<feed xmlns='http://www.w3.org/2005/Atom'>
<title>sssd.git/src/sss_client, branch sudo</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/'/>
<entry>
<title>sssd_client: add mutex protected call to the PAC responder</title>
<updated>2017-09-22T12:46:21+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2017-09-18T13:00:53+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=1f331476e7d33bb03cc35a2a9064ee1cc5bed6cf'/>
<id>1f331476e7d33bb03cc35a2a9064ee1cc5bed6cf</id>
<content type='text'>
SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
currently uses sss_pac_make_request() which does not protect the
communication with the PAC responder with a mutex as e.g. the NSS and
PAM clients do.

If an application using threads loads this plugin via libkrb5 in
different threads and is heavily processing Kerberos tickets with PACs
chances are that two threads try to communicate with SSSD at once. In
this case one of the threads will miss a reply and will wait for it
until the default client timeout of 300s has passed.

This patch adds a call which uses a mutex to protect the communication
which will avoid the 300s delay mentioned above.

Resolves:
https://pagure.io/SSSD/sssd/issue/3518

Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
currently uses sss_pac_make_request() which does not protect the
communication with the PAC responder with a mutex as e.g. the NSS and
PAM clients do.

If an application using threads loads this plugin via libkrb5 in
different threads and is heavily processing Kerberos tickets with PACs
chances are that two threads try to communicate with SSSD at once. In
this case one of the threads will miss a reply and will wait for it
until the default client timeout of 300s has passed.

This patch adds a call which uses a mutex to protect the communication
which will avoid the 300s delay mentioned above.

Resolves:
https://pagure.io/SSSD/sssd/issue/3518

Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libwbclient: Fix warning statement with no effect</title>
<updated>2017-08-22T17:36:20+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2017-08-22T14:50:23+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=aede6a1f4412f133e4b3fd76944f764d76fc4868'/>
<id>aede6a1f4412f133e4b3fd76944f764d76fc4868</id>
<content type='text'>
src/sss_client/libwbclient/wbc_pam_sssd.c: In function ‘wbcAuthenticateUserEx’:
src/sss_client/libwbclient/wbc_pam_sssd.c:52:5: error: statement with no effect [-Werror=unused-value]
     WBC_ERR_WINBIND_NOT_AVAILABLE;
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sss_client/libwbclient/wbc_pam_sssd.c:53:1: error: control reaches end of non-void function [-Werror=return-type]
 }
 ^

Related to:
https://pagure.io/SSSD/sssd/issue/3461

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
src/sss_client/libwbclient/wbc_pam_sssd.c: In function ‘wbcAuthenticateUserEx’:
src/sss_client/libwbclient/wbc_pam_sssd.c:52:5: error: statement with no effect [-Werror=unused-value]
     WBC_ERR_WINBIND_NOT_AVAILABLE;
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sss_client/libwbclient/wbc_pam_sssd.c:53:1: error: control reaches end of non-void function [-Werror=return-type]
 }
 ^

Related to:
https://pagure.io/SSSD/sssd/issue/3461

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libwbclient: Change return code for wbcAuthenticateUserEx</title>
<updated>2017-08-22T13:37:39+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2017-08-22T11:09:18+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=725d04cd21016dc6092a9f03cd363bb83d7c054c'/>
<id>725d04cd21016dc6092a9f03cd363bb83d7c054c</id>
<content type='text'>
Samba-4.6 changes the behaviour of a few functions.
The new version of the code makes sure session info for the user is stored in cache.
It is a performance optimisation to prevent contacting KDC for each
session. More details in samba bug
https://bugzilla.samba.org/show_bug.cgi?id=11259

Old return code WBC_SSSD_NOT_IMPLEMENTED was translated
to NT_STATUS_LOGON_FAILURE which caused many failures.

