From c5e826b59c1554c36ac4ee3b5814f194904e0a57 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 22 2021 10:09:35 +0000 Subject: import sssd-2.4.0-6.el8 --- diff --git a/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch b/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch new file mode 100644 index 0000000..dae8746 --- /dev/null +++ b/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch @@ -0,0 +1,100 @@ +From 3f0ba4c2dcf9126b0f94bca4a056b516759d25c1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 6 Mar 2020 12:49:04 +0100 +Subject: [PATCH 13/18] cache_req: allow cache_req to return ERR_OFFLINE if all + dp request failed + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/cache_req/cache_req.c | 13 +++++++++++++ + src/responder/common/cache_req/cache_req.h | 4 ++++ + src/responder/common/cache_req/cache_req_data.c | 12 ++++++++++++ + src/responder/common/cache_req/cache_req_private.h | 3 +++ + 4 files changed, 32 insertions(+) + +diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c +index afb0e7cda..0c8538414 100644 +--- a/src/responder/common/cache_req/cache_req.c ++++ b/src/responder/common/cache_req/cache_req.c +@@ -974,6 +974,13 @@ static void cache_req_search_domains_done(struct tevent_req *subreq) + case ERR_ID_OUTSIDE_RANGE: + case ENOENT: + if (state->check_next == false) { ++ if (state->cr->data->propogate_offline_status && !state->dp_success) { ++ /* Not found and data provider request failed so we were ++ * unable to fetch the data. */ ++ ret = ERR_OFFLINE; ++ goto done; ++ } ++ + /* Not found. */ + ret = ENOENT; + goto done; +@@ -1002,6 +1009,12 @@ done: + case EAGAIN: + break; + default: ++ if (ret == ENOENT && state->cr->data->propogate_offline_status ++ && !state->dp_success) { ++ /* Not found and data provider request failed so we were ++ * unable to fetch the data. */ ++ ret = ERR_OFFLINE; ++ } + tevent_req_error(req, ret); + break; + } +diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h +index 72d4abe5e..d36cb2d3b 100644 +--- a/src/responder/common/cache_req/cache_req.h ++++ b/src/responder/common/cache_req/cache_req.h +@@ -171,6 +171,10 @@ void + cache_req_data_set_requested_domains(struct cache_req_data *data, + char **requested_domains); + ++void ++cache_req_data_set_propogate_offline_status(struct cache_req_data *data, ++ bool propogate_offline_status); ++ + enum cache_req_type + cache_req_data_get_type(struct cache_req_data *data); + +diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c +index 14c4ad14f..fe9f3db29 100644 +--- a/src/responder/common/cache_req/cache_req_data.c ++++ b/src/responder/common/cache_req/cache_req_data.c +@@ -455,6 +455,18 @@ cache_req_data_set_requested_domains(struct cache_req_data *data, + data->requested_domains = requested_domains; + } + ++void ++cache_req_data_set_propogate_offline_status(struct cache_req_data *data, ++ bool propogate_offline_status) ++{ ++ if (data == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n"); ++ return; ++ } ++ ++ data->propogate_offline_status = propogate_offline_status; ++} ++ + enum cache_req_type + cache_req_data_get_type(struct cache_req_data *data) + { +diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h +index bfca688b9..2d52e7600 100644 +--- a/src/responder/common/cache_req/cache_req_private.h ++++ b/src/responder/common/cache_req/cache_req_private.h +@@ -103,6 +103,9 @@ struct cache_req_data { + + /* if set, only search in the listed domains */ + char **requested_domains; ++ ++ /* if set, ERR_OFFLINE is returned if data provider is offline */ ++ bool propogate_offline_status; + }; + + struct tevent_req * +-- +2.21.3 + diff --git a/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch b/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch new file mode 100644 index 0000000..f29ff36 --- /dev/null +++ b/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch @@ -0,0 +1,58 @@ +From e50258da70b67ff1b0f928e2e7875bc2fa32dfde Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 6 Mar 2020 13:12:46 +0100 +Subject: [PATCH 14/18] autofs: return ERR_OFFLINE if we fail to get + information from backend and cache is empty + +Resolves: +https://github.com/SSSD/sssd/issues/3413 + +Reviewed-by: Alexey Tikhonov +--- + .../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 ++ + .../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 ++ + .../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +index cb674add6..55c9fc8b0 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +@@ -142,6 +142,8 @@ cache_req_autofs_entry_by_name_send(TALLOC_CTX *mem_ctx, + return NULL; + } + ++ cache_req_data_set_propogate_offline_status(data, true); ++ + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +index 3c08eaf4f..823eb3595 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +@@ -136,6 +136,8 @@ cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx, + return NULL; + } + ++ cache_req_data_set_propogate_offline_status(data, true); ++ + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +index 1b5645fa0..3e47b1321 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +@@ -168,6 +168,8 @@ cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx, + return NULL; + } + ++ cache_req_data_set_propogate_offline_status(data, true); ++ + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, +-- +2.21.3 + diff --git a/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch b/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch new file mode 100644 index 0000000..c605483 --- /dev/null +++ b/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch @@ -0,0 +1,51 @@ +From 9098108a7142513fa04afdf92a2c1b3ac002c56e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 6 Mar 2020 13:44:56 +0100 +Subject: [PATCH 15/18] autofs: translate ERR_OFFLINE to EHOSTDOWN + +So we do not publish internal error code. + +Resolves: +https://github.com/SSSD/sssd/issues/3413 + +Reviewed-by: Alexey Tikhonov +--- + src/sss_client/common.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/sss_client/common.c b/src/sss_client/common.c +index 902438c86..d29332939 100644 +--- a/src/sss_client/common.c ++++ b/src/sss_client/common.c +@@ -44,6 +44,7 @@ + #define _(STRING) dgettext (PACKAGE, STRING) + #include "sss_cli.h" + #include "common_private.h" ++#include "util/util_errors.h" + + #if HAVE_PTHREAD + #include +@@ -1054,9 +1055,17 @@ int sss_autofs_make_request(enum sss_cli_command cmd, + uint8_t **repbuf, size_t *replen, + int *errnop) + { +- return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, +- repbuf, replen, errnop, +- SSS_AUTOFS_SOCKET_NAME); ++ enum sss_status status; ++ ++ status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, ++ repbuf, replen, errnop, ++ SSS_AUTOFS_SOCKET_NAME); ++ ++ if (*errnop == ERR_OFFLINE) { ++ *errnop = EHOSTDOWN; ++ } ++ ++ return status; + } + + int sss_ssh_make_request(enum sss_cli_command cmd, +-- +2.21.3 + diff --git a/SOURCES/0031-autofs-disable-fast-reply.patch b/SOURCES/0031-autofs-disable-fast-reply.patch new file mode 100644 index 0000000..8706aec --- /dev/null +++ b/SOURCES/0031-autofs-disable-fast-reply.patch @@ -0,0 +1,61 @@ +From 34c519a4851194164befc150df8e768431e66405 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 22 Sep 2020 11:04:25 +0200 +Subject: [PATCH 16/18] autofs: disable fast reply + +If the backend is offline when autofs starts and reads auto.master map +we don't want to wait 60 seconds before the offline flag is reset. We +need to allow autofs to retry the call much sooner. + +Resolves: +https://github.com/SSSD/sssd/issues/3413 + +Reviewed-by: Alexey Tikhonov +--- + .../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +- + .../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +- + .../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +index 55c9fc8b0..cd2085187 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +@@ -84,7 +84,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx, + + return sbus_call_dp_autofs_GetEntry_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, +- DP_FAST_REPLY, data->name.name, ++ 