diff --git a/.gitignore b/.gitignore index f74e090..a743af2 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/sssd-2.7.3.tar.gz +SOURCES/sssd-2.8.2.tar.gz diff --git a/.sssd.metadata b/.sssd.metadata index 6132eb6..6575e58 100644 --- a/.sssd.metadata +++ b/.sssd.metadata @@ -1 +1 @@ -0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz +4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz diff --git a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch deleted file mode 100644 index 271a5d8..0000000 --- a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 21 Jul 2022 20:16:32 +0200 -Subject: [PATCH] Makefile: remove unneeded dependency -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f) ---- - Makefile.am | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 669a0fc56..92d046888 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \ - $(KRB5_CFLAGS) \ - $(UUID_CFLAGS) \ - $(CURL_CFLAGS) \ -- $(JANSSON_CFLAGS) \ - $(NULL) - sssd_kcm_LDADD = \ - $(LIBADD_DL) \ - $(KRB5_LIBS) \ -- $(JANSSON_LIBS) \ - $(SSSD_LIBS) \ - $(UUID_LIBS) \ - $(SYSTEMD_DAEMON_LIBS) \ -@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \ - $(UUID_CFLAGS) \ - $(NULL) - test_kcm_marshalling_LDADD = \ -- $(JANSSON_LIBS) \ - $(UUID_LIBS) \ - $(KRB5_LIBS) \ - $(CMOCKA_LIBS) \ -@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \ - test_kcm_renewals_LDADD = \ - $(LIBADD_DL) \ - $(UUID_LIBS) \ -- $(JANSSON_LIBS) \ - $(KRB5_LIBS) \ - $(CARES_LIBS) \ - $(CMOCKA_LIBS) \ --- -2.37.1 - 
diff --git a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
new file mode 100644
index 0000000..60feece
--- /dev/null
+++ b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
@@ -0,0 +1,158 @@
+From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 8 Dec 2022 15:14:05 +0100
+Subject: [PATCH] ldap: update shadow last change in sysdb as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise pam can use the changed information whe id chaching is
+enabled, so next authentication that fits into the id timeout
+(5 seconds by default) will still sees the password as expired.
+
+Resolves: https://github.com/SSSD/sssd/issues/6477
+
+Reviewed-by: Sumit Bose
+Reviewed-by: Tomáš Halman
+(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
+---
+ src/db/sysdb.h | 4 ++++
+ src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
+ src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
+ 3 files changed, 52 insertions(+), 5 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 7c666f5c4..06b44f5ba 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
+ struct sysdb_attrs *attrs,
+ int mod_op);
+
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++ const char *name,
++ const char *attrname);
++
+ /* Replace group attrs */
+ int sysdb_set_group_attr(struct sss_domain_info *domain,
+ const char *name,
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 0d6f2d5cd..ed0df9872 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -1485,6 +1485,38 @@ done:
+ return ret;
+ }
+
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++ const char *name,
++ const char *attrname)
++{
++ struct sysdb_attrs *attrs;
++ char *value;
++ errno_t ret;
++
++ attrs = sysdb_new_attrs(NULL);
++ if (attrs == NULL) {
++ return ENOMEM;
++ }
++
++ /* The attribute contains number of days since the epoch */
++ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
++ if (value == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ ret = sysdb_attrs_add_string(attrs, attrname, value);
++ if (ret != EOK) {
++ goto done;
++ }
++
++ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
++
++done:
++ talloc_free(attrs);
++ return ret;
++}
++
+ /* =Replace-Attributes-On-Group=========================================== */
+
+ int sysdb_set_group_attr(struct sss_domain_info *domain,
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index 6404a9d3a..96b9d6df4 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
+ struct pam_data *pd;
+ struct sdap_handle *sh;
+ char *dn;
++ enum pwexpire pw_expire_type;
+ };
+
+ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
+@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ {
+ struct sdap_pam_chpass_handler_state *state;
+ struct tevent_req *req;
+- enum pwexpire pw_expire_type;
+ void *pw_expire_data;
+ size_t msg_len;
+ uint8_t *msg;
+@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
+
+ ret = auth_recv(subreq, state, &state->sh, &state->dn,
+- &pw_expire_type, &pw_expire_data);
++ &state->pw_expire_type, &pw_expire_data);
+ talloc_free(subreq);
+
+ if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
+@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ }
+
+ if (ret == EOK) {
+- switch (pw_expire_type) {
++ switch (state->pw_expire_type) {
+ case PWEXPIRE_SHADOW:
+ ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
+ break;
+@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+- "Unknown password expiration type %d.\n", pw_expire_type);
++ "Unknown password expiration type %d.\n",
++ state->pw_expire_type);
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ case ERR_PASSWORD_EXPIRED:
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "user [%s] successfully authenticated.\n", state->dn);
+- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
++ ret = sdap_pam_chpass_handler_change_step(state, req,
++ state->pw_expire_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_pam_chpass_handler_change_step() failed.\n");
+@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
+
+ switch (ret) {
+ case EOK:
++ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
++ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
++ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
++ if (ret != EOK) {
++ state->pd->pam_status = PAM_SYSTEM_ERR;
++ goto done;
++ }
++ }
++
+ state->pd->pam_status = PAM_SUCCESS;
+ break;
+ case ERR_CHPASS_DENIED:
+--
+2.37.3
+
diff --git a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
deleted file mode 100644
index 6caa8fc..0000000
--- a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
+++ /dev/null
@@ -1,155 +0,0 @@ -From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 29 Jul 2022 14:57:20 +0200 -Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it - should survive context destruction / re-initialization -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Iker Pedrosa -Reviewed-by: Pavel Březina -(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911) ---- - src/sss_client/nss_mc.h | 4 ++-- - src/sss_client/nss_mc_common.c | 10 ++++++++-- - src/sss_client/nss_mc_group.c | 5 +++++ - src/sss_client/nss_mc_initgr.c | 5 +++++ - src/sss_client/nss_mc_passwd.c | 5 +++++ - src/sss_client/nss_mc_sid.c | 5 +++++ - 6 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h -index b66e8f09f..de1496ccc 100644 ---- a/src/sss_client/nss_mc.h -+++ b/src/sss_client/nss_mc.h -@@ -48,7 +48,7 @@ enum sss_mc_state { - struct sss_cli_mc_ctx { - enum sss_mc_state initialized; - #if HAVE_PTHREAD -- pthread_mutex_t mutex; -+ pthread_mutex_t *mutex; - #endif - int fd; - -@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx { - }; - - #if HAVE_PTHREAD --#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} -+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #else - #define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #endif -diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c -index c73a93a9a..f38a4a85a 100644 ---- a/src/sss_client/nss_mc_common.c -+++ b/src/sss_client/nss_mc_common.c -@@ -58,14 +58,14 @@ do { \ - static void sss_mt_lock(struct sss_cli_mc_ctx *ctx) - { - #if HAVE_PTHREAD -- pthread_mutex_lock(&ctx->mutex); -+ pthread_mutex_lock(ctx->mutex); - #endif - } - - static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx) - { - 
#if HAVE_PTHREAD -- pthread_mutex_unlock(&ctx->mutex); -+ pthread_mutex_unlock(ctx->mutex); - #endif - } - -@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) - static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - { - uint32_t active_threads = ctx->active_threads; -+#if HAVE_PTHREAD -+ pthread_mutex_t *mutex = ctx->mutex; -+#endif - - if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { - munmap(ctx->mmap_base, ctx->mmap_size); -@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - - /* restore count of active threads */ - ctx->active_threads = active_threads; -+#if HAVE_PTHREAD -+ ctx->mutex = mutex; -+#endif - } - - static errno_t sss_nss_mc_init_ctx(const char *name, -diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c -index 2ea40c435..d4f2a82ab 100644 ---- a/src/sss_client/nss_mc_group.c -+++ b/src/sss_client/nss_mc_group.c -@@ -29,7 +29,12 @@ - #include "nss_mc.h" - #include "shared/safealign.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - struct group *result, -diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c -index b05946263..bd7282935 100644 ---- a/src/sss_client/nss_mc_initgr.c -+++ b/src/sss_client/nss_mc_initgr.c -@@ -32,7 +32,12 @@ - #include "nss_mc.h" - #include "shared/safealign.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - long int 
*start, long int *size, -diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c -index 01c6801da..256d48444 100644 ---- a/src/sss_client/nss_mc_passwd.c -+++ b/src/sss_client/nss_mc_passwd.c -@@ -28,7 +28,12 @@ - #include - #include "nss_mc.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - struct passwd *result, -diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c -index af7d7bbd5..52e684da5 100644 ---- a/src/sss_client/nss_mc_sid.c -+++ b/src/sss_client/nss_mc_sid.c -@@ -30,7 +30,12 @@ - #include "util/mmap_cache.h" - #include "idmap/sss_nss_idmap.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type, - char **sid, uint32_t *type, --- -2.37.1 - diff --git a/SOURCES/0002-MAN-mention-attributes-in-see-also.patch b/SOURCES/0002-MAN-mention-attributes-in-see-also.patch new file mode 100644 index 0000000..c103d64 --- /dev/null +++ b/SOURCES/0002-MAN-mention-attributes-in-see-also.patch 
@@ -0,0 +1,29 @@
+From 897ccf40b2e7ab30c3b8a3fb42584d1d5b8c4bb3 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Fri, 13 Jan 2023 18:58:05 +0100
+Subject: [PATCH] MAN: mention `attributes` in 'see also'
+
+Reviewed-by: Justin Stephenson
+Reviewed-by: Sumit Bose
+(cherry picked from commit b631c3174a3f8f5c169e9507969015dd79fdfd80)
+---
+ src/man/include/seealso.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
+index 9999496fa..7f0bbe9df 100644
+--- a/src/man/include/seealso.xml
++++ b/src/man/include/seealso.xml
+@@ -10,6 +10,9 @@
+
+ sssd-ldap5
+ ,
++
++ sssd-ldap-attributes5
++ ,
+
+ sssd-krb55
+ ,
+--
+2.37.3
+
diff --git a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
deleted file mode 100644
index 965ceaa..0000000
--- a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 1 Aug 2022 09:54:51 -0400 -Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Skip calling cache_req_data_set_hybrid_lookup() when hybrid data -is NULL for certain NSS request types (e.g. Service by Name). - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina -(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7) ---- - src/responder/nss/nss_get_object.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c -index 9762d6bfe..5a2e7e9bd 100644 ---- a/src/responder/nss/nss_get_object.c -+++ b/src/responder/nss/nss_get_object.c -@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx, - input_name); - } - -- cache_req_data_set_hybrid_lookup(hybrid_data, true); -+ if (hybrid_data != NULL) { -+ cache_req_data_set_hybrid_lookup(hybrid_data, true); -+ } - - return hybrid_data; - } --- -2.37.1 - diff --git a/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch b/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch new file mode 100644 index 0000000..df981a7 --- /dev/null +++ b/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch 
@@ -0,0 +1,90 @@
+From 45a5630e0cfe95ab90bf4a7dd1b32f418c4c759e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Fri, 23 Dec 2022 16:36:58 +0100
+Subject: [PATCH] SSS_CLIENT: delete key in lib destructor
+
+pthread_key_delete() disables thread at-exit destructors.
+Otherwise an attempt to execute already unloaded `sss_at_thread_exit()`
+would trigger segfault.
+
+This doesn't solve an issue with leaking on `dlclose()` FDs initialized in
+multiple threads, but better than crash.
+
+Resolves: https://github.com/SSSD/sssd/issues/6505
+
+Reviewed-by: Iker Pedrosa
+Reviewed-by: Sumit Bose
+(cherry picked from commit 08ccd23fb2c831d6ea918a59b777a0073d414858)
+---
+ src/sss_client/common.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index d762dff49..2c888faa9 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -27,6 +27,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -63,7 +64,8 @@
+
+ #ifdef HAVE_PTHREAD_EXT
+ static pthread_key_t sss_sd_key;
+-static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
++static pthread_once_t sss_sd_key_init = PTHREAD_ONCE_INIT;
++static atomic_bool sss_sd_key_initialized = false;
+ static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
+ static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
+ #else
+@@ -71,9 +73,6 @@ static int sss_cli_sd = -1; /* the sss client socket descriptor */
+ static struct stat sss_cli_sb; /* the sss client stat buffer */
+ #endif
+
+-#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
+-__attribute__((destructor))
+-#endif
+ void sss_cli_close_socket(void)
+ {
+ if (sss_cli_sd != -1) {
+@@ -91,9 +90,24 @@ static void sss_at_thread_exit(void *v)
+ static void init_sd_key(void)
+ {
+ pthread_key_create(&sss_sd_key, sss_at_thread_exit);
++ sss_sd_key_initialized = true;
++}
++#endif
++
++#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
++__attribute__((destructor)) void sss_at_lib_unload(void)
++{
++#ifdef HAVE_PTHREAD_EXT
++ if (sss_sd_key_initialized) {
++ sss_sd_key_initialized = false;
++ pthread_key_delete(sss_sd_key);
++ }
++#endif
++ sss_cli_close_socket();
+ }
+ #endif
+
++
+ /* Requests:
+ *
+ * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
+@@ -572,7 +586,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
+ }
+
+ #ifdef HAVE_PTHREAD_EXT
+- pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
++ pthread_once(&sss_sd_key_init, init_sd_key); /* once for all threads */
+
+ /* It actually doesn't matter what value to set for a key.
+ * The only important thing: key must be non-NULL to ensure
+--
+2.37.3
+
diff --git a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
deleted file mode 100644
index 7f87ccc..0000000
--- a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
+++ /dev/null
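Review bot: `init_sd_key()` in the `src/sss_client/common.c` hunk ignores the return value of `pthread_key_create()`, and the added line sets `sss_sd_key_initialized = true` unconditionally, so if key creation ever fails `sss_at_lib_unload()` calls `pthread_key_delete()` on a key that was never created. Set the flag only on success, e.g. `if (pthread_key_create(&sss_sd_key, sss_at_thread_exit) == 0) { sss_sd_key_initialized = true; }`. The test-and-clear in the destructor could also be a single `atomic_exchange(&sss_sd_key_initialized, false)` so that the check and the reset cannot be separated. A one-line comment above `sss_at_lib_unload()` saying that deleting the key stops `sss_at_thread_exit()` from running after the library is unloaded would keep the reason next to the code, since it currently lives only in the commit message.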
@@ -1,30 +0,0 @@ -From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Thu, 14 Jul 2022 11:21:04 -0400 -Subject: [PATCH] Analyzer: Fix escaping raw fstring - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Iker Pedrosa -(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19) ---- - src/tools/analyzer/modules/request.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index b8dd9b25c..935e13adc 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -243,8 +243,8 @@ class RequestAnalyzer: - be_results = False - component = source.Component.NSS - resp = "nss" -- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]'] -- pattern.append(rf"\[CID#{cid}\\]") -+ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]'] -+ pattern.append(rf"\[CID#{cid}\]") - - if args.pam: - component = source.Component.PAM --- -2.37.1 - diff --git a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch deleted file mode 100644 index a820d44..0000000 --- a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Aug 2022 21:48:43 +0200 -Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f) ---- - src/sss_client/nss_mc.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h -index de1496ccc..0f88521e9 100644 ---- a/src/sss_client/nss_mc.h -+++ b/src/sss_client/nss_mc.h -@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx { - }; - - #if HAVE_PTHREAD --#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} -+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #else --#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} -+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #endif - - errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx); --- -2.37.1 - diff --git a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch deleted file mode 100644 index f759975..0000000 --- a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Aug 2022 21:51:03 +0200 -Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be - touched -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL` -was creating a possibility for a race. - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757) ---- - src/sss_client/nss_mc.h | 4 +++- - src/sss_client/nss_mc_common.c | 20 ++++++++++---------- - 2 files changed, 13 insertions(+), 11 deletions(-) - -diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h -index 0f88521e9..9ab2736fa 100644 ---- a/src/sss_client/nss_mc.h -+++ b/src/sss_client/nss_mc.h -@@ -44,7 +44,9 @@ enum sss_mc_state { - RECYCLED, - }; - --/* common stuff */ -+/* In the case this structure is extended, don't forget to update -+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`. 
-+ */ - struct sss_cli_mc_ctx { - enum sss_mc_state initialized; - #if HAVE_PTHREAD -diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c -index f38a4a85a..3128861bf 100644 ---- a/src/sss_client/nss_mc_common.c -+++ b/src/sss_client/nss_mc_common.c -@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) - - static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - { -- uint32_t active_threads = ctx->active_threads; --#if HAVE_PTHREAD -- pthread_mutex_t *mutex = ctx->mutex; --#endif - - if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { - munmap(ctx->mmap_base, ctx->mmap_size); - } -+ ctx->mmap_base = NULL; -+ ctx->mmap_size = 0; -+ - if (ctx->fd != -1) { - close(ctx->fd); - } -- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx)); - ctx->fd = -1; - -- /* restore count of active threads */ -- ctx->active_threads = active_threads; --#if HAVE_PTHREAD -- ctx->mutex = mutex; --#endif -+ ctx->seed = 0; -+ ctx->data_table = NULL; -+ ctx->dt_size = 0; -+ ctx->hash_table = NULL; -+ ctx->ht_size = 0; -+ ctx->initialized = UNINITIALIZED; -+ /* `mutex` and `active_threads` should be left intact */ - } - - static errno_t sss_nss_mc_init_ctx(const char *name, --- -2.37.1 - diff --git a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch deleted file mode 100644 index 0e06c29..0000000 --- a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 15 Aug 2022 16:17:59 -0400 -Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup - -Fixes an issue when the sssctl analyzer option is -used on systems where SSSD is not running or configured. This is -an expected use case when using --logdir option to analyze external -log files. - -Resolves: https://github.com/SSSD/sssd/issues/6298 - -Reviewed-by: Alexey Tikhonov ---- - src/tools/sssctl/sssctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c -index 3816125ad..f18689f9f 100644 ---- a/src/tools/sssctl/sssctl.c -+++ b/src/tools/sssctl/sssctl.c -@@ -296,7 +296,7 @@ int main(int argc, const char **argv) - SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove), - SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch), - SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level), -- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze), -+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT), - #ifdef HAVE_LIBINI_CONFIG_V1_3 - SSS_TOOL_DELIMITER("Configuration files tools:"), - SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT), --- -2.37.1 - diff --git a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch deleted file mode 100644 index 769e082..0000000 --- a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch +++ /dev/null 
@@ -1,297 +0,0 @@ -From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Fri, 19 Aug 2022 09:50:22 -0400 -Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Client ID is not stored properly to match requests -when parallel requests are made to client SSSD - -Resolves: https://github.com/SSSD/sssd/issues/6307 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina - -Reviewed-by: Alexey Tikhonov ---- - src/responder/common/cache_req/cache_req.c | 5 +++-- - .../plugins/cache_req_autofs_entry_by_name.c | 3 ++- - .../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++- - .../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++- - .../plugins/cache_req_ssh_host_id_by_name.c | 3 ++- - src/responder/common/responder.h | 2 +- - src/responder/common/responder_common.c | 12 +++++++----- - src/responder/common/responder_dp.c | 5 +++-- - src/responder/common/responder_get_domains.c | 3 ++- - src/responder/pam/pamsrv_cmd.c | 4 ++-- - 10 files changed, 26 insertions(+), 17 deletions(-) - -diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c -index 4dd45b038..bc65bae71 100644 ---- a/src/responder/common/cache_req/cache_req.c -+++ b/src/responder/common/cache_req/cache_req.c -@@ -24,6 +24,7 @@ - #include - - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder.h" - #include "responder/common/cache_req/cache_req_private.h" - #include "responder/common/cache_req/cache_req_plugin.h" -@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx, - } - state->first_iteration = true; - -- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n", -- rctx->client_id_num, cr->reqname); -+ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n", -+ sss_chain_id_get(), cr->reqname); - - ret = 
cache_req_is_well_known_object(state, cr, &result); - if (ret == EOK) { -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -index 788b6708c..b2b0a06eb 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, - data->autofs_entry_name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -index 5d82641cc..23b11b1cd 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c -index 29f289723..18c08ca39 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c 
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -index a8b8f47a8..29f52f10d 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -@@ -23,6 +23,7 @@ - - #include "db/sysdb_ssh.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, data->alias, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - static bool -diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h -index 5cb79e3e6..259b3ff13 100644 ---- a/src/responder/common/responder.h -+++ b/src/responder/common/responder.h -@@ -165,13 +165,13 @@ struct cli_ctx { - - struct cli_creds *creds; - char *cmd_line; -- uint64_t old_chain_id; - - void *protocol_ctx; - void *state_ctx; - - struct tevent_timer *idle; - time_t last_request_time; -+ uint32_t client_id_num; - }; - - struct sss_cmd_table { -diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c -index 
6e3b61ef0..a4ba8ea71 100644 ---- a/src/responder/common/responder_common.c -+++ b/src/responder/common/responder_common.c -@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev, - "Failed to close fd [%d]: [%s]\n", - ctx->cfd, strerror(ret)); - } -- /* Restore the original chain id */ -- sss_chain_id_set(ctx->old_chain_id); - - DEBUG(SSSDBG_TRACE_INTERNAL, - "Terminated client [%p][%d]\n", -@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev, - int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd; - - rctx->client_id_num++; -- - if (accept_ctx->is_private) { - ret = stat(rctx->priv_sock_name, &stat_buf); - if (ret == -1) { -@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev, - - talloc_set_destructor(cctx, cli_ctx_destructor); - -+ cctx->client_id_num = rctx->client_id_num; -+ - len = sizeof(cctx->addr); - cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len); - if (cctx->cfd == -1) { -@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev, - - DEBUG(SSSDBG_TRACE_FUNC, - "[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n", -- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), -+ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), - cctx, cctx->cfd, accept_ctx->is_private ? 
" to privileged pipe" : ""); - - return; -@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr, - uint16_t flags) - { - errno_t ret; -+ uint64_t old_chain_id; - struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx); - - /* Always reset the responder idle timer on any activity */ -@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr, - } - - /* Set the chain id */ -- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num); -+ old_chain_id = sss_chain_id_set(cctx->client_id_num); - - if (flags & TEVENT_FD_READ) { - recv_fn(cctx); -@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr, - send_fn(cctx); - return; - } -+ /* Restore the original chain id */ -+ sss_chain_id_set(old_chain_id); - } - - int sss_connection_setup(struct cli_ctx *cctx) -diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c -index d549e02d3..4b4770da1 100644 ---- a/src/responder/common/responder_dp.c -+++ b/src/responder/common/responder_dp.c -@@ -23,6 +23,7 @@ - #include - #include - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder_packet.h" - #include "responder/common/responder.h" - #include "providers/data_provider.h" -@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx, - subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, dp_flags, - entry_type, filter, dom->name, extra, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx, - SSS_BUS_PATH, - dp_flags, entry_type, - filter_type, filter_value, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c -index 
918124756..aeff28d73 100644 ---- a/src/responder/common/responder_get_domains.c -+++ b/src/responder/common/responder_get_domains.c -@@ -19,6 +19,7 @@ - */ - - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder.h" - #include "providers/data_provider.h" - #include "db/sysdb.h" -@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx, - be_conn->bus_name, - SSS_BUS_PATH, dp_flags, - entry_type, filter, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index cb0e1b82f..1695554fc 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) - } - preq->cctx = cctx; - preq->cert_auth_local = false; -- preq->client_id_num = pctx->rctx->client_id_num; -+ preq->client_id_num = cctx->client_id_num; - - preq->pd = create_pam_data(preq); - if (!preq->pd) { -@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) - - pd->cmd = pam_cmd; - pd->priv = cctx->priv; -- pd->client_id_num = pctx->rctx->client_id_num; -+ pd->client_id_num = cctx->client_id_num; - - ret = pam_forwarder_parse_data(cctx, pd); - if (ret == EAGAIN) { --- -2.37.1 - diff --git a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch deleted file mode 100644 index b2c49e1..0000000 --- a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Fri, 19 Aug 2022 14:44:11 -0400 -Subject: [PATCH 9/9] Analyzer: support parallel requests parsing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Analyzer code(primarily the list verbose command) needs -changes to handle parsing the necessary lines from -NSS/PAM log files when multiple intermixed/parallel -client requests are sent to SSSD. - -Resolves: https://github.com/SSSD/sssd/issues/6307 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina - -Reviewed-by: Alexey Tikhonov ---- - src/tools/analyzer/modules/request.py | 119 +++++++++++++++----------- - 1 file changed, 67 insertions(+), 52 deletions(-) - -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index 935e13adc..b9fe3caf8 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -16,7 +16,6 @@ class RequestAnalyzer: - """ - module_parser = None - consumed_logs = [] -- done = "" - list_opts = [ - Option('--verbose', 'Verbose output', bool, '-v'), - Option('--pam', 'Filter only PAM requests', bool), -@@ -149,58 +148,74 @@ class RequestAnalyzer: - print(line) - return found_results - -- def print_formatted(self, line, verbose): -+ def print_formatted_verbose(self, source, patterns): -+ """ -+ Parse line and print formatted verbose list_requests output -+ -+ Args: -+ source (Reader): source Reader object -+ patterns (list): List of regex patterns to use for -+ matching lines -+ """ -+ # Get CID number, and print the basic line first -+ for line in self.matched_line(source, patterns): -+ cid = self.print_formatted(line) -+ -+ # Loop through each line with this CID number to extract and -+ # print the verbose data needed -+ verbose_patterns = ["(cache_req_send|cache_req_process_input|" -+ "cache_req_search_send)"] -+ for cidline in 
self.matched_line(source, verbose_patterns): -+ plugin = "" -+ name = "" -+ id = "" -+ -+ # skip any lines not pertaining to this CID -+ if f"CID#{cid}]" not in cidline: -+ continue -+ if "refreshed" in cidline: -+ continue -+ # CR Plugin name -+ if re.search("cache_req_send", cidline): -+ plugin = cidline.split('\'')[1] -+ # CR Input name -+ elif re.search("cache_req_process_input", cidline): -+ name = cidline.rsplit('[')[-1] -+ # CR Input id -+ elif re.search("cache_req_search_send", cidline): -+ id = cidline.rsplit()[-1] -+ -+ if plugin: -+ print(" - " + plugin) -+ if name: -+ print(" - " + name[:-2]) -+ if (id and ("UID" in cidline or "GID" in cidline)): -+ print(" - " + id) -+ -+ def print_formatted(self, line): - """ - Parse line and print formatted list_requests output - - Args: - line (str): line to parse -- verbose (bool): If true, enable verbose output -+ Returns: -+ Client ID from printed line, 0 otherwise - """ -- plugin = "" -- name = "" -- id = "" -- - # exclude backtrace logs - if line.startswith(' * '): -- return -- fields = line.split("[") -- cr_field = fields[3][7:] -- cr = cr_field.split(":")[0][4:] -+ return 0 - if "refreshed" in line: -- return -- # CR Plugin name -- if re.search("cache_req_send", line): -- plugin = line.split('\'')[1] -- # CR Input name -- elif re.search("cache_req_process_input", line): -- name = line.rsplit('[')[-1] -- # CR Input id -- elif re.search("cache_req_search_send", line): -- id = line.rsplit()[-1] -- # CID and client process name -- else: -- ts = line.split(")")[0] -- ts = ts[1:] -- fields = line.split("[") -- cid = fields[3][4:-9] -- cmd = fields[4][4:-1] -- uid = fields[5][4:-1] -- if not uid.isnumeric(): -- uid = fields[6][4:-1] -- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') -- -- if verbose: -- if plugin: -- print(" - " + plugin) -- if name: -- if cr not in self.done: -- print(" - " + name[:-2]) -- self.done = cr -- if id: -- if cr not in self.done: -- print(" - " + id) -- self.done = cr -+ return 0 -+ ts = 
line.split(")")[0] -+ ts = ts[1:] -+ fields = line.split("[") -+ cid = fields[3][4:-9] -+ cmd = fields[4][4:-1] -+ uid = fields[5][4:-1] -+ if not uid.isnumeric(): -+ uid = fields[6][4:-1] -+ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') -+ return cid - - def list_requests(self, args): - """ -@@ -215,20 +230,20 @@ class RequestAnalyzer: - # Log messages matching the following regex patterns contain - # the useful info we need to produce list output - patterns = [r'\[cmd'] -- patterns.append("(cache_req_send|cache_req_process_input|" -- "cache_req_search_send)") - if args.pam: - component = source.Component.PAM - resp = "pam" - - logger.info(f"******** Listing {resp} client requests ********") - source.set_component(component, False) -- self.done = "" -- for line in self.matched_line(source, patterns): -- if isinstance(source, Journald): -- print(line) -- else: -- self.print_formatted(line, args.verbose) -+ if args.verbose: -+ self.print_formatted_verbose(source, patterns) -+ else: -+ for line in self.matched_line(source, patterns): -+ if isinstance(source, Journald): -+ print(line) -+ else: -+ self.print_formatted(line) - - def track_request(self, args): - """ --- -2.37.1 - diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index be99c00..f598498 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec 
@@ -26,23 +26,17 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 Name: sssd
-Version: 2.7.3
-Release: 3%{?dist}
+Version: 2.8.2
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-Patch0001: 0001-Makefile-remove-unneeded-dependency.patch
-Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
-Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
-Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch
-Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
-Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
-Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
-Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
-Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
+Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+Patch0002: 0002-MAN-mention-attributes-in-see-also.patch
+Patch0003: 0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
 ### Dependencies ###
@@ -126,6 +120,7 @@ BuildRequires: samba-winbind
 BuildRequires: selinux-policy-targeted
 # required for p11_child smartcard tests
 BuildRequires: softhsm >= 2.1.0
+BuildRequires: bc
 BuildRequires: systemd-devel
 BuildRequires: systemtap-sdt-devel
 BuildRequires: uid_wrapper
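Review bot: The added `BuildRequires: bc` in the second hunk has no comment saying what needs it, while the `softhsm` line just above it is annotated with `# required for p11_child smartcard tests`. An unexplained build dependency is hard to prune later and enlarges the build root without a recorded reason. I would put a line such as `# required for <consumer of bc, not visible in this hunk>` directly above it. If only the test suite uses it, the comment should say so, so the dependency can be reviewed together with the tests.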
@@ -1067,6 +1062,40 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Mon Jan 16 2023 Alexey Tikhonov - 2.8.2-2
+- Resolves: rhbz#2160001 - Reference to 'sssd-ldap-attributes' man page is missing in 'sssd-ldap', etc man pages
+- Resolves: rhbz#2143159 - automount killed by SIGSEGV
+
+* Fri Dec 16 2022 Alexey Tikhonov - 2.8.2-1
+- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
+- Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search
+- Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service)
+- Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
+- Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization
+- Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
+- Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
+- Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately
+- Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
+
+* Fri Nov 4 2022 Alexey Tikhonov - 2.8.1-1
+- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
+- Resolves: rhbz#1507035 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
+- Resolves: rhbz#1766490 - Use negative cache better and domain checks for lookup by SIDs
+- Resolves: rhbz#1964121 - RFE: Add an option to sssd config to convert home directories to lowercase (or add a new template for the 'override_homedir' option)
+- Resolves: rhbz#2074307 - reduce debug level in case well_known_sid_to_name() fails
+- Resolves: rhbz#2096031 - SSSD: sdap_handle_id_collision_for_incomplete_groups debug message missing a new line
+- Resolves: rhbz#2103325 - Supported AD group types should be explained in the docs
+- Resolves: rhbz#2111388 - authenticating against external IdP services okta (native app) with OAuth client secret failed
+- Resolves: rhbz#2115171 - SSSD: duplicate dns_resolver_* option in man sssd.conf
+- Resolves: rhbz#2127492 - sssd timezone issues sudonotafter
+- Resolves: rhbz#2128840 - [RFE] provide dbus method to find users by attr
+- Resolves: rhbz#2128883 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
+- Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
+- Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
+
+* Fri Aug 26 2022 Alexey Tikhonov - 2.7.3-4
+- Related: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
+
 * Tue Aug 23 2022 Alexey Tikhonov - 2.7.3-3
 - Resolves: rhbz#2116389 - rpc.gssd crash when access a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-2.el9
 - Resolves: rhbz#2119373 - sssctl analyze --logdir option requires sssd to be configured