sssd.git/src/sss_client, branch nonroot sssd with jhrozek's patches sss_client: Fix race condition in memory cache 2014-11-24T19:54:00+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-11-21T10:28:36+00:00 6a60e29468fc6b4043a4dc52d3aab73e8465db70 Thread safe initialisation was fixed in ticket #2380, but there is still race condition in reinitialisation. If caches is invalidated with command sss_cache -U (-G or -E) then client code will need to reinitialize fast memory cache. Let say we have two threads. The 1st thread find out that memory cache should be reinitialized; therefore the fast memory cached is unmapped and context destroyed. In the same time, 2nd thread tried to check header of memory cache whether it is initialized and valid. As a result of previously unmapped memory the 2nd thread access out of bound memory (SEGFAULT). The destroying of fast memory cache cannot be done any time. We need to be sure that there isn't any other thread which uses mmaped memory. The new counter of active threads was added for this purpose. The state of fast memory cache was converted from boolean to three value state (UNINITIALIZED, INITIALIZED, RECYCLED) UNINITIALIZED - the fast memory cache need to be initialized. - if there is a problem with initialisation the state will not change - after successful initialisation, the state will change to INITIALIZED INITIALIZED - if the cahe was invalidated or there is any other problem was detected in memory cache header the state will change to RECYCLED and memory cache IS NOT destroyed. RECYCLED - nothing will be done is there are any active threads which may use the data from mmaped memory - if there aren't active threads the fast memory cahe is destroyed and state is changed to UNINITIALIZED. https://fedorahosted.org/sssd/ticket/2445 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Thread safe initialisation was fixed in ticket #2380, but there is
still race condition in reinitialisation.

If caches is invalidated with command sss_cache -U (-G or -E) then
client code will need to reinitialize fast memory cache.
Let say we have two threads. The 1st thread find out that memory cache
should be reinitialized; therefore the fast memory cached is unmapped
and context destroyed. In the same time, 2nd thread tried to check
header of memory cache whether it is initialized and valid. As a result
of previously unmapped memory the 2nd thread access
out of bound memory (SEGFAULT).

The destroying of fast memory cache cannot be done any time. We need
to be sure that there isn't any other thread which uses mmaped memory.
The new counter of active threads was added for this purpose. The state
of fast memory cache was converted from boolean to three value state
(UNINITIALIZED, INITIALIZED, RECYCLED)
UNINITIALIZED
    - the fast memory cache need to be initialized.
    - if there is a problem with initialisation the state will not change
    - after successful initialisation, the state will change to INITIALIZED
INITIALIZED
    - if the cahe was invalidated or there is any other problem was
      detected in memory cache header the state will change to RECYCLED
      and memory cache IS NOT destroyed.
RECYCLED
    - nothing will be done is there are any active threads which may use
      the data from mmaped memory
    - if there aren't active threads the fast memory cahe is destroyed and
      state is changed to UNINITIALIZED.

https://fedorahosted.org/sssd/ticket/2445

Reviewed-by: Michal Židek <mzidek@redhat.com>
sss_client: Extract destroying of mmap cache to function 2014-11-24T19:53:54+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-11-21T13:00:23+00:00 19f6a6733b5c6cf7dd2f6f746cfa5c787706331c Reviewed-by: Michal Židek <mzidek@redhat.com> 
Reviewed-by: Michal Židek <mzidek@redhat.com>
PAM: Remove authtok from PAM stack with OTP 2014-11-07T14:12:52+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-10-20T20:21:25+00:00 2368a0fc19bcd56581eccd8397289e4513a383a5 We remove the password from the PAM stack when OTP is used to make sure that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore and have to request a password on their own. Resolves: https://fedorahosted.org/sssd/ticket/2287 Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> 
We remove the password from the PAM stack when OTP is used to make sure
that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore
and have to request a password on their own.

