diff --git a/SOURCES/0074-util-inotify-fixed-bug-in-inotify-event-processing.patch b/SOURCES/0074-util-inotify-fixed-bug-in-inotify-event-processing.patch new file mode 100644 index 0000000..688c3a3 --- /dev/null +++ b/SOURCES/0074-util-inotify-fixed-bug-in-inotify-event-processing.patch @@ -0,0 +1,101 @@ +From 758b99590a8e1f69b4487fad9cf343525797e05f Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 12 Jun 2020 20:45:23 +0200 +Subject: [PATCH] util/inotify: fixed bug in inotify event processing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Error was spotted with the help of the following warning: +``` +Error: CLANG_WARNING: +sssd-2.3.1/src/util/inotify.c:327:21: warning: Value stored to 'rewatch' is never read + # rewatch = true; + # ^ ~~~~ +``` + +First part of the issue was that EAGAIN returned by the process_dir_event() +didn't trigger snotify_rewatch() (as suggested by the comments). +Fixing this part is already enough to resolve issue #1031 (as it was +reported). + +Another part of the issue was that process_file_event() return code wasn't +checked against EAGAIN (again, as suggested by the DEBUG message). +Strictly speaking, I'm not sure if this part is really required or +if processing DIR events would cover all cases, but rebuilding watches +on IN_IGNORED won't hurt. + +Resolves: https://github.com/SSSD/sssd/issues/1031 + +Reviewed-by: Tomáš Halman +(cherry picked from commit 0c5711f9bae1cb46d4cd3fbe5d86d8688087be13) + +Reviewed-by: Tomáš Halman +--- + src/util/inotify.c | 29 ++++++++++++----------------- + 1 file changed, 12 insertions(+), 17 deletions(-) + +diff --git a/src/util/inotify.c b/src/util/inotify.c +index ffc15ad4d..11a2e0f32 100644 +--- a/src/util/inotify.c ++++ b/src/util/inotify.c +@@ -286,7 +286,7 @@ static void snotify_internal_cb(struct tevent_context *ev, + struct snotify_ctx *snctx; + ssize_t len; + errno_t ret; +- bool rewatch; ++ bool rewatch = false; + + snctx = talloc_get_type(data, struct snotify_ctx); + if (snctx == NULL) { +@@ -305,7 +305,7 @@ static void snotify_internal_cb(struct tevent_context *ev, + } else { + DEBUG(SSSDBG_TRACE_INTERNAL, "All inotify events processed\n"); + } +- return; ++ break; + } + + if ((size_t) len < sizeof(struct inotify_event)) { +@@ -323,28 +323,23 @@ static void snotify_internal_cb(struct tevent_context *ev, + + if (snctx->wctx->dir_wd == in_event->wd) { + ret = process_dir_event(snctx, in_event); +- if (ret == EAGAIN) { +- rewatch = true; +- /* Continue with the loop and read all the events from +- * this descriptor first, then rewatch when done +- */ +- } else if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Failed to process inotify event\n"); +- continue; +- } + } else if (snctx->wctx->file_wd == in_event->wd) { + ret = process_file_event(snctx, in_event); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Failed to process inotify event\n"); +- continue; +- } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unknown watch %d\n", in_event->wd); + ret = EOK; + } ++ ++ if (ret == EAGAIN) { ++ rewatch = true; ++ /* Continue with the loop and read all the events from ++ * this descriptor first, then rewatch when done ++ */ ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Failed to process inotify event\n"); ++ } + } + } + +-- +2.26.3 + diff --git a/SOURCES/0075-sdap-always-create-sdap-object-for-a-forest-root.patch b/SOURCES/0075-sdap-always-create-sdap-object-for-a-forest-root.patch new file mode 100644 index 0000000..cc17c34 --- /dev/null +++ b/SOURCES/0075-sdap-always-create-sdap-object-for-a-forest-root.patch @@ -0,0 +1,54 @@ +From 46b194196749d4ea77d5d4e6bdd64d7c0996b105 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 31 Aug 2021 12:59:15 +0200 +Subject: [PATCH] sdap: always create sdap object for a forest root +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Even if the forest root is disabled for user and group lookups a sdap +object is needed to lookup trusted domains. + +This already works if the forest root is discovered for the first time +at runtime. But if SSSD is restarted only the domain object but not the +sdap object is created. + +Resolves: https://github.com/SSSD/sssd/issues/5770 + +:fixes: Even if the forest root is disabled for lookups all required + internal data is initialized to be able to refresh the list of trusted + domains in the forest from a DC of the forest root. + +Reviewed-by: Pavel Březina +(cherry picked from commit 2a617c0efc07d10efc0688652bfe7ab2d8d6f477) +--- + src/providers/ldap/sdap_domain.