From a537778ec181d64264c6344ed9bc33afca862c90 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 28 2023 09:10:22 +0000 Subject: import sssd-2.8.2-2.el8 --- diff --git a/.gitignore b/.gitignore index f74e090..a743af2 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/sssd-2.7.3.tar.gz +SOURCES/sssd-2.8.2.tar.gz diff --git a/.sssd.metadata b/.sssd.metadata index 6132eb6..6575e58 100644 --- a/.sssd.metadata +++ b/.sssd.metadata @@ -1 +1 @@ -0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz +4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz diff --git a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch deleted file mode 100644 index 271a5d8..0000000 --- a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 21 Jul 2022 20:16:32 +0200 -Subject: [PATCH] Makefile: remove unneeded dependency -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f) ---- - Makefile.am | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 669a0fc56..92d046888 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \ - $(KRB5_CFLAGS) \ - $(UUID_CFLAGS) \ - $(CURL_CFLAGS) \ -- $(JANSSON_CFLAGS) \ - $(NULL) - sssd_kcm_LDADD = \ - $(LIBADD_DL) \ - $(KRB5_LIBS) \ -- $(JANSSON_LIBS) \ - $(SSSD_LIBS) \ - $(UUID_LIBS) \ - $(SYSTEMD_DAEMON_LIBS) \ -@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \ - $(UUID_CFLAGS) \ - $(NULL) - test_kcm_marshalling_LDADD = \ -- $(JANSSON_LIBS) \ - $(UUID_LIBS) \ - $(KRB5_LIBS) \ - $(CMOCKA_LIBS) \ -@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \ - test_kcm_renewals_LDADD = \ - $(LIBADD_DL) \ - $(UUID_LIBS) \ -- $(JANSSON_LIBS) \ - $(KRB5_LIBS) \ - $(CARES_LIBS) \ - $(CMOCKA_LIBS) \ --- -2.37.1 - diff --git a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch new file mode 100644 index 0000000..60feece --- /dev/null +++ b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch 
@@ -0,0 +1,158 @@ +From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 8 Dec 2022 15:14:05 +0100 +Subject: [PATCH] ldap: update shadow last change in sysdb as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise pam can use the changed information whe id chaching is +enabled, so next authentication that fits into the id timeout +(5 seconds by default) will still sees the password as expired. + +Resolves: https://github.com/SSSD/sssd/issues/6477 + +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman +(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886) +--- + src/db/sysdb.h | 4 ++++ + src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ + src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++----- + 3 files changed, 52 insertions(+), 5 deletions(-) + +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index 7c666f5c4..06b44f5ba 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain, + struct sysdb_attrs *attrs, + int mod_op); + ++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, ++ const char *name, ++ const char *attrname); ++ + /* Replace group attrs */ + int sysdb_set_group_attr(struct sss_domain_info *domain, + const char *name, +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 0d6f2d5cd..ed0df9872 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -1485,6 +1485,38 @@ done: + return ret; + } + ++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, ++ const char *name, ++ const char *attrname) ++{ ++ struct sysdb_attrs *attrs; ++ char *value; ++ errno_t ret; ++ ++ attrs = sysdb_new_attrs(NULL); ++ if (attrs == NULL) { ++ return ENOMEM; ++ } ++ ++ /* The attribute contains number of days since the epoch */ ++ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400); ++ if 
(value == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = sysdb_attrs_add_string(attrs, attrname, value); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); ++ ++done: ++ talloc_free(attrs); ++ return ret; ++} ++ + /* =Replace-Attributes-On-Group=========================================== */ + + int sysdb_set_group_attr(struct sss_domain_info *domain, +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 6404a9d3a..96b9d6df4 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state { + struct pam_data *pd; + struct sdap_handle *sh; + char *dn; ++ enum pwexpire pw_expire_type; + }; + + static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); +@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + { + struct sdap_pam_chpass_handler_state *state; + struct tevent_req *req; +- enum pwexpire pw_expire_type; + void *pw_expire_data; + size_t msg_len; + uint8_t *msg; +@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); + + ret = auth_recv(subreq, state, &state->sh, &state->dn, +- &pw_expire_type, &pw_expire_data); ++ &state->pw_expire_type, &pw_expire_data); + talloc_free(subreq); + + if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && +@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + } + + if (ret == EOK) { +- switch (pw_expire_type) { ++ switch (state->pw_expire_type) { + case PWEXPIRE_SHADOW: + ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); + break; +@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, +- "Unknown password expiration type %d.\n", pw_expire_type); ++ 
"Unknown password expiration type %d.\n", ++ state->pw_expire_type); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } +@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + case ERR_PASSWORD_EXPIRED: + DEBUG(SSSDBG_TRACE_LIBS, + "user [%s] successfully authenticated.\n", state->dn); +- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type); ++ ret = sdap_pam_chpass_handler_change_step(state, req, ++ state->pw_expire_type); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_pam_chpass_handler_change_step() failed.\n"); +@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) + + switch (ret) { + case EOK: ++ if (state->pw_expire_type == PWEXPIRE_SHADOW) { ++ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain, ++ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE); ++ if (ret != EOK) { ++ state->pd->pam_status = PAM_SYSTEM_ERR; ++ goto done; ++ } ++ } ++ + state->pd->pam_status = PAM_SUCCESS; + break; + case ERR_CHPASS_DENIED: +-- +2.37.3 + diff --git a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch deleted file mode 100644 index 6caa8fc..0000000 --- a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch +++ /dev/null 
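Review bot: In `sdap_pam_chpass_handler_chpass_done` (`case EOK:`), a failure of `sysdb_update_user_shadow_last_change()` now turns an already-completed server-side password change into `PAM_SYSTEM_ERR`, so the user is told the change failed although the LDAP server has accepted the new password and the old one no longer works. The sysdb write is a cache optimisation (the entry is refreshed on the next identity lookup anyway), so I would log and still return `PAM_SUCCESS`: `if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to update %s in cache [%d]\n", SYSDB_SHADOWPW_LASTCHANGE, ret); }` with a comment noting that the password is already changed on the server. Separately, `sysdb_update_user_shadow_last_change()` hard-codes `86400`; a named constant (e.g. `SECONDS_PER_DAY`) would make the days-since-epoch conversion self-explanatory, and a `time(NULL)` failure (-1) silently stores day 0, which is presumably acceptable but deserves a comment. The enclosing `sdap_pam_chpass_handler_chpass_done` body starts and ends outside the hunk.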
@@ -1,155 +0,0 @@ -From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 29 Jul 2022 14:57:20 +0200 -Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it - should survive context destruction / re-initialization -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Iker Pedrosa -Reviewed-by: Pavel Březina -(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911) ---- - src/sss_client/nss_mc.h | 4 ++-- - src/sss_client/nss_mc_common.c | 10 ++++++++-- - src/sss_client/nss_mc_group.c | 5 +++++ - src/sss_client/nss_mc_initgr.c | 5 +++++ - src/sss_client/nss_mc_passwd.c | 5 +++++ - src/sss_client/nss_mc_sid.c | 5 +++++ - 6 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h -index b66e8f09f..de1496ccc 100644 ---- a/src/sss_client/nss_mc.h -+++ b/src/sss_client/nss_mc.h -@@ -48,7 +48,7 @@ enum sss_mc_state { - struct sss_cli_mc_ctx { - enum sss_mc_state initialized; - #if HAVE_PTHREAD -- pthread_mutex_t mutex; -+ pthread_mutex_t *mutex; - #endif - int fd; - -@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx { - }; - - #if HAVE_PTHREAD --#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} -+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #else - #define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #endif -diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c -index c73a93a9a..f38a4a85a 100644 ---- a/src/sss_client/nss_mc_common.c -+++ b/src/sss_client/nss_mc_common.c -@@ -58,14 +58,14 @@ do { \ - static void sss_mt_lock(struct sss_cli_mc_ctx *ctx) - { - #if HAVE_PTHREAD -- pthread_mutex_lock(&ctx->mutex); -+ pthread_mutex_lock(ctx->mutex); - #endif - } - - static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx) - { - 
#if HAVE_PTHREAD -- pthread_mutex_unlock(&ctx->mutex); -+ pthread_mutex_unlock(ctx->mutex); - #endif - } - -@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) - static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - { - uint32_t active_threads = ctx->active_threads; -+#if HAVE_PTHREAD -+ pthread_mutex_t *mutex = ctx->mutex; -+#endif - - if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { - munmap(ctx->mmap_base, ctx->mmap_size); -@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - - /* restore count of active threads */ - ctx->active_threads = active_threads; -+#if HAVE_PTHREAD -+ ctx->mutex = mutex; -+#endif - } - - static errno_t sss_nss_mc_init_ctx(const char *name, -diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c -index 2ea40c435..d4f2a82ab 100644 ---- a/src/sss_client/nss_mc_group.c -+++ b/src/sss_client/nss_mc_group.c -@@ -29,7 +29,12 @@ - #include "nss_mc.h" - #include "shared/safealign.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - struct group *result, -diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c -index b05946263..bd7282935 100644 ---- a/src/sss_client/nss_mc_initgr.c -+++ b/src/sss_client/nss_mc_initgr.c -@@ -32,7 +32,12 @@ - #include "nss_mc.h" - #include "shared/safealign.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - long int 
*start, long int *size, -diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c -index 01c6801da..256d48444 100644 ---- a/src/sss_client/nss_mc_passwd.c -+++ b/src/sss_client/nss_mc_passwd.c -@@ -28,7 +28,12 @@ - #include - #include "nss_mc.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, - struct passwd *result, -diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c -index af7d7bbd5..52e684da5 100644 ---- a/src/sss_client/nss_mc_sid.c -+++ b/src/sss_client/nss_mc_sid.c -@@ -30,7 +30,12 @@ - #include "util/mmap_cache.h" - #include "idmap/sss_nss_idmap.h" - -+#if HAVE_PTHREAD -+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex); -+#else - static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER; -+#endif - - static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type, - char **sid, uint32_t *type, --- -2.37.1 - diff --git a/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch new file mode 100644 index 0000000..fdc756a --- /dev/null +++ b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch 
@@ -0,0 +1,58 @@ +From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 3 Feb 2023 11:35:42 +0100 +Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common + read/write/check helpers. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)` +error condition is detected, regular `POLLIN/POLLOUT` won't be set. +Error code set by error condition should have a priority. This enables +users of this helper to retry attempt (as designed). + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd) +--- + src/sss_client/common.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/src/sss_client/common.c b/src/sss_client/common.c +index 2c888faa9..27e09f6f3 100644 +--- a/src/sss_client/common.c ++++ b/src/sss_client/common.c +@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { + *errnop = EPIPE; +- } +- if (!(pfd.revents & POLLOUT)) { ++ } else if (!(pfd.revents & POLLOUT)) { + *errnop = EBUSY; + } + break; +@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, + } + if (pfd.revents & (POLLERR | POLLNVAL)) { + *errnop = EPIPE; +- } +- if (!(pfd.revents & POLLIN)) { ++ } else if (!(pfd.revents & POLLIN)) { + *errnop = EBUSY; + } + break; +@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop, + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { + *errnop = EPIPE; +- } +- if (!(pfd.revents & (POLLIN | POLLOUT))) { ++ } else if (!(pfd.revents & (POLLIN | POLLOUT))) { + *errnop = EBUSY; + } + break; +-- +2.37.3 + 
diff --git a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch deleted file mode 100644 index 965ceaa..0000000 --- a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 1 Aug 2022 09:54:51 -0400 -Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Skip calling cache_req_data_set_hybrid_lookup() when hybrid data -is NULL for certain NSS request types (e.g. Service by Name). - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina -(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7) ---- - src/responder/nss/nss_get_object.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c -index 9762d6bfe..5a2e7e9bd 100644 ---- a/src/responder/nss/nss_get_object.c -+++ b/src/responder/nss/nss_get_object.c -@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx, - input_name); - } - -- cache_req_data_set_hybrid_lookup(hybrid_data, true); -+ if (hybrid_data != NULL) { -+ cache_req_data_set_hybrid_lookup(hybrid_data, true); -+ } - - return hybrid_data; - } --- -2.37.1 - diff --git a/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch new file mode 100644 index 0000000..d7c875f --- /dev/null +++ b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch 
@@ -0,0 +1,63 @@ +From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 8 Feb 2023 17:48:52 +0100 +Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is + alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise + there is a risk to close "foreign" socket opened in another thread. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3) +--- + src/sss_client/common.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/sss_client/common.c b/src/sss_client/common.c +index 27e09f6f3..c8ade645b 100644 +--- a/src/sss_client/common.c ++++ b/src/sss_client/common.c +@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, + *errnop = ETIME; + break; + case 1: +- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { ++ if (pfd.revents & (POLLERR | POLLHUP)) { ++ *errnop = EPIPE; ++ } else if (pfd.revents & POLLNVAL) { ++ /* Invalid request: fd is not opened */ ++ sss_cli_sd = -1; + *errnop = EPIPE; + } else if (!(pfd.revents & POLLOUT)) { + *errnop = EBUSY; +@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, + if (pfd.revents & (POLLHUP)) { + pollhup = true; + } +- if (pfd.revents & (POLLERR | POLLNVAL)) { ++ if (pfd.revents & POLLERR) { ++ *errnop = EPIPE; ++ } else if (pfd.revents & POLLNVAL) { ++ /* Invalid request: fd is not opened */ ++ sss_cli_sd = -1; + *errnop = EPIPE; + } else if (!(pfd.revents & POLLIN)) { + *errnop = EBUSY; +@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop, + *errnop = ETIME; + break; + case 1: +- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { ++ if (pfd.revents & (POLLERR | POLLHUP)) { ++ *errnop = EPIPE; ++ } else if (pfd.revents & POLLNVAL) { ++ /* Invalid 
request: fd is not opened */ ++ sss_cli_sd = -1; + *errnop = EPIPE; + } else if (!(pfd.revents & (POLLIN | POLLOUT))) { + *errnop = EBUSY; +-- +2.37.3 + diff --git a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch deleted file mode 100644 index 7f87ccc..0000000 --- a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Thu, 14 Jul 2022 11:21:04 -0400 -Subject: [PATCH] Analyzer: Fix escaping raw fstring - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Iker Pedrosa -(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19) ---- - src/tools/analyzer/modules/request.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index b8dd9b25c..935e13adc 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -243,8 +243,8 @@ class RequestAnalyzer: - be_results = False - component = source.Component.NSS - resp = "nss" -- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]'] -- pattern.append(rf"\[CID#{cid}\\]") -+ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]'] -+ pattern.append(rf"\[CID#{cid}\]") - - if args.pam: - component = source.Component.PAM --- -2.37.1 - diff --git a/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch new file mode 100644 index 0000000..dee9c9d --- /dev/null +++ b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch 
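Review bot: The inline comment `/* Invalid request: fd is not opened */` at each of the three POLLNVAL branches says what the bit means but not why the code deliberately forgets the descriptor instead of closing it, which is the actual point of the change and the thing a future maintainer is most likely to "fix" back. I would replace it with `/* POLLNVAL: sss_cli_sd is already closed (or was never opened). Forget it rather than close()-ing it again; the number may by now belong to a socket opened by another thread. */`. The same three-line block now appears verbatim in `sss_cli_send_req`, `sss_cli_recv_rep` and `sss_cli_check_socket`; a small static helper that maps `revents` to `*errnop` and resets `sss_cli_sd` would keep the sites from drifting, though `sss_cli_recv_rep` treats POLLHUP differently so the helper would need the error mask as a parameter. All three enclosing functions start and end outside the hunks.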
@@ -0,0 +1,53 @@ +From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 8 Feb 2023 18:58:37 +0100 +Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with + mutex. Otherwise a thread calling pam_end() can close socket mid pam + transaction in another thread. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug only manifested on platforms where "lockfree client" +feature wasn't built. + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082) +--- + src/sss_client/pam_sss.c | 3 +++ + src/sss_client/pam_sss_gss.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index afbdef59a..39ad17188 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err) + #endif /* PAM_DATA_REPLACE */ + + D(("Closing the fd")); ++ ++ sss_pam_lock(); + sss_cli_close_socket(); ++ sss_pam_unlock(); + } + + struct cert_auth_info { +diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c +index 1109ec570..dd578ae5d 100644 +--- a/src/sss_client/pam_sss_gss.c ++++ b/src/sss_client/pam_sss_gss.c +@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, + } + + done: ++ sss_pam_lock(); + sss_cli_close_socket(); ++ sss_pam_unlock(); + free(username); + free(domain); + free(target); +-- +2.37.3 + diff --git a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch deleted file mode 100644 index a820d44..0000000 --- a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch +++ /dev/null 
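Review bot: The new `sss_pam_lock()`/`sss_pam_unlock()` pair around `sss_cli_close_socket()` at the `done:` label of `pam_sm_authenticate` in `pam_sss_gss.c` is reached by `goto done` from paths not visible in this hunk; if any of those paths jumps while still holding the same mutex and `sss_pam_lock()` is not recursive, the PAM call deadlocks. Worth confirming that every path into `done:` releases the lock first, and recording that with `/* all paths arrive here unlocked; the close must be serialised with other threads' transactions */` above the lock call. In `close_fd` the lock covers only the close, which matches the stated race (a `pam_end()` in one thread closing the socket under another thread's transaction) provided the other thread holds the lock for the whole request/response exchange — presumably in the request helper, which is outside this diff. Both enclosing functions start and end outside the hunk.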
@@ -1,34 +0,0 @@ -From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Aug 2022 21:48:43 +0200 -Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f) ---- - src/sss_client/nss_mc.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h -index de1496ccc..0f88521e9 100644 ---- a/src/sss_client/nss_mc.h -+++ b/src/sss_client/nss_mc.h -@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx { - }; - - #if HAVE_PTHREAD --#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} -+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #else --#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0} -+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0} - #endif - - errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx); --- -2.37.1 - diff --git a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch deleted file mode 100644 index f759975..0000000 --- a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Aug 2022 21:51:03 +0200 -Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be - touched -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL` -was creating a possibility for a race. - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757) ---- - src/sss_client/nss_mc.h | 4 +++- - src/sss_client/nss_mc_common.c | 20 ++++++++++---------- - 2 files changed, 13 insertions(+), 11 deletions(-) - -diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h -index 0f88521e9..9ab2736fa 100644 ---- a/src/sss_client/nss_mc.h -+++ b/src/sss_client/nss_mc.h -@@ -44,7 +44,9 @@ enum sss_mc_state { - RECYCLED, - }; - --/* common stuff */ -+/* In the case this structure is extended, don't forget to update -+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`. 
-+ */ - struct sss_cli_mc_ctx { - enum sss_mc_state initialized; - #if HAVE_PTHREAD -diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c -index f38a4a85a..3128861bf 100644 ---- a/src/sss_client/nss_mc_common.c -+++ b/src/sss_client/nss_mc_common.c -@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) - - static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) - { -- uint32_t active_threads = ctx->active_threads; --#if HAVE_PTHREAD -- pthread_mutex_t *mutex = ctx->mutex; --#endif - - if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { - munmap(ctx->mmap_base, ctx->mmap_size); - } -+ ctx->mmap_base = NULL; -+ ctx->mmap_size = 0; -+ - if (ctx->fd != -1) { - close(ctx->fd); - } -- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx)); - ctx->fd = -1; - -- /* restore count of active threads */ -- ctx->active_threads = active_threads; --#if HAVE_PTHREAD -- ctx->mutex = mutex; --#endif -+ ctx->seed = 0; -+ ctx->data_table = NULL; -+ ctx->dt_size = 0; -+ ctx->hash_table = NULL; -+ ctx->ht_size = 0; -+ ctx->initialized = UNINITIALIZED; -+ /* `mutex` and `active_threads` should be left intact */ - } - - static errno_t sss_nss_mc_init_ctx(const char *name, --- -2.37.1 - diff --git a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch deleted file mode 100644 index 0e06c29..0000000 --- a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 15 Aug 2022 16:17:59 -0400 -Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup - -Fixes an issue when the sssctl analyzer option is -used on systems where SSSD is not running or configured. This is -an expected use case when using --logdir option to analyze external -log files. - -Resolves: https://github.com/SSSD/sssd/issues/6298 - -Reviewed-by: Alexey Tikhonov ---- - src/tools/sssctl/sssctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c -index 3816125ad..f18689f9f 100644 ---- a/src/tools/sssctl/sssctl.c -+++ b/src/tools/sssctl/sssctl.c -@@ -296,7 +296,7 @@ int main(int argc, const char **argv) - SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove), - SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch), - SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level), -- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze), -+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT), - #ifdef HAVE_LIBINI_CONFIG_V1_3 - SSS_TOOL_DELIMITER("Configuration files tools:"), - SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT), --- -2.37.1 - diff --git a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch deleted file mode 100644 index 769e082..0000000 --- a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch +++ /dev/null 
@@ -1,297 +0,0 @@ -From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Fri, 19 Aug 2022 09:50:22 -0400 -Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Client ID is not stored properly to match requests -when parallel requests are made to client SSSD - -Resolves: https://github.com/SSSD/sssd/issues/6307 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina - -Reviewed-by: Alexey Tikhonov ---- - src/responder/common/cache_req/cache_req.c | 5 +++-- - .../plugins/cache_req_autofs_entry_by_name.c | 3 ++- - .../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++- - .../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++- - .../plugins/cache_req_ssh_host_id_by_name.c | 3 ++- - src/responder/common/responder.h | 2 +- - src/responder/common/responder_common.c | 12 +++++++----- - src/responder/common/responder_dp.c | 5 +++-- - src/responder/common/responder_get_domains.c | 3 ++- - src/responder/pam/pamsrv_cmd.c | 4 ++-- - 10 files changed, 26 insertions(+), 17 deletions(-) - -diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c -index 4dd45b038..bc65bae71 100644 ---- a/src/responder/common/cache_req/cache_req.c -+++ b/src/responder/common/cache_req/cache_req.c -@@ -24,6 +24,7 @@ - #include - - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder.h" - #include "responder/common/cache_req/cache_req_private.h" - #include "responder/common/cache_req/cache_req_plugin.h" -@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx, - } - state->first_iteration = true; - -- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n", -- rctx->client_id_num, cr->reqname); -+ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n", -+ sss_chain_id_get(), cr->reqname); - - ret = 
cache_req_is_well_known_object(state, cr, &result); - if (ret == EOK) { -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -index 788b6708c..b2b0a06eb 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, - data->autofs_entry_name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -index 5d82641cc..23b11b1cd 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c -index 29f289723..18c08ca39 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c 
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c -@@ -24,6 +24,7 @@ - #include "db/sysdb.h" - #include "db/sysdb_autofs.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - bool -diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -index a8b8f47a8..29f52f10d 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c -@@ -23,6 +23,7 @@ - - #include "db/sysdb_ssh.h" - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "providers/data_provider.h" - #include "responder/common/cache_req/cache_req_plugin.h" - -@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx, - return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, - 0, data->name.name, data->alias, -- cr->rctx->client_id_num); -+ sss_chain_id_get()); - } - - static bool -diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h -index 5cb79e3e6..259b3ff13 100644 ---- a/src/responder/common/responder.h -+++ b/src/responder/common/responder.h -@@ -165,13 +165,13 @@ struct cli_ctx { - - struct cli_creds *creds; - char *cmd_line; -- uint64_t old_chain_id; - - void *protocol_ctx; - void *state_ctx; - - struct tevent_timer *idle; - time_t last_request_time; -+ uint32_t client_id_num; - }; - - struct sss_cmd_table { -diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c -index 
6e3b61ef0..a4ba8ea71 100644 ---- a/src/responder/common/responder_common.c -+++ b/src/responder/common/responder_common.c -@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev, - "Failed to close fd [%d]: [%s]\n", - ctx->cfd, strerror(ret)); - } -- /* Restore the original chain id */ -- sss_chain_id_set(ctx->old_chain_id); - - DEBUG(SSSDBG_TRACE_INTERNAL, - "Terminated client [%p][%d]\n", -@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev, - int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd; - - rctx->client_id_num++; -- - if (accept_ctx->is_private) { - ret = stat(rctx->priv_sock_name, &stat_buf); - if (ret == -1) { -@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev, - - talloc_set_destructor(cctx, cli_ctx_destructor); - -+ cctx->client_id_num = rctx->client_id_num; -+ - len = sizeof(cctx->addr); - cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len); - if (cctx->cfd == -1) { -@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev, - - DEBUG(SSSDBG_TRACE_FUNC, - "[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n", -- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), -+ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds), - cctx, cctx->cfd, accept_ctx->is_private ? 
" to privileged pipe" : ""); - - return; -@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr, - uint16_t flags) - { - errno_t ret; -+ uint64_t old_chain_id; - struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx); - - /* Always reset the responder idle timer on any activity */ -@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr, - } - - /* Set the chain id */ -- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num); -+ old_chain_id = sss_chain_id_set(cctx->client_id_num); - - if (flags & TEVENT_FD_READ) { - recv_fn(cctx); -@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr, - send_fn(cctx); - return; - } -+ /* Restore the original chain id */ -+ sss_chain_id_set(old_chain_id); - } - - int sss_connection_setup(struct cli_ctx *cctx) -diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c -index d549e02d3..4b4770da1 100644 ---- a/src/responder/common/responder_dp.c -+++ b/src/responder/common/responder_dp.c -@@ -23,6 +23,7 @@ - #include - #include - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder_packet.h" - #include "responder/common/responder.h" - #include "providers/data_provider.h" -@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx, - subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn, - be_conn->bus_name, SSS_BUS_PATH, dp_flags, - entry_type, filter, dom->name, extra, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx, - SSS_BUS_PATH, - dp_flags, entry_type, - filter_type, filter_value, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c -index 
918124756..aeff28d73 100644 ---- a/src/responder/common/responder_get_domains.c -+++ b/src/responder/common/responder_get_domains.c -@@ -19,6 +19,7 @@ - */ - - #include "util/util.h" -+#include "util/sss_chain_id.h" - #include "responder/common/responder.h" - #include "providers/data_provider.h" - #include "db/sysdb.h" -@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx, - be_conn->bus_name, - SSS_BUS_PATH, dp_flags, - entry_type, filter, -- rctx->client_id_num); -+ sss_chain_id_get()); - if (subreq == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); - ret = ENOMEM; -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index cb0e1b82f..1695554fc 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) - } - preq->cctx = cctx; - preq->cert_auth_local = false; -- preq->client_id_num = pctx->rctx->client_id_num; -+ preq->client_id_num = cctx->client_id_num; - - preq->pd = create_pam_data(preq); - if (!preq->pd) { -@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) - - pd->cmd = pam_cmd; - pd->priv = cctx->priv; -- pd->client_id_num = pctx->rctx->client_id_num; -+ pd->client_id_num = cctx->client_id_num; - - ret = pam_forwarder_parse_data(cctx, pd); - if (ret == EAGAIN) { --- -2.37.1 - diff --git a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch deleted file mode 100644 index b2c49e1..0000000 --- a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Fri, 19 Aug 2022 14:44:11 -0400 -Subject: [PATCH 9/9] Analyzer: support parallel requests parsing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Analyzer code(primarily the list verbose command) needs -changes to handle parsing the necessary lines from -NSS/PAM log files when multiple intermixed/parallel -client requests are sent to SSSD. - -Resolves: https://github.com/SSSD/sssd/issues/6307 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina - -Reviewed-by: Alexey Tikhonov ---- - src/tools/analyzer/modules/request.py | 119 +++++++++++++++----------- - 1 file changed, 67 insertions(+), 52 deletions(-) - -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index 935e13adc..b9fe3caf8 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -16,7 +16,6 @@ class RequestAnalyzer: - """ - module_parser = None - consumed_logs = [] -- done = "" - list_opts = [ - Option('--verbose', 'Verbose output', bool, '-v'), - Option('--pam', 'Filter only PAM requests', bool), -@@ -149,58 +148,74 @@ class RequestAnalyzer: - print(line) - return found_results - -- def print_formatted(self, line, verbose): -+ def print_formatted_verbose(self, source, patterns): -+ """ -+ Parse line and print formatted verbose list_requests output -+ -+ Args: -+ source (Reader): source Reader object -+ patterns (list): List of regex patterns to use for -+ matching lines -+ """ -+ # Get CID number, and print the basic line first -+ for line in self.matched_line(source, patterns): -+ cid = self.print_formatted(line) -+ -+ # Loop through each line with this CID number to extract and -+ # print the verbose data needed -+ verbose_patterns = ["(cache_req_send|cache_req_process_input|" -+ "cache_req_search_send)"] -+ for cidline in 
self.matched_line(source, verbose_patterns): -+ plugin = "" -+ name = "" -+ id = "" -+ -+ # skip any lines not pertaining to this CID -+ if f"CID#{cid}]" not in cidline: -+ continue -+ if "refreshed" in cidline: -+ continue -+ # CR Plugin name -+ if re.search("cache_req_send", cidline): -+ plugin = cidline.split('\'')[1] -+ # CR Input name -+ elif re.search("cache_req_process_input", cidline): -+ name = cidline.rsplit('[')[-1] -+ # CR Input id -+ elif re.search("cache_req_search_send", cidline): -+ id = cidline.rsplit()[-1] -+ -+ if plugin: -+ print(" - " + plugin) -+ if name: -+ print(" - " + name[:-2]) -+ if (id and ("UID" in cidline or "GID" in cidline)): -+ print(" - " + id) -+ -+ def print_formatted(self, line): - """ - Parse line and print formatted list_requests output - - Args: - line (str): line to parse -- verbose (bool): If true, enable verbose output -+ Returns: -+ Client ID from printed line, 0 otherwise - """ -- plugin = "" -- name = "" -- id = "" -- - # exclude backtrace logs - if line.startswith(' * '): -- return -- fields = line.split("[") -- cr_field = fields[3][7:] -- cr = cr_field.split(":")[0][4:] -+ return 0 - if "refreshed" in line: -- return -- # CR Plugin name -- if re.search("cache_req_send", line): -- plugin = line.split('\'')[1] -- # CR Input name -- elif re.search("cache_req_process_input", line): -- name = line.rsplit('[')[-1] -- # CR Input id -- elif re.search("cache_req_search_send", line): -- id = line.rsplit()[-1] -- # CID and client process name -- else: -- ts = line.split(")")[0] -- ts = ts[1:] -- fields = line.split("[") -- cid = fields[3][4:-9] -- cmd = fields[4][4:-1] -- uid = fields[5][4:-1] -- if not uid.isnumeric(): -- uid = fields[6][4:-1] -- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') -- -- if verbose: -- if plugin: -- print(" - " + plugin) -- if name: -- if cr not in self.done: -- print(" - " + name[:-2]) -- self.done = cr -- if id: -- if cr not in self.done: -- print(" - " + id) -- self.done = cr -+ return 0 -+ ts = 
line.split(")")[0] -+ ts = ts[1:] -+ fields = line.split("[") -+ cid = fields[3][4:-9] -+ cmd = fields[4][4:-1] -+ uid = fields[5][4:-1] -+ if not uid.isnumeric(): -+ uid = fields[6][4:-1] -+ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}') -+ return cid - - def list_requests(self, args): - """ -@@ -215,20 +230,20 @@ class RequestAnalyzer: - # Log messages matching the following regex patterns contain - # the useful info we need to produce list output - patterns = [r'\[cmd'] -- patterns.append("(cache_req_send|cache_req_process_input|" -- "cache_req_search_send)") - if args.pam: - component = source.Component.PAM - resp = "pam" - - logger.info(f"******** Listing {resp} client requests ********") - source.set_component(component, False) -- self.done = "" -- for line in self.matched_line(source, patterns): -- if isinstance(source, Journald): -- print(line) -- else: -- self.print_formatted(line, args.verbose) -+ if args.verbose: -+ self.print_formatted_verbose(source, patterns) -+ else: -+ for line in self.matched_line(source, patterns): -+ if isinstance(source, Journald): -+ print(line) -+ else: -+ self.print_formatted(line) - - def track_request(self, args): - """ --- -2.37.1 - diff --git a/SOURCES/0010-CLIENT-fix-client-fd-leak.patch b/SOURCES/0010-CLIENT-fix-client-fd-leak.patch deleted file mode 100644 index 48622c8..0000000 --- a/SOURCES/0010-CLIENT-fix-client-fd-leak.patch +++ /dev/null 
@@ -1,295 +0,0 @@ -From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 25 Aug 2022 18:10:46 +0200 -Subject: [PATCH] CLIENT: fix client fd leak - - - close client socket at thread exit - - only build lock-free client support if libc has required - functionality for a proper cleanup - - use proper mechanisms to init lock_mode only once - -:relnote:Lock-free client support will be only built if libc -provides `pthread_key_create()` and `pthread_once()`. For glibc -this means version 2.34+ - -Reviewed-by: Justin Stephenson -Reviewed-by: Sumit Bose -(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb) ---- - configure.ac | 29 +++++++++-- - src/man/Makefile.am | 5 +- - src/man/sssd.8.xml | 2 +- - src/sss_client/common.c | 83 +++++++++++++++++++------------- - src/sss_client/idmap/common_ex.c | 4 ++ - 5 files changed, 84 insertions(+), 39 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 93bd93b85..5a05de41e 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include ]]) - m4_include([src/build_macros.m4]) - BUILD_WITH_SHARED_BUILD_DIR - --AC_COMPILE_IFELSE( -+ -+SAVE_LIBS=$LIBS -+LIBS= -+AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER; -- (void) m; /* unused */ -+ pthread_mutex_lock(&m); -+ pthread_mutex_unlock(&m); - ]])], - [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.]) - HAVE_PTHREAD=1 - ], -- [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])]) -+ [AC_MSG_WARN([Pthread mutex support not found! 
Clients will not be thread safe...])]) -+LIBS=$SAVE_LIBS -+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) - - --AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) -+SAVE_LIBS=$LIBS -+LIBS= -+AC_LINK_IFELSE( -+ [AC_LANG_PROGRAM([[#include ]], -+ [[static pthread_key_t k; -+ static pthread_once_t f = PTHREAD_ONCE_INIT; -+ pthread_once(&f, NULL); -+ pthread_key_create(&k, NULL); -+ ]])], -+ [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.]) -+ HAVE_PTHREAD_EXT=1 -+ ], -+ [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])]) -+LIBS=$SAVE_LIBS -+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"]) -+ - - # Check library for the timer_create function - SAVE_LIBS=$LIBS -diff --git a/src/man/Makefile.am b/src/man/Makefile.am -index 93dd14819..063ff1bf0 100644 ---- a/src/man/Makefile.am -+++ b/src/man/Makefile.am -@@ -46,9 +46,12 @@ endif - if BUILD_KCM_RENEWAL - KCM_RENEWAL_CONDS = ;enable_kcm_renewal - endif -+if BUILD_LOCKFREE_CLIENT -+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support -+endif - - --CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS) -+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS) - - - #Special Rules: -diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml -index df07b7f29..5f507c631 100644 ---- a/src/man/sssd.8.xml -+++ b/src/man/sssd.8.xml -@@ -240,7 +240,7 @@ - If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", - client applications will not use the fast in-memory cache. - -- -+ - If the environment variable SSS_LOCKFREE is set to "NO", requests - from multiple threads of a single application will be serialized. 
- -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 29c751a50..d762dff49 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -35,7 +35,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -62,8 +61,15 @@ - - /* common functions */ - -+#ifdef HAVE_PTHREAD_EXT -+static pthread_key_t sss_sd_key; -+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT; - static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */ - static __thread struct stat sss_cli_sb; /* the sss client stat buffer */ -+#else -+static int sss_cli_sd = -1; /* the sss client socket descriptor */ -+static struct stat sss_cli_sb; /* the sss client stat buffer */ -+#endif - - #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR - __attribute__((destructor)) -@@ -76,6 +82,18 @@ void sss_cli_close_socket(void) - } - } - -+#ifdef HAVE_PTHREAD_EXT -+static void sss_at_thread_exit(void *v) -+{ -+ sss_cli_close_socket(); -+} -+ -+static void init_sd_key(void) -+{ -+ pthread_key_create(&sss_sd_key, sss_at_thread_exit); -+} -+#endif -+ - /* Requests: - * - * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X) -@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout - return -1; - } - -+#ifdef HAVE_PTHREAD_EXT -+ pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */ -+ -+ /* It actually doesn't matter what value to set for a key. -+ * The only important thing: key must be non-NULL to ensure -+ * destructor is executed at thread exit. 
-+ */ -+ pthread_setspecific(sss_sd_key, &sss_cli_sd); -+#endif -+ - /* set as non-blocking, close on exec, and make sure standard - * descriptors are not used */ - sd = make_safe_fd(sd); -@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len) - } - - #if HAVE_PTHREAD --bool sss_is_lockfree_mode(void) -+ -+#ifdef HAVE_PTHREAD_EXT -+static bool sss_lock_free = true; -+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT; -+ -+static void init_lock_mode(void) - { -- const char *env = NULL; -- enum { -- MODE_UNDEF, -- MODE_LOCKING, -- MODE_LOCKFREE -- }; -- static atomic_int mode = MODE_UNDEF; -- -- if (mode == MODE_UNDEF) { -- env = getenv("SSS_LOCKFREE"); -- if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { -- mode = MODE_LOCKING; -- } else { -- mode = MODE_LOCKFREE; -- } -+ const char *env = getenv("SSS_LOCKFREE"); -+ -+ if ((env != NULL) && (strcasecmp(env, "NO") == 0)) { -+ sss_lock_free = false; - } -+} - -- return (mode == MODE_LOCKFREE); -+bool sss_is_lockfree_mode(void) -+{ -+ pthread_once(&sss_lock_mode_initialized, init_lock_mode); -+ return sss_lock_free; - } -+#endif - - struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- - static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- --static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; -- - static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; - - static void sss_mt_lock(struct sss_mutex *m) - { -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return; - } -+#endif - - pthread_mutex_lock(&m->mtx); - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state); -@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m) - - static void sss_mt_unlock(struct sss_mutex *m) - { -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return; - } -+#endif - - pthread_setcancelstate(m->old_cancel_state, NULL); - pthread_mutex_unlock(&m->mtx); 
-@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void) - sss_mt_unlock(&sss_nss_mtx); - } - --/* NSS mutex wrappers */ -+/* PAM mutex wrappers */ - void sss_pam_lock(void) - { - sss_mt_lock(&sss_pam_mtx); -@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void) - sss_mt_unlock(&sss_pam_mtx); - } - --/* NSS mutex wrappers */ --void sss_nss_mc_lock(void) --{ -- sss_mt_lock(&sss_nss_mc_mtx); --} --void sss_nss_mc_unlock(void) --{ -- sss_mt_unlock(&sss_nss_mc_mtx); --} -- - /* PAC mutex wrappers */ - void sss_pac_lock(void) - { -diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c -index 4f454cd63..8c4894fd9 100644 ---- a/src/sss_client/idmap/common_ex.c -+++ b/src/sss_client/idmap/common_ex.c -@@ -28,7 +28,9 @@ - #include "common_private.h" - - extern struct sss_mutex sss_nss_mtx; -+#ifdef HAVE_PTHREAD_EXT - bool sss_is_lockfree_mode(void); -+#endif - - #define SEC_FROM_MSEC(ms) ((ms) / 1000) - #define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000) -@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime) - { - int ret; - -+#ifdef HAVE_PTHREAD_EXT - if (sss_is_lockfree_mode()) { - return 0; - } -+#endif - - ret = pthread_mutex_timedlock(&m->mtx, endtime); - if (ret != 0) { --- -2.37.1 - diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index bcd13a8..c395105 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -18,8 +18,8 @@ %global enable_systemtap_opt --enable-systemtap Name: sssd -Version: 2.7.3 -Release: 4%{?dist} +Version: 2.8.2 +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
@@ -27,16 +27,10 @@ URL: https://github.com/SSSD/sssd Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-Makefile-remove-unneeded-dependency.patch -Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch -Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch -Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch -Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch -Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch -Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch -Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch -Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch -Patch0010: 0010-CLIENT-fix-client-fd-leak.patch +Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch +Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch +Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch +Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch ### Downstream Patches ### @@ -114,6 +108,7 @@ BuildRequires: jansson-devel BuildRequires: libcurl-devel BuildRequires: libjose-devel BuildRequires: softhsm >= 2.1.0 +BuildRequires: bc BuildRequires: openssl BuildRequires: openssh BuildRequires: libnl3-devel @@ -600,7 +595,6 @@ autoreconf -ivf --with-syslog=journald \ --with-subid \ --enable-sss-default-nss-plugin \ - --enable-files-domain \ --without-python2-bindings \ --with-sssd-user=sssd \ %{?with_cifs_utils_plugin_option} \ 
@@ -1104,6 +1098,38 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_post sssd-ssh.socket
 %systemd_post sssd-sudo.socket
+function mod_nss() {
+ if [ -f "$1" ] ; then
+ # Change order 'sss <-> files' if default pattern is found
+ match_pattern="^[[:blank:]]*(passwd|group):(.*)sss[[:blank:]]+files(.*)"
+ if grep -E -r -q -s "$match_pattern" "$1"; then
+ sed -i.save_by_rpm -E -e "
+ s/$match_pattern/\1:\2files sss\3/
+ " "$1" &>/dev/null || :
+ # Remove obsolete comment
+ sed -i -E -e '/# .sssd. performs its own .files.-based caching, so it should generally/d' "$1" &>/dev/null || :
+ sed -i -E -e '/# come before .files.\./d' "$1" &>/dev/null || :
+ fi
+ fi
+}
+
+if grep -E -r -q -s "[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/ ||
+ grep -E -i -r -q -s "[[:blank:]]*enable_files_domain[[:blank:]]*=[[:blank:]]*true" /etc/sssd ; then
+ # "files provider" configured explicitly, leave nsswitch.conf intact
+ :
+else
+ NSSFILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"
+ if [ "$NSSFILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then
+ mod_nss "/etc/authselect/user-nsswitch.conf"
+ authselect apply-changes &> /dev/null || :
+ else
+ mod_nss "$NSSFILE"
+ # also apply the same changes to user-nsswitch.conf to affect
+ # possible future authselect configuration
+ mod_nss "/etc/authselect/user-nsswitch.conf"
+ fi
+fi
+
 %preun common
 %systemd_preun sssd.service
 %systemd_preun sssd-autofs.socket
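Review bot: The two `grep` tests that decide whether nsswitch.conf is left intact are not anchored to the start of the line, so a commented-out `#id_provider = files` or `# enable_files_domain = true` anywhere under /etc/sssd/ is treated as an explicitly configured files provider and the `sss files` → `files sss` reorder is silently skipped; because the search is recursive, I would expect stale `.rpmsave`/`.rpmnew` copies to trigger this as well, though the hunk itself does not show that. Prefixing both patterns with `^`, as `match_pattern` inside `mod_nss` already does, restricts the match to active option lines: `grep -E -r -q -s "^[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/ ||` and `grep -E -i -r -q -s "^[[:blank:]]*enable_files_domain[[:blank:]]*=[[:blank:]]*true" /etc/sssd ; then`. Since this scriptlet changes the precedence between local files and SSSD for passwd/group resolution on the host, and no `$1` install-count check is visible in the hunk to limit it to upgrades, a one-line comment above the `if` saying that it compensates for the `--enable-files-domain` configure option dropped elsewhere in this spec change would help the next maintainer understand why %post edits nsswitch.conf at all.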
@@ -1187,6 +1213,30 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Feb 13 2023 Alexey Tikhonov - 2.8.2-2 +- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" + +* Mon Dec 19 2022 Alexey Tikhonov - 2.8.2-1 +- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 +- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. +- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization +- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list +- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged +- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around +- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) + +* Tue Nov 22 2022 Alexey Tikhonov - 2.8.1-1 +- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 +- Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr +- Resolves: rhbz#2144579 - sssd timezone issues sudonotafter +- Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file +- Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) +- Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed + +* Mon Oct 31 2022 Alexey Tikhonov - 2.7.3-5 +- Related: rhbz#2132051 - Rebase Samba to the the latest 4.17.x release + Rebuild against Samba rebase. + * Fri Aug 26 2022 Alexey Tikhonov - 2.7.3-4 - Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8