packages/sssd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some patches

Browse Source
This commit is contained in:
hzero1996 2023-11-28 15:51:33 +08:00
parent 0e94db44d3
commit 08424ac466
8 changed files with 1195 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
backport-KCM-Display-in-the-log-the-limit-as-set-by-the-user.patch Normal file
View File

@ -0,0 +1,42 @@
From 96d8b77ae6e7d1dd72b9add553935fc4aa6ab2c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Mon, 9 Oct 2023 10:56:08 +0200
Subject: [PATCH] KCM: Display in the log the limit as set by the user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
max_uid_ccaches is unconditionally incremented by 2 in ccdb_secdb_init()
to create space for some internal entries. We cannot just show this
value as it is not what the user configured.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/96d8b77ae6e7d1dd72b9add553935fc4aa6ab2c5
Conflict: NA
---
src/responder/kcm/secrets/secrets.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 4dc748c3b..8f32c63e9 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -381,11 +381,12 @@ static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx,
ret = local_db_remove_oldest_expired_secret(res, req);
if (ret != EOK) {
if (ret == ERR_NO_MATCHING_CREDS) {
+ /* max_uid_secrets is incremented by 2 for internal entries. */
DEBUG(SSSDBG_OP_FAILURE,
"Cannot store any more secrets for this client (basedn %s) "
"as the maximum allowed limit (%d) has been reached\n",
ldb_dn_get_linearized(cli_basedn),
- req->quota->max_uid_secrets);
+ req->quota->max_uid_secrets - 2);
ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
}
goto done;
--
2.33.0

299
backport-KCM-Remove-the-oldest-expired-credential-if-no-more-.patch Normal file
View File