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c +index d384b2e4a..fa6e9340d 100644 +--- a/src/providers/ldap/sdap_domain.c ++++ b/src/providers/ldap/sdap_domain.c +@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx, + struct sdap_domain *sdom, *sditer; + errno_t ret; + +- for (dom = get_next_domain(parent, SSS_GND_DESCEND); ++ for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED); + dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ +- dom = get_next_domain(dom, 0)) { ++ dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) { ++ ++ /* Always create sdap domain object for the forest root, even if it is ++ * disabled so that we can connect later to discover trusted domains ++ * in the forest. */ ++ if (sss_domain_get_state(dom) == DOM_DISABLED ++ && !sss_domain_is_forest_root(dom)) { ++ continue; ++ } + + DLIST_FOR_EACH(sditer, sdom_list) { + if (sditer->dom == dom) { +-- +2.26.3 + diff --git a/SOURCES/0076-ad-filter-trusted-domains.patch b/SOURCES/0076-ad-filter-trusted-domains.patch new file mode 100644 index 0000000..eb4161d --- /dev/null +++ b/SOURCES/0076-ad-filter-trusted-domains.patch @@ -0,0 +1,188 @@ +From 87aaf96ab7bd39698c41625d56602ca3de943b87 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 6 Oct 2021 13:03:27 +0200 +Subject: [PATCH] ad: filter trusted domains +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The fix for https://github.com/SSSD/sssd/issues/5528 might discover +domains which are not trusted (one-way trust) or are from a different +forest (direct trust). Both should be ignored because they are not +trusted or can currently not be handled properly. This patch filters out +those domains. + +Resolves: https://github.com/SSSD/sssd/issues/5819 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit 4c48c4a7792961cf8a228c76975ac370d32904e1) +--- + src/providers/ad/ad_subdomains.c | 104 +++++++++++++++++++++++++++++-- + 1 file changed, 99 insertions(+), 5 deletions(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 9b32196b7..6b98cdf1d 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -46,6 +46,7 @@ + #define AD_AT_TRUST_PARTNER "trustPartner" + #define AD_AT_TRUST_ATTRS "trustAttributes" + #define AD_AT_DOMAIN_NAME "cn" ++#define AD_AT_TRUST_DIRECTION "trustDirection" + + /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See + * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx +@@ -69,6 +70,12 @@ + /* do not refresh more often than every 5 seconds for now */ + #define AD_SUBDOMAIN_REFRESH_LIMIT 5 + ++/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */ ++#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x00000020 ++ ++/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */ ++#define TRUST_DIRECTION_OUTBOUND 0x00000002 ++ + static void + ad_disable_gc(struct ad_options *ad_options) + { +@@ -646,6 +653,85 @@ done: + return ret; + } + ++/* When reading trusted domains from the local DC we are basically interested ++ * in domains from the local forest we are trusting, i.e. users from this ++ * domain can connect to us. To not unnecessarily bloat the list of domains ++ * and make multi-domain searches slow we filter domains from other forest and ++ * domains we do not trust. ++ * In future we might add config options to broaden the scope and allow more ++ * domains. ++ * If ad_filter_domains() returns successfully with EOK in input array is not ++ * valid anymore and should be freed by the caller. */ ++static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx, ++ struct sysdb_attrs **subdomains, ++ size_t num_subdomains, ++ struct sysdb_attrs ***_sd_out, ++ size_t *_num_sd_out) ++{ ++ int ret; ++ size_t c; ++ uint32_t tmp_uint32_t; ++ const char *value; ++ struct sysdb_attrs **sd_out; ++ size_t num_sd_out = 0; ++ ++ sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *, ++ num_subdomains + 1); ++ if (sd_out == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Failed to allocate memory for sub-domain list.