sssd.git/src/sss_client, branch sid_index sssd with jhrozek's patches libwbclient-sssd: update interface to version 0.12 2015-05-26T08:32:15+00:00 Sumit Bose sbose@redhat.com 2015-05-15T09:58:05+00:00 d788ec2d8205639dcb560800852d7fe89bcc33f7 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 1270ffe9f3809f2fd488ef4a320d344ae107ab87) 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1270ffe9f3809f2fd488ef4a320d344ae107ab87)
CLIENT: Clear errno with enabled sss-default-nss-plugin 2015-04-07T12:50:52+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-07T08:53:12+00:00 9e030a229277cfb598fd80e861e6bb0b7cfdec9c Although errno was cleared in function sss_nss_make_request some sss glic functions set errno with value of output argument errnop. Reproducer: * sssd compiled with enabled option sss-default-nss-plugin * sss is the last value in group (/etc/nsswitch.conf) * sssd-client is installed but sssd is stopped. C-program: #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <grp.h> int main(int argc, char *argv[]) { struct group *p_group; setgrent(); while (1) { errno = 0; /* initialize for getgrent() */ p_group = getgrent(); if (p_group == NULL) { if (errno == 0) { break; /* end of groups */ } else { perror("getgrent"); printf("getgrent error %d \n", errno); endgrent(); exit(-2); } } printf("getgrent() OK group(%d) = %s \n", p_group->gr_gid, p_group->gr_name); } exit(0); } Resolves: https://fedorahosted.org/sssd/ticket/2619 Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit d51bc5f43fffa516446ef62c2b860be9fa939c9d) 
Although errno was cleared in function sss_nss_make_request
some sss glic functions set errno with value of output argument errnop.

Reproducer:
* sssd compiled with enabled option sss-default-nss-plugin
* sss is the last value in group (/etc/nsswitch.conf)
* sssd-client is installed but sssd is stopped.

C-program:
  #include <stdio.h>
  #include <stdlib.h>
  #include <errno.h>
  #include <grp.h>

  int main(int argc, char *argv[])
  {
      struct group *p_group;

      setgrent();
      while (1) {
          errno = 0;  /* initialize for  getgrent() */
          p_group = getgrent();
          if (p_group == NULL) {
              if (errno == 0) {
                      break;   /* end of groups */
              } else {
                  perror("getgrent");
                  printf("getgrent error %d \n", errno);
                  endgrent();
                  exit(-2);
              }
          }
          printf("getgrent() OK group(%d) = %s \n",
                 p_group->gr_gid, p_group->gr_name);
      }

      exit(0);
  }

Resolves:
https://fedorahosted.org/sssd/ticket/2619

Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit d51bc5f43fffa516446ef62c2b860be9fa939c9d)
PAM: new option pam_account_expired_message 2015-02-23T12:49:53+00:00 Pavel Reichl preichl@redhat.com 2015-02-19T16:17:36+00:00 a81b2ae67c7b011c74c0d37df5bdaef2ef2bbb4a This option sets string to be printed when authenticating using SSH keys and account is expired. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit e039f1aefecc65a7b3c2d4a13a612bff1dd367c8) 
This option sets string to be printed when authenticating using SSH
keys and account is expired.

Resolves:
https://fedorahosted.org/sssd/ticket/2050

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit e039f1aefecc65a7b3c2d4a13a612bff1dd367c8)
PAM: do not reject abruptly 2015-02-23T12:49:53+00:00 Pavel Reichl preichl@redhat.com 2015-02-12T00:38:16+00:00 325a3a1015a8ce239efa07b2371f2f8db8bf395e If account has expired then pass message. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit a61d6d01a4e89ec14175af135e84f1cac55af748) 
If account has expired then pass message.

Resolves:
https://fedorahosted.org/sssd/ticket/2050

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit a61d6d01a4e89ec14175af135e84f1cac55af748)
Open the PAC socket from krb5_child before dropping root 2015-01-21T10:27:34+00:00 Jakub Hrozek jhrozek@redhat.com 2015-01-20T17:06:49+00:00 bfdd8d2b828d0decb3730879f328bcde95dc584b The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070) 
The PAC responder by default allows only connections from the root user.
This patch opens the socket to the PAC responder before the krb5_child
drops privileges so the connection seemingly comes from root.

https://fedorahosted.org/sssd/ticket/2559

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)
libwbclient: initialize some return values 2014-12-19T16:45:55+00:00 Sumit Bose sbose@redhat.com 2014-12-19T10:21:41+00:00 082e13dba488ebb2b948d6a362095153714b669f Some callers of libwbclient functions expects the return values are initialized even it the functions returns an error. This patch adds some initializations to meet this requirement. Resolves https://fedorahosted.org/sssd/ticket/2537 Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Some callers of libwbclient functions expects the return values are
initialized even it the functions returns an error. This patch adds some
initializations to meet this requirement.