0, data->name.name, + data->autofs_entry_name); + } + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +index 823eb3595..9d9bc3a97 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +@@ -81,7 +81,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx, + + return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, +- DP_FAST_REPLY, data->name.name); ++ 0, data->name.name); + } + + bool +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +index 3e47b1321..ee0156b6a 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +@@ -113,7 +113,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx, + + return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn, + be_conn->bus_name, SSS_BUS_PATH, +- DP_FAST_REPLY, data->name.name); ++ 0, data->name.name); + } + + bool +-- +2.21.3 + diff --git a/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch b/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch new file mode 100644 index 0000000..9188a5e --- /dev/null +++ b/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch @@ -0,0 +1,168 @@ +From 8a22d4ad45f5fc8e888be693539495093c2b3c35 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 4 Nov 2020 14:20:10 +0100 +Subject: [PATCH 17/18] autofs: correlate errors for different protocol + versions + +Reviewed-by: Alexey Tikhonov +--- + src/sss_client/autofs/autofs_test_client.c | 12 ++++++++ + src/sss_client/autofs/sss_autofs.c | 35 +++++++++++++++++++--- + src/sss_client/autofs/sss_autofs.exports | 9 +++--- + src/sss_client/autofs/sss_autofs_private.h | 5 ++++ + 4 files changed, 53 insertions(+), 8 deletions(-) + +diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c +index c5358233f..4b285151e 100644 +--- a/src/sss_client/autofs/autofs_test_client.c ++++ b/src/sss_client/autofs/autofs_test_client.c +@@ -45,10 +45,14 @@ int main(int argc, const char *argv[]) + char *value = NULL; + char *pc_key = NULL; + int pc_setent = 0; ++ int pc_protocol = 1; ++ unsigned int protocol; ++ unsigned int requested_protocol = 1; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "by-name", 'n', POPT_ARG_STRING, &pc_key, 0, "Request map by name", NULL }, + { "only-setent", 's', POPT_ARG_VAL, &pc_setent, 1, "Run only setent, do not enumerate", NULL }, ++ { "protocol", 'p', POPT_ARG_INT, &pc_protocol, 0, "Protocol version", NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; +@@ -69,6 +73,14 @@ int main(int argc, const char *argv[]) + + poptFreeContext(pc); + ++ requested_protocol = pc_protocol; ++ protocol = _sss_auto_protocol_version(requested_protocol); ++ if (protocol != requested_protocol) { ++ fprintf(stderr, "Unsupported protocol version: %d -> %d\n", ++ requested_protocol, protocol); ++ exit(EXIT_FAILURE); ++ } ++ + ret = _sss_setautomntent(mapname, &ctx); + if (ret) { + fprintf(stderr, "setautomntent failed [%d]: %s\n", +diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c +index 482ff2c40..ef27cf895 100644 +--- a/src/sss_client/autofs/sss_autofs.c ++++ b/src/sss_client/autofs/sss_autofs.c +@@ -20,6 +20,7 @@ + + #include + #include ++#include + + #include "sss_client/autofs/sss_autofs_private.h" + #include "sss_client/sss_cli.h" +@@ -33,6 +34,32 @@ + /* How many entries shall _sss_getautomntent_r retrieve at once */ + #define GETAUTOMNTENT_MAX_ENTRIES 512 + ++static atomic_uint _protocol = 0; ++ ++unsigned int _sss_auto_protocol_version(unsigned int requested) ++{ ++ switch (requested) { ++ case 0: ++ /* EHOSTDOWN will be translated to ENOENT */ ++ _protocol = 0; ++ return 0; ++ default: ++ /* There is no other protocol version at this point. */ ++ _protocol = 1; ++ return 1; ++ } ++} ++ ++/* Returns correct errno based on autofs version expectations. */ ++static errno_t errnop_to_errno(int errnop) ++{ ++ if (errnop == EHOSTDOWN && _protocol == 0) { ++ return ENOENT; ++ } ++ ++ return errnop; ++} ++ + struct automtent { + char *mapname; + size_t cursor; +@@ -93,7 +120,7 @@ _sss_setautomntent(const char *mapname, void **context) + &repbuf, &replen, &errnop); + if (ret != SSS_STATUS_SUCCESS) { + free(name); +- ret = errnop; ++ ret = errnop_to_errno(errnop); + goto out; + } + +@@ -310,7 +337,7 @@ _sss_getautomntent_r(char **key, char **value, void *context) + &repbuf, &replen, &errnop); + free(data); + if (ret != SSS_STATUS_SUCCESS) { +- ret = errnop; ++ ret = errnop_to_errno(errnop); + goto out; + } + +@@ -408,7 +435,7 @@ _sss_getautomntbyname_r(const char *key, char **value, void *context) + &repbuf, &replen, &errnop); + free(data); + if (ret != SSS_STATUS_SUCCESS) { +- ret = errnop; ++ ret = errnop_to_errno(errnop); + goto out; + } + +@@ -467,7 +494,7 @@ _sss_endautomntent(void **context) + ret = sss_autofs_make_request(SSS_AUTOFS_ENDAUTOMNTENT, + NULL, NULL, NULL, &errnop); + if (ret != SSS_STATUS_SUCCESS) { +- ret = errnop; ++ ret = errnop_to_errno(errnop); + goto out; + } + +diff --git a/src/sss_client/autofs/sss_autofs.exports b/src/sss_client/autofs/sss_autofs.exports +index f9ce8f5b2..ec61f715e 100644 +--- a/src/sss_client/autofs/sss_autofs.exports ++++ b/src/sss_client/autofs/sss_autofs.exports +@@ -2,10 +2,11 @@ EXPORTED { + + # public functions + global: +- _sss_setautomntent; +- _sss_getautomntent_r; +- _sss_getautomntbyname_r; +- _sss_endautomntent; ++ _sss_auto_protocol_version; ++ _sss_setautomntent; ++ _sss_getautomntent_r; ++ _sss_getautomntbyname_r; ++ _sss_endautomntent; + + # everything else is local + local: +diff --git a/src/sss_client/autofs/sss_autofs_private.h b/src/sss_client/autofs/sss_autofs_private.h +index 6459c1cc7..7fd49db1d 100644 +--- a/src/sss_client/autofs/sss_autofs_private.h ++++ b/src/sss_client/autofs/sss_autofs_private.h +@@ -21,6 +21,11 @@ + #include + #include "util/util.h" + ++/** ++ * Choose an autofs protocol version to be used between autofs and sss_autofs. ++ */ ++unsigned int _sss_auto_protocol_version(unsigned int requested); ++ + /** + * Selects a map for processing. + */ +-- +2.21.3 + diff --git a/SOURCES/0033-configure-check-for-stdatomic.h.patch b/SOURCES/0033-configure-check-for-stdatomic.h.patch new file mode 100644 index 0000000..699c3f6 --- /dev/null +++ b/SOURCES/0033-configure-check-for-stdatomic.h.patch @@ -0,0 +1,28 @@ +From 075519bceca7a8f4fa28a0b7c538f2f50d552d13 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 26 Nov 2020 14:56:08 +0100 +Subject: [PATCH 18/18] configure: check for stdatomic.h + +Recent autofs patches adds dependency on automic_uint/_Atomic type from C11 +standard. This is supported in both gcc and clang for a long time now. + +Reviewed-by: Alexey Tikhonov +--- + configure.ac | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/configure.ac b/configure.ac +index 1af1d1785..0d24c4b35 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -42,6 +42,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES]) + AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) + + AC_CHECK_HEADERS(stdint.h dlfcn.h) ++AC_CHECK_HEADERS([stdatomic.h],,AC_MSG_ERROR([C11 atomic types are not supported])) + AC_CONFIG_HEADER(config.h) + + AC_CHECK_TYPES([errno_t], [], [], [[#include ]]) +-- +2.21.3 + diff --git a/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch b/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch new file mode 100644 index 0000000..5181137 --- /dev/null +++ b/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch @@ -0,0 +1,131 @@ +From 2499bd145f566bfd73b8c7e284b910dd2b36c6d1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 15 Jan 2021 12:04:38 +0100 +Subject: [PATCH] cache_req: ignore autofs not configured error + +Otherwise we return ERR_OFFLINE for domains where autofs provider is not +set (such as implicit files domain) which is undesirable. + +Steps to reproduce: +1. Enable implicit files domains and LDAP domain with autofs configured +2. Setup NFS server to export `/exports` with `/exports/home/test` +3. Add autofs mount points: +``` +dn: ou=mount,dc=ldap,dc=vm +ou: mount +objectClass: organizationalUnit +objectClass: top + +dn: nisMapName=auto.master,ou=mount,dc=ldap,dc=vm +objectClass: nisMap +objectClass: top +nisMapName: auto.master + +dn: cn=/export/home,nisMapName=auto.master,ou=mount,dc=ldap,dc=vm +objectClass: nisObject +objectClass: top +cn: /export/home +nisMapEntry: auto.home +nisMapName: auto.master + +dn: nisMapName=auto.home,ou=mount,dc=ldap,dc=vm +objectClass: nisMap +objectClass: top +nisMapName: auto.home + +dn: cn=/,nisMapName=auto.home,ou=mount,dc=ldap,dc=vm +objectClass: nisObject +objectClass: top +cn: / +nisMapEntry: -fstype=nfs,rw master.ldap.vm:/export/home/& +nisMapName: auto.home +``` +4. Run SSSD and autofs +5. cd to /exports/home/test + +The directory will not be mounted with the new autofs protocol. It +will succeed with the old protocol. In both versions, you'll see +that SSSD returned ERR_OFFLINE: + +``` +(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured +... +(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache +(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Object [auto.home:test] was not found in cache +(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache +(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline +``` + +Reviewed-by: Alexey Tikhonov +--- + .../cache_req/plugins/cache_req_autofs_entry_by_name.c | 10 +++++++++- + .../cache_req/plugins/cache_req_autofs_map_by_name.c | 10 +++++++++- + .../cache_req/plugins/cache_req_autofs_map_entries.c | 10 +++++++++- + 3 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +index cd2085187..f411fd351 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +@@ -92,7 +92,15 @@ bool + cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq, + struct cache_req *cr) + { +- return sbus_call_dp_autofs_GetEntry_recv(subreq) == EOK; ++ errno_t ret; ++ ++ ret = sbus_call_dp_autofs_GetEntry_recv(subreq); ++ ++ if (ret == ERR_MISSING_DP_TARGET) { ++ ret = EOK; ++ } ++ ++ return ret == EOK; + } + + const struct cache_req_plugin cache_req_autofs_entry_by_name = { +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +index 9d9bc3a97..c22cf0c8e 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +@@ -88,7 +88,15 @@ bool + cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq, + struct cache_req *cr) + { +- return sbus_call_dp_autofs_GetMap_recv(subreq) == EOK; ++ errno_t ret; ++ ++ ret = sbus_call_dp_autofs_GetMap_recv(subreq); ++ ++ if (ret == ERR_MISSING_DP_TARGET) { ++ ret = EOK; ++ } ++ ++ return ret == EOK; + } + + const struct cache_req_plugin cache_req_autofs_map_by_name = { +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +index ee0156b6a..4d9db6595 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +@@ -120,7 +120,15 @@ bool + cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq, + struct cache_req *cr) + { +- return sbus_call_dp_autofs_Enumerate_recv(subreq) == EOK; ++ errno_t ret; ++ ++ ret = sbus_call_dp_autofs_Enumerate_recv(subreq); ++ ++ if (ret == ERR_MISSING_DP_TARGET) { ++ ret = EOK; ++ } ++ ++ return ret == EOK; + } + + const struct cache_req_plugin cache_req_autofs_map_entries = { +-- +2.21.3 + diff --git a/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch b/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch new file mode 100644 index 0000000..5cd16fa --- /dev/null +++ b/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch @@ -0,0 +1,100 @@ +From 19c2c641e669ee1c08d6706c132625dc30e64609 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 12 Jan 2021 16:40:56 +0100 +Subject: [PATCH] simple: fix memory leak while reloading lists + +The simple access provider will reload the access and deny lists at +runtime to make sure that users and groups from domains which are +discovered at runtime are properly processed. + +While reloading the lists the original lists are not freed and an +intermediate list wasn't removed as well. + +Resolves: https://github.com/SSSD/sssd/issues/5456 + +:fixes: Memory leak in the simple access provider + +Reviewed-by: Alexey Tikhonov +--- + src/providers/simple/simple_access.