\n"); ++ return ENOMEM; ++ } ++ ++ for (c = 0; c < num_subdomains; c++) { ++ ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER, ++ &value); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); ++ talloc_free(sd_out); ++ return ret; ++ } ++ ++ /* Ignore direct trusts to domains from other forests ++ * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not ++ * trust (TRUST_DIRECTION_OUTBOUND is not set) */ ++ ++ tmp_uint32_t = 0; ++ ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS, ++ &tmp_uint32_t); ++ if (ret != EOK ++ || (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) { ++ DEBUG(SSSDBG_FUNC_DATA, ++ "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n", ++ value); ++ continue; ++ } ++ ++ tmp_uint32_t = 0; ++ ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION, ++ &tmp_uint32_t); ++ if (ret != EOK ++ || (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0) { ++ DEBUG(SSSDBG_FUNC_DATA, ++ "TRUST_DIRECTION_OUTBOUND not set for [%s].\n", ++ value); ++ continue; ++ } ++ ++ sd_out[num_sd_out] = subdomains[c]; ++ num_sd_out++; ++ } ++ ++ for (c = 0; c < num_sd_out; c++) { ++ sd_out[c] = talloc_steal(sd_out, sd_out[c]); ++ } ++ ++ *_sd_out = sd_out; ++ *_num_sd_out = num_sd_out; ++ ++ return EOK; ++} ++ + /* How many times we keep a domain not found during searches before it will be + * removed. */ + #define MAX_NOT_FOUND 6 +@@ -1128,7 +1214,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq) + errno_t ret; + const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER, + AD_AT_SID, AD_AT_TRUST_TYPE, +- AD_AT_TRUST_ATTRS, NULL }; ++ AD_AT_TRUST_ATTRS, AD_AT_TRUST_DIRECTION, NULL }; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_get_slave_domain_state); +@@ -1336,7 +1422,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx, + struct sdap_options *opts; + errno_t ret; + const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER, +- AD_AT_SID, AD_AT_TRUST_TYPE, ++ AD_AT_SID, AD_AT_TRUST_TYPE, AD_AT_TRUST_DIRECTION, + AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL }; + + req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state); +@@ -1414,13 +1500,15 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) + struct ad_get_root_domain_state *state; + errno_t ret; + bool has_changes = false; ++ struct sysdb_attrs **unfiltered_reply; ++ size_t unfiltered_reply_count; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_get_root_domain_state); + + ret = sdap_search_bases_return_first_recv(subreq, state, +- &state->reply_count, +- &state->reply); ++ &unfiltered_reply_count, ++ &unfiltered_reply); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information " +@@ -1428,7 +1516,13 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) + goto done; + } + +- find_domain(state->reply_count, state->reply, state->forest); ++ ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count, ++ &state->reply, &state->reply_count); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Failed to filter list of returned domains.\n"); ++ goto done; ++ } + + if (state->reply_count == 0 + || find_domain(state->reply_count, state->reply, +-- +2.26.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index f78d819..72da1e1 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -50,7 +50,7 @@ Name: sssd Version: 1.16.5 -Release: 10%{?dist}.10 +Release: 10%{?dist}.11 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -132,6 +132,9 @@ Patch0070: 0070-AD-do-not-override-LDAP-data-during-GC-lookups.patch Patch0071: 0071-simple-fix-memory-leak-while-reloading-lists.patch Patch0072: 0072-TOOLS-replace-system-with-execvp.patch Patch0073: 0073-cldap.patch +Patch0074: 0074-util-inotify-fixed-bug-in-inotify-event-processing.patch +Patch0075: 0075-sdap-always-create-sdap-object-for-a-forest-root.patch +Patch0076: 0076-ad-filter-trusted-domains.patch #Those patches should not be removed in RHEL-7 Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1307,6 +1310,11 @@ systemctl try-restart sssd >/dev/null 2>&1 || : } %changelog +* Tue Nov 02 2021 Alexey Tikhonov 1.16.5-10.11 +- Resolves: rhbz#1968316 - SSSD: User authentication failing after server reboot. +- Resolves: rhbz#2000238 - disabled root ad domain causes subdomains to be marked offline +- Resolves: rhbz#1984591 - After sssd update to 1.16.5-10.el7_9.8.x86_64 the customer is facing slow connection/authentication (due to discovery of unexpected AD domains) + * Wed Aug 11 2021 Alexey Tikhonov 1.16.5-10.10 - Resolves: rhbz#1973796 - SSSD is NOT able to contact the Global Catalog when local site is down