Resolves:
    https://fedorahosted.org/sssd/ticket/2287

Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
sss_nss_idmap: add sss_nss_getorigbyname() 2014-10-14T16:29:11+00:00 Sumit Bose sbose@redhat.com 2014-10-09T19:05:34+00:00 0d01e4f6cc21d8ca0e4fafe59c7cbfa1459fa47e This patch adds an interface to the new SSS_NSS_GETORIGBYNAME request of the nss responder to libsss_nss_idmap. The main use case for this new call is to replace sss_nss_getsidbyname() in the extdom plugin on the FreeIPA server to get more information about the given object than just the SID which is not available with the default POSIX interfaces. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
This patch adds an interface to the new SSS_NSS_GETORIGBYNAME request of
the nss responder to libsss_nss_idmap.

The main use case for this new call is to replace sss_nss_getsidbyname()
in the extdom plugin on the FreeIPA server to get more information about
the given object than just the SID which is not available with the
default POSIX interfaces.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
nss: add SSS_NSS_GETORIGBYNAME request 2014-10-14T16:29:01+00:00 Sumit Bose sbose@redhat.com 2014-10-09T13:13:55+00:00 229c292143dcd4120acb022682b5b7d0aca622dd This patch adds a new request to the nss responder which follows the same flow as a SSS_NSSGETSIDBYNAME request but returns more data than just the SID. The data is returned as pairs of \0-terminated strings where the first string is the sysdb attribute name and the second the corresponding value. The main use case is on the FreeIPA server to make additional user and group data available to the extdom plugin which then send this data to SSSD running on FreeIPA clients. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
This patch adds a new request to the nss responder which follows the
same flow as a SSS_NSSGETSIDBYNAME request but returns more data than
just the SID. The data is returned as pairs of \0-terminated strings
where the first string is the sysdb attribute name and the second the
corresponding value.

The main use case is on the FreeIPA server to make additional user and
group data available to the extdom plugin which then send this data to
SSSD running on FreeIPA clients.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
PAM: Add domains= option to pam_sss 2014-09-29T16:27:16+00:00 Daniel Gollub dgollub at brocade.com 2014-09-27T11:06:44+00:00 663fd9bcdcc6b299785ba3434532cd7e6c462bff Design document: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Fixes: https://fedorahosted.org/sssd/ticket/1021 Signed-off-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM

Fixes:
https://fedorahosted.org/sssd/ticket/1021

Signed-off-by: Pavel Reichl <preichl@redhat.com>

Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
libwbclient: avoid collision with Samba version 2014-09-08T18:09:46+00:00 Sumit Bose sbose@redhat.com 2014-09-05T10:30:43+00:00 f3c85d900c4663854cc7bbae7d9f77867ed1f69b Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Doxygen: replace <pre> with markdown table 2014-09-02T12:33:05+00:00 Sumit Bose sbose@redhat.com 2014-08-29T08:44:00+00:00 316ff9ad6f959443ddadd54e9fe9ebf6c8052214 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
NFSv4 client: (private) headers from libnfsidmap 2014-09-02T08:56:40+00:00 Noam Meltzer tsnoam@gmail.com 2014-06-27T05:44:36+00:00 4466604d78e5ffd017e69e6861f7d78242b351fb The private headers are needed in order to: nfsidmap_internal.h: * definition of struct trans_func * prototype for logger function cfg.h + queue.h: * prototype(s) for accessing rpc.idmpad configuration file Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Roland Mainz <rmainz@redhat.com> 
The private headers are needed in order to:
nfsidmap_internal.h:
* definition of struct trans_func
* prototype for logger function
cfg.h + queue.h:
* prototype(s) for accessing rpc.idmpad configuration file

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
NEW CLIENT: plugin for NFSv4 rpc.idmapd 2014-09-02T08:56:07+00:00 Noam Meltzer tsnoam@gmail.com 2014-06-27T05:44:35+00:00 e9553c2961fa4f25b9d004a6a65b90837a13d8e1 Implementation of design document: https://fedorahosted.org/sssd/wiki/DesignDocs/rpc.idmapd%20plugin Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Roland Mainz <rmainz@redhat.com> 
Implementation of design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/rpc.idmapd%20plugin

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>