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c +index 1868569b1..49226adf2 100644 +--- a/src/providers/simple/simple_access.c ++++ b/src/providers/simple/simple_access.c +@@ -117,17 +117,13 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx) + const char *name; + const char *option; + char **orig_list; +- char ***ctx_list; ++ char **ctx_list; + } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL}, + {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL}, + {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL}, + {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL}, + {NULL, NULL, NULL, NULL}}; + +- lists[0].ctx_list = &ctx->allow_users; +- lists[1].ctx_list = &ctx->deny_users; +- lists[2].ctx_list = &ctx->allow_groups; +- lists[3].ctx_list = &ctx->deny_groups; + + ret = sysdb_master_domain_update(bectx->domain); + if (ret != EOK) { +@@ -141,7 +137,6 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx) + lists[i].option, &lists[i].orig_list); + if (ret == ENOENT) { + DEBUG(SSSDBG_FUNC_DATA, "%s list is empty.\n", lists[i].name); +- *lists[i].ctx_list = NULL; + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string_as_list failed.\n"); +@@ -149,7 +144,8 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx) + } + + ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list, +- lists[i].ctx_list); ++ &lists[i].ctx_list); ++ talloc_free(lists[i].orig_list); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse %s list [%d]: %s\n", + lists[i].name, ret, sss_strerror(ret)); +@@ -157,6 +153,18 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx) + } + } + ++ talloc_free(ctx->allow_users); ++ ctx->allow_users = talloc_steal(ctx, lists[0].ctx_list); ++ ++ talloc_free(ctx->deny_users); ++ ctx->deny_users = talloc_steal(ctx, lists[1].ctx_list); ++ ++ talloc_free(ctx->allow_groups); ++ ctx->allow_groups = talloc_steal(ctx, lists[2].ctx_list); ++ ++ talloc_free(ctx->deny_groups); ++ ctx->deny_groups = talloc_steal(ctx, lists[3].ctx_list); ++ + if (!ctx->allow_users && + !ctx->allow_groups && + !ctx->deny_users && +@@ -165,9 +173,15 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx) + "No rules supplied for simple access provider. " + "Access will be granted for all users.\n"); + } ++ ++ + return EOK; + + failed: ++ for (i = 0; lists[i].name != NULL; i++) { ++ talloc_free(lists[i].ctx_list); ++ } ++ + return ret; + } + +-- +2.21.3 + diff --git a/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch b/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch new file mode 100644 index 0000000..d432682 --- /dev/null +++ b/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch @@ -0,0 +1,38 @@ +From bdf461c7577c458d7b2a785b2007c0ccae73e3f7 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 11 Jan 2021 18:28:02 +0100 +Subject: [PATCH] SBUS: do not try to del non existing sender +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: https://github.com/SSSD/sssd/issues/5425 + +Reviewed-by: Pavel Březina +--- + src/sbus/request/sbus_request_sender.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/sbus/request/sbus_request_sender.c b/src/sbus/request/sbus_request_sender.c +index cecb188b0..39cdec064 100644 +--- a/src/sbus/request/sbus_request_sender.c ++++ b/src/sbus/request/sbus_request_sender.c +@@ -101,10 +101,11 @@ void + sbus_senders_delete(hash_table_t *table, + const char *name) + { +- DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n", +- name); +- +- sss_ptr_hash_delete(table, name, true); ++ if (sss_ptr_hash_has_key(table, name)) { ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n", ++ name); ++ sss_ptr_hash_delete(table, name, true); ++ } + } + + errno_t +-- +2.21.3 + diff --git a/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch b/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch new file mode 100644 index 0000000..cb06e15 --- /dev/null +++ b/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch @@ -0,0 +1,34 @@ +From c0ae6d34ff7c170ca0e6d0faa8a2daf9a77becb7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 8 Jan 2021 14:00:47 +0100 +Subject: [PATCH] pamsrv_gssapi: fix implicit conversion warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +src/responder/pam/pamsrv_gssapi.c: In function ‘pam_cmd_gssapi_sec_ctx’: +src/responder/pam/pamsrv_gssapi.c:716:64: error: implicit