@ -0,0 +1,299 @@
From 93ee0159a0f467ced3412d034ec706dd3508901e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Tue, 3 Oct 2023 12:39:49 +0200
Subject: [PATCH] KCM: Remove the oldest expired credential if no more space.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
:feature: When adding a new credential to KCM and the user has
already reached their limit, the oldest expired credential
will be removed to free some space.
If no expired credential is found to be removed, the operation
will fail as it happened in the previous versions.
Resolves: https://github.com/SSSD/sssd/issues/6667
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/93ee0159a0f467ced3412d034ec706dd3508901e
Conflict: NA
---
src/responder/kcm/secrets/secrets.c | 203 +++++++++++++++++++++++++---
1 file changed, 186 insertions(+), 17 deletions(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 025d1c421..4dc748c3b 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -18,15 +18,18 @@
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "config.h"
+#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
-#include <fcntl.h>
+#include <time.h>
#include <uuid/uuid.h>
-#include "config.h"
-
+#include "responder/kcm/kcmsrv_ccache.h"
#include "util/util.h"
+#include "util/util_creds.h"
+#include "util/sss_iobuf.h"
#include "util/strtonum.h"
#include "util/crypto/sss_crypto.h"
#include "sec_pvt.h"
@@ -50,6 +53,10 @@ static struct sss_sec_quota default_kcm_quota = {
.containers_nest_level = DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
};
+static char *local_dn_to_path(TALLOC_CTX *mem_ctx,
+ struct ldb_dn *basedn,
+ struct ldb_dn *dn);
+
static int local_db_check_containers(TALLOC_CTX *mem_ctx,
struct sss_sec_ctx *sec_ctx,
struct ldb_dn *leaf_dn)
@@ -181,11 +188,166 @@ static struct ldb_dn *per_uid_container(TALLOC_CTX *mem_ctx,
return uid_base_dn;
}
+static errno_t get_secret_expiration_time(uint8_t *key, size_t key_length,
+ uint8_t *sec, size_t sec_length,
+ time_t *_expiration)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ time_t expiration = 0;
+ struct cli_creds client = {};
+ struct kcm_ccache *cc;
+ struct sss_iobuf *iobuf;
+ krb5_creds **cred_list, **cred;
+ const char *key_str;
+
+ if (_expiration == NULL) {
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ key_str = talloc_strndup(tmp_ctx, (const char *) key, key_length);
+ if (key_str == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ iobuf = sss_iobuf_init_readonly(tmp_ctx, sec, sec_length);
+ if (iobuf == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sec_kv_to_ccache_binary(tmp_ctx, key_str, iobuf, &client, &cc);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ cred_list = kcm_cc_unmarshal(tmp_ctx, NULL, cc);
+ if (cred_list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (cred = cred_list; *cred != NULL; cred++) {
+ if ((*cred)->times.endtime != 0) {
+ expiration = (time_t) (*cred)->times.endtime;
+ break;
+ }
+ }
+
+ *_expiration = expiration;
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t local_db_remove_oldest_expired_secret(struct ldb_result *res,
+ struct sss_sec_req *req)
+{
+ struct sss_sec_req *new_req = NULL;
+ const struct ldb_val *val;
+ const struct ldb_val *rdn;
+ struct ldb_message *msg;
+ struct ldb_message_element *elem;
+ struct ldb_dn *basedn;
+ struct ldb_dn *oldest_dn = NULL;
+ time_t oldest_time = time(NULL);
+ time_t expiration;
+ unsigned int i;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing the oldest expired credential\n");
+ /* Between all the messages in result, there is also the key we are
+ * currently treating, but because yet it doesn't have an expiration time,
+ * it will be skipped.
+ */
+ for (i = 0; i < res->count; i++) {
+ msg = res->msgs[i];
+
+ /* Skip cn=default,... or any non cn=... */
+ rdn = ldb_dn_get_rdn_val(msg->dn);
+ if (strcmp(ldb_dn_get_rdn_name(msg->dn), "cn") != 0
+ || strncmp("default", (char *) rdn->data, rdn->length) == 0) {
+ continue;
+ }
+
+ elem = ldb_msg_find_element(msg, SEC_ATTR_SECRET);
+ if (elem != NULL) {
+ if (elem->num_values != 1) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Element %s has %u values. Ignoring it.\n",
+ SEC_ATTR_SECRET, elem->num_values);
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ val = &elem->values[0];
+ ret = get_secret_expiration_time(rdn->data, rdn->length,
+ val->data, val->length,
+ &expiration);
+ if (ret != EOK) {
+ goto done;
+ }
+ if (expiration > 0 && expiration < oldest_time) {
+ oldest_dn = msg->dn;
+ oldest_time = expiration;
+ }
+ }
+ }
+
+ if (oldest_dn == NULL) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found no expired credential to remove\n");
+ ret = ERR_NO_MATCHING_CREDS;
+ goto done;
+ }
+
+ new_req = talloc_zero(NULL, struct sss_sec_req);
+ if (new_req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate the new request\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ basedn = ldb_dn_new(new_req, req->sctx->ldb, req->basedn);
+ if (basedn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create a dn: %s\n", req->basedn);
+ ret = EINVAL;
+ goto done;
+ }
+
+ new_req->basedn = req->basedn;
+ new_req->quota = req->quota;
+ new_req->req_dn = oldest_dn;
+ new_req->sctx = req->sctx;
+ new_req->path = local_dn_to_path(new_req, basedn, oldest_dn);
+ if (new_req->path == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create the path\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sss_sec_delete(new_req);
+
+done:
+ if (new_req != NULL)
+ talloc_free(new_req);
+
+ return ret;
+}
+
+
static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx,
struct sss_sec_req *req)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = { NULL };
+ static const char *attrs[] = { SEC_ATTR_SECRET, NULL };
struct ldb_result *res = NULL;
struct ldb_dn *cli_basedn = NULL;
int ret;
@@ -214,13 +376,20 @@ static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx,
}
if (res->count >= req->quota->max_uid_secrets) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot store any more secrets for this client (basedn %s) "
- "as the maximum allowed limit (%d) has been reached\n",
- ldb_dn_get_linearized(cli_basedn),
- req->quota->max_uid_secrets);
- ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
- goto done;
+ /* We reached the limit. Let's try to removed the
+ * oldest expired credential to free some space. */
+ ret = local_db_remove_oldest_expired_secret(res, req);
+ if (ret != EOK) {
+ if (ret == ERR_NO_MATCHING_CREDS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot store any more secrets for this client (basedn %s) "
+ "as the maximum allowed limit (%d) has been reached\n",
+ ldb_dn_get_linearized(cli_basedn),
+ req->quota->max_uid_secrets);
+ ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
+ }
+ goto done;
+ }
}
ret = EOK;
@@ -808,15 +977,15 @@ errno_t sss_sec_put(struct sss_sec_req *req,
goto done;
}
- ret = local_db_check_number_of_secrets(msg, req);
+ ret = local_db_check_peruid_number_of_secrets(msg, req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "local_db_check_number_of_secrets failed [%d]: %s\n",
+ "local_db_check_peruid_number_of_secrets failed [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
- ret = local_db_check_peruid_number_of_secrets(msg, req);
+ ret = local_db_check_number_of_secrets(msg, req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"local_db_check_number_of_secrets failed [%d]: %s\n",
@@ -905,15 +1074,15 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
- ret = local_db_check_number_of_secrets(msg, req);
+ ret = local_db_check_peruid_number_of_secrets(msg, req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "local_db_check_number_of_secrets failed [%d]: %s\n",
+ "local_db_check_peruid_number_of_secrets failed [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
- ret = local_db_check_peruid_number_of_secrets(msg, req);
+ ret = local_db_check_number_of_secrets(msg, req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"local_db_check_number_of_secrets failed [%d]: %s\n",
--
2.33.0

39
backport-Proxy-Avoid-ldb_modify-failed-error.patch Normal file
View File

@ -0,0 +1,39 @@
From eebb43def9e93c039203993c67148bfdc72c18ad Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Wed, 23 Aug 2023 15:15:26 -0400
Subject: [PATCH] Proxy: Avoid ldb_modify failed error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves the sysdb errors returned in the proxy provider
logs when proxy_fast_alias is True.
This extraneous memset call would overwrite the previously
returned pwd buffer, therefore an attempt was made to update
the user's SYSDB_PWD with an empty value causing the error.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/eebb43def9e93c039203993c67148bfdc72c18ad
Conflict: NA
---
src/providers/proxy/proxy_id.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index db6bbb2f0..9e7722eb0 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -1418,7 +1418,6 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
}
uid = pwd->pw_uid;
- memset(buffer, 0, buflen);
/* Canonicalize the username in case it was actually an alias */
if (ctx->fast_alias == true) {
--
2.33.0

37
backport-cli-caculate-the-wait_time-in-milliseconds.patch Normal file
View File

@ -0,0 +1,37 @@
From a997ee7bd9d259e7faf654cb94145c0135df02f8 Mon Sep 17 00:00:00 2001
From: licunlong <shenxiaogll@163.com>
Date: Fri, 29 Sep 2023 12:24:45 +0800
Subject: [PATCH] cli: caculate the wait_time in milliseconds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The timeout we pass in is 300000ms, and we sleep 1s every
time we get a EAGAIN error, so we need to multiply 1000
for sleep_time.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/a997ee7bd9d259e7faf654cb94145c0135df02f8
Conflict: NA
---
src/sss_client/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 53ff6e8e9..c80c8e74b 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -617,7 +617,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
socklen_t errnosize;
struct pollfd pfd;
- wait_time += sleep_time;
+ wait_time += sleep_time * 1000;
ret = connect(sd, (struct sockaddr *)&nssaddr,
sizeof(nssaddr));
--
2.33.0

140
backport-dyndns-PTR-record-updates-separately.patch Normal file
View File

@ -0,0 +1,140 @@
From f0bba9d5178d18e7b08aaa58375916d111dfeb59 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Tue, 26 Sep 2023 11:05:13 +0200
Subject: [PATCH] dyndns: PTR record updates separately
DNS server does not allow updates for different zones in one
single step. Those updates must be sent separately.
It is complicated and in some cases impossible to detect that
PTR updates does not fit into one zone because it often depends
on DNS server configuration.
With this patch PTR record updates are always sent separately.
Resolves: https://github.com/SSSD/sssd/issues/6956
Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/f0bba9d5178d18e7b08aaa58375916d111dfeb59
Conflict: NA
---
src/man/sssd-ad.5.xml | 5 +++++
src/man/sssd-ipa.5.xml | 5 +++++
src/providers/be_dyndns.c | 18 +++---------------
src/tests/cmocka/test_dyndns.c | 5 +++++
4 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 65778124b..082e97e52 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -1262,6 +1262,11 @@ ad_gpo_map_deny = +my_pam_service
updated when updating the client's DNS records.
Applicable only when dyndns_update is true.
</para>
+ <para>
+ Note that <emphasis>dyndns_update_per_family</emphasis>
+ parameter does not apply for PTR record updates.
+ Those updates are always sent separately.
+ </para>
<para>
Default: True
</para>
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index aa6ff2380..4802ce866 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -286,6 +286,11 @@
PTR records automatically when forward records
are changed.
</para>
+ <para>
+ Note that <emphasis>dyndns_update_per_family</emphasis>
+ parameter does not apply for PTR record updates.
+ Those updates are always sent separately.
+ </para>
<para>
Default: False (disabled)
</para>
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
index 2de9a13a9..2c655ef1e 100644
--- a/src/providers/be_dyndns.c
+++ b/src/providers/be_dyndns.c
@@ -402,7 +402,7 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses,
}
updateipv4 = talloc_asprintf_append(updateipv4,
- "update add %s %d in PTR %s.\n",
+ "update add %s %d in PTR %s.\nsend\n",
ptr, ttl, hostname);
break;
case AF_INET6:
@@ -415,7 +415,7 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses,
}
}
updateipv6 = talloc_asprintf_append(updateipv6,
- "update add %s %d in PTR %s.\n",
+ "update add %s %d in PTR %s.\nsend\n",
ptr, ttl, hostname);
break;
}
@@ -426,21 +426,9 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses,
}
}
- if (update_per_family && updateipv4[0] && updateipv6[0]) {
- /* update per family and both families present */
- return talloc_asprintf_append(update_msg,
- "%s"
- "send\n"
- "%s"
- "send\n",
- updateipv4,
- updateipv6);
- }
-
return talloc_asprintf_append(update_msg,
"%s"
- "%s"
- "send\n",
+ "%s",
updateipv4,
updateipv6);
}
diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c
index 1ef5a9019..7526c16a8 100644
--- a/src/tests/cmocka/test_dyndns.c
+++ b/src/tests/cmocka/test_dyndns.c
@@ -663,11 +663,13 @@ void dyndns_test_create_ptr_msg(void **state)
assert_string_equal(msg,
"\nupdate delete 1.0.168.192.in-addr.arpa. in PTR\n"
"update add 1.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 2.0.168.192.in-addr.arpa. in PTR\n"
"update add 2.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n"
"send\n"
"update delete 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n"
"update add 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n"
"update add 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n"
"send\n");
@@ -680,10 +682,13 @@ void dyndns_test_create_ptr_msg(void **state)
assert_string_equal(msg,
"\nupdate delete 1.0.168.192.in-addr.arpa. in PTR\n"
"update add 1.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 2.0.168.192.in-addr.arpa. in PTR\n"
"update add 2.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n"
"update add 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n"
"update add 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n"
"send\n");
--
2.33.0

220
backport-ipa-do-not-go-offline-if-group-does-not-have-SID.patch Normal file
View File

