; + + ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names); +@@ -1156,6 +1162,16 @@ static void test_sss_ncache_short_name_in_domain(void **state) + expect_no_entries_in_dom(ncache, dom2); + } + ++static void test_sss_ncache_short_name_in_domain(void **state) ++{ ++ run_sss_ncache_short_name_in_domain(state, false); ++} ++ ++static void test_sss_ncache_short_name_in_domain_with_prefix(void **state) ++{ ++ run_sss_ncache_short_name_in_domain(state, true); ++} ++ + static void test_sss_ncache_reset(void **state) + { + errno_t ret; +@@ -1320,6 +1336,8 @@ int main(void) + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain, + setup, teardown), ++ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix, ++ setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_reset, + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid, +-- +2.21.3 + diff --git a/SOURCES/0054-ad-add-ad_allow_remote_domain_local_groups.patch b/SOURCES/0054-ad-add-ad_allow_remote_domain_local_groups.patch new file mode 100644 index 0000000..a2924cc --- /dev/null +++ b/SOURCES/0054-ad-add-ad_allow_remote_domain_local_groups.patch @@ -0,0 +1,193 @@ +From 6f31f43ee15bcb0933ddca8726b166a93f9371a9 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 1 Oct 2019 20:24:09 +0200 +Subject: [PATCH] ad: add ad_allow_remote_domain_local_groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As the option name says if set to true Domain Local groups from remote +domains won't be filtered out. This option is added to facilitate the +migration from other solution and should only be used for this purpose. + +Resolves: https://github.com/SSSD/sssd/issues/5346 + +Reviewed-by: Pavel Březina +(cherry picked with changes from commit 4f65a8d15b8e5f3dd613e789d68f38e60e0addc5) + +Reviewed-by: Pavel Březina +--- + src/config/SSSDConfig/__init__.py.in | 1 + + src/config/cfg_rules.ini | 1 + + src/config/etc/sssd.api.d/sssd-ad.conf | 1 + + src/man/sssd-ad.5.xml | 49 ++++++++++++++++++++++++++ + src/providers/ad/ad_common.c | 3 ++ + src/providers/ad/ad_common.h | 1 + + src/providers/ad/ad_opts.c | 1 + + src/providers/ldap/sdap.h | 1 + + src/providers/ldap/sdap_ad_groups.c | 3 +- + 9 files changed, 60 insertions(+), 1 deletion(-) + +diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in +index 1aa93f8cf..15ab632aa 100644 +--- a/src/config/SSSDConfig/__init__.py.in ++++ b/src/config/SSSDConfig/__init__.py.in +@@ -250,6 +250,7 @@ option_strings = { + 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'), + 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'), + 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'), ++ 'ad_allow_remote_domain_local_groups' : _('Do not filter domain local groups from other domains'), + + # [provider/krb5] + 'krb5_kdcip' : _('Kerberos server address'), +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index e8ea13081..8f8ef30c3 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -459,6 +459,7 @@ option = ad_maximum_machine_account_password_age + option = ad_server + option = ad_site + option = ad_use_ldaps ++option = ad_allow_remote_domain_local_groups + + # IPA provider specific options + option = ipa_anchor_uuid +diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf +index c53c08f37..74599a56d 100644 +--- a/src/config/etc/sssd.api.d/sssd-ad.conf ++++ b/src/config/etc/sssd.api.d/sssd-ad.conf +@@ -21,6 +21,7 @@ ad_site = str, None, false + ad_maximum_machine_account_password_age = int, None, false + ad_machine_account_password_renewal_opts = str, None, false + ad_use_ldaps = bool, None, false ++ad_allow_remote_domain_local_groups = bool, None, false + ldap_uri = str, None, false + ldap_backup_uri = str, None, false + ldap_search_base = str, None, false +diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml +index 6fc57ca21..839279bad 100644 +--- a/src/man/sssd-ad.5.xml ++++ b/src/man/sssd-ad.5.xml +@@ -923,6 +923,55 @@ ad_gpo_map_deny = +my_pam_service + + + ++ ++ ad_allow_remote_domain_local_groups (boolean) ++ ++ ++ If this option is set to true SSSD ++ will not filter out Domain Local groups from remote ++ domains in the AD forest. By default they are ++ filtered out e.g. when following a nested group ++ hierarchy in remote domains because they are not ++ valid in the local domain. To be compatible with ++ other solutions which make AD users and groups ++ available on Linux client this option was added. ++ ++ ++ Please note that setting this option to ++ true will be against the intention of ++ Domain Local group in Active Directory and ++ SHOULD ONLY BE USED TO FACILITATE ++ MIGRATION FROM OTHER SOLUTIONS. Although ++ the group exists and user can be member of the group ++ the intention is that the group should be only used ++ in the domain it is defined and in no others. Since ++ there is only one type of POSIX groups the only way ++ to achieve this on the Linux side is to ignore those ++ groups. This is also done by Active Directory as can ++ be seen in the PAC of the Kerberos ticket for a ++ local service or in tokenGroups requests where ++ remote Domain Local groups are missing as well. ++ ++ ++ Given the comments above, if this option is set to ++ true the tokenGroups request must be ++ disabled by setting ++ ldap_use_tokengroups to ++ false to get consistent ++ group-memberships of a users. Additionally the ++ Global Catalog lookup should be skipped as well by ++ setting ad_enable_gc to ++ false. Finally it might be necessary ++ to modify ldap_group_nesting_level if ++ the remote Domain Local groups can only be found ++ with a deeper nesting level. ++ ++ ++ Default: False ++ ++ ++ ++ + + dyndns_update (boolean) + +diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c +index 4e46da7f2..4e51d08e6 100644 +--- a/src/providers/ad/ad_common.c ++++ b/src/providers/ad/ad_common.c +@@ -1072,6 +1072,9 @@ ad_set_sdap_options(struct ad_options *ad_opts, + keytab_path); + } + ++ id_opts->allow_remote_domain_local_groups = dp_opt_get_bool(ad_opts->basic, ++ AD_ALLOW_REMOTE_DOMAIN_LOCAL); ++ + ret = sdap_set_sasl_options(id_opts, + dp_opt_get_string(ad_opts->basic, + AD_HOSTNAME), +diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h +index 753394832..815b41419 100644 +--- a/src/providers/ad/ad_common.h ++++ b/src/providers/ad/ad_common.h +@@ -69,6 +69,7 @@ enum ad_basic_opt { + AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE, + AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS, + AD_USE_LDAPS, ++ AD_ALLOW_REMOTE_DOMAIN_LOCAL, + + AD_OPTS_BASIC /* opts counter */ + }; +diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c +index f2596a935..950ea51ff 100644 +--- a/src/providers/ad/ad_opts.c ++++ b/src/providers/ad/ad_opts.c +@@ -55,6 +55,7 @@ struct dp_option ad_basic_opts[] = { + { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER }, + { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING }, + { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, ++ { "ad_allow_remote_domain_local_groups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + DP_OPTION_TERMINATOR + }; + +diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h +index 0bf4fe12b..d9eff20ec 100644 +--- a/src/providers/ldap/sdap.h ++++ b/src/providers/ldap/sdap.h +@@ -511,6 +511,7 @@ struct sdap_options { + bool support_matching_rule; + enum dc_functional_level dc_functional_level; + const char *schema_basedn; ++ bool allow_remote_domain_local_groups; + + /* Certificate mapping support */ + struct sdap_certmap_ctx *sdap_certmap_ctx; +diff --git a/src/providers/ldap/sdap_ad_groups.c b/src/providers/ldap/sdap_ad_groups.c +index 0e36328b9..e8c6280d0 100644 +--- a/src/providers/ldap/sdap_ad_groups.c ++++ b/src/providers/ldap/sdap_ad_groups.c +@@ -38,7 +38,8 @@ errno_t sdap_check_ad_group_type(struct sss_domain_info *dom, + errno_t ret = EOK; + *_need_filter = false; + +- if (opts->schema_type == SDAP_SCHEMA_AD) { ++ if (opts->schema_type == SDAP_SCHEMA_AD ++ && !opts->allow_remote_domain_local_groups) { + ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE, + &ad_group_type); + if (ret != EOK) { +-- +2.21.3 + diff --git a/SOURCES/0055-man-fix-description-of-dns_resolver_op_timeout.patch b/SOURCES/0055-man-fix-description-of-dns_resolver_op_timeout.patch new file mode 100644 index 0000000..df5070e --- /dev/null +++ b/SOURCES/0055-man-fix-description-of-dns_resolver_op_timeout.patch @@ -0,0 +1,37 @@ +From f768f73903bf0c3d0d1b4361ebff6b111a918470 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 11 Jun 2019 13:49:13 +0200 +Subject: [PATCH 55/57] man: fix description of dns_resolver_op_timeout + +Resolves: +https://pagure.io/SSSD/sssd/issue/3217 + +Reviewed-by: Jakub Hrozek +Reviewed-by: Sumit Bose +(cherry picked from commit 7b4635c8428917ced63954f2c3c70491b45d7870) +--- + src/man/include/failover.xml | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml +index cd6fd4d79..11ff86a38 100644 +--- a/src/man/include/failover.xml ++++ b/src/man/include/failover.xml +@@ -77,7 +77,13 @@ + + + +- How long would SSSD talk to a single DNS server. ++ Time in seconds to tell how long would SSSD try ++ to resolve single DNS query (e.g. resolution of a ++ hostname or an SRV record) before trying the next ++ hostname or discovery domain. ++ ++ ++ Default: 6 + + + +-- +2.21.3 + diff --git a/SOURCES/0056-man-fix-description-of-dns_resolver_timeout.patch b/SOURCES/0056-man-fix-description-of-dns_resolver_timeout.patch new file mode 100644 index 0000000..e589679 --- /dev/null +++ b/SOURCES/0056-man-fix-description-of-dns_resolver_timeout.patch @@ -0,0 +1,32 @@ +From 9b1f6f88b1245bc8737a4b2616299a8427d822e0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 11 Jun 2019 13:49:33 +0200 +Subject: [PATCH 56/57] man: fix description of dns_resolver_timeout + +Resolves: +https://pagure.io/SSSD/sssd/issue/3217 + +Reviewed-by: Jakub Hrozek +Reviewed-by: Sumit Bose +(cherry picked from commit 3807de1d97fc87cf7c25af264a8b1bbabdef54e2) +--- + src/man/include/failover.xml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml +index 11ff86a38..7b451d831 100644 +--- a/src/man/include/failover.xml ++++ b/src/man/include/failover.xml +@@ -98,6 +98,9 @@ + include several steps, such as resolving DNS SRV + queries or locating the site. + ++ ++ Default: 6 ++ + + + +-- +2.21.3 + diff --git a/SOURCES/0057-failover-add-dns_resolver_server_timeout-option.patch b/SOURCES/0057-failover-add-dns_resolver_server_timeout-option.patch new file mode 100644 index 0000000..01fb7da --- /dev/null +++ b/SOURCES/0057-failover-add-dns_resolver_server_timeout-option.patch @@ -0,0 +1,277 @@ +From 2c7c69485883ab0f408cf2f8cdcc4617462d68ec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 11 Jun 2019 13:37:23 +0200 +Subject: [PATCH 57/57] failover: add dns_resolver_server_timeout option + +Resolves: +https://pagure.io/SSSD/sssd/issue/3217 + +Reviewed-by: Jakub Hrozek +Reviewed-by: Sumit Bose +(cherry picked with fixes from commit 99e2a107f01c625cb59cb88589db87294176d6c6) +--- + src/config/SSSDConfig/__init__.py.in | 1 + + src/config/SSSDConfigTest.py | 2 ++ + src/config/cfg_rules.ini | 1 + + src/config/etc/sssd.api.conf | 1 + + src/man/include/failover.xml | 17 ++++++++++++++++- + src/providers/data_provider.h | 1 + + src/providers/data_provider_fo.c | 3 +++ + src/resolv/async_resolv.c | 10 ++++++---- + src/resolv/async_resolv.h | 2 +- + src/tests/cmocka/test_fo_srv.c | 4 ++-- + src/tests/cmocka/test_resolv_fake.c | 2 +- + src/tests/fail_over-tests.c | 2 +- + src/tests/resolv-tests.c | 2 +- + 13 files changed, 37 insertions(+), 11 deletions(-) + +diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in +index f3c6cfebf..1aa93f8cf 100644 +--- a/src/config/SSSDConfig/__init__.py.in ++++ b/src/config/SSSDConfig/__init__.py.in +@@ -170,6 +170,7 @@ option_strings = { + 'entry_cache_timeout' : _('Entry cache timeout length (seconds)'), + 'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'), + 'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'), ++ 'dns_resolver_server_timeout' : _('How long should SSSD talk to single DNS server before trying next server (miliseconds)'), + 'dns_resolver_op_timeout' : _('How long should keep trying to resolve single DNS query (seconds)'), + 'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'), + 'dns_discovery_domain' : _('The domain part of service discovery DNS query'), +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index 979b1806f..d484e527e 100755 +--- a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -608,6 +608,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'refresh_expired_interval', + 'lookup_family_order', + 'account_cache_expiration', ++ 'dns_resolver_server_timeout', + 'dns_resolver_op_timeout', + 'dns_resolver_timeout', + 'dns_discovery_domain', +@@ -980,6 +981,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'refresh_expired_interval', + 'account_cache_expiration', + 'lookup_family_order', ++ 'dns_resolver_server_timeout', + 'dns_resolver_op_timeout', + 'dns_resolver_timeout', + 'dns_discovery_domain', +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index 79e366875..e8ea13081 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -367,6 +367,7 @@ option = account_cache_expiration + option = pwd_expiration_warning + option = filter_users + option = filter_groups ++option = dns_resolver_server_timeout + option = dns_resolver_op_timeout + option = dns_resolver_timeout + option = dns_discovery_domain +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index 355c1fc9b..a771a1148 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -170,6 +170,7 @@ account_cache_expiration = int, None, false + pwd_expiration_warning = int, None, false + filter_users = list, str, false + filter_groups = list, str, false ++dns_resolver_server_timeout = int, None, false + dns_resolver_op_timeout = int, None, false + dns_resolver_timeout = int, None, false + dns_discovery_domain = str, None, false +diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml +index 7b451d831..f2a01b933 100644 +--- a/src/man/include/failover.xml ++++ b/src/man/include/failover.xml +@@ -71,6 +71,20 @@ + , + manual page. + ++ ++ ++ dns_resolver_server_timeout ++ ++ ++ ++ Time in milliseconds that sets how long would SSSD ++ talk to a single DNS server before trying next one. ++ ++ ++ Default: 2000 ++ ++ ++ + + + dns_resolver_op_timeout +@@ -111,7 +125,8 @@ + ldap_opt_timeout> timeout should be set to + a larger value than