    [2017/08/21 11:34:15.044321,  5, pid=27742, effective(0, 0), real(0, 0)]
    ../libcli/security/security_token.c:53(security_token_debug)
      Security token: (NULL)
    [2017/08/21 11:34:15.044330,  5, pid=27742, effective(0, 0), real(0, 0)]
    ../source3/auth/token_util.c:640(debug_unix_user_token)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2017/08/21 11:34:15.044349,  4, pid=27742, effective(0, 0), real(0, 0)]
    ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2017/08/21 11:34:15.044360,  1, pid=27742, effective(0, 0), real(0, 0)]
    ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
      Failed to generate session_info (user and group token) for session
    setup: NT_STATUS_LOGON_FAILURE

Resolves:
https://pagure.io/SSSD/sssd/issue/3461

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Samba-4.6 changes the behaviour of a few functions.
The new version of the code makes sure session info for the user is stored in cache.
It is a performance optimisation to prevent contacting KDC for each
session. More details in samba bug
https://bugzilla.samba.org/show_bug.cgi?id=11259

Old return code WBC_SSSD_NOT_IMPLEMENTED was translated
to NT_STATUS_LOGON_FAILURE which caused many failures.

    [2017/08/21 11:34:15.044321,  5, pid=27742, effective(0, 0), real(0, 0)]
    ../libcli/security/security_token.c:53(security_token_debug)
      Security token: (NULL)
    [2017/08/21 11:34:15.044330,  5, pid=27742, effective(0, 0), real(0, 0)]
    ../source3/auth/token_util.c:640(debug_unix_user_token)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2017/08/21 11:34:15.044349,  4, pid=27742, effective(0, 0), real(0, 0)]
    ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2017/08/21 11:34:15.044360,  1, pid=27742, effective(0, 0), real(0, 0)]
    ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
      Failed to generate session_info (user and group token) for session
    setup: NT_STATUS_LOGON_FAILURE

Resolves:
https://pagure.io/SSSD/sssd/issue/3461

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libwbclient-sssd: update interface to version 0.14</title>
<updated>2017-08-03T09:17:52+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2017-07-07T09:15:20+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=d1b2a3394e496f749151ccd5aca29507ca69214b'/>
<id>d1b2a3394e496f749151ccd5aca29507ca69214b</id>
<content type='text'>
The main change is a new member of the wbcAuthErrorInfo struct.

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The main change is a new member of the wbcAuthErrorInfo struct.

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Moving headers used by both server and client to special folder</title>
<updated>2017-08-03T09:08:15+00:00</updated>
<author>
<name>AmitKumar</name>
<email>amitkuma@redhat.com</email>
</author>
<published>2017-07-22T23:49:27+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=3996e391054a1c02ab62e1541ae21a8204bd5d0a'/>
<id>3996e391054a1c02ab62e1541ae21a8204bd5d0a</id>
<content type='text'>
These are the header files which are used by both client and server:
src/util/io.h
src/util/murmurhash3.h
src/util/util_safealign.h

This patch is about moving these header files to a special folder
(src/shared). It will be easier to identify these headers when looking
for them in the src tree.
util_safealign.h is renamed as safealign.h because the util_ namespace was
appropriate when this file belonged to the util's folder, which is no
longer the case.

Resolves:
https://pagure.io/SSSD/sssd/issue/1898

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
These are the header files which are used by both client and server:
src/util/io.h
src/util/murmurhash3.h
src/util/util_safealign.h

This patch is about moving these header files to a special folder
(src/shared). It will be easier to identify these headers when looking
for them in the src tree.
util_safealign.h is renamed as safealign.h because the util_ namespace was
appropriate when this file belonged to the util's folder, which is no
longer the case.

Resolves:
https://pagure.io/SSSD/sssd/issue/1898

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pam_sss: Fix leaking of memory in case of failures</title>
<updated>2017-06-13T08:25:24+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2017-06-05T07:43:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=818d01b4a0d332fff06db33c0c985b8c0f1417c7'/>
<id>818d01b4a0d332fff06db33c0c985b8c0f1417c7</id>
<content type='text'>
Found by Coverity.

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Found by Coverity.

