diff --git a/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch b/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
new file mode 100644
index 0000000..ca3d905
--- /dev/null
+++ b/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
@@ -0,0 +1,40 @@
+From cd48ef5071741443e3b84e100a4d4d28e3578e4f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 25 Jan 2021 15:14:05 +0200
+Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When IPA allows to add AD users and groups directly to sudo rules
+(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
+Thus, we don't need to add additional '%'.
+
+Resolves: https://github.com/SSSD/sssd/issues/5475
+Signed-off-by: Alexander Bokovoy
+
+Reviewed-by: Pavel Březina
+---
+ src/providers/ipa/ipa_sudo_conversion.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
+index cfb41d8b0..1bfee096d 100644
+--- a/src/providers/ipa/ipa_sudo_conversion.c
++++ b/src/providers/ipa/ipa_sudo_conversion.c
+@@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
+ const char *value,
+ bool *skip_entry)
+ {
++ if (value == NULL)
++ return NULL;
++
++ if (value[0] == '%')
++ return talloc_strdup(mem_ctx, value);
++
+ return talloc_asprintf(mem_ctx, "%%%s", value);
+ }
+
+--
+2.21.3
+
diff --git a/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch b/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch
new file mode 100644
index 0000000..e61ec25
--- /dev/null
+++ b/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch
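Review bot: A NULL `value` now makes convert_runasextusergroup return NULL without touching `skip_entry`, so the caller (outside this hunk) cannot distinguish a missing attribute from an allocation failure; if the caller maps NULL to ENOMEM, a rule with an absent runas group would abort the whole conversion instead of being skipped. If that is intended it deserves a comment; otherwise set `*skip_entry = true;` before the `return NULL;`, or leave the NULL case to the caller. The `'%'` shortcut also passes the directory-supplied prefix through verbatim, which is worth stating above the check, e.g. `/* FreeIPA 4.9.1+ stores external groups already prefixed with '%'; do not double it. */`. The function's signature line precedes the hunk.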
@@ -0,0 +1,199 @@ +From e07eeea7df55ede36ac0978ac904c1bb11188265 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 20 Jan 2021 17:48:44 +0100 +Subject: [PATCH 41/42] responders: add callback to schedule_get_domains_task() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To allow responders to run dedicated code at the end of the initial +getDomains request a callback is added. + +Resolves: https://github.com/SSSD/sssd/issues/5469 + +Reviewed-by: Tomáš Halman +--- + src/responder/autofs/autofssrv.c | 2 +- + src/responder/common/responder.h | 5 ++++- + src/responder/common/responder_get_domains.c | 12 +++++++++++- + src/responder/ifp/ifpsrv.c | 2 +- + src/responder/nss/nsssrv.c | 3 ++- + src/responder/pac/pacsrv.c | 2 +- + src/responder/pam/pamsrv.c | 3 ++- + src/responder/ssh/sshsrv.c | 2 +- + src/responder/sudo/sudosrv.c | 2 +- + src/tests/cmocka/test_responder_common.c | 2 +- + 10 files changed, 25 insertions(+), 10 deletions(-) + +diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c +index 27de1b44a..130eaf775 100644 +--- a/src/responder/autofs/autofssrv.c ++++ b/src/responder/autofs/autofssrv.c +@@ -142,7 +142,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h +index f83ba1bc0..ff0559c08 100644 +--- a/src/responder/common/responder.h ++++ b/src/responder/common/responder.h +@@ -366,10 +366,13 @@ errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_domain); + ++typedef void (get_domains_callback_fn_t)(void *); + errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct 
resp_ctx *rctx, +- struct sss_nc_ctx *optional_ncache); ++ struct sss_nc_ctx *optional_ncache, ++ get_domains_callback_fn_t *callback, ++ void *callback_pvt); + + errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string, + bool allow_sss_loop, +diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c +index e551b0fff..12b6e9028 100644 +--- a/src/responder/common/responder_get_domains.c ++++ b/src/responder/common/responder_get_domains.c +@@ -430,6 +430,8 @@ static errno_t check_last_request(struct resp_ctx *rctx, const char *hint) + struct get_domains_state { + struct resp_ctx *rctx; + struct sss_nc_ctx *optional_ncache; ++ get_domains_callback_fn_t *callback; ++ void *callback_pvt; + }; + + static void get_domains_at_startup_done(struct tevent_req *req) +@@ -462,6 +464,10 @@ static void get_domains_at_startup_done(struct tevent_req *req) + } + } + ++ if (state->callback != NULL) { ++ state->callback(state->callback_pvt); ++ } ++ + talloc_free(state); + return; + } +@@ -489,7 +495,9 @@ static void get_domains_at_startup(struct tevent_context *ev, + errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, +- struct sss_nc_ctx *optional_ncache) ++ struct sss_nc_ctx *optional_ncache, ++ get_domains_callback_fn_t *callback, ++ void *callback_pvt) + { + struct tevent_immediate *imm; + struct get_domains_state *state; +@@ -500,6 +508,8 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx, + } + state->rctx = rctx; + state->optional_ncache = optional_ncache; ++ state->callback = callback; ++ state->callback_pvt = callback_pvt; + + imm = tevent_create_immediate(mem_ctx); + if (imm == NULL) { +diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c +index 7407ee07b..ee1452728 100644 +--- a/src/responder/ifp/ifpsrv.c ++++ b/src/responder/ifp/ifpsrv.c +@@ -266,7 +266,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx, + return EIO; + } + +- ret = 
schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "schedule_get_domains_tasks failed.\n"); +diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c +index e80104e3d..2b7958e80 100644 +--- a/src/responder/nss/nsssrv.c ++++ b/src/responder/nss/nsssrv.c +@@ -557,7 +557,8 @@ int nss_process_init(TALLOC_CTX *mem_ctx, + } + responder_set_fd_limit(fd_limit); + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache, ++ NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c +index 217f83c26..96935150b 100644 +--- a/src/responder/pac/pacsrv.c ++++ b/src/responder/pac/pacsrv.c +@@ -129,7 +129,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c +index de1620e82..8b1ce2e92 100644 +--- a/src/responder/pam/pamsrv.c ++++ b/src/responder/pam/pamsrv.c +@@ -246,7 +246,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, + } + responder_set_fd_limit(fd_limit); + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache, ++ NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto done; +diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c +index 6072a702c..e79a0438c 100644 +--- a/src/responder/ssh/sshsrv.c ++++ 
b/src/responder/ssh/sshsrv.c +@@ -126,7 +126,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c +index 5951b17b1..dc4a44b2f 100644 +--- a/src/responder/sudo/sudosrv.c ++++ b/src/responder/sudo/sudosrv.c +@@ -102,7 +102,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c +index 5fc0d712d..29356253b 100644 +--- a/src/tests/cmocka/test_responder_common.c ++++ b/src/tests/cmocka/test_responder_common.c +@@ -265,7 +265,7 @@ void test_schedule_get_domains_task(void **state) + ret = schedule_get_domains_task(dummy_ncache_ptr, + parse_inp_ctx->rctx->ev, + parse_inp_ctx->rctx, +- dummy_ncache_ptr); ++ dummy_ncache_ptr, NULL, NULL); + assert_int_equal(ret, EOK); + + ret = test_ev_loop(parse_inp_ctx->tctx); +-- +2.21.3 + diff --git a/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch b/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch new file mode 100644 index 0000000..882f567 --- /dev/null +++ b/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch 
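Review bot: The new callback in get_domains_at_startup_done runs only on the path that reaches the final `talloc_free(state)` and carries no status, so a responder cannot tell whether the initial getDomains request actually succeeded, and any earlier error exit in that function (outside the hunk) would skip the callback silently. The typedef added to responder.h has no comment; it should state when the callback fires, that it fires at most once, and that `callback_pvt` is stored as a raw pointer in `state` and so must stay valid until the scheduled immediate and its completion have run. Consider passing the outcome along, e.g. `typedef void (get_domains_callback_fn_t)(errno_t ret, void *pvt);`, so callers such as the PAM responder can react to a failed lookup rather than assume fresh data.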
@@ -0,0 +1,64 @@ +From cb936e92041d63f79a74c30bae8140c74a18dbc0 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 20 Jan 2021 18:25:04 +0100 +Subject: [PATCH 42/42] pam: refresh certificate maps at the end of initial + domains lookup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +During startup SSSD's responders send a getDomains request to all +backends to refresh some domain related needed by the responders. + +The PAM responder specifically needs the certificate mapping and +matching rules when Smartcard authentication is enable. Currently the +rules are not refreshed at the end of the initial request but the code +assumed that the related structures are initialized after the request +finished. + +To avoid a race condition this patch adds a callback to the end of the +request to make sure the rules are properly refreshed even if they are +already initialized before. + +Resolves: https://github.com/SSSD/sssd/issues/5469 + +Reviewed-by: Tomáš Halman +--- + src/responder/pam/pamsrv.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c +index 8b1ce2e92..65370662d 100644 +--- a/src/responder/pam/pamsrv.c ++++ b/src/responder/pam/pamsrv.c +@@ -154,6 +154,18 @@ static errno_t get_app_services(struct pam_ctx *pctx) + return EOK; + } + ++static void pam_get_domains_callback(void *pvt) ++{ ++ struct pam_ctx *pctx; ++ int ret; ++ ++ pctx = talloc_get_type(pvt, struct pam_ctx); ++ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n"); ++ } ++} ++ + static int pam_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb, +@@ -247,7 +259,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, + responder_set_fd_limit(fd_limit); + + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache, +- NULL, 
NULL); ++ pam_get_domains_callback, pctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto done; +-- +2.21.3 + diff --git a/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch b/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch new file mode 100644 index 0000000..eb99c88 --- /dev/null +++ b/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch 
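Review bot: `talloc_get_type(pvt, struct pam_ctx)` in pam_get_domains_callback yields NULL on a talloc-name mismatch and the next line dereferences `pctx->rctx`; the pointer comes from the responder's own schedule call, so a mismatch is a programming error, but it should fail loudly rather than crash inside an event callback: `pctx = talloc_get_type_abort(pvt, struct pam_ctx);`. The callback also only logs a failed `p11_refresh_certmap_ctx` at SSSDBG_OP_FAILURE and carries on, which presumably leaves Smartcard authentication running against stale or uninitialized certificate maps — a short comment on whether that is acceptable, and why, would help since the commit message frames this as a race fix. `ret` is declared `int` while the neighbouring get_app_services uses `errno_t` for the same EOK-style result.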
@@ -0,0 +1,134 @@ +From 0c6924b8d474daf35ee30d74e5496957e503b206 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 20 Jan 2021 15:40:34 +0100 +Subject: [PATCH] SBUS: set sbus_name before dp_init_send() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some async task might access sbus_name before dp_initialized() was executed + +Resolves: https://github.com/SSSD/sssd/issues/5466 + +Reviewed-by: Pavel Březina +--- + src/providers/data_provider/dp.c | 21 ++++----------------- + src/providers/data_provider/dp.h | 6 +++--- + src/providers/data_provider_be.c | 12 ++++++++++-- + 3 files changed, 17 insertions(+), 22 deletions(-) + +diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c +index 90324d74d..64fe847b2 100644 +--- a/src/providers/data_provider/dp.c ++++ b/src/providers/data_provider/dp.c +@@ -134,7 +134,6 @@ static int dp_destructor(struct data_provider *provider) + struct dp_init_state { + struct be_ctx *be_ctx; + struct data_provider *provider; +- char *sbus_name; + }; + + static void dp_init_done(struct tevent_req *subreq); +@@ -144,7 +143,8 @@ dp_init_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + uid_t uid, +- gid_t gid) ++ gid_t gid, ++ const char *sbus_name) + { + struct dp_init_state *state; + struct tevent_req *subreq; +@@ -177,13 +177,6 @@ dp_init_send(TALLOC_CTX *mem_ctx, + state->provider->gid = gid; + state->provider->be_ctx = be_ctx; + +- state->sbus_name = sss_iface_domain_bus(state, be_ctx->domain); +- if (state->sbus_name == NULL) { +- DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n"); +- ret = ENOMEM; +- goto done; +- } +- + /* Initialize data provider bus. Data provider can receive client + * registration and other D-Bus methods. 
However no data provider + * request will be executed as long as the modules and targets +@@ -192,7 +185,7 @@ dp_init_send(TALLOC_CTX *mem_ctx, + talloc_set_destructor(state->provider, dp_destructor); + + subreq = sbus_server_create_and_connect_send(state->provider, ev, +- state->sbus_name, NULL, sbus_address, true, 1000, uid, gid, ++ sbus_name, NULL, sbus_address, true, 1000, uid, gid, + (sbus_server_on_connection_cb)dp_client_init, + (sbus_server_on_connection_data)state->provider); + if (subreq == NULL) { +@@ -270,16 +263,10 @@ done: + } + + errno_t dp_init_recv(TALLOC_CTX *mem_ctx, +- struct tevent_req *req, +- const char **_sbus_name) ++ struct tevent_req *req) + { +- struct dp_init_state *state; +- state = tevent_req_data(req, struct dp_init_state); +- + TEVENT_REQ_RETURN_ON_ERROR(req); + +- *_sbus_name = talloc_steal(mem_ctx, state->sbus_name); +- + return EOK; + } + +diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h +index a8b6e9f3a..95c6588ad 100644 +--- a/src/providers/data_provider/dp.h ++++ b/src/providers/data_provider/dp.h +@@ -122,11 +122,11 @@ dp_init_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + uid_t uid, +- gid_t gid); ++ gid_t gid, ++ const char *sbus_name); + + errno_t dp_init_recv(TALLOC_CTX *mem_ctx, +- struct tevent_req *req, +- const char **_sbus_name); ++ struct tevent_req *req); + + bool _dp_target_enabled(struct data_provider *provider, + const char *module_name, +diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c +index f059a3f96..8458146ea 100644 +--- a/src/providers/data_provider_be.c ++++ b/src/providers/data_provider_be.c +@@ -565,7 +565,15 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx, + goto done; + } + +- req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid); ++ be_ctx->sbus_name = sss_iface_domain_bus(be_ctx, be_ctx->domain); ++ if (be_ctx->sbus_name == NULL) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus 
backend name.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid, ++ be_ctx->sbus_name); + if (req == NULL) { + ret = ENOMEM; + goto done; +@@ -612,7 +620,7 @@ static void dp_initialized(struct tevent_req *req) + + be_ctx = tevent_req_callback_data(req, struct be_ctx); + +- ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name); ++ ret = dp_init_recv(be_ctx, req); + talloc_zfree(req); + if (ret != EOK) { + goto done; +-- +2.21.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index ebb7edc..0bc7768 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -26,7 +26,7 @@ Name: sssd Version: 2.4.0 -Release: 6%{?dist} +Release: 7%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -73,6 +73,10 @@ Patch0036: 0036-SBUS-do-not-try-to-del-non-existing-sender.patch Patch0037: 0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch Patch0038: 0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch Patch0039: 0039-pam_sss_gssapi-fix-coverity-issues.patch +Patch0040: 0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch +Patch0041: 0041-responders-add-callback-to-schedule_get_domains_task.patch +Patch0042: 0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch +Patch0043: 0043-SBUS-set-sbus_name-before-dp_init_send.patch ### Downstream Patches ### @@ -197,6 +201,7 @@ Recommends: libsss_sudo = %{version}-%{release} Recommends: libsss_autofs%{?_isa} = %{version}-%{release} Recommends: sssd-nfs-idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Requires(pre): shadow-utils %{?systemd_requires} @@ -253,6 +258,7 @@ Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: sssd-dbus %description tools 
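Review bot: `dp_init_recv` keeps its `TALLOC_CTX *mem_ctx` parameter although its only use, the `talloc_steal` of `sbus_name`, is removed in this hunk, so the parameter is now dead and suggests an ownership transfer that no longer happens; either drop it from dp.h and the `dp_initialized()` call, or mark it unused. The `const char *sbus_name` given to dp_init_send is handed straight to sbus_server_create_and_connect_send, and `be_ctx->sbus_name` is allocated under `be_ctx`; unless sbus_server copies the name (not visible here), the dp.h declaration should say so, e.g. `/* sbus_name is not copied and must outlive the provider */`. The function bodies of dp_init_send and be_process_init extend beyond the hunk.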
@@ -307,6 +313,7 @@ Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} %description ldap Provides the LDAP back end that the SSSD can utilize to fetch identity data @@ -357,6 +364,7 @@ Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libipa_hbac%{?_isa} = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: bind-utils Requires: sssd-common-pac = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} @@ -376,6 +384,7 @@ Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: sssd-common-pac = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: bind-utils Recommends: adcli Suggests: sssd-libwbclient = %{version}-%{release} @@ -1248,6 +1257,11 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Tue Jan 26 2021 Alexey Tikhonov - 2.4.0-7 +- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules +- Resolves: rhbz#1918433 - sssd unable to lookup certmap rules +- Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11 + * Mon Jan 18 2021 Alexey Tikhonov - 2.4.0-6 - Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched - Resolves: rhbz#1915395 - Memory leak in the simple access provider