dns_resolver_timeout + which in turn should be set to a larger value than +- dns_resolver_op_timeout. ++ dns_resolver_op_timeout which should be larger ++ than dns_resolver_server_timeout. + + + +diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h +index d30d81bda..e8568993a 100644 +--- a/src/providers/data_provider.h ++++ b/src/providers/data_provider.h +@@ -328,6 +328,7 @@ enum dp_res_opts { + DP_RES_OPT_FAMILY_ORDER, + DP_RES_OPT_RESOLVER_TIMEOUT, + DP_RES_OPT_RESOLVER_OP_TIMEOUT, ++ DP_RES_OPT_RESOLVER_SERVER_TIMEOUT, + DP_RES_OPT_DNS_DOMAIN, + + DP_RES_OPTS /* attrs counter */ +diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c +index 6e375147d..0cdb97323 100644 +--- a/src/providers/data_provider_fo.c ++++ b/src/providers/data_provider_fo.c +@@ -835,6 +835,7 @@ static struct dp_option dp_res_default_opts[] = { + { "lookup_family_order", DP_OPT_STRING, { "ipv4_first" }, NULL_STRING }, + { "dns_resolver_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, ++ { "dns_resolver_server_timeout", DP_OPT_NUMBER, { .number = 2000 }, NULL_NUMBER }, + { "dns_discovery_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + DP_OPTION_TERMINATOR + }; +@@ -896,6 +897,8 @@ errno_t be_res_init(struct be_ctx *ctx) + ret = resolv_init(ctx, ctx->ev, + dp_opt_get_int(ctx->be_res->opts, + DP_RES_OPT_RESOLVER_OP_TIMEOUT), ++ dp_opt_get_int(ctx->be_res->opts, ++ DP_RES_OPT_RESOLVER_SERVER_TIMEOUT), + &ctx->be_res->resolv); + if (ret != EOK) { + talloc_zfree(ctx->be_res); +diff --git a/src/resolv/async_resolv.c b/src/resolv/async_resolv.c +index bb2701154..b833d7211 100644 +--- a/src/resolv/async_resolv.c ++++ b/src/resolv/async_resolv.c +@@ -60,8 +60,6 @@ + #define DNS_RR_LEN(r) DNS__16BIT((r) + 8) + #define DNS_RR_TTL(r) DNS__32BIT((r) + 4) + +-#define RESOLV_TIMEOUTMS 2000 +- + enum host_database default_host_dbs[] = { DB_FILES, DB_DNS, DB_SENTINEL }; + + struct fd_watch { +@@ -83,6 +81,9 @@ struct resolv_ctx { + /* Time in milliseconds before canceling a DNS request */ + int timeout; + ++ /* Time in milliseconds for communication with single DNS server. */ ++ int ares_timeout; ++ + /* The timeout watcher periodically calls ares_process_fd() to check + * if our pending requests didn't timeout. */ + int pending_requests; +@@ -423,7 +424,7 @@ recreate_ares_channel(struct resolv_ctx *ctx) + */ + options.sock_state_cb = fd_event; + options.sock_state_cb_data = ctx; +- options.timeout = RESOLV_TIMEOUTMS; ++ options.timeout = ctx->ares_timeout; + /* Only affects ares_gethostbyname */ + options.lookups = discard_const("f"); + options.tries = 1; +@@ -450,7 +451,7 @@ recreate_ares_channel(struct resolv_ctx *ctx) + + int + resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx, +- int timeout, struct resolv_ctx **ctxp) ++ int timeout, int ares_timeout, struct resolv_ctx **ctxp) + { + int ret; + struct resolv_ctx *ctx; +@@ -467,6 +468,7 @@ resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx, + + ctx->ev_ctx = ev_ctx; + ctx->timeout = timeout; ++ ctx->ares_timeout = ares_timeout; + + ret = recreate_ares_channel(ctx); + if (ret != EOK) { +diff --git a/src/resolv/async_resolv.h b/src/resolv/async_resolv.h +index 90ed03707..d83a7be44 100644 +--- a/src/resolv/async_resolv.h ++++ b/src/resolv/async_resolv.h +@@ -52,7 +52,7 @@ + struct resolv_ctx; + + int resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx, +- int timeout, struct resolv_ctx **ctxp); ++ int timeout, int ares_timeout, struct resolv_ctx **ctxp); + + void resolv_reread_configuration(struct resolv_ctx *ctx); + +diff --git a/src/tests/cmocka/test_fo_srv.c b/src/tests/cmocka/test_fo_srv.c +index a11ebbb54..c13cf3a69 100644 +--- a/src/tests/cmocka/test_fo_srv.c ++++ b/src/tests/cmocka/test_fo_srv.c +@@ -49,7 +49,7 @@ struct resolv_ctx { + + /* mock resolver interface. The resolver test is separate */ + int resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx, +- int timeout, struct resolv_ctx **ctxp) ++ int timeout, int ares_timeout, struct resolv_ctx **ctxp) + { + *ctxp = talloc(mem_ctx, struct resolv_ctx); + return EOK; +@@ -230,7 +230,7 @@ static int test_fo_setup(void **state) + assert_non_null(test_ctx->ctx); + + ret = resolv_init(test_ctx, test_ctx->ctx->ev, +- TEST_RESOLV_TIMEOUT, &test_ctx->resolv); ++ TEST_RESOLV_TIMEOUT, 2000, &test_ctx->resolv); + assert_non_null(test_ctx->resolv); + + memset(&fopts, 0, sizeof(fopts)); +diff --git a/src/tests/cmocka/test_resolv_fake.c b/src/tests/cmocka/test_resolv_fake.c +index 4cb3d4027..0f4011a39 100644 +--- a/src/tests/cmocka/test_resolv_fake.c ++++ b/src/tests/cmocka/test_resolv_fake.c +@@ -240,7 +240,7 @@ static int test_resolv_fake_setup(void **state) + assert_non_null(test_ctx->ctx); + + ret = resolv_init(test_ctx, test_ctx->ctx->ev, +- TEST_DEFAULT_TIMEOUT, &test_ctx->resolv); ++ TEST_DEFAULT_TIMEOUT, 2000, &test_ctx->resolv); + assert_int_equal(ret, EOK); + + *state = test_ctx; +diff --git a/src/tests/fail_over-tests.c b/src/tests/fail_over-tests.c +index 5312b2772..b2269ef3b 100644 +--- a/src/tests/fail_over-tests.c ++++ b/src/tests/fail_over-tests.c +@@ -73,7 +73,7 @@ setup_test(void) + fail("Could not init tevent context"); + } + +- ret = resolv_init(ctx, ctx->ev, 5, &ctx->resolv); ++ ret = resolv_init(ctx, ctx->ev, 5, 2000, &ctx->resolv); + if (ret != EOK) { + talloc_free(ctx); + fail("Could not init resolv context"); +diff --git a/src/tests/resolv-tests.c b/src/tests/resolv-tests.c +index 4a2b3b904..bc4cd7cc1 100644 +--- a/src/tests/resolv-tests.c ++++ b/src/tests/resolv-tests.c +@@ -76,7 +76,7 @@ static int setup_resolv_test(int timeout, struct resolv_test_ctx **ctx) + return EFAULT; + } + +- ret = resolv_init(test_ctx, test_ctx->ev, timeout, &test_ctx->resolv); ++ ret = resolv_init(test_ctx, test_ctx->ev, timeout, 2000, &test_ctx->resolv); + if (ret != EOK) { + fail("Could not init resolv context"); + talloc_free(test_ctx); +-- +2.21.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 5a57ad9..ff965ad 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -50,7 +50,7 @@ Name: sssd Version: 1.16.5 -Release: 10%{?dist}.5 +Release: 10%{?dist}.6 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -102,6 +102,20 @@ Patch0040: 0040-UTIL-DN-sanitization.patch Patch0041: 0041-UTIL-Use-sss_sanitize_dn-where-we-deal-with-DN.patch Patch0042: 0042-UTIL-Use-sss_sanitize_dn-where-we-deal-with-DN-2.patch Patch0043: 0043-ldap-use-member-DN-to-create-ghost-user-hash-table.patch +Patch0044: 0044-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch +Patch0045: 0045-DEBUG-journal_send-was-made-static.patch +Patch0046: 0046-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch +Patch0047: 0047-ifp-fix-use-after-free.patch +Patch0048: 0048-fp-fix-original-fix-use-after-free-1.16-version.patch +Patch0049: 0049-krb5-only-try-pkinit-with-Smartcard-credentials.patch +Patch0050: 0050-negcache-make-sure-domain-config-does-not-leak-into-.patch +Patch0051: 0051-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch +Patch0052: 0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch +Patch0053: 0053-negcache-do-not-use-default_domain_suffix.patch +Patch0054: 0054-ad-add-ad_allow_remote_domain_local_groups.patch +Patch0055: 0055-man-fix-description-of-dns_resolver_op_timeout.patch +Patch0056: 0056-man-fix-description-of-dns_resolver_timeout.patch +Patch0057: 0057-failover-add-dns_resolver_server_timeout-option.patch #Those patches should not be removed in RHEL-7 Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1135,6 +1149,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %pre common getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd +rm -f /var/tmp/sssd_is_running /bin/systemctl is-active --quiet sssd.service && touch /var/tmp/sssd_is_running || : %post common @@ -1276,61 +1291,71 @@ systemctl try-restart sssd >/dev/null 2>&1 || : } %changelog -* Fri Aug 28 2020 Alexey Tikhonov 1.16.5-10.5 +* Wed Nov 25 2020 Alexey Tikhonov 1.16.5-10.6 +- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] +- Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] +- Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] +- Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] +- Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] +- Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] +- Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] +- Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z] + +* Fri Aug 28 2020 Alexey Tikhonov 1.16.5-10.5 - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target -* Fri Aug 28 2020 Alexey Tikhonov 1.16.5-10.4 +* Fri Aug 28 2020 Alexey Tikhonov 1.16.5-10.4 - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) -* Wed Aug 19 2020 Alexey Tikhonov 1.16.5-10.3 +* Wed Aug 19 2020 Alexey Tikhonov 1.16.5-10.3 - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete) -* Tue Aug 18 2020 Alexey Tikhonov 1.16.5-10.2 +* Tue Aug 18 2020 Alexey Tikhonov 1.16.5-10.2 - Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target -* Tue Aug 18 2020 Alexey Tikhonov 1.16.5-10.1 +* Tue Aug 18 2020 Alexey Tikhonov 1.16.5-10.1 - Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] -* Fri Jun 05 2020 Alexey Tikhonov 1.16.5-10 +* Fri Jun 05 2020 Alexey Tikhonov 1.16.5-10 - Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False -* Fri May 29 2020 Alexey Tikhonov 1.16.5-9 +* Fri May 29 2020 Alexey Tikhonov 1.16.5-9 - Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization -* Wed May 27 2020 Alexey Tikhonov 1.16.5-8 +* Wed May 27 2020 Alexey Tikhonov 1.16.5-8 - Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. It is done in two steps (two different nsupdate messages). -* Thu May 21 2020 Alexey Tikhonov 1.16.5-7 +* Thu May 21 2020 Alexey Tikhonov 1.16.5-7 - Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process. -* Wed May 20 2020 Alexey Tikhonov 1.16.5-6 +* Wed May 20 2020 Alexey Tikhonov 1.16.5-6 - Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen -* Tue May 19 2020 Alexey Tikhonov 1.16.5-5 +* Tue May 19 2020 Alexey Tikhonov 1.16.5-5 - Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation -* Mon May 11 2020 Alexey Tikhonov 1.16.5-4 +* Mon May 11 2020 Alexey Tikhonov 1.16.5-4 - Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package -* Thu May 07 2020 Alexey Tikhonov 1.16.5-3 +* Thu May 07 2020 Alexey Tikhonov 1.16.5-3 - Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup -* Thu Apr 23 2020 Alexey Tikhonov 1.16.5-2 +* Thu Apr 23 2020 Alexey Tikhonov 1.16.5-2 - Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work @@ -1341,7 +1366,7 @@ systemctl try-restart sssd >/dev/null 2>&1 || : - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings -* Fri Mar 20 2020 Alexey Tikhonov 1.16.5-1 +* Fri Mar 20 2020 Alexey Tikhonov 1.16.5-1 - Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9 * Wed Mar 18 2020 Michal Židek - 1.16.4-38