conversion from ‘enum sss_domain_type’ to ‘enum cache_req_dom_type’ [-Werror=enum-conversion] + 716 | cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX, + +Reviewed-by: Alexey Tikhonov +--- + src/responder/pam/pamsrv_gssapi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c +index 099675e1c..2d05c7888 100644 +--- a/src/responder/pam/pamsrv_gssapi.c ++++ b/src/responder/pam/pamsrv_gssapi.c +@@ -713,7 +713,8 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx) + DEBUG(SSSDBG_TRACE_FUNC, "Checking that target user matches UPN\n"); + + req = cache_req_user_by_upn_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx, +- cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX, ++ cli_ctx->rctx->ncache, 0, ++ CACHE_REQ_POSIX_DOM, + domain->name, state->authenticated_upn); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); +-- +2.21.3 + diff --git a/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch b/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch new file mode 100644 index 0000000..d4ea08c --- /dev/null +++ b/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch @@ -0,0 +1,34 @@ +From cc173629f30fbc885ee90e52a205554b118e0ee6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 11 Jan 2021 13:11:39 +0100 +Subject: [PATCH 38/39] gssapi: default pam_gssapi_services to NULL in domain + section + +We need to distinguish when the option is not set in domain section and when +it is is explicitly disabled. Now if it is not set, domain->gssapi_services +is NULL and we'll use value from the pam section. + +Without this change, the value in the pam section is ignored. + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Sumit Bose +--- + src/confdb/confdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index 2881ce5da..befcfff2d 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1582,7 +1582,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, + } + + tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES, +- "-"); ++ NULL); + if (tmp != NULL) { + ret = split_on_separator(domain, tmp, ',', true, true, + &domain->gssapi_services, NULL); +-- +2.21.3 + diff --git a/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch b/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch new file mode 100644 index 0000000..cd37baf --- /dev/null +++ b/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch @@ -0,0 +1,133 @@ +From 111b8b4d62a4fe192c075e6f6bfacb408e6074b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 12 Jan 2021 13:50:11 +0100 +Subject: [PATCH 39/39] pam_sss_gssapi: fix coverity issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +``` +1. Defect type: RESOURCE_LEAK +7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to. +Expand +2. Defect type: RESOURCE_LEAK +3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to. +Expand +3. Defect type: RESOURCE_LEAK +7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to. +Expand +4. Defect type: RESOURCE_LEAK +6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to. +Expand +5. Defect type: RESOURCE_LEAK +7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to. +Expand +6. Defect type: RESOURCE_LEAK +7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to. + +1. Defect type: CLANG_WARNING +1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username' +Expand +2. Defect type: CLANG_WARNING +1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn' +Expand +3. Defect type: CLANG_WARNING +1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target' +Expand +4. Defect type: CLANG_WARNING +1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain' +``` + +Also fix compilation warning +``` +../src/sss_client/pam_sss_gss.c:339:5: warning: ‘reply’ may be used uninitialized in this function [-Wmaybe-uninitialized] + 339 | free(reply); + | ^~~~~~~~~~~ +../src/sss_client/pam_sss_gss.c:328:14: note: ‘reply’ was declared here + 328 | uint8_t *reply; + | ^~~~~ +../src/sss_client/pam_sss_gss.c:270:11: warning: ‘reply_len’ may be used uninitialized in this function [-Wmaybe-uninitialized] + 270 | upn = malloc(reply_len * sizeof(char)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../src/sss_client/pam_sss_gss.c:327:12: note: ‘reply_len’ was declared here + 327 | size_t reply_len; + | ^~~~~~~~~ +``` + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Sumit Bose +--- + src/sss_client/pam_sss_gss.