Resolves https://fedorahosted.org/sssd/ticket/2537

Reviewed-by: Pavel Reichl <preichl@redhat.com>
PAM: Missing argument to domains= should fail auth 2014-12-13T22:00:15+00:00 Jakub Hrozek jhrozek@redhat.com 2014-12-10T11:02:47+00:00 134bff159119b0f62492133983ba637957e26fab When the administrator sets the domains= list, he usually wants to restrict the set of domains. An empty list is an undefined configuration and it's safer to fail then. https://fedorahosted.org/sssd/ticket/2516 Reviewed-by: Pavel Reichl <preichl@redhat.com> 
When the administrator sets the domains= list, he usually wants to
restrict the set of domains. An empty list is an undefined configuration
and it's safer to fail then.

https://fedorahosted.org/sssd/ticket/2516

Reviewed-by: Pavel Reichl <preichl@redhat.com>
sss_client: Work around glibc bug 2014-12-08T20:47:36+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-11-18T11:02:10+00:00 5bb0c0596765dd5dd1973b7fc2d1e830bca3e345 glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL. The sss nss plugin is present in nsswitch by default on some platforms due to glibc caching and problem with long living applications (e.g. GNOME). But sssd needn't be configuread and it cause problems in some programs. In this situation, the SSSD nss plugin should behave as if it was functioning but had no data even thought sssd is not running. The errors have to be passed from nss plugin up to the user with minimal moidiffication. Thanks to Stephen Gallagher for initial patch. Resolves: https://fedorahosted.org/sssd/ticket/2439 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL.

The sss nss plugin is present in nsswitch by default on some platforms
due to glibc caching and problem with long living applications (e.g. GNOME).
But sssd needn't be configuread and it cause problems in some programs.
In this situation, the SSSD nss plugin should behave as if it was functioning
but had no data even thought sssd is not running. The errors have to be passed
from nss plugin up to the user with minimal moidiffication.

Thanks to Stephen Gallagher for initial patch.

Resolves:
https://fedorahosted.org/sssd/ticket/2439

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sss_client: Fix race condition in memory cache 2014-11-24T19:54:00+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-11-21T10:28:36+00:00 6a60e29468fc6b4043a4dc52d3aab73e8465db70 Thread safe initialisation was fixed in ticket #2380, but there is still race condition in reinitialisation. If caches is invalidated with command sss_cache -U (-G or -E) then client code will need to reinitialize fast memory cache. Let say we have two threads. The 1st thread find out that memory cache should be reinitialized; therefore the fast memory cached is unmapped and context destroyed. In the same time, 2nd thread tried to check header of memory cache whether it is initialized and valid. As a result of previously unmapped memory the 2nd thread access out of bound memory (SEGFAULT). The destroying of fast memory cache cannot be done any time. We need to be sure that there isn't any other thread which uses mmaped memory. The new counter of active threads was added for this purpose. The state of fast memory cache was converted from boolean to three value state (UNINITIALIZED, INITIALIZED, RECYCLED) UNINITIALIZED - the fast memory cache need to be initialized. - if there is a problem with initialisation the state will not change - after successful initialisation, the state will change to INITIALIZED INITIALIZED - if the cahe was invalidated or there is any other problem was detected in memory cache header the state will change to RECYCLED and memory cache IS NOT destroyed. RECYCLED - nothing will be done is there are any active threads which may use the data from mmaped memory - if there aren't active threads the fast memory cahe is destroyed and state is changed to UNINITIALIZED. https://fedorahosted.org/sssd/ticket/2445 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Thread safe initialisation was fixed in ticket #2380, but there is
still race condition in reinitialisation.

If caches is invalidated with command sss_cache -U (-G or -E) then
client code will need to reinitialize fast memory cache.
Let say we have two threads. The 1st thread find out that memory cache
should be reinitialized; therefore the fast memory cached is unmapped
and context destroyed. In the same time, 2nd thread tried to check
header of memory cache whether it is initialized and valid. As a result
of previously unmapped memory the 2nd thread access
out of bound memory (SEGFAULT).

The destroying of fast memory cache cannot be done any time. We need
to be sure that there isn't any other thread which uses mmaped memory.
The new counter of active threads was added for this purpose. The state
of fast memory cache was converted from boolean to three value state
(UNINITIALIZED, INITIALIZED, RECYCLED)
UNINITIALIZED
    - the fast memory cache need to be initialized.
    - if there is a problem with initialisation the state will not change
    - after successful initialisation, the state will change to INITIALIZED
INITIALIZED
    - if the cahe was invalidated or there is any other problem was
      detected in memory cache header the state will change to RECYCLED
      and memory cache IS NOT destroyed.
RECYCLED
    - nothing will be done is there are any active threads which may use
      the data from mmaped memory
    - if there aren't active threads the fast memory cahe is destroyed and
      state is changed to UNINITIALIZED.

https://fedorahosted.org/sssd/ticket/2445

Reviewed-by: Michal Židek <mzidek@redhat.com>
sss_client: Extract destroying of mmap cache to function 2014-11-24T19:53:54+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-11-21T13:00:23+00:00 19f6a6733b5c6cf7dd2f6f746cfa5c787706331c Reviewed-by: Michal Židek <mzidek@redhat.com> 
Reviewed-by: Michal Židek <mzidek@redhat.com>