diff --git a/SOURCES/0036-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch b/SOURCES/0036-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
new file mode 100644
index 0000000..396cfcd
--- /dev/null
+++ b/SOURCES/0036-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
@@ -0,0 +1,81 @@
+From 442cd658329251d8390dd5bd790d86c78ead88ab Mon Sep 17 00:00:00 2001
+From: Tomas Halman
+Date: Mon, 24 Jun 2019 15:58:09 +0200
+Subject: [PATCH] LDAP: failover does not work on non-responsive ldaps
+
+In case ldaps:// is used, then establishing the secure socket is
+a sychronous operation. If there's nothing on the other end, then
+the process would be stuck waiting in for the crypto library
+to finish.
+
+Here we set socket read/write timeout so the operation can finish
+in reasonable time with an error. The ldap_network_timeout
+option is used for this timeout.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2878
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 2d657dffb419640860e46ed417137b0e2cc7d9af)
+---
+ src/util/sss_sockets.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
+index 5e9be9ebd..0e4d8df8a 100644
+--- a/src/util/sss_sockets.c
++++ b/src/util/sss_sockets.c
+@@ -74,10 +74,11 @@ static errno_t set_fcntl_flags(int fd, int fd_flags, int fl_flags)
+ return EOK;
+ }
+
+-static errno_t set_fd_common_opts(int fd)
++static errno_t set_fd_common_opts(int fd, int timeout)
+ {
+ int dummy = 1;
+ int ret;
++ struct timeval tv;
+
+ /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but
+ * failures are ignored.*/
+@@ -97,6 +98,27 @@ static errno_t set_fd_common_opts(int fd)
+ strerror(ret));
+ }
+
++ if (timeout > 0) {
++ /* Set socket read & write timeout */
++ tv = tevent_timeval_set(timeout, 0);
++
++ ret = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
++ if (ret != 0) {
++ ret = errno;
++ DEBUG(SSSDBG_FUNC_DATA,
++ "setsockopt SO_RCVTIMEO failed.[%d][%s].\n", ret,
++ strerror(ret));
++ }
++
++ ret = setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));
++ if (ret != 0) {
++ ret = errno;
++ DEBUG(SSSDBG_FUNC_DATA,
++ "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret,
++ strerror(ret));
++ }
++ }
++
+ return EOK;
+ }
+
+@@ -264,7 +286,7 @@ struct tevent_req *sssd_async_socket_init_send(TALLOC_CTX *mem_ctx,
+ goto fail;
+ }
+
+- ret = set_fd_common_opts(state->sd);
++ ret = set_fd_common_opts(state->sd, timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "set_fd_common_opts failed.\n");
+ goto fail;
+--
+2.20.1
+
diff --git a/SOURCES/0037-Add-TCP-level-timeout-to-LDAP-services.patch b/SOURCES/0037-Add-TCP-level-timeout-to-LDAP-services.patch
new file mode 100644
index 0000000..8c28ccb
--- /dev/null
+++ b/SOURCES/0037-Add-TCP-level-timeout-to-LDAP-services.patch
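Review bot: The new `timeout` parameter of set_fd_common_opts is undocumented — its unit (seconds, judging by `tv = tevent_timeval_set(timeout, 0);`) and the meaning of a value of 0 or less (the `if (timeout > 0)` guard skips the whole block) can only be recovered by reading the body; a line at the signature, `/* timeout: socket read/write timeout in seconds; <= 0 leaves the kernel defaults untouched */`, would state the contract for the caller in sssd_async_socket_init_send. SO_RCVTIMEO/SO_SNDTIMEO only bound blocking socket calls, so if set_fcntl_flags (whose body is outside the hunk) puts this fd into non-blocking mode they are inert until the LDAP library switches the fd to blocking for the TLS handshake, which appears to be the scenario the commit message describes; saying so in that comment would stop a later reader from expecting them to cover the non-blocking connect as well. Both setsockopt failures are logged at SSSDBG_FUNC_DATA and the function still returns EOK, mirroring the SO_KEEPALIVE/TCP_NODELAY handling above, but a silently missing timeout re-creates exactly the hang this patch fixes, so SSSDBG_MINOR_FAILURE is the more appropriate level for these two messages.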
@@ -0,0 +1,51 @@
+From bad7c631b7aab50d179755ee546357e4f4faca9d Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 10 Sep 2019 14:33:37 +0000
+Subject: [PATCH] Add TCP level timeout to LDAP services
+
+In some cases the TCP connection may hang with data sent because
+of network conditions, this may cause the socket to stall for much
+longer than the timeout intended.
+Set a TCP option to forcibly timeout a socket that sees its data not
+ACKed within the ldap_network_timeout seconds.
+
+Signed-off-by: Simo Sorce
+
+Reviewed-by: Sumit Bose
+(cherry picked from commit 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac)
+---
+ src/util/sss_sockets.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
+index 0e4d8df8a..b6b6dbac5 100644
+--- a/src/util/sss_sockets.c
++++ b/src/util/sss_sockets.c
+@@ -79,6 +79,7 @@ static errno_t set_fd_common_opts(int fd, int timeout)
+ int dummy = 1;
+ int ret;
+ struct timeval tv;
++ unsigned int milli;
+
+ /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but
+ * failures are ignored.*/
+@@ -117,6 +118,16 @@ static errno_t set_fd_common_opts(int fd, int timeout)
+ "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret,
+ strerror(ret));
+ }
++
++ milli = timeout * 1000; /* timeout in milliseconds */
++ ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
++ sizeof(milli));
++ if (ret != 0) {
++ ret = errno;
++ DEBUG(SSSDBG_FUNC_DATA,
++ "setsockopt TCP_USER_TIMEOUT failed.[%d][%s].\n", ret,
++ strerror(ret));
++ }
+ }
+
+ return EOK;
+--
+2.20.1
+
diff --git a/SOURCES/0038-sss_sockets-pass-pointer-instead-of-integer.patch b/SOURCES/0038-sss_sockets-pass-pointer-instead-of-integer.patch
new file mode 100644
index 0000000..cc45b47
--- /dev/null
+++ b/SOURCES/0038-sss_sockets-pass-pointer-instead-of-integer.patch
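Review bot: `milli = timeout * 1000;` performs the multiplication in signed `int` before the result is stored into the `unsigned int`, so an ldap_network_timeout above INT_MAX/1000 seconds is undefined behaviour rather than a saturated value; computing in unsigned with a clamp, `milli = (timeout > INT_MAX / 1000) ? (unsigned int)INT_MAX : (unsigned int)timeout * 1000U;` (INT_MAX needs <limits.h>), keeps it defined, and the same line survives as context in patch 0038 below. `setsockopt` is handed `milli` by value where it expects a `const void *`; patch 0038 in this same change corrects that to `&milli`, so this patch does not build on its own with -Werror=int-conversion, which matters if the series is ever applied partially. TCP_USER_TIMEOUT is a Linux-specific option, so wrapping the new block in `#ifdef TCP_USER_TIMEOUT` would keep sss_sockets.c compiling on platforms whose <netinet/tcp.h> does not define it.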
@@ -0,0 +1,47 @@
+From 191f3722f28107ccde4ce96dd88a401fb36b059a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 10 Feb 2020 11:52:35 +0100
+Subject: [PATCH] sss_sockets: pass pointer instead of integer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+```
+/home/pbrezina/workspace/sssd/src/util/sss_sockets.c: In function ‘set_fd_common_opts’:
+/home/pbrezina/workspace/sssd/src/util/sss_sockets.c:123:61: error: passing argument 4 of ‘setsockopt’ makes pointer from integer without a cast [-Werror=int-conversion]
+ 123 | ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
+ | ^~~~~
+ | |
+ | unsigned int
+In file included from /home/pbrezina/workspace/sssd/src/util/sss_sockets.c:28:
+/usr/include/sys/socket.h:216:22: note: expected ‘const void *’ but argument is of type ‘unsigned int’
+ 216 | const void *__optval, socklen_t __optlen) __THROW;
+ | ~~~~~~~~~~~~^~~~~~~~
+ CC src/util/sssd_kcm-sss_iobuf.o
+cc1: all warnings being treated as errors
+```
+
+Introduced by 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac
+
+Reviewed-by: Sumit Bose
+(cherry picked from commit 5b87af6f5b50c464ee7ea4558f73431e398e1423)
+---
+ src/util/sss_sockets.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
+index b6b6dbac5..6f2b71bc8 100644
+--- a/src/util/sss_sockets.c
++++ b/src/util/sss_sockets.c
+@@ -120,7 +120,7 @@ static errno_t set_fd_common_opts(int fd, int timeout)
+ }
+
+ milli = timeout * 1000; /* timeout in milliseconds */
+- ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
++ ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli,
+ sizeof(milli));
+ if (ret != 0) {
+ ret = errno;
+--
+2.20.1
+
diff --git a/SOURCES/0039-ipa-add-failover-to-override-lookups.patch b/SOURCES/0039-ipa-add-failover-to-override-lookups.patch
new file mode 100644
index 0000000..25cc1d9
--- /dev/null
+++ b/SOURCES/0039-ipa-add-failover-to-override-lookups.patch
@@ -0,0 +1,48 @@
+From 4897063996b624b71823e61c73916f47832f103a Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 29 Oct 2019 12:16:40 +0100
+Subject: [PATCH] ipa: add failover to override lookups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the ipa_id_get_account_info request failover handling was missing.
+
+Related to https://pagure.io/SSSD/sssd/issue/4114
+
+Reviewed-by: Michal Židek
+(cherry picked from commit b9a53cfca91c9db51b1e32ac2cb0965db3ccf05b)
+---
+ src/providers/ipa/ipa_id.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
+index 94d5f9d90..9253514a3 100644
+--- a/src/providers/ipa/ipa_id.c
++++ b/src/providers/ipa/ipa_id.c
+@@ -640,7 +640,22 @@ static void ipa_id_get_account_info_got_override(struct tevent_req *subreq)
+ ret = ipa_get_ad_override_recv(subreq, &dp_error, state,
+ &state->override_attrs);
+ talloc_zfree(subreq);
++
+ if (ret != EOK) {
++ ret = sdap_id_op_done(state->op, ret, &dp_error);
++
++ if (dp_error == DP_ERR_OK && ret != EOK) {
++ /* retry */
++ subreq = sdap_id_op_connect_send(state->op, state, &ret);
++ if (subreq == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n");
++ goto fail;
++ }
++ tevent_req_set_callback(subreq, ipa_id_get_account_info_connected,
++ req);
++ return;
++ }
++
+ DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
+ goto fail;
+ }
+--
+2.21.1
+
diff --git a/SOURCES/0040-ipa-add-failover-to-access-checks.patch b/SOURCES/0040-ipa-add-failover-to-access-checks.patch
new file mode 100644
index 0000000..76f63a0
--- /dev/null
+++ b/SOURCES/0040-ipa-add-failover-to-access-checks.patch
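Review bot: After `ret = sdap_id_op_done(state->op, ret, &dp_error);` the fall-through `DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);` reports whatever sdap_id_op_done returned, not the code ipa_get_ad_override_recv produced, so the log no longer says which lookup failure drove the failover decision; keeping the original in a local before the call, `int lookup_ret = ret;`, and logging that value preserves it. The retry path hands control back to ipa_id_get_account_info_connected, which presumably restarts the whole account lookup rather than only the override search, and nothing in the hunk bounds the number of attempts — a comment on the `/* retry */` line such as `/* reconnect and redo the lookup from the connected callback; sdap_id_op_done decides whether another attempt is allowed */` would document that intent, and it is worth confirming that sdap_id_op tracks a retry count so a persistently failing server cannot loop here. dp_error is reused from the recv call above, which is fine, but by the time `fail` is reached it carries sdap_id_op_done's classification rather than the recv result, in case the cleanup path (outside the hunk) reports it. The enclosing function starts and ends outside the hunk.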
@@ -0,0 +1,61 @@
+From a4dd1eb5087c2f8a3a9133f42efa025221edc1c9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 30 Oct 2019 14:23:12 +0100
+Subject: [PATCH] ipa: add failover to access checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While reading the different components of the HBAC rules failover
+handling was missing. Since the access control is typically the second
+step after authentication SSSD would have already switched to a working
+server or into offline mode during authentication. But if e.g. ssh keys
+are used for authentication and user data are read from cache the HABC
+rule searches might have to handle failover as well.
+
+Related to https://pagure.io/SSSD/sssd/issue/4114
+
+Reviewed-by: Michal Židek
+(cherry picked from commit 707fdf0406644de08cfb7f59fa4eec393be5c62a)
+---
+ src/providers/ipa/ipa_access.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
+index de9f68170..375b6f885 100644
+--- a/src/providers/ipa/ipa_access.c
++++ b/src/providers/ipa/ipa_access.c
+@@ -296,6 +296,7 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq)
+ struct ipa_fetch_hbac_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
++ int dp_error;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_fetch_hbac_state);
+@@ -308,7 +309,22 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq)
+ state->hosts->entry_subdir = HBAC_HOSTS_SUBDIR;
+ state->hosts->group_subdir = HBAC_HOSTGROUPS_SUBDIR;
+ talloc_zfree(subreq);
++
+ if (ret != EOK) {
++ /* Only call sdap_id_op_done in case of an error to trigger a
++ * failover. In general changing the tevent_req layout would be better
++ * so that all searches are in another sub-request so that we can
++ * error out at any step and the parent request can call
++ * sdap_id_op_done just once. */
++ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
++ if (dp_error == DP_ERR_OK && ret != EOK) {
++ /* retry */
++ ret = ipa_fetch_hbac_retry(req);
++ if (ret != EAGAIN) {
++ goto done;
++ }
++ return;
++ }
+ goto done;
+ }
+
+--
+2.21.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 5dba468..4608e75 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -48,7 +48,7 @@ Name: sssd
 Version: 1.16.4
-Release: 21%{?dist}.1
+Release: 21%{?dist}.3
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -92,6 +92,11 @@ Patch0032: 0032-Translation-Update-japanese-translation.patch
 Patch0033: 0033-Translation-Add-missing-newlines-in-the-ja-po-file.patch
 Patch0034: 0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch
 Patch0035: 0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch
+Patch0036: 0036-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
+Patch0037: 0037-Add-TCP-level-timeout-to-LDAP-services.patch
+Patch0038: 0038-sss_sockets-pass-pointer-instead-of-integer.patch
+Patch0039: 0039-ipa-add-failover-to-override-lookups.patch
+Patch0040: 0040-ipa-add-failover-to-access-checks.patch
 #This patch should not be removed in RHEL-7
 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
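Review bot: `int dp_error;` is added uninitialised and is only written through `sdap_id_op_done(state->sdap_op, ret, &dp_error)`; the `dp_error == DP_ERR_OK` test right after it is safe only while that helper stores on every path, so initialising it, `int dp_error = DP_ERR_FATAL;`, costs nothing and protects the comparison against a future early return in the helper. The new comment explains why sdap_id_op_done is called only on error, but not the retry branch: `ret = ipa_fetch_hbac_retry(req); if (ret != EAGAIN) { goto done; } return;` relies on EAGAIN meaning "a new sub-request is in flight" and on every other value, EOK included, being a final result for `done`, which deserves its own line, `/* EAGAIN: retry sub-request sent, its callback finishes req; anything else is final */`. Per the diffstat this hostinfo callback is the only step in the HBAC chain that gains failover, while the commit message speaks of the different rule components; if the later *_done callbacks in ipa_access.c (not in this hunk) fetch services and rules the same way, they presumably need the same block, or the sub-request refactoring the comment proposes. The enclosing function starts and ends outside the hunk.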
@@ -1249,6 +1254,14 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
 }
 %changelog
+* Sun Mar 01 2020 Alexey Tikhonov - 1.16.4-21.3
+- Resolves: rhbz#1807934 - sssd failover leads to delayed and failed logins
+ [rhel-7.7.z]
+
+* Thu Feb 13 2020 Michal Židek - 1.16.4-21.2
+- Resolves: rhbz#1801207 - id command taking 1+ minute for returning user
+ information [rhel-7.7.z] (
+
 * Wed Oct 09 2019 Michal Židek - 1.16.4-21.1
 - Resolves: rhbz#1758566 - negative cache does not use values from
 'filter_users' config option for known domains [rhel-7.7.z]