[PATCH] Rename SAFEALIGN macros
by Michal Židek
Hi,
about 3 months ago I renamed the SAFEALIGN macros (and added aliases
for backward compatibility) from
    SAFEALIGN_COPY_<type>
    SAFEALIGN_SET_<type>
to
    SAFEALIGN_BUF2VAR_<type>
    SAFEALIGN_VAR2BUF_<type>
according to the request in ticket
https://fedorahosted.org/sssd/ticket/1772
But now I think I used the wrong new names for these macros, because
SAFEALIGN_BUF2VAR_<type> is not meant to only copy a value from a buffer to
a variable; it can be used the other way around as well (it is basically
just memcpy with byte counting). So the original SAFEALIGN_COPY_<> was
IMO a much better name for the macro.
The second macro SAFEALIGN_VAR2BUF_<type> is used to SET the buffer at a
given address to a specified value. This can be used if the value we copy
to the buffer is just an expression (like 3 + 5), a #DEFINEd constant or a
literal (so we cannot get its address with &, and SAFEALIGN_COPY_<type>
cannot be used). The original name of this macro was
    SAFEALIGN_SET_<type>
which was better than the new one. I wrongly interpreted the macros when
creating the new names and realized it only now when I wanted to use them.
The reason why the name change was requested is most likely that
    SAFEALIGN_SET_UINT32
might look like it should be used when setting a uint32_t variable to
a specific value taken from a buffer. The parameter 'value' is an
expression of type uint32_t and not the address of some uint32_t value
in a buffer. Another reason why people might have been confused by the
old names was that it was not clear that with SAFEALIGN_SET the 'value'
is not a pointer to a value but the value itself. I think this was the
reason why the ticket was created.
So, I would prefer to change the names once again (the new ones are not
used anywhere so far) to the original ones, with one little difference:
SAFEALIGN_SET_<type> will become SAFEALIGN_SETMEM_<type>. It makes it
clearer that we want to change memory at a given address (and not set some
variable of type <type>).
With additional comments showing the expected types of all arguments,
this should be clear enough and hopefully nobody will be confused in
the future.
Patch is attached.
Thanks
Michal
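The distinction the mail draws between the two macro families, as an added example that is not part of the mail or of SSSD's own util_safealign.h: a minimal re-implementation of "memcpy with byte counting" in which COPY takes two addresses and works in either direction, while SETMEM takes a value expression that has no address. All names with a demo_/DEMO_ prefix are assumptions for this example, not SSSD identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* memcpy that also advances a byte counter when one is supplied; this is
 * the "memcpy with byte counting" the mail describes. */
static void demo_safealign_memcpy(void *dest, const void *src, size_t n,
                                  size_t *counter)
{
    memcpy(dest, src, n);
    if (counter != NULL) {
        *counter += n;
    }
}

/* COPY: both 'dest' and 'src' are addresses. The same macro serves
 * variable -> buffer and buffer -> variable. */
#define DEMO_SAFEALIGN_COPY_UINT32(dest, src, pctr) \
    demo_safealign_memcpy((dest), (src), sizeof(uint32_t), (pctr))

/* SETMEM: 'value' is a uint32_t expression, not an address. A literal,
 * a #define or "3 + 5" has no address to take with &, so the value is
 * first stored in a local and then copied to the memory at 'dest'. */
#define DEMO_SAFEALIGN_SETMEM_UINT32(dest, value, pctr)                       \
    do {                                                                      \
        uint32_t demo_val_ = (uint32_t)(value);                               \
        demo_safealign_memcpy((dest), &demo_val_, sizeof(uint32_t), (pctr));  \
    } while (0)

#define DEMO_ANSWER 42u   /* a #DEFINEd constant, the case the mail mentions */

/* Serialise two uint32_t values into buf at 'offset' (any alignment),
 * then read them back through the COPY macro in the other direction.
 * Returns the number of bytes written; *out1 and *out2 receive the
 * values read back. */
size_t demo_roundtrip(uint8_t *buf, size_t offset, uint32_t first,
                      uint32_t *out1, uint32_t *out2)
{
    uint8_t *p = buf + offset;
    size_t written = 0;
    size_t consumed = 0;

    /* variable -> buffer: COPY, passing the variable's address */
    DEMO_SAFEALIGN_COPY_UINT32(p + written, &first, &written);
    /* expression -> buffer: SETMEM, because &(DEMO_ANSWER + 1) does not exist */
    DEMO_SAFEALIGN_SETMEM_UINT32(p + written, DEMO_ANSWER + 1, &written);

    /* buffer -> variable: the same COPY macro with the roles swapped */
    DEMO_SAFEALIGN_COPY_UINT32(out1, p + consumed, &consumed);
    DEMO_SAFEALIGN_COPY_UINT32(out2, p + consumed, &consumed);

    return written;
}

/* Self-check, intended for an odd offset so the uint32_t accesses are
 * unaligned: returns 0 when 8 bytes were written and both values
 * round-trip, -1 if the offset does not fit the constructed buffer. */
int demo_selftest(size_t offset)
{
    uint8_t buf[32] = {0};   /* constructed scratch buffer */
    uint32_t a = 0;
    uint32_t b = 0;

    if (offset + 2 * sizeof(uint32_t) > sizeof(buf)) {
        return -1;
    }
    size_t n = demo_roundtrip(buf, offset, 7u, &a, &b);
    if (n != 2 * sizeof(uint32_t)) {
        return 1;
    }
    if (a != 7u || b != DEMO_ANSWER + 1) {
        return 2;
    }
    return 0;
}

int main(void)
{
    printf("unaligned round trip at offset 1: %s\n",
           demo_selftest(1) == 0 ? "ok" : "FAILED");
    return demo_selftest(1);
}
```

The byte counter is the detail that makes the naming matter: a caller serialising a packet passes the same counter to every COPY and SETMEM call and never computes offsets by hand, so the only thing that differs between the two macros is whether the second argument is an address or a value.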
Question about pam_auth_req and crash from BZ972699
by Lukas Slebodnik
ehlo,
I have a question about struct pam_auth_req and the crash from BZ972699.
I thought it was a duplicate of upstream ticket
https://fedorahosted.org/sssd/ticket/2018 (use after free)
But I analysed the core dump and it does not look like a use after free.
I also checked talloc_magic for struct "pam_auth_req" and it is ok.
Here is the definition of the structure.
(gdb) ptype preq
type = struct pam_auth_req {
    struct cli_ctx *cctx;
    struct sss_domain_info *domain;
    struct pam_data *pd;
    pam_dp_callback_t *callback;
    struct ldb_result *res;
    _Bool check_provider;
    void *data;
} *
And here is the output from gdb
(gdb) p *preq
$1 = {cctx = 0x9f90a0, domain = 0x9a3740, pd = 0xa178f0, callback = 0,
res = 0x0, check_provider = false, data = 0x0}
#0 0x0000000000000000 in ?? ()
#1 0x00000000004110d1 in pam_dp_process_reply (pending=0x9d3c00,
ptr=<value optimized out>) at src/responder/pam/pamsrv_dp.c:79
#2 0x00007f1aeb0a661a in complete_pending_call_and_unlock (
connection=0xa1e3a0, pending=0x9d3c00, message=<value optimized out>)
at dbus-connection.c:2234
#3 0x00007f1aeb0a886f in dbus_connection_dispatch (connection=0xa1e3a0)
at dbus-connection.c:4397
#4 0x000000000045425e in sbus_dispatch (ev=0x99d380,
te=<value optimized out>, tv=..., data=<value optimized out>)
at src/sbus/sssd_dbus_connection.c:104
#5 0x00007f1aeb920bd9 in tevent_common_loop_timer_delay (ev=0x99d380)
at ../tevent_timed.c:254
77 dbus_pending_call_unref(pending);
78 dbus_message_unref(msg);
79 preq->callback(preq); <<<<<<< CRASH HERE
80 }
81
sssd_pam crashed because preq->callback was NULL.
I would like to describe struct pam_auth_req more deeply.
struct pam_auth_req is created in function pam_forwarder
from file "src/responder/pam/pamsrv_cmd.c".
Most of the structure members are initialized in this function, but *callback*
is initialized in function pam_dom_forwarder.
1173 if (!NEED_CHECK_PROVIDER(preq->domain->provider)) {
1174 preq->callback = pam_reply; <<<<HERE
1175 ret = LOCAL_pam_handler(preq);
1176 }
1177 else {
1178 preq->callback = pam_reply; <<<<< OR HERE
1179 ret = pam_dp_send_req(preq, SSS_CLI_SOCKET_TIMEOUT/2);
1180 DEBUG(4, ("pam_dp_send_req returned %d\n", ret));
1181 }
1182
There are 3 places where pam_dom_forwarder is called, and it is called only
under some condition (pam_check_user_search returned EOK).
Mostly it looks like the following lines:
852 ret = pam_check_user_search(preq);
853 if (ret == EOK) {
854 pam_dom_forwarder(preq);
855 }
And my questions are:
1. Do we need to initialize pam_auth_req->callback only in function
pam_dom_forwarder?
2. Should we check preq->callback for NULL?
3. Do you have any idea how to reproduce it?
I really don't know what the right solution is.
Thank you very much for any ideas.
LS
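The two mitigations the questions above point at (set the callback where the request is created, and refuse to deliver a reply through a NULL function pointer), as an added example that is not SSSD code: struct demo_auth_req stands in for struct pam_auth_req, demo_reply for pam_reply and demo_process_reply for the reply handler at pamsrv_dp.c:79; all demo_ names are assumptions for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct demo_auth_req;
typedef void (demo_callback_t)(struct demo_auth_req *req);

/* Stand-in for struct pam_auth_req, reduced to what the example needs. */
struct demo_auth_req {
    int status;                 /* result delivered to the callback */
    demo_callback_t *callback;  /* must be set before a reply can be processed */
    int callback_calls;         /* how many times the callback ran */
};

/* The reply handler, in the role pam_reply plays in the mail. */
void demo_reply(struct demo_auth_req *req)
{
    req->callback_calls++;
}

/* Create a request with its callback fixed at creation time, so the
 * field cannot be left NULL on one of the code paths that reach the
 * reply handler. Returns EINVAL if no callback is supplied. */
int demo_auth_req_init(struct demo_auth_req *req, demo_callback_t *cb)
{
    if (req == NULL || cb == NULL) {
        return EINVAL;
    }
    req->status = 0;
    req->callback = cb;
    req->callback_calls = 0;
    return 0;
}

/* Deliver a reply. A missing callback is reported and turned into an
 * error return instead of a jump through a NULL function pointer. */
int demo_process_reply(struct demo_auth_req *req, int status)
{
    if (req == NULL) {
        return EINVAL;
    }
    req->status = status;
    if (req->callback == NULL) {
        fprintf(stderr, "demo_process_reply: request %p has no callback\n",
                (void *)req);
        return EINVAL;
    }
    req->callback(req);
    return 0;
}

/* Scenario: a request that went through init has its callback run once.
 * Returns the number of callback invocations, or -1 on error. */
int demo_scenario_initialised(void)
{
    struct demo_auth_req req;
    if (demo_auth_req_init(&req, demo_reply) != 0) {
        return -1;
    }
    if (demo_process_reply(&req, 0) != 0) {
        return -1;
    }
    return req.callback_calls;
}

/* Scenario: the same condition as the crash in the mail (callback left
 * NULL). Returns the error code the guarded handler produces. */
int demo_scenario_null_callback(void)
{
    struct demo_auth_req req = { 0, NULL, 0 };
    return demo_process_reply(&req, 0);
}

int main(void)
{
    printf("initialised request: callback ran %d time(s)\n",
           demo_scenario_initialised());
    printf("request without callback: handler returned %d (EINVAL=%d)\n",
           demo_scenario_null_callback(), EINVAL);
    return 0;
}
```

The check in demo_process_reply is a safety net, not the fix: it turns a crash of the responder into a logged error for one request, which is the right failure mode for a daemon, but the real defect is a request object that can reach the reply path without ever passing through the code that sets its callback, and that is what fixing the initialisation addresses.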
FreeIPA on Debian
by Dmitri Pal
Hello,
Sorry for cross posting to 4 different lists but it seems that this is
the best way to include most of the people who might be interested in this
discussion.
The question of "When will FreeIPA be available on Debian?" has been
coming up periodically on the list(s) without any resolution. However it
is clear that it would be beneficial for the community and the project.
Maybe it is time to try again?
Let us see why it has not happened yet.
1) Some components need to be ported to Debian, especially Dogtag and a
slew of its new RESTEasy dependencies. This requires time and quite an
effort from someone familiar with the domain.
2) The code needs to be changed in the installer and potentially in other
places, as it might have had some Fedorizms blended in.
3) Someone needs to own the packages in Debian and maintain them, someone
with good knowledge of the distro and time to take ownership of about 50
packages.
Can we pull it off together this time?
Say we plan for some Dogtag and IPA domain experts to work on the port
during Nov 13 - Feb 14 and address 1) and 2). Would there be any
interest to join forces with them? Would there be anyone to take on item
3) from the list above?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
override_homedir exception
by Jean-Baptiste Denis
Hello everybody,
I'm in a situation where I already have an override_homedir statement in
my sssd configuration (using ldap) but I'd like to honor the
homeDirectory ldap attribute for a (group of, eventually) specific user.
I can't find any way to achieve that in the sssd version I'm using
(1.9.2). Did I miss something? If not, does it look like a reasonable RFE?
Regards,
Jean-Baptiste
Announcing SSSD 1.11.0
by Jakub Hrozek
=== SSSD 1.11.0 ===
The SSSD team is proud to announce the final release of version 1.11 of
the System Security Services Daemon.
This release focuses on changes not visible to the end-user. The aim is
to support new features used by the forthcoming version 3.3 of FreeIPA and
targets supporting legacy (non-SSSD) clients in a setup where the FreeIPA
server established a trust relationship with an Active Directory Forest.
As always, the source is available from https://fedorahosted.org/sssd.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focuses on changes not visible to the end-user. The aim is
to support new features used by the forthcoming version 3.3 of FreeIPA and
targets supporting legacy (non-SSSD) clients in a setup where the FreeIPA
server established a trust relationship with an Active Directory Forest.
- The handling of ID ranges in the providers has been changed to use
a plugin interface where each provider can use a different plugin
- The libsss_idmap library has been enhanced in several ways such as
handling "external mappings" or supporting base RIDs other than 0
- The assumption that subdomain users always have a primary
user-private-group (UPG) has been removed
- When SSSD is running on the IPA server, it is able to perform lookups
for trusted users directly against the AD server using the AD provider
lookups including enumeration and site location
* The sudo integration was made more robust. SSSD is now able to
gracefully handle situations where it is not able to resolve the client
host name or sudo rules have multiple name attributes
* Several nested group membership bugs were fixed
* The PAC responder was made more robust and efficient, modifying
existing cache entries instead of always recreating them.
* The Kerberos provider now supports the new KEYRING ccache type. This
feature depends on yet unreleased libkrb5 and kernel patches.
== Packaging changes ==
* The sssd_pac binary was moved to the IPA and AD provider subpackages
from the krb5-common subpackage
== Tickets fixed ==
https://fedorahosted.org/sssd/ticket/1938
[RFE] Add a new call to libsss_idmap to add a new mapping where the first RID is not 0
https://fedorahosted.org/sssd/ticket/1960
[RFE] Add range type for ID mapping in AD to libsss_idmap
https://fedorahosted.org/sssd/ticket/1961
[RFE] Add plugin to LDAP provider to find new ranges
https://fedorahosted.org/sssd/ticket/1962
[RFE] Integrate AD provider lookup code into IPA subdomain user lookup
https://fedorahosted.org/sssd/ticket/1979
[RFE] Add an optional unique range identifier
https://fedorahosted.org/sssd/ticket/1993
[RFE] Add a new option to denote server mode
https://fedorahosted.org/sssd/ticket/1965
man: document that the default access provider in AD provider is "permit"
https://fedorahosted.org/sssd/ticket/1988
[RFE] sss_cache has no option to clear all cached entries of all types
https://fedorahosted.org/sssd/ticket/1997
When resolving a SID, search for groups first, then users
https://fedorahosted.org/sssd/ticket/1998
sssd-ad man page states that ad_server can be an IP address even though SSSD doesn't support that
https://fedorahosted.org/sssd/ticket/2005
SSSD filter out ldap user/group if uid/gid is zero
https://fedorahosted.org/sssd/ticket/2009
Disallow or warn if full_name_format is set to a non-default value when IPA server mode is on
https://fedorahosted.org/sssd/ticket/2023
AD provider in server mode follows referrals
https://fedorahosted.org/sssd/ticket/2025
pysss module linking is broken
https://fedorahosted.org/sssd/ticket/1408
It should be possible to use uid/gid defined in AD instead of SIDs
https://fedorahosted.org/sssd/ticket/1821
Allow using UIDs and GIDs from AD in trust case
https://fedorahosted.org/sssd/ticket/1881
Determine how to map SID to UID/GID based on IdM server configuration
https://fedorahosted.org/sssd/ticket/1942
convert enumeration timer to be_ptask
https://fedorahosted.org/sssd/ticket/1963
[RFE] Implement or Improve enumeration
https://fedorahosted.org/sssd/ticket/1964
[RFE] Enhance IPA SRV plugin to do AD site lookups as well
https://fedorahosted.org/sssd/ticket/1996
PAC responder: update cached user object instead of deleting and recreating them
https://fedorahosted.org/sssd/ticket/2027
Domain Users memberships removed in subsequent lookups in server_mode
https://fedorahosted.org/sssd/ticket/2032
sssd sees gid as 0 for AD trust posix users causing lookup failures
https://fedorahosted.org/sssd/ticket/2035
amend the docs of sss_nss_getnamebysid to make it clear it only works for id_provider=ad
https://fedorahosted.org/sssd/ticket/2044
Update sssd-ad manpage to reflect "trust between domains in single forest are supported"
== Detailed changelog ==
Alexander Bokovoy (3):
* build: fix dependencies for pysss module
* pysss: add pysss.getgrouplist(username)
* pysss: prevent crashing when group is unresolvable
Jakub Hrozek (58):
* Updating the version for the 1.10.1 release
* Bump version to track 1.11 development
* IPA: Add a server mode option
* LDAP: Add utility function sdap_copy_map
* AD: decouple ad_id_ctx initialization
* AD: initialize failover with custom realm, domain and failover service
* IPA: Initialize server mode ctx if server mode is on
* AD: Move storing sdap_domain for subdomain to generic LDAP code
* IPA: Create and remove AD id_ctx for subdomains discovered in server mode
* IPA: Look up AD users directly if IPA server mode is on
* Updating translations for the 1.11 beta1 release
* Bumping the version for the 1.11 beta2 release
* RPM: Move sssd_pac to the krb5-common subpackage
* DB: sysdb_search_user_by_name: search by both name and alias
* LDAP: When resolving a SID, search for groups first, then users
* RPM: Require libsss_idmap from sssd-common
* MAN: clarify the default access provider for AD
* MAN: IP address does not work when used for ad_server
* MAN: Clarify the min_id/max_id limits further
* Remove unused be_ctx->sigchld_ctx
* IPA: warn if full_name_format is customized in server mode
* AD: Set the bool value same as default value in opts
* Fix the default FQDN format
* SUDO: realloc with sizeof(uint32_t) when adding uint32_t
* KRB5: Do not send PAC in server mode
* LDAP: Use domain-specific name where appropriate
* Updating translations for the 1.11 beta2 release
* Bumping the version for the 1.11 beta3 release
* Use GID if subdomain is not MPG
* PAM: Check negcache when searching for fully qualified users, too
* PAM: Set negcache if user is not found after provider check
* Use the correct resolv timeout
* Remove unused constant
* AD: Use the correct include guard
* UTIL: Remove obsolete compat macros
* KRB5: Formatting changes
* KRB5: Do not log to syslog on each login
* MAN: AD provider only supports trusted domains from the same forest
* PAC: Skip SIDs that cannot be resolved to domain
* IPA: Enable AD sites when in server mode
* DB: Update sss_domain_info with new updated data
* DB: remove unused realm parameter from sysdb_master_domain_add_info
* LDAP: Add enum_{users,groups}_recv to follow the tevent_req style
* LDAP: Remove unused constant
* LDAP: Move the ldap enum request to its own reusable module
* LDAP: Convert enumeration to the ptask API
* LDAP: Make cleanup synchronous
* LDAP: Make the cleanup task reusable for subdomains
* LDAP: Make sdap_id_setup_tasks reusable for subdomains
* SYSDB: Store enumerate flag for subdomain
* Read enumerate state for subdomains from cache
* Add a new option to control subdomain enumeration
* IPA: enable enumeration if parent domain enumerates in server mode
* NSS: Descend into subdomains if enumerate=true
* IPA: Add forgotten declaration
* DP: Use the correct type for DBus boolean
* Updating translations for the 1.11.0 release
* Updating the version for the 1.11.0 release
Jim Collins (1):
* ldap: only update shadowLastChange when password change is successful
Lukas Slebodnik (35):
* BUILD: Use pkg-config to detect cmocka
* Return right directory name for dircache
* Use conditional build for retrieving ccache.
* Remove unused function parameter
* Every time use permissive control in function memberof_mod.
* Fix clang format string warning.
* Use function ldb_dn_get_linearized to format struct ldb_dn
* Add missing argument required by format string
* Remove unused memory context from function unpack_authtok
* Fix warnings: uninitialized variable
* Fix autotools warnings: macro xyz not found in library
* Fix possible dereference of a NULL pointer.
* Every time release allocated memory in function py_sss_getgrouplist
* Prevent using uninitialized "group_name" in done section.
* Remove unused memory context
* SSH: Ensure that cmd_ctx->name will not be NULL.
* Add script make_srpm.sh to dist tarball.
* NSS: allow removing entries from netgroup hash table
* NSS: Clear cached netgroups if a request comes in from the sss_cache
* Enable removing nonexisting dn in sdap_handle_account_info
* proxy: Allocate auth tokens in struct authtok_conv
* Check whether servername is not empty string.
* Remove include recursion
* Remove include recursion
* Use brackets around macros.
* Fix memory leak in sss_krb5_get_error_message
* mmap_cache: Skip records which don't have the same hash
* mmap_cache: Use stricter check for hash keys.
* UTIL: Create new wrapper header file sss_endian.h
* CLIENT: Fix non gnu sss_strnlen implementation
* MONITOR: Move function declaration out of conditional build
* UTIL: Explicitly include header file sys/socket.h
* MEMBEROF: Remove temporary workaround
* IPA_HBAC: Explicitly include header file time.h
* CONFIGURE: Get rid of bashism
Michal Zidek (16):
* sss_cache: Add option to invalidate all entries
* Always set port status to neutral when resetting service.
* Missing space in debug message
* Remove unused constant.
* Set default DNS resolution timeout to 6 seconds.
* Lower timeout to contact DNS server
* resolv-tests failing with memory leak
* ldap, krb5: More descriptive msg on chpass failure.
* mmap_cache: Check if slot and name_ptr are not invalid.
* mmap_cache: Check data->name value in client code
* mmap_cache: Remove triple checks in client code.
* mmap_cache: Off by one error.
* mmap_cache: Use better checks for corrupted mc in responder
* mmap_cache: Store corrupted mmap cache before reset
* mmap_cache: Use sss_atomic_write_s instead of write.
* pam: Bad debug message format and parameter.
Ondrej Kos (9):
* Do not copy special files when creating homedir
* KRB5_CHILD: Fix handling of get_password return code
* Do not try to set password when authtok_length is zero
* KRB: Handle empty password gracefully
* KRB: Replace multiple calls with variable
* TOOLS: Update all services with sss_debuglevel
* Clarify that getnamebysid currently works only with ipa/ad id_provider
* AD: Cast SASL callbacks to proper type
* DP: Notify properly when removing PAC responder
Pavel Březina (13):
* remove unused variable
* print hint about password complexity when new password is rejected
* dyndns timeout test: catch SIGCHLD handler events
* SIGCHLD handler: do not call callback when pvt data were freed
* Fix netgroup lookup when using fully qualified name
* sudo: skip rule on error instead of failing completely
* sudo: print better debug message when a rule has multiple cn values
* simple access provider: allow fully qualified names
* add simple access provider init test
* sudo: continue if we are unable to resolve fqdn
* sudo: do not fail to store the rule if we can't read usn
* sudo: do not strdup usn on ENOENT
* sss_packet_grow: correctly pad packet length to 512B
Simo Sorce (5):
* Add a commit template
* sssd_ad: Add hackish workaround for sasl ad_compat
* proxy: Allow initgroup to return NOTFOUND
* krb5_common: Refactor to use a talloc temp context
* BUILD: Remove unnecessary patch and configure opts
Stephen Gallagher (14):
* Move pre and post scripts to sssd-common
* Remove sysv->systemd upgrade routines
* Move sssd_pac binary to the IPA and AD providers
* Netgroups should ignore the 'use_fully_qualified_names' setting
* BUILD: Fix contrib build macros to display warnings
* gitignore: Add Eclipse project files to ignore list
* KRB5: Add new #define for collection cache types
* KRB5: Refactor cc_*_check_existing
* KRB5: Only set active and valid on success
* KRB5: Add low-level debugging to sss_get_ccache_name_for_principal
* KRB5: Remove unnecessary call to become_user()
* KRB5: Add support for KEYRING cache type
* BUILD: Ignore translations when building RPMs
* krb5: Fetch ccname template from krb5.conf
Sumit Bose (36):
* idmap: allow first RID to be set
* idmap: add optional unique range id
* idmap: add option to indicate external_mapping
* idmap: allow NULL domain sid for external mappings
* idmap: add calls to check if ID mapping conforms to ranges
* idmap: add sss_idmap_domain_has_algorithmic_mapping
* Add cmocka based tests for libsss_idmap
* Add new options ldap_min_id and ldap_max_id
* SDAP IDMAP: Add configured domain to idmap context
* Allow different methods to find new domains for idmapping
* Add sdap_idmap_domain_has_algorithmic_mapping()
* Replace SDAP_ID_MAPPING checks with sdap_idmap_domain_has_algorithmic_mapping
* Add ipa_idmap_init()
* Add support for new ipaRangeType attribute
* Replace new_subdomain() with find_subdomain_by_name()
* IPA: read ranges before subdomains
* Save mpg state for subdomains
* Read mpg state for subdomains from cache
* Fix memory context for a state member
* Fix memory context for hash entries
* ipa_s2n_get_user_done: free group_attrs as well
* ipa_s2n_get_user_done: make sure ALIAS name is lower case
* sdap_get_initgr_done: use the right SID to get a GID
* sdap_save_user: save original primary GID of subdomain users
* fill_initgr: add original primary GID if available
* sdap_add_incomplete_groups: use fully qualified name if needed
* save_rfc2307bis_user_memberships: use fq names for subdomains
* sysdb_add_incomplete_group: store SID string if available
* check_cc_validity: make sure _valid is always set
* PAC: if user entry already exists keep it
* PAC: do not create users with missing GID
* PAC: handle non-POSIX groups in cache
* PAC: read user DN instead of constructing it
* PAC: do not fail if a single group cannot be added/removed
* PAC: use SID instead of GID to search for groups
* ipa-server-mode: add IPA group memberships to AD users
Yuri Chornoivan (1):
* Fix two minor typos