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c +index cd38db7da..51be36ece 100644 +--- a/src/sss_client/pam_sss_gss.c ++++ b/src/sss_client/pam_sss_gss.c +@@ -195,6 +195,8 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh, + struct sss_cli_req_data req_data; + size_t service_len; + size_t user_len; ++ size_t reply_len; ++ uint8_t *reply = NULL; + uint8_t *data; + errno_t ret; + int ret_errno; +@@ -217,7 +219,7 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh, + + req_data.data = data; + +- ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len, ++ ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, &reply, &reply_len, + &ret_errno); + free(data); + if (ret != PAM_SUCCESS) { +@@ -233,6 +235,16 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh, + return (ret_errno != EOK) ? ret_errno : EIO; + } + ++ if (ret_errno == EOK) { ++ *_reply = reply; ++ *_reply_len = reply_len; ++ } else { ++ /* We got PAM_SUCCESS therefore the communication with SSSD was ++ * successful and we have received a reply buffer. We just don't care ++ * about it, we are only interested in the error code. */ ++ free(reply); ++ } ++ + return ret_errno; + } + +@@ -257,7 +269,8 @@ static errno_t sssd_gssapi_init_recv(uint8_t *reply, + target = malloc(reply_len * sizeof(char)); + upn = malloc(reply_len * sizeof(char)); + if (username == NULL || domain == NULL || target == NULL || upn == NULL) { +- return ENOMEM; ++ ret = ENOMEM; ++ goto done; + } + + buf = (const char*)reply; +@@ -311,8 +324,8 @@ static errno_t sssd_gssapi_init(pam_handle_t *pamh, + char **_target, + char **_upn) + { +- size_t reply_len; +- uint8_t *reply; ++ size_t reply_len = 0; ++ uint8_t *reply = NULL; + errno_t ret; + + ret = sssd_gssapi_init_send(pamh, pam_service, pam_user, &reply, +@@ -549,6 +562,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, + + done: + sss_pam_close_fd(); ++ free(username); + free(domain); + free(target); + free(upn); +-- +2.21.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index a05bfb9..ebb7edc 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -26,7 +26,7 @@ Name: sssd Version: 2.4.0 -Release: 5%{?dist} +Release: 6%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -61,6 +61,18 @@ Patch0024: 0024-pam-fix-typo-in-debug-message.patch Patch0025: 0025-pam-add-pam_gssapi_services-option.patch Patch0026: 0026-pam-add-pam_gssapi_check_upn-option.patch Patch0027: 0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch +Patch0028: 0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch +Patch0029: 0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch +Patch0030: 0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch +Patch0031: 0031-autofs-disable-fast-reply.patch +Patch0032: 0032-autofs-correlate-errors-for-different-protocol-versi.patch +Patch0033: 0033-configure-check-for-stdatomic.h.patch +Patch0034: 0034-cache_req-ignore-autofs-not-configured-error.patch +Patch0035: 0035-simple-fix-memory-leak-while-reloading-lists.patch +Patch0036: 0036-SBUS-do-not-try-to-del-non-existing-sender.patch +Patch0037: 0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch +Patch0038: 0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch +Patch0039: 0039-pam_sss_gssapi-fix-coverity-issues.patch ### Downstream Patches ### @@ -1236,6 +1248,12 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Mon Jan 18 2021 Alexey Tikhonov - 2.4.0-6 +- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched +- Resolves: rhbz#1915395 - Memory leak in the simple access provider +- Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup +- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches) + * Mon Dec 28 2020 Alexey Tikhonov - 2.4.0-5 - Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches)