<feed xmlns='http://www.w3.org/2005/Atom'>
<title>sssd.git/src/responder/nss, branch master</title>
<subtitle>sssd with jhrozek's patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/'/>
<entry>
<title>NSS: Don't ignore backslash in usernames with ldap provider</title>
<updated>2015-09-01T06:41:51+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2015-08-28T05:07:40+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=90b8e2e47ecc0dd555cae401a0c9b082d12ab989'/>
<id>90b8e2e47ecc0dd555cae401a0c9b082d12ab989</id>
<content type='text'>
The regression was caused by changing default domain regex
for ldap provider in ticket #2717

Resolves:
https://fedorahosted.org/sssd/ticket/2772

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</content>
</entry>
<entry>
<title>UTIL: Function 2string for enum sss_cli_command</title>
<updated>2015-08-31T16:30:19+00:00</updated>
<author>
<name>Petr Cech</name>
<email>pcech@redhat.com</email>
</author>
<published>2015-07-08T11:17:28+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a'/>
<id>11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a</id>
<content type='text'>
Improvement of debug messages.
Instead of: "(0x0400): Running command [17]..."
We could see: "(0x0400): Running command [17][SSS_NSS_GETPWNAM]..."
(It's not used in sss_client. There are only hex numbers of commands.)

Resolves:
https://fedorahosted.org/sssd/ticket/2708

Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</content>
</entry>
<entry>
<title>NSS: Fix use after free</title>
<updated>2015-08-20T20:48:28+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2015-08-07T12:29:45+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=b9901fe3d6cfe05cd75a2440c0f9c7985aea36c6'/>
<id>b9901fe3d6cfe05cd75a2440c0f9c7985aea36c6</id>
<content type='text'>
It can happen if there are two domains and the user is not found
in the first one.

==29279== Invalid read of size 1
==29279==    at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279==    by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2)
==29279==    by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191)
==29279==    by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279==    by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279==    by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279==    by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279==    by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279==    by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279==    by 0x879A936: std_event_loop_once (tevent_standard.c:114)
==29279==  Address 0xbbad240 is 96 bytes inside a block of size 106 free'd
==29279==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279==    by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2)
==29279==    by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190)
==29279==    by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279==    by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279==    by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279==    by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279==    by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279==    by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279==    by 0x879A936: std_event_loop_once (tevent_standard.c:114)

Resolves:
https://fedorahosted.org/sssd/ticket/2749

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
</entry>
<entry>
<title>NSS: Initgr memory cache should work with fq names</title>
<updated>2015-08-05T09:28:37+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2015-07-13T08:40:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=dda0258705de7255e6ec54b7f9adbde83a220996'/>
<id>dda0258705de7255e6ec54b7f9adbde83a220996</id>
<content type='text'>
We need to store two versions of the name in the initgroups memory cache.
Otherwise it could be stored many times if sssd is configured with
case_sensitive = false. It would be impossible to invalidate all
versions of the name after user login. As a result, wrong user
groups could be returned from the initgroups memory cache.

Therefore we store the raw name provided by the glibc function
and the internal sanitized fully qualified name,
which is unique for a particular user.

This patch also increases the average space for initgroups
because two quite long names are also stored in the case of
fq names.

Resolves:
https://fedorahosted.org/sssd/ticket/2712

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</content>
</entry>
<entry>
<title>mmap: Invalidate initgroups memory cache after any change</title>
<updated>2015-08-05T09:28:23+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2015-08-03T10:58:03+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=ea7839cec593b4a7c678fab52ab864518db6699b'/>
<id>ea7839cec593b4a7c678fab52ab864518db6699b</id>
<content type='text'>
Initgroups memory cache was invalidated only in the case of a removed user.
It should also be invalidated after changes in group membership.

Resolves:
https://fedorahosted.org/sssd/ticket/2716

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</content>
</entry>
<entry>
<title>mmap_cache: "Override" functions for initgr mmap cache</title>
<updated>2015-08-05T09:28:19+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2015-07-16T15:00:12+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=225dc6914cdc8920b02a129b98ece1ed97b99c03'/>
<id>225dc6914cdc8920b02a129b98ece1ed97b99c03</id>
<content type='text'>
Functions sss_mc_get_strs_offset and sss_mc_get_strs_len provide
data about strings for individual memory caches (passwd, ...).
They are used in generic responder mmap cache code to find a record
in the mmap cache (sss_mc_find_record). Data provided by the sss_mc_get_*
functions are used for checking the validity of a record. So in case of a
corrupted record the whole mmap cache can be invalidated.

Functions sss_mc_get_strs_offset and sss_mc_get_strs_len did not provide
data for the initgroups mmap cache and therefore a particular record could
not be invalidated.

Resolves:
https://fedorahosted.org/sssd/ticket/2716

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</content>
</entry>
<entry>
<title>mmap_cache: Rename variables</title>
<updated>2015-08-05T09:28:11+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2015-07-16T14:54:00+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=39b31427e2d11ca318df11fd48db33a7cc610aa7'/>
<id>39b31427e2d11ca318df11fd48db33a7cc610aa7</id>
<content type='text'>
Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</content>
</entry>
<entry>
<title>nss: use negative cache for sid-by-id requests</title>
<updated>2015-07-27T20:03:52+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2015-07-22T13:34:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=c2cc00e8d70c4df880d76093d4b0e3ee7f2ee23f'/>
<id>c2cc00e8d70c4df880d76093d4b0e3ee7f2ee23f</id>
<content type='text'>
Since requests by ID are not assigned to a specific domain, SSSD might
check the ID in domains where the ID does not exist even if the ID is
already in the sysdb cache of the right domain. For requests where
a memory cache is already available, e.g. getpwuid() and getgrgid(),
this has no negative impact because the requests are answered directly
from the cache most of the time without hitting SSSD. As long as there
is no use-case which does not use the memory cache, those requests do not
need an update.

But for requests like sid-by-id, where currently no memory cache is
available, there are quite some additional costs, especially for trusted
domains.

Resolves https://fedorahosted.org/sssd/ticket/2731

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
</entry>
<entry>
<title>negcache: allow domain name for UID and GID</title>
<updated>2015-07-27T20:03:42+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2015-07-22T12:21:52+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=e1aed98d7c195f844ac8e85050d04f3ca5f899b3'/>
<id>e1aed98d7c195f844ac8e85050d04f3ca5f899b3</id>
<content type='text'>
Related to https://fedorahosted.org/sssd/ticket/2731

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
</entry>
<entry>
<title>nss_check_name_of_well_known_sid() improve name splitting</title>
<updated>2015-07-16T13:26:29+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2015-07-14T12:41:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/jhrozek/public_git/sssd.git/commit/?id=4f1897ad419790834573643e88ac03e6c5c1c4be'/>
<id>4f1897ad419790834573643e88ac03e6c5c1c4be</id>
<content type='text'>
Currently in the default configuration
nss_check_name_of_well_known_sid() can only split fully-qualified names
in the user@domain.name style. DOM\user style names will cause an error
and terminate the whole request.

With this patch both styles can be handled by default. Additionally, if
the name could not be split, nss_check_name_of_well_known_sid() returns
ENOENT, which can be handled more gracefully by the caller.

Resolves https://fedorahosted.org/sssd/ticket/2717

Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</content>
</entry>
</feed>