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pam_sss: Fix checking of empty string cert_user</title>
<updated>2017-06-05T15:09:27+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2017-06-02T09:56:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=c62dc2ac02253e130991db0f6acd60ce1a2753f1'/>
<id>c62dc2ac02253e130991db0f6acd60ce1a2753f1</id>
<content type='text'>
src/sss_client/pam_sss.c: In function ‘eval_response’:
src/sss_client/pam_sss.c:998:64: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
                 if (type == SSS_PAM_CERT_INFO &amp;&amp; pi-&gt;cert_user == '\0') {
                                                                ^~
src/sss_client/pam_sss.c:998:50: note: did you mean to dereference the pointer?
                 if (type == SSS_PAM_CERT_INFO &amp;&amp; pi-&gt;cert_user == '\0') {
                                                  ^
src/sss_client/pam_sss.c:1010:42: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
                         &amp;&amp; pi-&gt;cert_user != '\0') {
                                          ^~
src/sss_client/pam_sss.c:1010:28: note: did you mean to dereference the pointer?
                         &amp;&amp; pi-&gt;cert_user != '\0') {

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
src/sss_client/pam_sss.c: In function ‘eval_response’:
src/sss_client/pam_sss.c:998:64: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
                 if (type == SSS_PAM_CERT_INFO &amp;&amp; pi-&gt;cert_user == '\0') {
                                                                ^~
src/sss_client/pam_sss.c:998:50: note: did you mean to dereference the pointer?
                 if (type == SSS_PAM_CERT_INFO &amp;&amp; pi-&gt;cert_user == '\0') {
                                                  ^
src/sss_client/pam_sss.c:1010:42: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
                         &amp;&amp; pi-&gt;cert_user != '\0') {
                                          ^~
src/sss_client/pam_sss.c:1010:28: note: did you mean to dereference the pointer?
                         &amp;&amp; pi-&gt;cert_user != '\0') {

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT</title>
<updated>2017-06-01T14:20:30+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2017-05-08T14:01:26+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=a192a1d72e92dae3e71e062b333e51a5095a0395'/>
<id>a192a1d72e92dae3e71e062b333e51a5095a0395</id>
<content type='text'>
The new response type SSS_PAM_CERT_INFO_WITH_HINT is equivalent to
SSS_PAM_CERT_INFO but tells pam_sss to prompt for an optional user name as
well.

Resolves:
https://pagure.io/SSSD/sssd/issue/3395

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The new response type SSS_PAM_CERT_INFO_WITH_HINT is equivalent to
SSS_PAM_CERT_INFO but tells pam_sss to prompt for an optional user name as
well.

Resolves:
https://pagure.io/SSSD/sssd/issue/3395

Reviewed-by: Fabiano Fidêncio &lt;fidencio@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh tools: Split connect and communication phases</title>
<updated>2017-04-28T17:10:22+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2017-04-25T19:19:13+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9'/>
<id>244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9</id>
<content type='text'>
We can fall back after a connect error, but we cannot easily fall back
once we start sending data as we may have consumed part of the buffer so
reconnecting and sending what's left would not make sense.

Therefore we now fall back on connect errors, but we issue a hard fail if
an error happens after communication has been established.

Resolves:
https://pagure.io/SSSD/sssd/issue/1498

Merges: https://pagure.io/SSSD/sssd/pull-request/3383

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We can fall back after a connect error, but we cannot easily fall back
once we start sending data as we may have consumed part of the buffer so
reconnecting and sending what's left would not make sense.

Therefore we now fall back on connect errors, but we issue a hard fail if
an error happens after communication has been established.

Resolves:
https://pagure.io/SSSD/sssd/issue/1498

Merges: https://pagure.io/SSSD/sssd/pull-request/3383

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh tools: Fix issues with multiple IP addresses</title>
<updated>2017-04-28T17:10:17+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2017-04-25T14:00:15+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/commit/?id=5f6232c7e6d9635c1d6b6b09f799309b6094b143'/>
<id>5f6232c7e6d9635c1d6b6b09f799309b6094b143</id>
<content type='text'>
Cycle through all resolved addresses until one succeeds or all fail.
This is needed for dual stack systems where either IPv4 or IPv6 is
improperly configured or selectively filtered at some point along the
route.

Resolves:
https://pagure.io/SSSD/sssd/issue/1498

Merges: https://pagure.io/SSSD/sssd/pull-request/3383

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Cycle through all resolved addresses until one succeeds or all fail.
This is needed for dual stack systems where either IPv4 or IPv6 is
improperly configured or selectively filtered at some point along the
route.

Resolves:
https://pagure.io/SSSD/sssd/issue/1498

Merges: https://pagure.io/SSSD/sssd/pull-request/3383

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