@ -0,0 +1,220 @@
From 26047f07c0f7aa61a44543de8674ec7d0904812e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 10 Aug 2023 13:16:51 +0200
Subject: [PATCH] ipa: do not go offline if group does not have SID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This happens during applying overrides on cached group
during initgroups of trusted user. If the group does not
have SID (it's GID is outside the sidgen range), SSSD goes
offline.
Only SSSD running in server_mode is affected.
This patch ignores error in single group and rather continues
processing the remaining groups.
Resolves: https://github.com/SSSD/sssd/issues/6942
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/26047f07c0f7aa61a44543de8674ec7d0904812e
Conflict: NA
---
src/providers/ipa/ipa_id.c | 97 +++++++++----------
src/tests/system/tests/test_trust_identity.py | 61 ++++++++++++
2 files changed, 109 insertions(+), 49 deletions(-)
create mode 100644 src/tests/system/tests/test_trust_identity.py
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index 636e07965..fcac56ce2 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -291,66 +291,65 @@ static int ipa_initgr_get_overrides_step(struct tevent_req *req)
int ret;
struct tevent_req *subreq;
const char *ipa_uuid;
+ const char *dn;
struct ipa_initgr_get_overrides_state *state = tevent_req_data(req,
struct ipa_initgr_get_overrides_state);
- DEBUG(SSSDBG_TRACE_LIBS,
- "Processing group %zu/%zu\n", state->group_idx, state->group_count);
+ for (; state->group_idx < state->group_count; state->group_idx++) {
+ dn = ldb_dn_get_linearized(state->groups[state->group_idx]->dn);
- if (state->group_idx >= state->group_count) {
- return EOK;
- }
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing group %s (%zu/%zu)\n",
+ dn, state->group_idx, state->group_count);
- ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx],
- state->groups_id_attr, NULL);
- if (ipa_uuid == NULL) {
- /* This should never happen, the search filter used to get the list
- * of groups includes "uuid=*"
- */
- DEBUG(SSSDBG_OP_FAILURE,
- "The group %s has no UUID attribute %s, error!\n",
- ldb_dn_get_linearized(state->groups[state->group_idx]->dn),
- state->groups_id_attr);
- return EINVAL;
- }
+ ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx],
+ state->groups_id_attr, NULL);
+ if (ipa_uuid == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "The group %s has no UUID attribute %s, error!\n",
+ dn, state->groups_id_attr);
+ continue;
+ }
- talloc_free(state->ar); /* Avoid spiking memory with many groups */
+ talloc_free(state->ar); /* Avoid spiking memory with many groups */
- if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) {
- ret = get_dp_id_data_for_uuid(state, ipa_uuid,
- state->user_dom->name, &state->ar);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
- return ret;
- }
- } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) {
- ret = get_dp_id_data_for_sid(state, ipa_uuid,
- state->user_dom->name, &state->ar);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
- return ret;
+ if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) {
+ ret = get_dp_id_data_for_uuid(state, ipa_uuid,
+ state->user_dom->name, &state->ar);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
+ return ret;
+ }
+ } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) {
+ ret = get_dp_id_data_for_sid(state, ipa_uuid,
+ state->user_dom->name, &state->ar);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
+ return ret;
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n",
+ state->groups_id_attr);
+ return EINVAL;
}
- } else {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n",
- state->groups_id_attr);
- return EINVAL;
- }
- DEBUG(SSSDBG_TRACE_LIBS, "Fetching group %s\n", ipa_uuid);
+ DEBUG(SSSDBG_TRACE_LIBS, "Fetching group %s: %s\n", dn, ipa_uuid);
- subreq = ipa_get_ad_override_send(state, state->ev,
- state->ipa_ctx->sdap_id_ctx,
- state->ipa_ctx->ipa_options,
- state->realm,
- state->ipa_ctx->view_name,
- state->ar);
- if (subreq == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
- return ENOMEM;
+ subreq = ipa_get_ad_override_send(state, state->ev,
+ state->ipa_ctx->sdap_id_ctx,
+ state->ipa_ctx->ipa_options,
+ state->realm,
+ state->ipa_ctx->view_name,
+ state->ar);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq,
+ ipa_initgr_get_overrides_override_done, req);
+ return EAGAIN;
}
- tevent_req_set_callback(subreq,
- ipa_initgr_get_overrides_override_done, req);
- return EAGAIN;
+
+ return EOK;
}
static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq)
diff --git a/src/tests/system/tests/test_trust_identity.py b/src/tests/system/tests/test_trust_identity.py
new file mode 100644
index 000000000..9076b8724
--- /dev/null
+++ b/src/tests/system/tests/test_trust_identity.py
@@ -0,0 +1,61 @@
+"""
+Identity of trusted users and groups.
+
+:requirement: IDM-SSSD-REQ: Testing SSSD in IPA Provider
+"""
+
+from __future__ import annotations
+
+import pytest
+from sssd_test_framework.roles.generic import GenericADProvider
+from sssd_test_framework.roles.ipa import IPA
+from sssd_test_framework.topology import KnownTopologyGroup
+
+
+@pytest.mark.importance("low")
+@pytest.mark.ticket(jira="RHEL-3925", gh=6942)
+@pytest.mark.topology(KnownTopologyGroup.IPATrust)
+def test_trust_identity__group_without_sid(ipa: IPA, trusted: GenericADProvider):
+ """
+ :title: Subdomain goes offline if IPA group is missing SID
+ :setup:
+ 1. Create IPA external group "external-group" and add AD user "Administrator" as a member
+ 2. Create IPA posix group "posix-group" and add "external-group" as a member
+ 3. Clear SSSD cache and logs on IPA server
+ 4. Restart SSSD on IPA server
+ :steps:
+ 1. Resolve user "Administrator@addomain"
+ 2. Expire user "Administrator@addomain"
+ 3. Resolve user "Administrator@addomain"
+ 4. Run "sssctl domain-status addomain"
+ :expectedresults:
+ 1. User is resolved and member of posix-group
+ 2. User is expired in SSSD cache
+ 3. User is resolved and member of posix-group
+ 4. The Active Directory domain is still online
+ :customerscenario: True
+ """
+ username = trusted.fqn("administrator")
+ external = ipa.group("external-group").add(external=True).add_member(username)
+ ipa.group("posix-group").add(gid=5001).add_member(external)
+
+ ipa.sssd.clear(db=True, memcache=True, logs=True)
+ ipa.sssd.restart()
+
+ # Cache trusted user
+ result = ipa.tools.id(username)
+ assert result is not None
+ assert result.user.name == username
+ assert result.memberof("posix-group")
+
+ # Expire the user and resolve it again, this will trigger the affected code path
+ ipa.sssctl.cache_expire(user=username)
+ result = ipa.tools.id(username)
+ assert result is not None
+ assert result.user.name == username
+ assert result.memberof("posix-group")
+
+ # Check that SSSD did not go offline
+ status = ipa.sssctl.domain_status(trusted.domain, online=True)
+ assert "online status: offline" not in status.stdout.lower()
+ assert "online status: online" in status.stdout.lower()
--
2.33.0

407
backport-sss_iface-do-not-add-cli_id-to-chain-key.patch Normal file
View File

@ -0,0 +1,407 @@
From 1e5dfc187c7659cca567d2f7d5592e72794ef13c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 4 Sep 2023 14:12:58 +0200
Subject: [PATCH] sss_iface: do not add cli_id to chain key
Otherwise we only chain identical requests from the same client
which effectively renders chaining not functional.
Resolves: https://github.com/SSSD/sssd/issues/6911
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/1e5dfc187c7659cca567d2f7d5592e72794ef13c
Conflict: NA
---
src/sss_iface/sbus_sss_client_async.c | 12 +++----
src/sss_iface/sbus_sss_interface.h | 24 ++++++-------
src/sss_iface/sbus_sss_keygens.c | 50 +++++++++++++--------------
src/sss_iface/sbus_sss_keygens.h | 10 +++---
src/sss_iface/sss_iface.xml | 12 +++----
5 files changed, 54 insertions(+), 54 deletions(-)
diff --git a/src/sss_iface/sbus_sss_client_async.c b/src/sss_iface/sbus_sss_client_async.c
index 042d1b7b3..5ca925283 100644
--- a/src/sss_iface/sbus_sss_client_async.c
+++ b/src/sss_iface/sbus_sss_client_async.c
@@ -1861,7 +1861,7 @@ sbus_call_dp_autofs_Enumerate_send
const char * arg_mapname,
uint32_t arg_cli_id)
{
- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
+ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
busname, object_path, "sssd.DataProvider.Autofs", "Enumerate", arg_dp_flags, arg_mapname, arg_cli_id);
}
@@ -1883,7 +1883,7 @@ sbus_call_dp_autofs_GetEntry_send
const char * arg_entryname,
uint32_t arg_cli_id)
{
- return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2_3,
+ return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2,
busname, object_path, "sssd.DataProvider.Autofs", "GetEntry", arg_dp_flags, arg_mapname, arg_entryname, arg_cli_id);
}
@@ -1904,7 +1904,7 @@ sbus_call_dp_autofs_GetMap_send
const char * arg_mapname,
uint32_t arg_cli_id)
{
- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
+ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
busname, object_path, "sssd.DataProvider.Autofs", "GetMap", arg_dp_flags, arg_mapname, arg_cli_id);
}
@@ -2142,7 +2142,7 @@ sbus_call_dp_dp_getAccountDomain_send
const char * arg_filter,
uint32_t arg_cli_id)
{
- return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2_3,
+ return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2,
busname, object_path, "sssd.dataprovider", "getAccountDomain", arg_dp_flags, arg_entry_type, arg_filter, arg_cli_id);
}
@@ -2170,7 +2170,7 @@ sbus_call_dp_dp_getAccountInfo_send
const char * arg_extra,
uint32_t arg_cli_id)
{
- return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4_5,
+ return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4,
busname, object_path, "sssd.dataprovider", "getAccountInfo", arg_dp_flags, arg_entry_type, arg_filter, arg_domain, arg_extra, arg_cli_id);
}
@@ -2267,7 +2267,7 @@ sbus_call_dp_dp_resolverHandler_send
const char * arg_filter_value,
uint32_t arg_cli_id)
{
- return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3_4,
+ return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3,
busname, object_path, "sssd.dataprovider", "resolverHandler", arg_dp_flags, arg_entry_type, arg_filter_type, arg_filter_value, arg_cli_id);
}
diff --git a/src/sss_iface/sbus_sss_interface.h b/src/sss_iface/sbus_sss_interface.h
index fc86c71d9..5b4d1c362 100644
--- a/src/sss_iface/sbus_sss_interface.h
+++ b/src/sss_iface/sbus_sss_interface.h
@@ -166,7 +166,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler), (data)); \
})
@@ -177,7 +177,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler_send), (handler_recv), (data)); \
})
@@ -188,7 +188,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
NULL, \
_sbus_sss_invoke_in_ussu_out__send, \
- _sbus_sss_key_ussu_0_1_2_3, \
+ _sbus_sss_key_ussu_0_1_2, \
(handler), (data)); \
})
@@ -199,7 +199,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
NULL, \
_sbus_sss_invoke_in_ussu_out__send, \
- _sbus_sss_key_ussu_0_1_2_3, \
+ _sbus_sss_key_ussu_0_1_2, \
(handler_send), (handler_recv), (data)); \
})
@@ -210,7 +210,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler), (data)); \
})
@@ -221,7 +221,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler_send), (handler_recv), (data)); \
})
@@ -522,7 +522,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
NULL, \
_sbus_sss_invoke_in_uusu_out_qus_send, \
- _sbus_sss_key_uusu_0_1_2_3, \
+ _sbus_sss_key_uusu_0_1_2, \
(handler), (data)); \
})
@@ -533,7 +533,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
NULL, \
_sbus_sss_invoke_in_uusu_out_qus_send, \
- _sbus_sss_key_uusu_0_1_2_3, \
+ _sbus_sss_key_uusu_0_1_2, \
(handler_send), (handler_recv), (data)); \
})
@@ -544,7 +544,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
NULL, \
_sbus_sss_invoke_in_uusssu_out_qus_send, \
- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
+ _sbus_sss_key_uusssu_0_1_2_3_4, \
(handler), (data)); \
})
@@ -555,7 +555,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
NULL, \
_sbus_sss_invoke_in_uusssu_out_qus_send, \
- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
+ _sbus_sss_key_uusssu_0_1_2_3_4, \
(handler_send), (handler_recv), (data)); \
})
@@ -632,7 +632,7 @@
&_sbus_sss_args_sssd_dataprovider_resolverHandler, \
NULL, \
_sbus_sss_invoke_in_uuusu_out_qus_send, \
- _sbus_sss_key_uuusu_0_1_2_3_4, \
+ _sbus_sss_key_uuusu_0_1_2_3, \
(handler), (data)); \
})
@@ -643,7 +643,7 @@
&_sbus_sss_args_sssd_dataprovider_resolverHandler, \
NULL, \
_sbus_sss_invoke_in_uuusu_out_qus_send, \
- _sbus_sss_key_uuusu_0_1_2_3_4, \
+ _sbus_sss_key_uuusu_0_1_2_3, \
(handler_send), (handler_recv), (data)); \
})
diff --git a/src/sss_iface/sbus_sss_keygens.c b/src/sss_iface/sbus_sss_keygens.c
index 1bffc1360..0bded60f8 100644
--- a/src/sss_iface/sbus_sss_keygens.c
+++ b/src/sss_iface/sbus_sss_keygens.c
@@ -90,87 +90,87 @@ _sbus_sss_key_ussu_0_1
}
const char *
-_sbus_sss_key_ussu_0_1_2_3
+_sbus_sss_key_ussu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_ussu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
const char *
-_sbus_sss_key_usu_0_1_2
+_sbus_sss_key_usu_0_1
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_usu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2);
+ sbus_req->path, args->arg0, args->arg1);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2);
+ sbus_req->path, args->arg0, args->arg1);
}
const char *
-_sbus_sss_key_uusssu_0_1_2_3_4_5
+_sbus_sss_key_uusssu_0_1_2_3_4
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusssu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
}
const char *
-_sbus_sss_key_uusu_0_1_2_3
+_sbus_sss_key_uusu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
const char *
-_sbus_sss_key_uuusu_0_1_2_3_4
+_sbus_sss_key_uuusu_0_1_2_3
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uuusu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
}
diff --git a/src/sss_iface/sbus_sss_keygens.h b/src/sss_iface/sbus_sss_keygens.h
index 8f09b46de..7e42c2c53 100644
--- a/src/sss_iface/sbus_sss_keygens.h
+++ b/src/sss_iface/sbus_sss_keygens.h
@@ -49,31 +49,31 @@ _sbus_sss_key_ussu_0_1
struct _sbus_sss_invoker_args_ussu *args);
const char *
-_sbus_sss_key_ussu_0_1_2_3
+_sbus_sss_key_ussu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_ussu *args);
const char *
-_sbus_sss_key_usu_0_1_2
+_sbus_sss_key_usu_0_1
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_usu *args);
const char *
-_sbus_sss_key_uusssu_0_1_2_3_4_5
+_sbus_sss_key_uusssu_0_1_2_3_4
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusssu *args);
const char *
-_sbus_sss_key_uusu_0_1_2_3
+_sbus_sss_key_uusu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusu *args);
const char *
-_sbus_sss_key_uuusu_0_1_2_3_4
+_sbus_sss_key_uuusu_0_1_2_3
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uuusu *args);
diff --git a/src/sss_iface/sss_iface.xml b/src/sss_iface/sss_iface.xml
index 6709c4e48..82c65aa0b 100644
--- a/src/sss_iface/sss_iface.xml
+++ b/src/sss_iface/sss_iface.xml
@@ -91,18 +91,18 @@
<method name="GetMap">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
- <arg name="cli_id" type="u" direction="in" key="3" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
<method name="GetEntry">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
<arg name="entryname" type="s" direction="in" key="3" />
- <arg name="cli_id" type="u" direction="in" key="4" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
<method name="Enumerate">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
- <arg name="cli_id" type="u" direction="in" key="3" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
</interface>
@@ -133,7 +133,7 @@
<arg name="entry_type" type="u" direction="in" key="2" />
<arg name="filter_type" type="u" direction="in" key="3" />
<arg name="filter_value" type="s" direction="in" key="4" />
- <arg name="cli_id" type="u" direction="in" key="5" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="error_message" type="s" direction="out" />
@@ -150,7 +150,7 @@
<arg name="filter" type="s" direction="in" key="3" />
<arg name="domain" type="s" direction="in" key="4" />
<arg name="extra" type="s" direction="in" key="5" />
- <arg name="cli_id" type="u" direction="in" key="6" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="error_message" type="s" direction="out" />
@@ -159,7 +159,7 @@
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="entry_type" type="u" direction="in" key="2" />
<arg name="filter" type="s" direction="in" key="3" />
- <arg name="cli_id" type="u" direction="in" key="4" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="domain_name" type="s" direction="out" />
--
2.33.0

