diff --git a/.gitignore b/.gitignore
index 8927f97..f74e090 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.6.2.tar.gz
+SOURCES/sssd-2.7.3.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index b533b3d..6132eb6 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
+0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz
diff --git a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch
new file mode 100644
index 0000000..271a5d8
--- /dev/null
+++ b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch
@@ -0,0 +1,51 @@
+From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Thu, 21 Jul 2022 20:16:32 +0200
+Subject: [PATCH] Makefile: remove unneeded dependency
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Justin Stephenson
+Reviewed-by: Pavel Březina
+(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)
+---
+ Makefile.am | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 669a0fc56..92d046888 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \
+ $(KRB5_CFLAGS) \
+ $(UUID_CFLAGS) \
+ $(CURL_CFLAGS) \
+- $(JANSSON_CFLAGS) \
+ $(NULL)
+ sssd_kcm_LDADD = \
+ $(LIBADD_DL) \
+ $(KRB5_LIBS) \
+- $(JANSSON_LIBS) \
+ $(SSSD_LIBS) \
+ $(UUID_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \
+ $(UUID_CFLAGS) \
+ $(NULL)
+ test_kcm_marshalling_LDADD = \
+- $(JANSSON_LIBS) \
+ $(UUID_LIBS) \
+ $(KRB5_LIBS) \
+ $(CMOCKA_LIBS) \
+@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \
+ test_kcm_renewals_LDADD = \
+ $(LIBADD_DL) \
+ $(UUID_LIBS) \
+- $(JANSSON_LIBS) \
+ $(KRB5_LIBS) \
+ $(CARES_LIBS) \
+ $(CMOCKA_LIBS) \
+--
+2.37.1
+
diff --git a/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch b/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
deleted file mode 100644
index 068853a..0000000
--- a/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 4 Jan 2022 10:11:49 +0100
-Subject: [PATCH] ipa: fix reply socket of selinux_child
-
-Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
-the reply socket of selinux_child from stdout to stderr while switching
-from exec_child to exec_child_ex. This patch returns the original
-behavior.
-
-Resolves: https://github.com/SSSD/sssd/issues/5939
-
-Reviewed-by: Alexey Tikhonov
----
- src/providers/ipa/ipa_selinux.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
-index 6f885c0fd..2e0593dd7 100644
---- a/src/providers/ipa/ipa_selinux.c
-+++ b/src/providers/ipa/ipa_selinux.c
-@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
- if (pid == 0) { /* child */
- exec_child_ex(state, pipefd_to_child, pipefd_from_child,
- SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
-- false, STDIN_FILENO, STDERR_FILENO);
-+ false, STDIN_FILENO, STDOUT_FILENO);
- DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
- ret, sss_strerror(ret));
- return ret;
---
-2.26.3
-
diff --git a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
new file mode 100644
index 0000000..6caa8fc
--- /dev/null
+++ b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
@@ -0,0 +1,155 @@
+From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Fri, 29 Jul 2022 14:57:20 +0200
+Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it
+ should survive context destruction / re-initialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Iker Pedrosa
+Reviewed-by: Pavel Březina
+(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911)
+---
+ src/sss_client/nss_mc.h | 4 ++--
+ src/sss_client/nss_mc_common.c | 10 ++++++++--
+ src/sss_client/nss_mc_group.c | 5 +++++
+ src/sss_client/nss_mc_initgr.c | 5 +++++
+ src/sss_client/nss_mc_passwd.c | 5 +++++
+ src/sss_client/nss_mc_sid.c | 5 +++++
+ 6 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
+index b66e8f09f..de1496ccc 100644
+--- a/src/sss_client/nss_mc.h
++++ b/src/sss_client/nss_mc.h
+@@ -48,7 +48,7 @@ enum sss_mc_state {
+ struct sss_cli_mc_ctx {
+ enum sss_mc_state initialized;
+ #if HAVE_PTHREAD
+- pthread_mutex_t mutex;
++ pthread_mutex_t *mutex;
+ #endif
+ int fd;
+
+@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx {
+ };
+
+ #if HAVE_PTHREAD
+-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
++#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+ #else
+ #define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+ #endif
+diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
+index c73a93a9a..f38a4a85a 100644
+--- a/src/sss_client/nss_mc_common.c
++++ b/src/sss_client/nss_mc_common.c
+@@ -58,14 +58,14 @@ do { \
+ static void sss_mt_lock(struct sss_cli_mc_ctx *ctx)
+ {
+ #if HAVE_PTHREAD
+- pthread_mutex_lock(&ctx->mutex);
++ pthread_mutex_lock(ctx->mutex);
+ #endif
+ }
+
+ static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
+ {
+ #if HAVE_PTHREAD
+- pthread_mutex_unlock(&ctx->mutex);
++ pthread_mutex_unlock(ctx->mutex);
+ #endif
+ }
+
+@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
+ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
+ {
+ uint32_t active_threads = ctx->active_threads;
++#if HAVE_PTHREAD
++ pthread_mutex_t *mutex = ctx->mutex;
++#endif
+
+ if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
+ munmap(ctx->mmap_base, ctx->mmap_size);
+@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
+
+ /* restore count of active threads */
+ ctx->active_threads = active_threads;
++#if HAVE_PTHREAD
++ ctx->mutex = mutex;
++#endif
+ }
+
+ static errno_t sss_nss_mc_init_ctx(const char *name,
+diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
+index 2ea40c435..d4f2a82ab 100644
+--- a/src/sss_client/nss_mc_group.c
++++ b/src/sss_client/nss_mc_group.c
+@@ -29,7 +29,12 @@
+ #include "nss_mc.h"
+ #include "shared/safealign.h"
+
++#if HAVE_PTHREAD
++static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
++static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex);
++#else
+ static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
++#endif
+
+ static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
+ struct group *result,
+diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
+index b05946263..bd7282935 100644
+--- a/src/sss_client/nss_mc_initgr.c
++++ b/src/sss_client/nss_mc_initgr.c
+@@ -32,7 +32,12 @@
+ #include "nss_mc.h"
+ #include "shared/safealign.h"
+
++#if HAVE_PTHREAD
++static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
++static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex);
++#else
+ static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
++#endif
+
+ static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
+ long int *start, long int *size,
+diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
+index 01c6801da..256d48444 100644
+--- a/src/sss_client/nss_mc_passwd.c
++++ b/src/sss_client/nss_mc_passwd.c
+@@ -28,7 +28,12 @@
+ #include
+ #include "nss_mc.h"
+
++#if HAVE_PTHREAD
++static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
++static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex);
++#else
+ static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
++#endif
+
+ static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
+ struct passwd *result,
+diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c
+index af7d7bbd5..52e684da5 100644
+--- a/src/sss_client/nss_mc_sid.c
++++ b/src/sss_client/nss_mc_sid.c
+@@ -30,7 +30,12 @@
+ #include "util/mmap_cache.h"
+ #include "idmap/sss_nss_idmap.h"
+
++#if HAVE_PTHREAD
++static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
++static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex);
++#else
+ static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
++#endif
+
+ static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type,
+ char **sid, uint32_t *type,
+--
+2.37.1
+
diff --git a/SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch b/SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch
deleted file mode 100644
index 2ff9888..0000000
--- a/SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch
+++ /dev/null
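Review bot: `ctx->mutex` can be seen as NULL by a concurrent `sss_mt_lock()` while `sss_nss_mc_destroy_ctx()` runs, if the lines between the two nss_mc_common.c hunks (not shown) clear the whole struct, as the added save and restore of the pointer suggests. `sss_mt_lock()` reads `ctx->mutex` before any lock is held, so a second thread arriving in that window would pass NULL to `pthread_mutex_lock()`, and this client code is loaded into every process that resolves users or groups through it. Clearing only the members other than the mutex pointer would mean the pointer is never written after static initialisation, which removes both the window and the save/restore. A comment on the member in nss_mc.h such as `/* points to a static mutex; never cleared or reassigned after initialisation */` would record that invariant.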
@@ -1,42 +0,0 @@
-From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 16 Dec 2021 11:14:18 +0100
-Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the forest root is not part of the return trusted domain objects
-from the local domain controller we generate an object for further
-processing. During this processing it is expected that the 'cn'
-attribute is set and contains the name of the forest root. So far this
-attribute was missing and it is now added by this patch.
-
-Resolves: https://github.com/SSSD/sssd/issues/5926
-
-Reviewed-by: Pavel Březina
----
- src/providers/ad/ad_subdomains.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
-index 0353de76f..0c3f8ac31 100644
---- a/src/providers/ad/ad_subdomains.c
-+++ b/src/providers/ad/ad_subdomains.c
-@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
- goto done;
- }
-
-+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
-+ state->forest);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
-+ goto done;
-+ }
-+
- err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
- &id_val.data, &id_val.length);
- if (err != IDMAP_SUCCESS) {
---
-2.26.3
-
diff --git a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
new file mode 100644
index 0000000..965ceaa
--- /dev/null
+++ b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
@@ -0,0 +1,36 @@
+From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001
+From: Justin Stephenson
+Date: Mon, 1 Aug 2022 09:54:51 -0400
+Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
+is NULL for certain NSS request types (e.g. Service by Name).
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Pavel Březina
+(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)
+---
+ src/responder/nss/nss_get_object.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
+index 9762d6bfe..5a2e7e9bd 100644
+--- a/src/responder/nss/nss_get_object.c
++++ b/src/responder/nss/nss_get_object.c
+@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx,
+ input_name);
+ }
+
+- cache_req_data_set_hybrid_lookup(hybrid_data, true);
++ if (hybrid_data != NULL) {
++ cache_req_data_set_hybrid_lookup(hybrid_data, true);
++ }
+
+ return hybrid_data;
+ }
+--
+2.37.1
+
diff --git a/SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch b/SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
deleted file mode 100644
index 07f55b0..0000000
--- a/SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
+++ /dev/null
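Review bot: With the new `if (hybrid_data != NULL)` guard, a NULL return from `hybrid_domain_retry_data()` covers two cases the caller cannot tell apart: a request type that has no hybrid data and, presumably, a failed allocation in the branches above the hunk (not shown). A comment above the guard would record which one is expected, for example `/* NULL: request type has no hybrid lookup (e.g. service by name) or allocation failed; caller must check */`. The start of the function is outside the hunk, so whether every branch assigns `hybrid_data` has to be confirmed there.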
@@ -1,140 +0,0 @@
-From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Thu, 13 Jan 2022 11:28:30 +0100
-Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-AD and IPA providers use a common fo_server object for LDAP and
-Kerberos, which is created with the LDAP data. This means that due to
-the changes introduced in
-https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
-the port in use for the Kerberos requests would be the one specified for
-LDAP, usually the default one (389).
-
-In order to avoid that, AD and IPA providers shouldn't change the
-Kerberos port with the one provided for LDAP.
-
-:fixes: A critical regression that prevented authentication of users via
-AD and IPA providers was fixed. LDAP port was reused for Kerberos
-communication and this provider would send incomprehensible information
-to this port.
-
-Resolves: https://github.com/SSSD/sssd/issues/5947
-
-Signed-off-by: Iker Pedrosa
-
-Reviewed-by: Pavel Březina
----
- src/providers/ad/ad_common.c | 1 +
- src/providers/ipa/ipa_common.c | 1 +
- src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
- src/providers/krb5/krb5_common.h | 1 +
- 4 files changed, 23 insertions(+), 14 deletions(-)
-
-diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
-index e263444c5..1ca5f8e3a 100644
---- a/src/providers/ad/ad_common.c
-+++ b/src/providers/ad/ad_common.c
-@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
- if (service->krb5_service->write_kdcinfo) {
- ret = write_krb5info_file_from_fo_server(service->krb5_service,
- server,
-+ true,
- SSS_KRB5KDC_FO_SRV,
- ad_krb5info_file_filter);
- if (ret != EOK) {
-diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
-index 1509cb1ce..e6c1f9aa4 100644
---- a/src/providers/ipa/ipa_common.c
-+++ b/src/providers/ipa/ipa_common.c
-@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
- if (service->krb5_service->write_kdcinfo) {
- ret = write_krb5info_file_from_fo_server(service->krb5_service,
- server,
-+ true,
- SSS_KRB5KDC_FO_SRV,
- NULL);
- if (ret != EOK) {
-diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
-index 719ce6a12..5ffa20809 100644
---- a/src/providers/krb5/krb5_common.c
-+++ b/src/providers/krb5/krb5_common.c
-@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
-
- errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
- struct fo_server *server,
-+ bool force_default_port,
- const char *service,
- bool (*filter)(struct fo_server *))
- {
-@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
- if (filter == NULL || filter(server) == false) {
- address = fo_server_address_or_name(tmp_ctx, server);
- if (address) {
-- port = fo_get_server_port(server);
-- if (port != 0) {
-- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
-- if (address == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-- talloc_free(tmp_ctx);
-- return ENOMEM;
-+ if (!force_default_port) {
-+ port = fo_get_server_port(server);
-+ if (port != 0) {
-+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
-+ if (address == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-+ talloc_free(tmp_ctx);
-+ return ENOMEM;
-+ }
- }
- }
-
-@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
- continue;
- }
-
-- port = fo_get_server_port(item);
-- if (port != 0) {
-- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
-- if (address == NULL) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-- talloc_free(tmp_ctx);
-- return ENOMEM;
-+ if (!force_default_port) {
-+ port = fo_get_server_port(item);
-+ if (port != 0) {
-+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
-+ if (address == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-+ talloc_free(tmp_ctx);
-+ return ENOMEM;
-+ }
- }
- }
-
-@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
- if (krb5_service->write_kdcinfo) {
- ret = write_krb5info_file_from_fo_server(krb5_service,
- server,
-+ false,
- krb5_service->name,
- NULL);
- if (ret != EOK) {
-diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
-index 151f446d1..2fd39a751 100644
---- a/src/providers/krb5/krb5_common.h
-+++ b/src/providers/krb5/krb5_common.h
-@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
-
- errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
- struct fo_server *server,
-+ bool force_default_port,
- const char *service,
- bool (*filter)(struct fo_server *));
-
---
-2.26.3
-
diff --git a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
new file mode 100644
index 0000000..7f87ccc
--- /dev/null
+++ b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
@@ -0,0 +1,30 @@
+From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson
+Date: Thu, 14 Jul 2022 11:21:04 -0400
+Subject: [PATCH] Analyzer: Fix escaping raw fstring
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Iker Pedrosa
+(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19)
+---
+ src/tools/analyzer/modules/request.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
+index b8dd9b25c..935e13adc 100644
+--- a/src/tools/analyzer/modules/request.py
++++ b/src/tools/analyzer/modules/request.py
+@@ -243,8 +243,8 @@ class RequestAnalyzer:
+ be_results = False
+ component = source.Component.NSS
+ resp = "nss"
+- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]']
+- pattern.append(rf"\[CID#{cid}\\]")
++ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
++ pattern.append(rf"\[CID#{cid}\]")
+
+ if args.pam:
+ component = source.Component.PAM
+--
+2.37.1
+
diff --git a/SOURCES/0004-po-update-translations.patch b/SOURCES/0004-po-update-translations.patch
deleted file mode 100644
index 0433c32..0000000
--- a/SOURCES/0004-po-update-translations.patch
+++ /dev/null
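Review bot: `cid` is interpolated into both regular expressions in request.py without escaping or a type check, so if it reaches this point as a string from the command line (its origin is above the hunk), any regex metacharacter in it changes what the analyzer matches in the logs. Either validate it as an integer earlier or build the patterns with `re.escape(str(cid))`, e.g. `pattern = [rf'REQ_TRACE.*\[CID #{re.escape(str(cid))}\]']`, which needs `import re` if the module does not already have it. The two patterns also differ in spacing (`CID #` versus `CID#`), and a short comment naming the log format each one matches would help the next reader. The method body starts and ends outside the hunk.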
@@ -1,1249 +0,0 @@ -From e7069c53235d11e2a8f2b58f2781d303bdbe13b3 Mon Sep 17 00:00:00 2001 -From: Weblate -Date: Wed, 5 Jan 2022 13:23:20 +0100 -Subject: [PATCH] po: update translations -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Japanese) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(Finnish) currently translated at 3.5% (93 of 2627 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/ - -po: update translations - -(Swedish) currently translated at 100.0% (2627 of 2627 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/ - -po: update translations - -(Swedish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/ - -po: update translations - -(Korean) currently translated at 14.4% (379 of 2615 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ - -po: update translations - -(Korean) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ - -po: update translations - -(Ukrainian) currently translated at 100.0% (619 of 619 strings) 
-Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ - -po: update translations - -(Polish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ - -Update translation files - -Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. - -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ - -po: update translations - -(Korean) currently translated at 14.4% (379 of 2615 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ - -po: update translations - -(Korean) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ - -po: update translations - -(Korean) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ - -po: update translations - -(Korean) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ - -po: update translations - -(Finnish) currently translated at 6.1% (38 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/ - -po: update translations - -(Finnish) currently translated at 6.1% (38 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/ - -po: update translations - -(Chinese (Traditional) (zh_TW)) currently translated at 7.9% (49 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_TW/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently 
translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ - -po: update translations - -(Ukrainian) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ - -po: update translations - -(Ukrainian) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ - -po: update translations - -(Turkish) currently translated at 15.1% (94 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/ - -po: update translations - -(Turkish) currently translated at 15.1% (94 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/ - -po: update translations - -(Tajik) currently translated at 0.9% (6 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tg/ - -po: update translations - -(Swedish) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/ - 
-po: update translations - -(Swedish) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/ - -po: update translations - -(Russian) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/ - -po: update translations - -(Russian) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/ - -po: update translations - -(Russian) currently translated at 99.0% (613 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/ - -po: update translations - -(Portuguese (Brazil)) currently translated at 0.8% (5 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt_BR/ - -po: update translations - -(Portuguese) currently translated at 15.6% (97 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/ - -po: update translations - -(Polish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ - -po: update translations - -(Polish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ - -po: update translations - -(Dutch) currently translated at 47.6% (295 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/nl/ - -po: update translations - -(Norwegian Bokmål) currently translated at 2.2% (14 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/nb_NO/ - -po: 
update translations - -(Japanese) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -po: update translations - -(Japanese) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -po: update translations - -(Japanese) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ - -po: update translations - -(Italian) currently translated at 19.0% (118 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/it/ - -po: update translations - -(Italian) currently translated at 19.0% (118 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/it/ - -po: update translations - -(Indonesian) currently translated at 8.7% (54 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/id/ - -po: update translations - -(Hungarian) currently translated at 7.1% (44 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/hu/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - 
-(French) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - -po: update translations - -(Basque) currently translated at 6.7% (42 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/eu/ - -po: update translations - -(Spanish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/ - -po: update translations - -(Spanish) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/ - -po: update translations - -(German) currently translated at 51.5% (319 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/de/ - -po: update translations - -(German) currently translated at 51.5% (319 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/de/ - -po: update translations - -(Czech) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/ - -po: update translations - -(Czech) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/ - -po: update translations - -(Czech) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/ - -po: update translations - -(Catalan) currently translated at 55.7% (345 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ca/ - -po: update translations - -(Bulgarian) currently translated 
at 15.1% (94 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/bg/ - -po: update translations - -(Ukrainian) currently translated at 100.0% (2627 of 2627 strings) -Translation: SSSD/sssd-manpage -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/ - -po: update translations - -(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings) -Translation: SSSD/sssd -Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ ---- - po/cs.po | 6 +++ - po/es.po | 6 +++ - po/fr.po | 19 +++++--- - po/ja.po | 18 +++++--- - po/ko.po | 15 +++--- - po/pl.po | 17 ++++--- - po/sv.po | 21 ++++----- - po/uk.po | 16 +++++-- - po/zh_CN.po | 25 +++++----- - src/man/po/fi.po | 10 ++-- - src/man/po/sv.po | 117 +++++++++++++++++------------------------------ - src/man/po/uk.po | 21 +++++---- - 13 files changed, 161 insertions(+), 152 deletions(-) - -diff --git a/po/cs.po b/po/cs.po -index 3a707d70c..abc1f36cc 100644 ---- a/po/cs.po -+++ b/po/cs.po -@@ -2935,6 +2935,12 @@ msgstr "Informuje, že odpovídač byl aktivován přes dbus" - #~ "Je doporučeno použít volbu --logdir vůči identifikátoru tevent řetězce " - #~ "podporovaným záznamům událostí v SSSD.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "POZN.: chybí podpora pro identifikátor tevent řetězce, analýza požadavku " -+#~ "bude jen základní.\n" -+ - #~ msgid "Timeout for messages sent over the SBUS" - #~ msgstr "Časový limit pro zprávy posílané přes SBUS" - -diff --git a/po/es.po b/po/es.po -index dfa4f12f2..2a05620bd 100644 ---- a/po/es.po -+++ b/po/es.po -@@ -2997,6 +2997,12 @@ msgstr "Informa que el contestador ha sido dbus-activated" - #~ "Se recomienda usar la opción --logdir contra la ID de la cadena de " - #~ "eventos soportada por los registros SSSD.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support 
missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "AVISO: Falta el soporte de identificación de la cadena de eventos, el " -+#~ "análisis de solicitudes será limitado.\n" -+ - #~ msgid "Timeout for messages sent over the SBUS" - #~ msgstr "Tiempo máximo para los mensajes enviados a través de SBUS" - -diff --git a/po/fr.po b/po/fr.po -index 2687f3c1a..b5c2e531c 100644 ---- a/po/fr.po -+++ b/po/fr.po -@@ -8,7 +8,7 @@ - # Fabien Archambault , 2012 - # Mariko Vincent , 2012 - # Jérôme Fenal , 2016. #zanata --# Ludek Janda , 2020. #zanata, 2021. -+# Ludek Janda , 2020. #zanata, 2021, 2022. - # Pavel Brezina , 2020. #zanata - # Jean-Baptiste Holcroft , 2020. - # Sundeep Anand , 2021. -@@ -17,7 +17,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-12-22 07:16+0000\n" -+"PO-Revision-Date: 2022-01-05 12:23+0000\n" - "Last-Translator: Ludek Janda \n" - "Language-Team: French \n" -@@ -26,7 +26,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n > 1;\n" --"X-Generator: Weblate 4.10\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -2085,7 +2085,7 @@ msgstr "Utiliser la version personnalisée de krb5_get_init_creds_password" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "ID de chaîne Tevent utilisé à des fins de journalisation" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2762,11 +2762,10 @@ msgid "Specify debug level you want to set" - msgstr "Spécifiez le niveau de débogage que vous souhaitez définir" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log 
analyzer is unsupported.\n" - msgstr "" --"REMARQUE : Prise en charge de l’ID de chaîne Tevent manquante, l’analyse des " --"demandes sera limitée.\n" -+"ERREUR : Prise en charge de l’ID de chaîne Tevent manquante, l’analyseur de " -+"journal n’est pas pris en charge.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -3011,6 +3010,12 @@ msgstr "Informe que le répondeur a été activé par un dbus" - #~ "Il est recommandé d’utiliser l’option --logdir pour les journaux SSSD " - #~ "pris en charge par l’ID de chaîne Tevent.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "REMARQUE : Prise en charge de l’ID de chaîne Tevent manquante, l’analyse " -+#~ "des demandes sera limitée.\n" -+ - #~ msgid "Running under %" - #~ msgstr "En cours d’exécution sous %" - -diff --git a/po/ja.po b/po/ja.po -index 3156fe5a7..699980621 100644 ---- a/po/ja.po -+++ b/po/ja.po -@@ -6,7 +6,7 @@ - # Tomoyuki KATO , 2012-2013 - # Noriko Mizumoto , 2016. #zanata - # Keiko Moriguchi , 2019. #zanata --# Ludek Janda , 2020. #zanata, 2021. -+# Ludek Janda , 2020. #zanata, 2021, 2022. - # Pavel Brezina , 2020. #zanata - # Sundeep Anand , 2021. 
- msgid "" -@@ -14,7 +14,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-12-22 07:16+0000\n" -+"PO-Revision-Date: 2022-01-05 12:23+0000\n" - "Last-Translator: Ludek Janda \n" - "Language-Team: Japanese \n" -@@ -23,7 +23,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Weblate 4.10\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -1960,7 +1960,7 @@ msgstr "krb5_get_init_creds_password のカスタムバージョンを使用し - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "デバッグのロギングの冗長性を設定する" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2629,10 +2629,8 @@ msgid "Specify debug level you want to set" - msgstr "設定したいデバッグレベルを指定します" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" --msgstr "" --"注記: Tevent チェーン ID サポートがないため、リクエスト分析は制限されます。\n" -+msgstr "エラー: Tevent chain ID サポートがなく、ログアナライザーはサポートされません。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -2877,6 +2875,12 @@ msgstr "レスポンダーが dbus でアクティベートされたと知らせ - #~ "tevent チェーン ID でサポートされる SSSD ログに対して --logdir オプション" - #~ "を使用することが推奨されます。\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "注記: Tevent チェーン ID サポートがないため、リクエスト分析は制限されま" -+#~ "す。\n" -+ - #~ msgid "Running under %" - #~ msgstr "% 化で実行" - -diff --git a/po/ko.po b/po/ko.po -index 5a27bab30..2dd7cbd52 100644 ---- a/po/ko.po -+++ b/po/ko.po -@@ -9,8 +9,8 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - 
"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-12-22 07:16+0000\n" --"Last-Translator: Ludek Janda \n" -+"PO-Revision-Date: 2021-12-25 00:16+0000\n" -+"Last-Translator: simmon \n" - "Language-Team: Korean \n" - "Language: ko\n" -@@ -18,7 +18,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Weblate 4.10\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -1929,7 +1929,7 @@ msgstr "krb5_get_init_creds_password의 사용자 지정 버전 사용" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "로깅 목적을 위해 사용되는 T이벤트 체인 ID" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2588,9 +2588,8 @@ msgid "Specify debug level you want to set" - msgstr "설정할 디버그 수준 지정" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" --msgstr "참고: Tevent 체인 ID 지원이 누락되어 요청 분석이 제한됩니다.\n" -+msgstr "오류: T이벤트 체인 ID 지원이 누락되었으며, 로그 분석이 지원되지 않습니다.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -2835,6 +2834,10 @@ msgstr "응답자가 dbus-활성화 되었음을 알립니다" - #~ "tevent 체인 ID에서 지원되는 SSSD 로그에 대해 --logdir 옵션을 사용하는 것" - #~ "이 좋습니다.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "참고: Tevent 체인 ID 지원이 누락되어 요청 분석이 제한됩니다.\n" -+ - #~ msgid "Timeout for messages sent over the SBUS" - #~ msgstr "SBUS를 통해 전송된 메시지에 시간초과" - -diff --git a/po/pl.po b/po/pl.po -index 60c4090b5..89969bf6e 100644 ---- a/po/pl.po -+++ b/po/pl.po -@@ -16,7 +16,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: 
sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-11-11 11:34+0000\n" -+"PO-Revision-Date: 2021-12-24 10:33+0000\n" - "Last-Translator: Piotr Drąg \n" - "Language-Team: Polish \n" -@@ -26,7 +26,7 @@ msgstr "" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 " - "|| n%100>=20) ? 1 : 2;\n" --"X-Generator: Weblate 4.8.1\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -2025,7 +2025,7 @@ msgstr "Użycie niestandardowej wersji krb5_get_init_creds_password" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "Identyfikator łańcucha tevent używany do celów zapisywania w dzienniku" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2692,11 +2692,10 @@ msgid "Specify debug level you want to set" - msgstr "Podaje poziom debugowania do ustawienia" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" - msgstr "" --"UWAGA: brak obsługi identyfikatora łańcucha tevent, analiza żądań będzie " --"ograniczona.\n" -+"BŁĄD: brak obsługi identyfikatora łańcucha tevent, analizator dziennika jest " -+"nieobsługiwany.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -2941,6 +2940,12 @@ msgstr "Informuje, że program odpowiadający został aktywowany magistralą D-B - #~ "Zalecane jest używanie opcji --logdir przy dziennikach SSSD obsługujących " - #~ "identyfikator łańcucha tevent.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "UWAGA: brak obsługi identyfikatora łańcucha tevent, analiza żądań będzie " -+#~ "ograniczona.\n" -+ - #~ msgid "Running 
under %" - #~ msgstr "Uruchamianie jako %" - -diff --git a/po/sv.po b/po/sv.po -index 910a89552..d679d83b9 100644 ---- a/po/sv.po -+++ b/po/sv.po -@@ -13,7 +13,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-08-08 16:04+0000\n" -+"PO-Revision-Date: 2021-12-31 15:16+0000\n" - "Last-Translator: Göran Uddeborg \n" - "Language-Team: Swedish \n" -@@ -22,7 +22,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n != 1;\n" --"X-Generator: Weblate 4.7.2\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -823,9 +823,8 @@ msgstr "" - "servern när den senaste förfrågan inte hittade någon regel" - - #: src/config/SSSDConfig/sssdoptions.py:244 --#, fuzzy - msgid "Search base for SUBID ranges" --msgstr "Sökbas för vybehållare" -+msgstr "Sökbas för SUBAID-intervall" - - #: src/config/SSSDConfig/sssdoptions.py:245 - msgid "The LDAP attribute that contains FQDN of the host." 
-@@ -1951,7 +1950,7 @@ msgstr "Flaggan -g är inkompatibel med -D eller -i\n" - #: src/monitor/monitor.c:2401 - #, c-format - msgid "Running under %, must be root\n" --msgstr "" -+msgstr "Kör under %, måste vara root\n" - - #: src/monitor/monitor.c:2483 - msgid "SSSD is already running\n" -@@ -1999,7 +1998,7 @@ msgstr "Använd en anpassad version av krb5_get_init_creds_password" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "Tevent-kedje-ID använt för loggningssyfte" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2335,14 +2334,14 @@ msgid "Error while executing external command\n" - msgstr "Fel när externt kommando kördes\n" - - #: src/tools/sssctl/sssctl.c:123 --#, fuzzy, c-format -+#, c-format - msgid "Error while executing external command '%s'\n" --msgstr "Fel när externt kommando kördes\n" -+msgstr "Fel när externt kommando kördes ”%s”\n" - - #: src/tools/sssctl/sssctl.c:126 --#, fuzzy, c-format -+#, c-format - msgid "Command '%s' failed with [%d]\n" --msgstr "dlsym misslyckades med [%s].\n" -+msgstr "Kommandot ”%s” misslyckades med [%d].\n" - - #: src/tools/sssctl/sssctl.c:173 - msgid "SSSD needs to be running. Start SSSD now?" 
-@@ -2665,7 +2664,7 @@ msgstr "Ange felsökningsnivå du vill sätta" - - #: src/tools/sssctl/sssctl_logs.c:398 - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" --msgstr "" -+msgstr "FEL: stöd för tevent-kedje-ID saknas, logganalysatorn stödjs inte.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -diff --git a/po/uk.po b/po/uk.po -index 9ee86deb0..84e63bcc9 100644 ---- a/po/uk.po -+++ b/po/uk.po -@@ -16,7 +16,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-11-12 12:05+0000\n" -+"PO-Revision-Date: 2021-12-25 00:16+0000\n" - "Last-Translator: Yuri Chornoivan \n" - "Language-Team: Ukrainian \n" -@@ -26,7 +26,7 @@ msgstr "" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" - "%10<=4 && (n%100<10 || n%100>=20) ? 
1 : 2;\n" --"X-Generator: Weblate 4.8.1\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -2088,6 +2088,7 @@ msgstr "Використовувати нетипову версію krb5_get_in - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" - msgstr "" -+"Ідентифікатор ланцюжка Tevent, який використовується для ведення журналу" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2757,11 +2758,10 @@ msgid "Specify debug level you want to set" - msgstr "Вкажіть рівень діагностики, яким ви хочете скористатися" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" - msgstr "" --"УВАГА: немає підтримки ідентифікатора черги Tevent, можливості аналізу " --"запитів буде обмежено.\n" -+"Помилка: немає підтримки ідентифікатора ланцюжка Tevent, можливість аналізу " -+"журналу недоступна.\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -3006,6 +3006,12 @@ msgstr "Інформує про те, що на відповідачі заді - #~ "Рекомендуємо скористатися параметром --logdir для обробки журналу SSSD із " - #~ "підтримкою ідентифікаторів ланцюжка tevent.\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "" -+#~ "УВАГА: немає підтримки ідентифікатора черги Tevent, можливості аналізу " -+#~ "запитів буде обмежено.\n" -+ - #~ msgid "Running under %" - #~ msgstr "Запущено від імені %" - -diff --git a/po/zh_CN.po b/po/zh_CN.po -index 5f23f62eb..1ade71110 100644 ---- a/po/zh_CN.po -+++ b/po/zh_CN.po -@@ -4,7 +4,7 @@ - # - # Translators: - # Christopher Meng , 2012 --# Ludek Janda , 2020. #zanata, 2021. -+# Ludek Janda , 2020. #zanata, 2021, 2022. - # Pavel Brezina , 2020. #zanata - # Charles Lee , 2020, 2021. - # Sundeep Anand , 2021. 
-@@ -13,7 +13,7 @@ msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" - "POT-Creation-Date: 2021-12-23 12:58+0100\n" --"PO-Revision-Date: 2021-12-22 07:16+0000\n" -+"PO-Revision-Date: 2022-01-05 12:23+0000\n" - "Last-Translator: Ludek Janda \n" - "Language-Team: Chinese (Simplified) \n" -@@ -22,7 +22,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" --"X-Generator: Weblate 4.10\n" -+"X-Generator: Weblate 4.10.1\n" - - #: src/config/SSSDConfig/sssdoptions.py:20 - #: src/config/SSSDConfig/sssdoptions.py:21 -@@ -1007,7 +1007,7 @@ msgstr "Kerberos 备份服务器地址" - - #: src/config/SSSDConfig/sssdoptions.py:313 - msgid "Kerberos realm" --msgstr "Kerberos realm" -+msgstr "Kerberos 域" - - #: src/config/SSSDConfig/sssdoptions.py:314 - msgid "Authentication timeout" -@@ -1071,7 +1071,7 @@ msgstr "启用企业主体" - - #: src/config/SSSDConfig/sssdoptions.py:331 - msgid "Enables using of subdomains realms for authentication" --msgstr "启用使用子域域进行验证" -+msgstr "允许使用子域域进行身份验证" - - #: src/config/SSSDConfig/sssdoptions.py:332 - msgid "A mapping from user names to Kerberos principal names" -@@ -1128,7 +1128,7 @@ msgstr "离线时尝试重新连接的时间间隔" - - #: src/config/SSSDConfig/sssdoptions.py:350 - msgid "Use only the upper case for realm names" --msgstr "realm 名称仅使用大写字母" -+msgstr "对于域名称仅使用大写字母" - - #: src/config/SSSDConfig/sssdoptions.py:351 - msgid "File that contains CA certificates" -@@ -1164,7 +1164,7 @@ msgstr "指定要使用的 sasl 授权 ID" - - #: src/config/SSSDConfig/sssdoptions.py:359 - msgid "Specify the sasl authorization realm to use" --msgstr "指定要使用的 sasl 授权 realm" -+msgstr "指定要使用的 sasl 授权域" - - #: src/config/SSSDConfig/sssdoptions.py:360 - msgid "Specify the minimal SSF for LDAP sasl authorization" -@@ -1876,7 +1876,7 @@ msgstr "组创建 FAST 缓存为" - - #: src/providers/krb5/krb5_child.c:3336 - msgid "Kerberos realm to use" --msgstr "使用的 kerberos realm" -+msgstr 
"要使用的 kerberos 域" - - #: src/providers/krb5/krb5_child.c:3338 - msgid "Requested lifetime of the ticket" -@@ -1904,7 +1904,7 @@ msgstr "使用自定义版本的 krb5_get_init_creds_password" - - #: src/providers/krb5/krb5_child.c:3351 - msgid "Tevent chain ID used for logging purposes" --msgstr "" -+msgstr "用于日志记录的 Tevent 链 ID" - - #: src/providers/krb5/krb5_child.c:3379 src/providers/ldap/ldap_child.c:663 - msgid "talloc_asprintf failed.\n" -@@ -2558,9 +2558,8 @@ msgid "Specify debug level you want to set" - msgstr "指定要设置的调试级别" - - #: src/tools/sssctl/sssctl_logs.c:398 --#, fuzzy - msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" --msgstr "注意:缺少 Tevent 链 ID 支持,请求分析会受到限制。\n" -+msgstr "ERROR:缺少 Tevent 链 ID 支持,不支持日志分析器。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" -@@ -2803,6 +2802,10 @@ msgstr "通知响应者已被 dbus 激活" - #~ "supported SSSD logs.\n" - #~ msgstr "建议对 tevent 链 ID 支持的 SSSD 日志使用 --logdir 选项。\n" - -+#~ msgid "" -+#~ "NOTE: Tevent chain ID support missing, request analysis will be limited.\n" -+#~ msgstr "注意:缺少 Tevent 链 ID 支持,请求分析会受到限制。\n" -+ - #~ msgid "Running under %" - #~ msgstr "运行于 % 下" - -diff --git a/src/man/po/fi.po b/src/man/po/fi.po -index 6ebf97280..e5c596767 100644 ---- a/src/man/po/fi.po -+++ b/src/man/po/fi.po -@@ -4,7 +4,7 @@ msgstr "" - "Project-Id-Version: sssd-docs 2.3.0\n" - "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" - "POT-Creation-Date: 2021-12-20 16:05+0100\n" --"PO-Revision-Date: 2021-09-14 13:04+0000\n" -+"PO-Revision-Date: 2022-01-02 20:16+0000\n" - "Last-Translator: Jan Kuparinen \n" - "Language-Team: Finnish \n" -@@ -13,7 +13,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n != 1;\n" --"X-Generator: Weblate 4.8\n" -+"X-Generator: Weblate 4.10.1\n" - - #. 
type: Content of: - #: sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 -@@ -1393,7 +1393,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> - #: sssd.conf.5.xml:1115 - msgid "default_shell" --msgstr "" -+msgstr "Oletuskomentorivitulkki" - - #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:1118 -@@ -11978,7 +11978,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> - #: sssd-krb5.5.xml:174 - msgid "principal name" --msgstr "" -+msgstr "ensisijaisen nimi" - - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> - #: sssd-krb5.5.xml:178 -@@ -11988,7 +11988,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> - #: sssd-krb5.5.xml:179 - msgid "realm name" --msgstr "" -+msgstr "alueen nimi" - - #. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> - #: sssd-krb5.5.xml:182 -diff --git a/src/man/po/sv.po b/src/man/po/sv.po -index 9123017be..a96d14770 100644 ---- a/src/man/po/sv.po -+++ b/src/man/po/sv.po -@@ -7,7 +7,7 @@ msgstr "" - "Project-Id-Version: sssd-docs 2.3.0\n" - "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" - "POT-Creation-Date: 2021-12-20 16:05+0100\n" --"PO-Revision-Date: 2021-09-17 22:04+0000\n" -+"PO-Revision-Date: 2021-12-31 15:16+0000\n" - "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n" - "Language-Team: Swedish <https://translate.fedoraproject.org/projects/sssd/" - "sssd-manpage-master/sv/>\n" -@@ -16,7 +16,7 @@ msgstr "" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=2; plural=n != 1;\n" --"X-Generator: Weblate 4.8\n" -+"X-Generator: Weblate 4.10.1\n" - - #. type: Content of: <reference><title> - #: sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 -@@ -678,6 +678,9 @@ msgid "" - "e. accessible via <quote>files</quote> service of <filename>nsswitch.conf</" - "filename>." - msgstr "" -+"Både ett användarnamn och ett aid kan användas men användaren skall vara " -+"lokal, d.v.s. åtkomlig via tjänsten <quote>files</quote> i <filename>nsswitch" -+".conf</filename>." - - #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:433 -@@ -3174,6 +3177,8 @@ msgid "" - "Local user names are required, i.e. accessible via <quote>files</quote> " - "service of <filename>nsswitch.conf</filename>." - msgstr "" -+"Lokalt användarnamn krävs, d.v.s. åtkomligt via tjänsten <quote>files</" -+"quote> i <filename>nsswitch.conf</filename>." - - #. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:2177 -@@ -4800,6 +4805,8 @@ msgstr "" - msgid "" - "The AD provider will use this option for the CLDAP ping timeouts as well." - msgstr "" -+"AD-leverantören kommer även att använda detta alternativ för CLDAP-" -+"pingtidsgränsen." - - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:3437 sssd.conf.5.xml:3457 sssd.conf.5.xml:3476 -@@ -15938,7 +15945,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><refsect2><title> - #: sssd-ifp.5.xml:43 - msgid "FIND BY VALID CERTIFICATE" --msgstr "" -+msgstr "HITTA MED GILTIGT CERTIFIKAT" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para> - #: sssd-ifp.5.xml:45 -@@ -15946,6 +15953,8 @@ msgid "" - "The following options can be used to control how the certificates are " - "validated when using the FindByValidCertificate() API:" - msgstr "" -+"Följande alternativ kan användas för att styra hur certifikat valideras när " -+"API:et FindByValidCertificate() används:" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> - #: sssd-ifp.5.xml:48 sss_ssh_authorizedkeys.1.xml:92 -@@ -15964,16 +15973,12 @@ msgstr "certificate_verification" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para> - #: sssd-ifp.5.xml:52 --#, fuzzy --#| msgid "" --#| "For more details, see the <citerefentry> <refentrytitle>sssd.conf</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." - msgid "" - "For more details about the options see <citerefentry><refentrytitle>sssd." - "conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." - msgstr "" --"För fler detaljer, se manualsidan <citerefentry> <refentrytitle>sssd.conf</" --"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." 
-+"För fler detaljer om alternativet, se <citerefentry><refentrytitle>sssd." -+"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." - - #. type: Content of: <reference><refentry><refsect1><para> - #: sssd-ifp.5.xml:62 -@@ -20750,45 +20755,6 @@ msgstr "" - - #. type: Content of: <refsect1><para> - #: include/seealso.xml:4 --#, fuzzy --#| msgid "" --#| "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</" --#| "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" --#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" --#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" --#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sssd-files</" --#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase condition=" --#| "\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " --#| "<manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase condition=" --#| "\"with_secrets\"> <citerefentry> <refentrytitle>sssd-secrets</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " --#| "<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> " --#| "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" --#| "citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" --#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" --#| 
"citerefentry>, <citerefentry> <refentrytitle>sss_seed</" --#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" --#| "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> " --#| "<citerefentry> <refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " --#| "<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " --#| "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" --#| "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " --#| "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" --#| "manvolnum> </citerefentry>, </phrase> <citerefentry> " --#| "<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </" --#| "citerefentry>. <citerefentry> <refentrytitle>sss_rpcidmapd</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <phrase condition=" --#| "\"with_stap\"> <citerefentry> <refentrytitle>sssd-systemtap</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> </phrase>" - msgid "" - "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" - "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" -@@ -20826,41 +20792,42 @@ msgid "" - "citerefentry> </phrase>" - msgstr "" - "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" --"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> <refentrytitle>sssd." 
-+"conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " - "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" --"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> <refentrytitle>sssd-" -+"krb5</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " - "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" --"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> <refentrytitle>sssd-" -+"ipa</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " - "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd-files</" --"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase condition=" --"\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " --"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase condition=" --"\"with_secrets\"> <citerefentry> <refentrytitle>sssd-secrets</refentrytitle> " --"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> " --"<refentrytitle>sssd-session-recording</refentrytitle> <manvolnum>5</" --"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_cache</" --"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> <refentrytitle>sssd-" -+"files</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " -+"condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" -+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " -+"<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> " -+"<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " -+"<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" 
-+"citerefentry>, <citerefentry> " - "<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" --"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> " -+"<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" -+"citerefentry>, <citerefentry> " - "<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" --"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" --"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" --"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" --"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " -+"citerefentry>, <citerefentry> " -+"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" -+"manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " -+"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</" -+"manvolnum> </citerefentry>, <citerefentry> " - "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" - "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " - "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" --"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" --"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " --"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" --"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " --"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" --"citerefentry> </phrase>" -+"manvolnum> </citerefentry>, </phrase> <citerefentry> " -+"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </" -+"citerefentry>. 
<citerefentry> <refentrytitle>sss_rpcidmapd</refentrytitle> " -+"<manvolnum>5</manvolnum> </citerefentry> <phrase condition=\"with_stap\"> " -+"<citerefentry> <refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</" -+"manvolnum> </citerefentry> </phrase>" - - #. type: Content of: <listitem><para> - #: include/ldap_search_bases.xml:3 -diff --git a/src/man/po/uk.po b/src/man/po/uk.po -index dd08f055e..e6477148e 100644 ---- a/src/man/po/uk.po -+++ b/src/man/po/uk.po -@@ -16,7 +16,7 @@ msgstr "" - "Project-Id-Version: sssd-docs 2.3.0\n" - "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" - "POT-Creation-Date: 2021-12-20 16:05+0100\n" --"PO-Revision-Date: 2021-10-20 03:21+0000\n" -+"PO-Revision-Date: 2021-12-22 10:38+0000\n" - "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n" - "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/sssd/" - "sssd-manpage-master/uk/>\n" -@@ -26,7 +26,7 @@ msgstr "" - "Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" - "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n" --"X-Generator: Weblate 4.8\n" -+"X-Generator: Weblate 4.10\n" - - #. type: Content of: <reference><title> - #: sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 -@@ -703,6 +703,9 @@ msgid "" - "e. accessible via <quote>files</quote> service of <filename>nsswitch.conf</" - "filename>." - msgstr "" -+"Можна скористатися іменем користувача і UID, але користувач має бути " -+"локальним, тобто доступним для служби <quote>files</quote> <filename>nsswitch" -+".conf</filename>." - - #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:433 -@@ -3255,6 +3258,8 @@ msgid "" - "Local user names are required, i.e. accessible via <quote>files</quote> " - "service of <filename>nsswitch.conf</filename>." 
- msgstr "" -+"Потрібні локальні імена користувачів, тобто імена, які доступні зі служби " -+"<quote>files</quote> <filename>nsswitch.conf</filename>." - - #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:2177 -@@ -4915,6 +4920,8 @@ msgstr "" - msgid "" - "The AD provider will use this option for the CLDAP ping timeouts as well." - msgstr "" -+"Надавач даних AD використовуватиме цей параметр також для визначення часу " -+"очікування на відгук на луна-імпульс CLDAP." - - #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> - #: sssd.conf.5.xml:3437 sssd.conf.5.xml:3457 sssd.conf.5.xml:3476 -@@ -16286,7 +16293,7 @@ msgstr "" - #. type: Content of: <reference><refentry><refsect1><refsect2><title> - #: sssd-ifp.5.xml:43 - msgid "FIND BY VALID CERTIFICATE" --msgstr "" -+msgstr "ПОШУК ЗА ЧИННИМ СЕРТИФІКАТОМ" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para> - #: sssd-ifp.5.xml:45 -@@ -16294,6 +16301,8 @@ msgid "" - "The following options can be used to control how the certificates are " - "validated when using the FindByValidCertificate() API:" - msgstr "" -+"Для керування тим, як буде виконуватися перевірка, якщо використано " -+"програмний інтерфейс FindByValidCertificate(), використовують такі параметри:" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> - #: sssd-ifp.5.xml:48 sss_ssh_authorizedkeys.1.xml:92 -@@ -16312,15 +16321,11 @@ msgstr "certificate_verification" - - #. type: Content of: <reference><refentry><refsect1><refsect2><para> - #: sssd-ifp.5.xml:52 --#, fuzzy --#| msgid "" --#| "For more details, see the <citerefentry> <refentrytitle>sssd.conf</" --#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." - msgid "" - "For more details about the options see <citerefentry><refentrytitle>sssd." 
- "conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." - msgstr "" --"Щоб дізнатися більше, ознайомтеся зі сторінкою підручника щодо " -+"Щоб дізнатися більше про параметри, ознайомтеся зі сторінкою підручника щодо " - "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" - "manvolnum> </citerefentry>." - --- -2.26.3 - diff --git a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch new file mode 100644 index 0000000..a820d44 --- /dev/null +++ b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch @@ -0,0 +1,34 @@ +From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov <atikhono@redhat.com> +Date: Tue, 16 Aug 2022 21:48:43 +0200 +Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Sumit Bose <sbose@redhat.com> +Reviewed-by: Tomáš Halman <thalman@redhat.com> +(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f) +--- + src/sss_client/nss_mc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h +index de1496ccc..0f88521e9 100644 +--- a/src/sss_client/nss_mc.h ++++ b/src/sss_client/nss_mc.h +@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx { + }; + + #if HAVE_PTHREAD +-#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} ++#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0} + #else +-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} ++#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0} + #endif + + errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx); +-- +2.37.1 + 
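Review bot: `SSS_CLI_MC_CTX_INITIALIZER` remains a positional initializer in both the `HAVE_PTHREAD` and the non-pthread variant, so the corrected `-1` reaches `fd` only while the member order of `struct sss_cli_mc_ctx` never changes. The old value `1` is a valid descriptor number, so a cleanup path that tests `fd != -1` would have treated it as an open file. Designated initializers would tie each value to its member, for example `{ .initialized = UNINITIALIZED, .mutex = (mtx), .fd = -1 }`, with the remaining members zero-initialised implicitly. The struct definition is outside this hunk, so the member names should be confirmed against it.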
diff --git a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
new file mode 100644
index 0000000..f759975
--- /dev/null
+++ b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
@@ -0,0 +1,78 @@
+From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Tue, 16 Aug 2022 21:51:03 +0200
+Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be
+ touched
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
+was creating a possibility for a race.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757)
+---
+ src/sss_client/nss_mc.h | 4 +++-
+ src/sss_client/nss_mc_common.c | 20 ++++++++++----------
+ 2 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
+index 0f88521e9..9ab2736fa 100644
+--- a/src/sss_client/nss_mc.h
++++ b/src/sss_client/nss_mc.h
+@@ -44,7 +44,9 @@ enum sss_mc_state {
+ RECYCLED,
+ };
+
+-/* common stuff */
++/* In the case this structure is extended, don't forget to update
++ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`.
++ */
+ struct sss_cli_mc_ctx {
+ enum sss_mc_state initialized;
+ #if HAVE_PTHREAD
+diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
+index f38a4a85a..3128861bf 100644
+--- a/src/sss_client/nss_mc_common.c
++++ b/src/sss_client/nss_mc_common.c
+@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
+
+ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
+ {
+- uint32_t active_threads = ctx->active_threads;
+-#if HAVE_PTHREAD
+- pthread_mutex_t *mutex = ctx->mutex;
+-#endif
+
+ if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
+ munmap(ctx->mmap_base, ctx->mmap_size);
+ }
++ ctx->mmap_base = NULL;
++ ctx->mmap_size = 0;
++
+ if (ctx->fd != -1) {
+ close(ctx->fd);
+ }
+- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
+ ctx->fd = -1;
+
+- /* restore count of active threads */
+- ctx->active_threads = active_threads;
+-#if HAVE_PTHREAD
+- ctx->mutex = mutex;
+-#endif
++ ctx->seed = 0;
++ ctx->data_table = NULL;
++ ctx->dt_size = 0;
++ ctx->hash_table = NULL;
++ ctx->ht_size = 0;
++ ctx->initialized = UNINITIALIZED;
++ /* `mutex` and `active_threads` should be left intact */
+ }
+
+ static errno_t sss_nss_mc_init_ctx(const char *name,
+--
+2.37.1
+
diff --git a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
new file mode 100644
index 0000000..0e06c29
--- /dev/null
+++ b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
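Review bot: The closing comment in `sss_nss_mc_destroy_ctx()` says `mutex` and `active_threads` "should be left intact" but not why; the reason is given only in the commit message. I would state it where the next maintainer will read it: `/* 'mutex' and 'active_threads' must not be written here: even a brief window with mutex == NULL races with other threads using this context */`. The field-by-field reset also silently skips any member added to `struct sss_cli_mc_ctx` later, which the new comment in nss_mc.h guards against by convention only. The blank line left at the top of the function body after the removed declarations can be dropped.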
@@ -0,0 +1,33 @@
+From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Mon, 15 Aug 2022 16:17:59 -0400
+Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup
+
+Fixes an issue when the sssctl analyzer option is
+used on systems where SSSD is not running or configured. This is
+an expected use case when using --logdir option to analyze external
+log files.
+
+Resolves: https://github.com/SSSD/sssd/issues/6298
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/tools/sssctl/sssctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 3816125ad..f18689f9f 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
+ SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
+ SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
+ SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
+- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze),
++ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+ #ifdef HAVE_LIBINI_CONFIG_V1_3
+ SSS_TOOL_DELIMITER("Configuration files tools:"),
+ SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+--
+2.37.1
+
diff --git a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
new file mode 100644
index 0000000..769e082
--- /dev/null
+++ b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
@@ -0,0 +1,297 @@ +From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001 +From: Justin Stephenson <jstephen@redhat.com> +Date: Fri, 19 Aug 2022 09:50:22 -0400 +Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Client ID is not stored properly to match requests +when parallel requests are made to client SSSD + +Resolves: https://github.com/SSSD/sssd/issues/6307 + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +Reviewed-by: Pavel Březina <pbrezina@redhat.com> + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +--- + src/responder/common/cache_req/cache_req.c | 5 +++-- + .../plugins/cache_req_autofs_entry_by_name.c | 3 ++- + .../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++- + .../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++- + .../plugins/cache_req_ssh_host_id_by_name.c | 3 ++- + src/responder/common/responder.h | 2 +- + src/responder/common/responder_common.c | 12 +++++++----- + src/responder/common/responder_dp.c | 5 +++-- + src/responder/common/responder_get_domains.c | 3 ++- + src/responder/pam/pamsrv_cmd.c | 4 ++-- + 10 files changed, 26 insertions(+), 17 deletions(-) + +diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c +index 4dd45b038..bc65bae71 100644 +--- a/src/responder/common/cache_req/cache_req.c ++++ b/src/responder/common/cache_req/cache_req.c +@@ -24,6 +24,7 @@ + #include <errno.h> + + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "responder/common/responder.h" + #include "responder/common/cache_req/cache_req_private.h" + #include "responder/common/cache_req/cache_req_plugin.h" +@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx, + } + state->first_iteration = true; + +- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n", +- rctx->client_id_num, cr->reqname); ++ 
SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n", ++ sss_chain_id_get(), cr->reqname); + + ret = cache_req_is_well_known_object(state, cr, &result); + if (ret == EOK) { +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +index 788b6708c..b2b0a06eb 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +@@ -24,6 +24,7 @@ + #include "db/sysdb.h" + #include "db/sysdb_autofs.h" + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "providers/data_provider.h" + #include "responder/common/cache_req/cache_req_plugin.h" + +@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx, + be_conn->bus_name, SSS_BUS_PATH, + 0, data->name.name, + data->autofs_entry_name, +- cr->rctx->client_id_num); ++ sss_chain_id_get()); + } + + bool +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +index 5d82641cc..23b11b1cd 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +@@ -24,6 +24,7 @@ + #include "db/sysdb.h" + #include "db/sysdb_autofs.h" + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "providers/data_provider.h" + #include "responder/common/cache_req/cache_req_plugin.h" + +@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx, + return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, + 0, data->name.name, +- cr->rctx->client_id_num); ++ sss_chain_id_get()); + } + + bool +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c 
b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +index 29f289723..18c08ca39 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +@@ -24,6 +24,7 @@ + #include "db/sysdb.h" + #include "db/sysdb_autofs.h" + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "providers/data_provider.h" + #include "responder/common/cache_req/cache_req_plugin.h" + +@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx, + return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, + 0, data->name.name, +- cr->rctx->client_id_num); ++ sss_chain_id_get()); + } + + bool +diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c +index a8b8f47a8..29f52f10d 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c +@@ -23,6 +23,7 @@ + + #include "db/sysdb_ssh.h" + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "providers/data_provider.h" + #include "responder/common/cache_req/cache_req_plugin.h" + +@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx, + return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, + 0, data->name.name, data->alias, +- cr->rctx->client_id_num); ++ sss_chain_id_get()); + } + + static bool +diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h +index 5cb79e3e6..259b3ff13 100644 +--- a/src/responder/common/responder.h ++++ b/src/responder/common/responder.h +@@ -165,13 +165,13 @@ struct cli_ctx { + + struct cli_creds *creds; + char *cmd_line; +- uint64_t old_chain_id; + + void *protocol_ctx; + void *state_ctx; + + struct tevent_timer *idle; + time_t 
last_request_time; ++ uint32_t client_id_num; + }; + + struct sss_cmd_table { +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index 6e3b61ef0..a4ba8ea71 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev, + "Failed to close fd [%d]: [%s]\n", + ctx->cfd, strerror(ret)); + } +- /* Restore the original chain id */ +- sss_chain_id_set(ctx->old_chain_id); + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Terminated client [%p][%d]\n", +@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev, + int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd; + + rctx->client_id_num++; +- + if (accept_ctx->is_private) { + ret = stat(rctx->priv_sock_name, &stat_buf); + if (ret == -1) { +@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev, + + talloc_set_destructor(cctx, cli_ctx_destructor); + ++ cctx->client_id_num = rctx->client_id_num; ++ + len = sizeof(cctx->addr); + cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len); + if (cctx->cfd == -1) { +@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev, + + DEBUG(SSSDBG_TRACE_FUNC, + "[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n", +- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), ++ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), + cctx, cctx->cfd, accept_ctx->is_private ? 
" to privileged pipe" : ""); + + return; +@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr, + uint16_t flags) + { + errno_t ret; ++ uint64_t old_chain_id; + struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx); + + /* Always reset the responder idle timer on any activity */ +@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr, + } + + /* Set the chain id */ +- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num); ++ old_chain_id = sss_chain_id_set(cctx->client_id_num); + + if (flags & TEVENT_FD_READ) { + recv_fn(cctx); +@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr, + send_fn(cctx); + return; + } ++ /* Restore the original chain id */ ++ sss_chain_id_set(old_chain_id); + } + + int sss_connection_setup(struct cli_ctx *cctx) +diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c +index d549e02d3..4b4770da1 100644 +--- a/src/responder/common/responder_dp.c ++++ b/src/responder/common/responder_dp.c +@@ -23,6 +23,7 @@ + #include <sys/time.h> + #include <time.h> + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "responder/common/responder_packet.h" + #include "responder/common/responder.h" + #include "providers/data_provider.h" +@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx, + subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, dp_flags, + entry_type, filter, dom->name, extra, +- rctx->client_id_num); ++ sss_chain_id_get()); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); + ret = ENOMEM; +@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx, + SSS_BUS_PATH, + dp_flags, entry_type, + filter_type, filter_value, +- rctx->client_id_num); ++ sss_chain_id_get()); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); + ret = ENOMEM; +diff --git a/src/responder/common/responder_get_domains.c 
b/src/responder/common/responder_get_domains.c +index 918124756..aeff28d73 100644 +--- a/src/responder/common/responder_get_domains.c ++++ b/src/responder/common/responder_get_domains.c +@@ -19,6 +19,7 @@ + */ + + #include "util/util.h" ++#include "util/sss_chain_id.h" + #include "responder/common/responder.h" + #include "providers/data_provider.h" + #include "db/sysdb.h" +@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx, + be_conn->bus_name, + SSS_BUS_PATH, dp_flags, + entry_type, filter, +- rctx->client_id_num); ++ sss_chain_id_get()); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); + ret = ENOMEM; +diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c +index cb0e1b82f..1695554fc 100644 +--- a/src/responder/pam/pamsrv_cmd.c ++++ b/src/responder/pam/pamsrv_cmd.c +@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) + } + preq->cctx = cctx; + preq->cert_auth_local = false; +- preq->client_id_num = pctx->rctx->client_id_num; ++ preq->client_id_num = cctx->client_id_num; + + preq->pd = create_pam_data(preq); + if (!preq->pd) { +@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) + + pd->cmd = pam_cmd; + pd->priv = cctx->priv; +- pd->client_id_num = pctx->rctx->client_id_num; ++ pd->client_id_num = cctx->client_id_num; + + ret = pam_forwarder_parse_data(cctx, pd); + if (ret == EAGAIN) { +-- +2.37.1 + diff --git a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch new file mode 100644 index 0000000..b2c49e1 --- /dev/null +++ b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch 
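Review bot: In `sss_client_fd_handler()` the added `sss_chain_id_set(old_chain_id);` sits after the `TEVENT_FD_WRITE` branch, which ends in `return;`, so the write path never restores the previous chain id. The read branch is cut by the hunk boundary, but if it returns the same way the restore runs only when neither flag is set. The client's ID then stays active after the handler returns, and later log lines or `sss_chain_id_get()` callers outside a client handler can be attributed to the wrong client, which matters when logs are used to reconstruct who requested what. Restoring before each early return, e.g. `send_fn(cctx); sss_chain_id_set(old_chain_id); return;`, closes that gap. Separately, `"New request [CID #%lu]"` in `cache_req_send()` prints `sss_chain_id_get()` with `%lu`; `old_chain_id` is `uint64_t`, so `PRIu64` is the matching specifier if the getter returns the same type (its prototype is not in the hunk).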
@@ -0,0 +1,185 @@ +From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson <jstephen@redhat.com> +Date: Fri, 19 Aug 2022 14:44:11 -0400 +Subject: [PATCH 9/9] Analyzer: support parallel requests parsing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Analyzer code(primarily the list verbose command) needs +changes to handle parsing the necessary lines from +NSS/PAM log files when multiple intermixed/parallel +client requests are sent to SSSD. + +Resolves: https://github.com/SSSD/sssd/issues/6307 + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +Reviewed-by: Pavel Březina <pbrezina@redhat.com> + +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +--- + src/tools/analyzer/modules/request.py | 119 +++++++++++++++----------- + 1 file changed, 67 insertions(+), 52 deletions(-) + +diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py +index 935e13adc..b9fe3caf8 100644 +--- a/src/tools/analyzer/modules/request.py ++++ b/src/tools/analyzer/modules/request.py +@@ -16,7 +16,6 @@ class RequestAnalyzer: + """ + module_parser = None + consumed_logs = [] +- done = "" + list_opts = [ + Option('--verbose', 'Verbose output', bool, '-v'), + Option('--pam', 'Filter only PAM requests', bool), +@@ -149,58 +148,74 @@ class RequestAnalyzer: + print(line) + return found_results + +- def print_formatted(self, line, verbose): ++ def print_formatted_verbose(self, source, patterns): ++ """ ++ Parse line and print formatted verbose list_requests output ++ ++ Args: ++ source (Reader): source Reader object ++ patterns (list): List of regex patterns to use for ++ matching lines ++ """ ++ # Get CID number, and print the basic line first ++ for line in self.matched_line(source, patterns): ++ cid = self.print_formatted(line) ++ ++ # Loop through each line with this CID number to extract and ++ # print the verbose data needed ++ verbose_patterns = 
["(cache_req_send|cache_req_process_input|" ++ "cache_req_search_send)"] ++ for cidline in self.matched_line(source, verbose_patterns): ++ plugin = "" ++ name = "" ++ id = "" ++ ++ # skip any lines not pertaining to this CID ++ if f"CID#{cid}]" not in cidline: ++ continue ++ if "refreshed" in cidline: ++ continue ++ # CR Plugin name ++ if re.search("cache_req_send", cidline): ++ plugin = cidline.split('\'')[1] ++ # CR Input name ++ elif re.search("cache_req_process_input", cidline): ++ name = cidline.rsplit('[')[-1] ++ # CR Input id ++ elif re.search("cache_req_search_send", cidline): ++ id = cidline.rsplit()[-1] ++ ++ if plugin: ++ print(" - " + plugin) ++ if name: ++ print(" - " + name[:-2]) ++ if (id and ("UID" in cidline or "GID" in cidline)): ++ print(" - " + id) ++ ++ def print_formatted(self, line): + """ + Parse line and print formatted list_requests output + + Args: + line (str): line to parse +- verbose (bool): If true, enable verbose output ++ Returns: ++ Client ID from printed line, 0 otherwise + """ +- plugin = "" +- name = "" +- id = "" +- + # exclude backtrace logs + if line.startswith(' * '): +- return +- fields = line.split("[") +- cr_field = fields[3][7:] +- cr = cr_field.split(":")[0][4:] ++ return 0 + if "refreshed" in line: +- return +- # CR Plugin name +- if re.search("cache_req_send", line): +- plugin = line.split('\'')[1] +- # CR Input name +- elif re.search("cache_req_process_input", line): +- name = line.rsplit('[')[-1] +- # CR Input id +- elif re.search("cache_req_search_send", line): +- id = line.rsplit()[-1] +- # CID and client process name +- else: +- ts = line.split(")")[0] +- ts = ts[1:] +- fields = line.split("[") +- cid = fields[3][4:-9] +- cmd = fields[4][4:-1] +- uid = fields[5][4:-1] +- if not uid.isnumeric(): +- uid = fields[6][4:-1] +- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') +- +- if verbose: +- if plugin: +- print(" - " + plugin) +- if name: +- if cr not in self.done: +- print(" - " + name[:-2]) +- self.done = cr +- if 
id: +- if cr not in self.done: +- print(" - " + id) +- self.done = cr ++ return 0 ++ ts = line.split(")")[0] ++ ts = ts[1:] ++ fields = line.split("[") ++ cid = fields[3][4:-9] ++ cmd = fields[4][4:-1] ++ uid = fields[5][4:-1] ++ if not uid.isnumeric(): ++ uid = fields[6][4:-1] ++ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') ++ return cid + + def list_requests(self, args): + """ +@@ -215,20 +230,20 @@ class RequestAnalyzer: + # Log messages matching the following regex patterns contain + # the useful info we need to produce list output + patterns = [r'\[cmd'] +- patterns.append("(cache_req_send|cache_req_process_input|" +- "cache_req_search_send)") + if args.pam: + component = source.Component.PAM + resp = "pam" + + logger.info(f"******** Listing {resp} client requests ********") + source.set_component(component, False) +- self.done = "" +- for line in self.matched_line(source, patterns): +- if isinstance(source, Journald): +- print(line) +- else: +- self.print_formatted(line, args.verbose) ++ if args.verbose: ++ self.print_formatted_verbose(source, patterns) ++ else: ++ for line in self.matched_line(source, patterns): ++ if isinstance(source, Journald): ++ print(line) ++ else: ++ self.print_formatted(line) + + def track_request(self, args): + """ +-- +2.37.1 + diff --git a/SOURCES/0010-CLIENT-fix-client-fd-leak.patch b/SOURCES/0010-CLIENT-fix-client-fd-leak.patch new file mode 100644 index 0000000..48622c8 --- /dev/null +++ b/SOURCES/0010-CLIENT-fix-client-fd-leak.patch 
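Review bot: `print_formatted()` now returns `0` for backtrace and "refreshed" lines, and `print_formatted_verbose()` uses that value unchecked, so every skipped line triggers a full rescan of the source for `CID#0]`; an `if not cid: continue` right after the call avoids it. The verbose branch of `list_requests()` also drops the `isinstance(source, Journald)` check that the non-verbose branch keeps, so journald lines now reach the `fields[3][4:-9]` slicing, which appears written for the file log layout and may raise `IndexError` on other input (inferred; the journald line format is not shown). The inner loop re-reads all matching lines once per client line, which is quadratic in log size; grouping the `cache_req_*` lines by CID in a single pass would keep the analyzer usable on large logs. The local name `id` shadows the builtin and could be `entry_id`.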
@@ -0,0 +1,295 @@ +From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov <atikhono@redhat.com> +Date: Thu, 25 Aug 2022 18:10:46 +0200 +Subject: [PATCH] CLIENT: fix client fd leak + + - close client socket at thread exit + - only build lock-free client support if libc has required + functionality for a proper cleanup + - use proper mechanisms to init lock_mode only once + +:relnote:Lock-free client support will be only built if libc +provides `pthread_key_create()` and `pthread_once()`. For glibc +this means version 2.34+ + +Reviewed-by: Justin Stephenson <jstephen@redhat.com> +Reviewed-by: Sumit Bose <sbose@redhat.com> +(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb) +--- + configure.ac | 29 +++++++++-- + src/man/Makefile.am | 5 +- + src/man/sssd.8.xml | 2 +- + src/sss_client/common.c | 83 +++++++++++++++++++------------- + src/sss_client/idmap/common_ex.c | 4 ++ + 5 files changed, 84 insertions(+), 39 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 93bd93b85..5a05de41e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]]) + m4_include([src/build_macros.m4]) + BUILD_WITH_SHARED_BUILD_DIR + +-AC_COMPILE_IFELSE( ++ ++SAVE_LIBS=$LIBS ++LIBS= ++AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[#include <pthread.h>]], + [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER; +- (void) m; /* unused */ ++ pthread_mutex_lock(&m); ++ pthread_mutex_unlock(&m); + ]])], + [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.]) + HAVE_PTHREAD=1 + ], +- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])]) ++ [AC_MSG_WARN([Pthread mutex support not found! 
Clients will not be thread safe...])]) ++LIBS=$SAVE_LIBS ++AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) + + +-AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) ++SAVE_LIBS=$LIBS ++LIBS= ++AC_LINK_IFELSE( ++ [AC_LANG_PROGRAM([[#include <pthread.h>]], ++ [[static pthread_key_t k; ++ static pthread_once_t f = PTHREAD_ONCE_INIT; ++ pthread_once(&f, NULL); ++ pthread_key_create(&k, NULL); ++ ]])], ++ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.]) ++ HAVE_PTHREAD_EXT=1 ++ ], ++ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])]) ++LIBS=$SAVE_LIBS ++AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"]) ++ + + # Check library for the timer_create function + SAVE_LIBS=$LIBS +diff --git a/src/man/Makefile.am b/src/man/Makefile.am +index 93dd14819..063ff1bf0 100644 +--- a/src/man/Makefile.am ++++ b/src/man/Makefile.am +@@ -46,9 +46,12 @@ endif + if BUILD_KCM_RENEWAL + KCM_RENEWAL_CONDS = ;enable_kcm_renewal + endif ++if BUILD_LOCKFREE_CLIENT ++LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support ++endif + + +-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS) ++CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS) + + + #Special Rules: +diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml +index df07b7f29..5f507c631 100644 +--- a/src/man/sssd.8.xml ++++ b/src/man/sssd.8.xml +@@ -240,7 +240,7 @@ + If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", + client applications will not use the fast in-memory cache. 
+ </para> +- <para> ++ <para condition="enable_lockfree_support"> + If the environment variable SSS_LOCKFREE is set to "NO", requests + from multiple threads of a single application will be serialized. + </para> +diff --git a/src/sss_client/common.c b/src/sss_client/common.c +index 29c751a50..d762dff49 100644 +--- a/src/sss_client/common.c ++++ b/src/sss_client/common.c +@@ -35,7 +35,6 @@ + #include <stdlib.h> + #include <stdbool.h> + #include <stdint.h> +-#include <stdatomic.h> + #include <string.h> + #include <fcntl.h> + #include <poll.h> +@@ -62,8 +61,15 @@ + + /* common functions */ + ++#ifdef HAVE_PTHREAD_EXT ++static pthread_key_t sss_sd_key; ++static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT; + static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */ + static __thread struct stat sss_cli_sb; /* the sss client stat buffer */ ++#else ++static int sss_cli_sd = -1; /* the sss client socket descriptor */ ++static struct stat sss_cli_sb; /* the sss client stat buffer */ ++#endif + + #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR + __attribute__((destructor)) +@@ -76,6 +82,18 @@ void sss_cli_close_socket(void) + } + } + ++#ifdef HAVE_PTHREAD_EXT ++static void sss_at_thread_exit(void *v) ++{ ++ sss_cli_close_socket(); ++} ++ ++static void init_sd_key(void) ++{ ++ pthread_key_create(&sss_sd_key, sss_at_thread_exit); ++} ++#endif ++ + /* Requests: + * + * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X) +@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout + return -1; + } + ++#ifdef HAVE_PTHREAD_EXT ++ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */ ++ ++ /* It actually doesn't matter what value to set for a key. ++ * The only important thing: key must be non-NULL to ensure ++ * destructor is executed at thread exit. 
++ */ ++ pthread_setspecific(sss_sd_key, &sss_cli_sd); ++#endif ++ + /* set as non-blocking, close on exec, and make sure standard + * descriptors are not used */ + sd = make_safe_fd(sd); +@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len) + } + + #if HAVE_PTHREAD +-bool sss_is_lockfree_mode(void) ++ ++#ifdef HAVE_PTHREAD_EXT ++static bool sss_lock_free = true; ++static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT; ++ ++static void init_lock_mode(void) + { +- const char *env = NULL; +- enum { +- MODE_UNDEF, +- MODE_LOCKING, +- MODE_LOCKFREE +- }; +- static atomic_int mode = MODE_UNDEF; +- +- if (mode == MODE_UNDEF) { +- env = getenv("SSS_LOCKFREE"); +- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { +- mode = MODE_LOCKING; +- } else { +- mode = MODE_LOCKFREE; +- } ++ const char *env = getenv("SSS_LOCKFREE"); ++ ++ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { ++ sss_lock_free = false; + } ++} + +- return (mode == MODE_LOCKFREE); ++bool sss_is_lockfree_mode(void) ++{ ++ pthread_once(&sss_lock_mode_initialized, init_lock_mode); ++ return sss_lock_free; + } ++#endif + + struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; +- + static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; +- +-static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; +- + static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; + + static void sss_mt_lock(struct sss_mutex *m) + { ++#ifdef HAVE_PTHREAD_EXT + if (sss_is_lockfree_mode()) { + return; + } ++#endif + + pthread_mutex_lock(&m->mtx); + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state); +@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m) + + static void sss_mt_unlock(struct sss_mutex *m) + { ++#ifdef HAVE_PTHREAD_EXT + if (sss_is_lockfree_mode()) { + return; + } ++#endif + + pthread_setcancelstate(m->old_cancel_state, NULL); + pthread_mutex_unlock(&m->mtx); 
+@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void) + sss_mt_unlock(&sss_nss_mtx); + } + +-/* NSS mutex wrappers */ ++/* PAM mutex wrappers */ + void sss_pam_lock(void) + { + sss_mt_lock(&sss_pam_mtx); +@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void) + sss_mt_unlock(&sss_pam_mtx); + } + +-/* NSS mutex wrappers */ +-void sss_nss_mc_lock(void) +-{ +- sss_mt_lock(&sss_nss_mc_mtx); +-} +-void sss_nss_mc_unlock(void) +-{ +- sss_mt_unlock(&sss_nss_mc_mtx); +-} +- + /* PAC mutex wrappers */ + void sss_pac_lock(void) + { +diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c +index 4f454cd63..8c4894fd9 100644 +--- a/src/sss_client/idmap/common_ex.c ++++ b/src/sss_client/idmap/common_ex.c +@@ -28,7 +28,9 @@ + #include "common_private.h" + + extern struct sss_mutex sss_nss_mtx; ++#ifdef HAVE_PTHREAD_EXT + bool sss_is_lockfree_mode(void); ++#endif + + #define SEC_FROM_MSEC(ms) ((ms) / 1000) + #define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000) +@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime) + { + int ret; + ++#ifdef HAVE_PTHREAD_EXT + if (sss_is_lockfree_mode()) { + return 0; + } ++#endif + + ret = pthread_mutex_timedlock(&m->mtx, endtime); + if (ret != 0) { +-- +2.37.1 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index b4e367f..bcd13a8 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -18,8 +18,8 @@ %global enable_systemtap_opt --enable-systemtap Name: sssd -Version: 2.6.2 -Release: 3%{?dist} +Version: 2.7.3 +Release: 4%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
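Review bot: `init_sd_key()` discards the result of `pthread_key_create()` and the new block in `sss_cli_open_socket()` discards the result of `pthread_setspecific()`, so a failure of either silently leaves the thread-exit destructor unregistered and the per-thread socket leaks exactly as before. If key creation fails, `sss_sd_key` also keeps its zero static value, and `pthread_setspecific()` may then write to a key owned by other code in the process (inferred from how key values are allocated, not shown here). I would record the outcome in a new static flag, e.g. `sss_sd_key_valid = (pthread_key_create(&sss_sd_key, sss_at_thread_exit) == 0);`, and call `pthread_setspecific()` only when it is set. `sss_at_thread_exit(void *v)` leaves `v` unused, so `(void)v;` would keep `-Wunused-parameter` quiet. `sss_cli_open_socket()` starts and ends outside the hunk.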
@@ -27,10 +27,16 @@ URL: https://github.com/SSSD/sssd Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch -Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch -Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch -Patch0004: 0004-po-update-translations.patch +Patch0001: 0001-Makefile-remove-unneeded-dependency.patch +Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch +Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch +Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch +Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch +Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch +Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch +Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch +Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch +Patch0010: 0010-CLIENT-fix-client-fd-leak.patch ### Downstream Patches ### @@ -104,6 +110,9 @@ BuildRequires: pam_wrapper BuildRequires: p11-kit-devel BuildRequires: openssl-devel BuildRequires: gnutls-utils +BuildRequires: jansson-devel +BuildRequires: libcurl-devel +BuildRequires: libjose-devel BuildRequires: softhsm >= 2.1.0 BuildRequires: openssl BuildRequires: openssh 
@@ -536,6 +545,16 @@ Requires: krb5-libs >= 1.18.2-11 An implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache. +%package idp +Summary: Kerberos plugins and OIDC helper for external identity providers. +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} + +%description idp +This package provides Kerberos plugins that are required to enable +authentication against external identity providers. Additionally a helper +program to handle the OAuth 2.0 Device Authorization Grant is provided. + %prep # Update timestamps on the files touched by a patch, to avoid non-equal # .pyc/.pyo files across the multilib peers within a build, where "Level" @@ -621,6 +640,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache +# Enable krb5 idp plugins by default (when sssd-idp package is installed) +cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \ + $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp + # krb5 configuration snippet cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir @@ -927,6 +950,7 @@ done %{_mandir}/man8/pam_sss.8* %{_mandir}/man8/pam_sss_gss.8* %{_mandir}/man8/sssd_krb5_locator_plugin.8* +%{_mandir}/man8/sssd_krb5_localauth_plugin.8* %files -n libsss_sudo %defattr(-,root,root,-) @@ -1048,6 +1072,12 @@ done %{_unitdir}/sssd-kcm.service %{_mandir}/man8/sssd-kcm.8* +%files idp +%{_libexecdir}/%{servicename}/oidc_child +%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so +%{_datadir}/sssd/krb5-snippets/sssd_enable_idp +%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp + %pre ipa getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd 
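Review bot: `%description idp` does not mention that installing the package also places `sssd_enable_idp` in `%{_sysconfdir}/krb5.conf.d/`, which per the comment in the `%install` hunk enables the krb5 idp plugins by default. An administrator reading the description would not expect a host-wide Kerberos configuration change from installing a plugin package, so I would add a sentence such as `Installing this package enables the plugins through a snippet in the krb5.conf.d directory.` The `%files idp` list also omits the `%defattr(-,root,root,-)` line that `%files -n libsss_sudo` carries in the hunk above it; it is probably redundant with current rpm, but the sections should agree one way or the other.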
@@ -1157,6 +1187,48 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4 +- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 + +* Tue Aug 23 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-3 +- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 +- Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured +- Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend + +* Wed Aug 10 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-2 +- Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases +- Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs +- Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL + +* Wed Jul 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-1 +- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 +- Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization + +* Mon Jun 20 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.2-1 +- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 +- Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets +- Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file +- Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 +- Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf +- Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP +- Resolves: rhbz#2098615 - Regression "Missing internal domain 
data." when setting ad_domain to incorrect +- Resolves: rhbz#2098617 - Harden kerberos ticket validation +- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol + +* Wed May 18 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-2 +- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 +- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options) +- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. +- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 +- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() +- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd +- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop +- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send +- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker +- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol +- Resolves: rhbz#2087745 - 2FA prompting setting ineffective +- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language + * Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3 - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.