12
sssd.spec
View File

@ -1,6 +1,6 @@
Name: sssd
Version: 2.6.1
Release: 11
Release: 12
Summary: System Security Services Daemon
License: GPLv3+ and LGPLv3+
URL: https://pagure.io/SSSD/sssd/
@ -36,6 +36,13 @@ Patch6026: backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch
Patch6027: backport-KRB5-avoid-another-attempt-to-free-cc-in-done-sectio.patch
Patch6028: backport-CONFDB-check-the-return-values.patch
Patch6029: backport-UTILS-swap-order-of-seteuid-setegid.patch
Patch6030: backport-sss_iface-do-not-add-cli_id-to-chain-key.patch
Patch6031: backport-KCM-Remove-the-oldest-expired-credential-if-no-more-.patch
Patch6032: backport-Proxy-Avoid-ldb_modify-failed-error.patch
Patch6033: backport-cli-caculate-the-wait_time-in-milliseconds.patch
Patch6034: backport-dyndns-PTR-record-updates-separately.patch
Patch6035: backport-ipa-do-not-go-offline-if-group-does-not-have-SID.patch
Patch6036: backport-KCM-Display-in-the-log-the-limit-as-set-by-the-user.patch
Requires: python3-sssd = %{version}-%{release}
Requires: libldb
@ -543,6 +550,9 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Tue Nov 28 2023 wangcheng <wangcheng156@huawei.com> - 2.6.1-12
- backport upstream patches
* Fri Sep 22 2023 fuanan <fuanan3@h-partners.com> - 2.6.1-11
- backport upstream patches