rhel-7.5 patches #6
Closed
Related: https://pagure.io/SSSD/sssd/issue/3496 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 878b0d4)
With this patch the memcache files will not be created when memcache_timeout is set to zero. Resolves: https://pagure.io/SSSD/sssd/issue/3496 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit ffe29e5)
Document that by setting memcache_timeout to 0 the in-memory cache will be disabled. Related: https://pagure.io/SSSD/sssd/issue/3496 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 1becbb7)
The auto_private_groups option is used to configure the domain->mpg flag which was already set automatically for subdomains, but for some time was not settable by the admin via the configuration file. The new option name, instead of the old magic_private_groups, was chosen purely because this name would hopefully be better understood by admins. The option doesn't do anything yet, it is just added to all the places a new option should be added to. Related: https://pagure.io/SSSD/sssd/issue/1872 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit d72ac2c)
Since this confdb definition was completely unused across the codebase, this patch just removes the definition. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 8fab9d6)
This commit allows saving the users in the MPG domain in the SDAP layer. The commit contains the following changes:
- abstracts the change where if the primary GID exists in the original object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute, which will allow the original primary GID to be exposed as a secondary group
- if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM is added. This will allow to handle LDAP objects that only contain the UID but no GID. Since this is a new use-case, a test is added later
- a branch that handles the above is added to sdap_save_user() also for joined domains that set the MPG flag. Previously, only subdomains were handled.
- to allow passing GID=0 to the sysdb layer, the range check is relaxed.
Related: https://pagure.io/SSSD/sssd/issue/1872 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit cdb74b2)
If the primary group GID or the group name is requested before the user is, we need to also search the user space to save the user in the back end which then allows the responder to generate the group from the user entry. Related: https://pagure.io/SSSD/sssd/issue/1872 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 057e8af)
…r id_provider=local This commit makes the check when adding an object in a MPG domain stricter in the sense that not only same names are allowed in a MPG domain, but also the same groups are not allowed either. This commit is a backwards-incompatible change, but one that is needed, otherwise requesting the duplicate group first and then requesting the user entry would yield two objects when searching by GID. In order to keep backwards-compatibility, this uniqueness is NOT enforced with id_provider=local. This constraint can be removed in the future (or the local provider can be dropped altogether). Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit ac962e2)
Related: https://pagure.io/SSSD/sssd/issue/1872 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 6c802b2)
Let's copy the cr_domain list for each request as this list may be free'd due to a refresh domains request. Resolves: https://pagure.io/SSSD/sssd/issue/3551 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 0f44eef)
Note in the man pages that current version of SSSD does not support host entries in the 'Security filtering' list. Resolves: https://pagure.io/SSSD/sssd/issue/3444 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 6c1661d)
Prior to this patch, we remember id_ctx->srv_opts in sudo request to switch the latest usn values. This works fine most of the time but it may cause a crash. If we have two concurrent sudo refresh and one of these fails, it causes failover to try the next server and possibly replacing the old srv_opts with new one and it causes an access after free in the other refresh. Resolves: https://pagure.io/SSSD/sssd/issue/3562 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 2ee201d)
To discover Active Directory site for a client we must first contact any directory controller for an LDAP ping. This is done by searching domain-wide DNS tree which may however contain servers that are not reachable from current site and then we face long timeouts or failure. This patch makes sssd remember the last successfully discovered site and use this for DNS search to lookup a site and forest again similar to what we do when ad_site option is set. Resolves: https://pagure.io/SSSD/sssd/issue/3265 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit f54d202)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit e165397)
This can speed up sssd startup. Resolves: https://pagure.io/SSSD/sssd/issue/3265 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit fb0431b)
Let's use one enum for logger type instead of many integers (debug_to_file, debug_to_stderr plus some weird combination for journald). Old variables were also transformed to enum for backward compatibility. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 09e3f0a)
Different binaries handled information about logging differently, e.g. --debug-to-files --debug-to-stderr. And logging to journald was a special case of previous options (!debug_file && !debug_to_stderr). It was also tied to the monitor option "--daemon" and therefore logging to stderr was used in interactive mode + systemd Type=notify. Resolves: https://pagure.io/SSSD/sssd/issue/3433 Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit cb75b27)
Users can set variable DEBUG_LOGGER in environment files (/etc/sysconfig/sssd or /etc/default/sssd; depending on the distribution) to override default logging to files. e.g.
DEBUG_LOGGER=--logger=stderr
DEBUG_LOGGER=--logger=journald
Resolves: https://pagure.io/SSSD/sssd/issue/3433 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit a7277fe)
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 115145f)
Reviewed-by: Justin Stephenson <jstephen@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 18a47bc)
When dealing with id_provider not being the same as auth_provider, SSSD has to bind the DN of the user which wants to authenticate with the ldap_default_bind_dn and the password provided by the user. In order to do so, the least intrusive way is just by replacing sdap_connect*() functions by sdap_cli_connect*() functions in the LDAP's auth module. The simple change also allowed us to remove some code that is already executed as part of sdap_cli_connect*() and some functions had their names adapted to reflect better their new purpose. Resolves: https://pagure.io/SSSD/sssd/issue/3451 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit add7286)
This patch makes sss_nss_getpw_readrep() and sss_nss_getgr_readrep() calls which parse SSSD's replies for user and group requests available to other components. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 7449b23)
This patch adds new calls to libsss_nss_idmap to get NSS like user and group information directly from SSSD without using the system's NSS interfaces. Additionally a timeout and a flags option are added which are not available for system's NSS. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 5e66227)
To be able to send the flags to the SSSD responder new request types with an _EX postfix are added which expect an additional 32bit flag field after the name or the id of the requested object. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit cf93f7c)
If SSS_NSS_EX_FLAG_NO_CACHE is set the object is refreshed by directly looking it up in the backend. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit ac6b267)
Similar to cache_req_data_set_bypass_cache() cache_req_data_set_bypass_dp() can be used to control how the cache_req framework performs the lookup. If cache_req_data_set_bypass_dp() is used with 'true' only a cache lookup is performed and no request is sent to the backend even if no entry was found. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 52e675e)
Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit a7d6ca2)
The patch adds support for the SSS_NSS_EX_FLAG_INVALIDATE_CACHE flag and makes the existing code more flexible and handle additional flags. If SSS_NSS_EX_FLAG_INVALIDATE_CACHE is set the requested object is only looked up in the cache and if it was found on-disk and memory cache entries will be invalidated. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 55f7d80)
The patch adds unit tests for the new *_EX requests with different input types and flags. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 85da8a5)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit e54db68)
If CERT_VerifyCertificateNow() is used with 'certificateUsageCheckAllUsages' OCSP checks are skipped even if OCSP was enabled. This patch calls CERT_CheckOCSPStatus() explicitly if OCSP checks are enabled. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 2297cc7)
…sults The function get_object_from_cache() returns an ldb_message that is passed to apply_subdomain_homedir() which expects SYSDB_OBJECTCATEGORY to be present in the message, otherwise it errors out. However, get_object_from_cache() was reading only SYSDB_OBJECTCLASS. This patch changes get_object_from_cache() to read SYSDB_OBJECTCATEGORY. Resolves: https://pagure.io/SSSD/sssd/issue/3599 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit dc49e07)
To make the *_timeout calls more resilient checks are added if the result parameter is NULL. It will not be used in this case. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> (cherry picked from commit bba068c)
The cache_req code doesn't check the min_id/max_id boundaries for requests by ID. Extending the .lookup_fn function in each plugin that searches by ID for a check that returns non-zero if the entry is out of the range and 0 if not. Resolves: https://pagure.io/SSSD/sssd/issue/3569 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 2af8064)
With certificateUsageCheckAllUsages not only the return code of CERT_VerifyCertificateNow() should be checked but also the usages for which the certificate was verified. The usages checked here will all involve CA signature checks and OCSP checks if OCSP is enabled. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 787ba9c)
ifp_list_ctx_remaining_capacity() might be called multiple times if results from multiple domains are added to the result list. The current use of talloc_zero_array() which was introduced with commit b0b9222 will override results which are already in the list. This causes a regression since it worked before. This patch replaces it with talloc_realloc(). Resolves https://pagure.io/SSSD/sssd/issue/3608 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 510ac19)
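Added illustration of the regression described in the commit message above; it is not SSSD code. Plain calloc()/realloc() stand in for talloc_zero_array()/talloc_realloc(), and struct list_ctx, its fields, the function names and the sample paths are all hypothetical.

```c
#include <stdlib.h>

/* Hypothetical miniature of a list context collecting result paths. */
struct list_ctx {
    const char **paths;  /* NULL-terminated result list */
    size_t path_count;   /* entries already stored */
    size_t limit;        /* 0 means unlimited */
};

typedef int (*sizer_fn)(struct list_ctx *, size_t, size_t *);

static size_t clamp_capacity(const struct list_ctx *c, size_t entries)
{
    size_t room;

    if (c->limit == 0) return entries;
    room = c->limit - c->path_count;
    return entries < room ? entries : room;
}

/* Regressed sizing: a fresh zeroed array on every call. Entries stored by
 * an earlier call are no longer in the list. (talloc would keep the old
 * array alive under its parent; this model frees it.) */
int remaining_capacity_zeroed(struct list_ctx *c, size_t entries, size_t *cap)
{
    const char **fresh;

    *cap = clamp_capacity(c, entries);
    fresh = calloc(c->path_count + *cap + 1, sizeof(*fresh));
    if (fresh == NULL) return -1;
    free(c->paths);
    c->paths = fresh;
    return 0;
}

/* Fixed sizing: grow in place, keep stored entries, clear only new slots. */
int remaining_capacity_realloc(struct list_ctx *c, size_t entries, size_t *cap)
{
    const char **grown;
    size_t new_max, i;

    *cap = clamp_capacity(c, entries);
    new_max = c->path_count + *cap;
    grown = realloc(c->paths, (new_max + 1) * sizeof(*grown));
    if (grown == NULL) return -1;       /* old block is still owned by c */
    for (i = c->path_count; i <= new_max; i++) grown[i] = NULL;
    c->paths = grown;
    return 0;
}

/* Append the results of one domain after asking for capacity. */
static int add_domain(struct list_ctx *c, sizer_fn sizer,
                      const char *const *results, size_t n)
{
    size_t cap, i;

    if (sizer(c, n, &cap) != 0) return -1;
    for (i = 0; i < cap; i++) c->paths[c->path_count++] = results[i];
    return 0;
}

/* Number of entries a consumer sees when walking the NULL-terminated list
 * after two domains contributed results (constructed sample data). */
size_t visible_after_two_domains(int use_fix)
{
    static const char *const dom_a[] = { "/users/a1", "/users/a2" };
    static const char *const dom_b[] = { "/users/b1" };
    sizer_fn sizer = use_fix ? remaining_capacity_realloc
                             : remaining_capacity_zeroed;
    struct list_ctx c = { NULL, 0, 0 };
    size_t visible = 0;

    if (add_domain(&c, sizer, dom_a, 2) != 0 ||
        add_domain(&c, sizer, dom_b, 1) != 0) {
        free(c.paths);
        return (size_t)-1;
    }
    while (c.paths[visible] != NULL) visible++;
    free(c.paths);
    return visible;
}
```

With the zeroed variant the first slot is NULL after the second domain is added, so a consumer that walks the list to its terminator sees no results at all.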
When the IPA subdomains code is initialized, the responders send a request to fetch subdomains. This request first stores the list of trusted domains to the cache and then runs the ipa-getkeytab helper. At the same time, the periodical task to update the subdomains is also started. The task finds out that all the trusted domains are already known and finishes the request, which replies to the Data Provider requests as well even while the ipa-getkeytab request is still running. This unblocks requests from the responders, which try to connect to the AD DCs even before the keytab is available, which switches the SSSD status to offline. This patch simply delays the first periodic task in the IPA subdomains code by 10 minutes, thus mitigating the startup race. Resolves: https://pagure.io/SSSD/sssd/issue/3601 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 261a843)
Related to https://pagure.io/SSSD/sssd/issue/3503 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 5b78fff)
If the auto_private_groups option was set in the domain section for direct integration, it only had an effect on the joined domain, not any of the subdomains, so requesting a user from the child domain would look like this:
$ id childuser@child.win.trust.test
uid=30000(childuser@child.win.trust.test) gid=40000(usergroup@child.win.trust.test) groups=40000(usergroup@child.win.trust.test)
The expected result, visible after this patch is:
$ id childuser@child.win.trust.test
uid=30000(childuser@child.win.trust.test) gid=30000(childuser@child.win.trust.test) groups=30000(childuser@child.win.trust.test),40000(usergroup@child.win.trust.test)
Resolves: https://pagure.io/SSSD/sssd/issue/3613 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 29ebf45)
While processing group memberships SSSD might accidentally save builtin or other well known AD groups. With this patch those groups are skipped similar as e.g. in sdap_save_group(). Resolves: https://pagure.io/SSSD/sssd/issue/3610 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit c36a66b)
…bdomain UPNs There was a typo in code that read the UPN suffixes from the subdomain ldb_message. As a result, the UPN suffixes from the first domain were always consulted for all domains. Related to: https://pagure.io/SSSD/sssd/issue/3431 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit a8a3fcb)
Check return values and make sure the mutex is released in case of errors. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3e32cb2)
freeipa-deskprofile-plugin can have both user and host category set as "all" and when it happens, no users and groups or hosts or hostgroups are going to be set. Let's treat this expected (but so far missed) situation on SSSD side. Resolves: https://pagure.io/SSSD/sssd/issue/3449 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit b72e444)
If SELinux policy is not managed at all, don't call any SELinux user handling functions and instead return that no update is needed. Pair-Programmed-With: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Resolves: https://pagure.io/SSSD/sssd/issue/3618 (cherry picked from commit 450b472)
Add sss_ prefix to del_seuser and set_seuser for consistency with sss_get_seuser. Also sss_ prefix makes it clear that these functions come from SSSD. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Resolves: https://pagure.io/SSSD/sssd/issue/3618 (cherry picked from commit 6b9c38d)
Fix explains how auto_private_groups affects subdomains. a. POSIX subdomains, gets inherited to subdomain. b. ID-mapping subdomains, already enabled. Resolves: https://pagure.io/SSSD/sssd/issue/3627 Reviewed-by: Rob Crittenden <rcritten@redhat.com> (cherry picked from commit 52ae767)
Each ad_id_ctx structure which represents a trusted AD domain contains a list of sdap_domain structures representing all the other domains. This is used to e.g. be able to reach another domain's ad_id_ctx and use its LDAP connection. However, the sdap search call that was searching for trusted domains in the forest that the root domain knows about, was unconditionally using the first sdap_domain structure in the list linked from the root_domain's ad_id_ctx structure. It should be noted that this search only happens in case the machine is joined to one of the non-root domains in the forest and searches the root domain explicitly. In case sdap_domain structures linked from the ad_id_ctx representing the root domain were ordered so that the first sdap_domain in the list was representing a different domain than the one linked from the ad_id_ctx, the sdap search would have used a wrong search base derived from the unexpected sdap_domain which would result in a referral being returned. This patch explicitly looks up the sdap_domain structure that corresponds to the root domain. Resolves: https://pagure.io/SSSD/sssd/issue/3594 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 9ac0712)
Related to https://pagure.io/SSSD/sssd/issue/3639 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit db52090)
Related to https://pagure.io/SSSD/sssd/issue/3639 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit e6ad16e)
abbra pushed a commit to abbra/sssd that referenced this pull request Feb 22, 2018
While debugging rhbz#1396912 a deadlock on sssd_be was noticed[0] and it's been caused by the use of non async-signal-safe functions from the signal_handler (please, see man 7 signal for more info about which are the async-signal-safe functions that can be used). In order to work this situation around a pipe has been added to the watchdog_ctx structure and, in case of clock screw, a single byte is written to this pipe (which is an async-signal-safe operation) and the logic currently done by the timer handler to reset the watchdog will be done inside the fd handler in a safe way. With this patch we ended up losing some debug messages as orderly_shutdown() has been replaced by kill(-getpgrp(), SIGTERM) (or _exit(1) considering the cases where setting up the process group during the server_setup() has failed). Personally I don't think it is worth the trouble to try to log those messages properly in this specific case. It's really worth to mention that a proper fix for the clock screw situation should be implemented on samba's side, by having tevent using monotonic (or boottime) clock.
[0]:
[root@dusan ~]# pstack 17922
#0 __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
#1 0x00007fe707d04f93 in _L_lock_14932 () from /lib64/libc.so.6
#2 0x00007fe707d02013 in __GI___libc_malloc (bytes=140630248638304, bytes@entry=15) at malloc.c:2891
#3 0x00007fe707d0888a in __GI___strdup (s=0x7fe707dff4f7 "/etc/localtime") at strdup.c:42
#4 0x00007fe707d31b61 in tzset_internal (always=<optimized out>, explicit=explicit@entry=1) at tzset.c:438
#5 0x00007fe707d32523 in __tz_convert (timer=timer@entry=0x7ffcd5d2b090, use_localtime=use_localtime@entry=1, tp=tp@entry=0x7fe708041d40 <_tmbuf>) at tzset.c:621
#6 0x00007fe707d30521 in __GI_localtime (t=t@entry=0x7ffcd5d2b090) at localtime.c:42
#7 0x00007fe70886c7b0 in sss_vdebug_fn (file=<optimized out>, line=<optimized out>, function=0x7fe70bff27f0 <__FUNCTION__.9379> "watchdog_handler", level=16, flags=flags@entry=0, format=format@entry=0x7fe70bff2760 "Watchdog timer overflow, killing process!\n", ap=ap@entry=0x7ffcd5d2b130) at src/util/debug.c:248
#8 0x00007fe70886c995 in sss_debug_fn (file=file@entry=0x7fe70bff263b "src/util/util_watchdog.c", line=line@entry=82, function=function@entry=0x7fe70bff27f0 <__FUNCTION__.9379> "watchdog_handler", level=level@entry=16, format=format@entry=0x7fe70bff2760 "Watchdog timer overflow, killing process!\n") at src/util/debug.c:284
#9 0x00007fe70bfdb409 in watchdog_handler (sig=<optimized out>) at src/util/util_watchdog.c:81
#10 <signal handler called>
#11 0x00007fe707cff664 in _int_malloc (av=av@entry=0x7fe70803c760 <main_arena>, bytes=bytes@entry=151) at malloc.c:3494
#12 0x00007fe707d01fbc in __GI___libc_malloc (bytes=bytes@entry=151) at malloc.c:2893
#13 0x00007fe708450749 in __talloc_with_prefix (prefix_len=0, size=55, context=0x7fe718373210) at ../talloc.c:668
#14 __talloc (size=55, context=0x7fe718373210) at ../talloc.c:708
#15 _talloc_named_const (name=0x7fe70bb7015d "../common/ldb_pack.c:425", size=55, context=0x7fe718373210) at ../talloc.c:865
#16 talloc_named_const (context=<optimized out>, size=size@entry=55, name=name@entry=0x7fe70bb7015d "../common/ldb_pack.c:425") at ../talloc.c:1606
#17 0x00007fe70bb61803 in ldb_unpack_data_only_attr_list (ldb=ldb@entry=0x7fe70e4d52c0, data=data@entry=0x7ffcd5d2b990, message=0x7fe7184aa1e0, list=list@entry=0x0, list_size=list_size@entry=0, nb_elements_in_db=nb_elements_in_db@entry=0x0) at ../common/ldb_pack.c:425
#18 0x00007fe70bb61a7d in ldb_unpack_data (ldb=ldb@entry=0x7fe70e4d52c0, data=data@entry=0x7ffcd5d2b990, message=<optimized out>) at ../common/ldb_pack.c:470
#19 0x00007fe6fdc29b46 in ltdb_parse_data_unpack (key=..., data=..., private_data=0x7ffcd5d2ba70) at ../ldb_tdb/ldb_search.c:249
#20 0x00007fe70a5e0a24 in tdb_parse_data (tdb=tdb@entry=0x7fe70e4eaa10, key=..., offset=15619748, len=414772, parser=parser@entry=0x7fe6fdc29b10 <ltdb_parse_data_unpack>, private_data=private_data@entry=0x7ffcd5d2ba70) at ../common/io.c:637
#21 0x00007fe70a5dc1fc in tdb_parse_record (tdb=0x7fe70e4eaa10, key=..., parser=parser@entry=0x7fe6fdc29b10 <ltdb_parse_data_unpack>, private_data=private_data@entry=0x7ffcd5d2ba70) at ../common/tdb.c:253
#22 0x00007fe6fdc29e7b in ltdb_search_dn1 (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183c4940, msg=msg@entry=0x7fe7184aa1e0) at ../ldb_tdb/ldb_search.c:287
#23 0x00007fe6fdc2acbb in ltdb_dn_list_load (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183c4940, list=list@entry=0x7fe7183c3a30) at ../ldb_tdb/ldb_index.c:181
#24 0x00007fe6fdc2bbbb in ltdb_index_add1 (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183bf3e0 "name=testuser7045@domain.com,cn=users,cn=DOMAIN.COM,cn=sysdb", v_idx=v_idx@entry=0, el=<optimized out>, el=<optimized out>) at ../ldb_tdb/ldb_index.c:1134
#25 0x00007fe6fdc2c62c in ltdb_index_add_el (el=0x7fe7184aa3e0, dn=0x7fe7183bf3e0 "name=testuser7045@domain.com,cn=users,cn=DOMAIN.COM,cn=sysdb", module=0x7fe70e4eab50) at ../ldb_tdb/ldb_index.c:1180
#26 ltdb_index_add_element (module=module@entry=0x7fe70e4eab50, dn=<optimized out>, el=el@entry=0x7fe7184aa3e0) at ../ldb_tdb/ldb_index.c:1290
#27 0x00007fe6fdc290bb in ltdb_modify_internal (module=module@entry=0x7fe70e4eab50, msg=0x7fe7183bf0c0, req=req@entry=0x7fe7183bdc10) at ../ldb_tdb/ldb_tdb.c:903
#28 0x00007fe6fdc2958a in ltdb_modify (ctx=0x7fe7183c2950, ctx=0x7fe7183c2950) at ../ldb_tdb/ldb_tdb.c:998
#29 ltdb_callback (ev=<optimized out>, te=<optimized out>, t=..., private_data=<optimized out>) at ../ldb_tdb/ldb_tdb.c:1380
#30 0x00007fe708664b4f in tevent_common_loop_timer_delay (ev=ev@entry=0x7fe70e4d2890) at ../tevent_timed.c:341
#31 0x00007fe708665b5a in epoll_event_loop_once (ev=0x7fe70e4d2890, location=<optimized out>) at ../tevent_epoll.c:911
#32 0x00007fe708664257 in std_event_loop_once (ev=0x7fe70e4d2890, location=0x7fe70bb72ec5 "../common/ldb.c:631") at ../tevent_standard.c:114
#33 0x00007fe70866040d in _tevent_loop_once (ev=ev@entry=0x7fe70e4d2890, location=location@entry=0x7fe70bb72ec5 "../common/ldb.c:631") at ../tevent.c:533
#34 0x00007fe70bb6bc4f in ldb_wait (handle=0x7fe7183c4530, type=<optimized out>) at ../common/ldb.c:631
#35 0x00007fe70bb6c793 in ldb_autotransaction_request (ldb=0x7fe70e4d52c0, req=0x7fe7183bdc10) at ../common/ldb.c:573
#36 0x00007fe70bb6d263 in ldb_modify (ldb=ldb@entry=0x7fe70e4d52c0, message=<optimized out>) at ../common/ldb.c:1655
#37 0x00007fe70bfa2ab5 in sysdb_set_cache_entry_attr (ldb=0x7fe70e4d52c0, entry_dn=entry_dn@entry=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bf680, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1159
#38 0x00007fe70bfa304d in sysdb_rep_ts_entry_attr (sysdb=0x7fe70e4eadd0, attrs=0x7fe7183bf680, entry_dn=0x7fe7183c4760) at src/db/sysdb_ops.c:1218
#39 sysdb_set_ts_entry_attr (sysdb=sysdb@entry=0x7fe70e4eadd0, entry_dn=entry_dn@entry=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1248
#40 0x00007fe70bfa4aa9 in sysdb_set_entry_attr (sysdb=0x7fe70e4eadd0, entry_dn=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1199
#41 0x00007fe70bfa4b5f in sysdb_set_user_attr (domain=domain@entry=0x7fe70e4d62f0, name=name@entry=0x7fe7183c01f0 "testuser7045@domain.com", attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1285
#42 0x00007fe70bfa58c3 in sysdb_add_user (domain=domain@entry=0x7fe70e4d62f0, name=name@entry=0x7fe7183c01f0 "testuser7045@domain.com", uid=uid@entry=1415408147, gid=<optimized out>, gid@entry=1415400513, gecos=gecos@entry=0x7fe710465d00 "Test User7045", homedir=homedir@entry=0x0, shell=shell@entry=0x0, orig_dn=orig_dn@entry=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", attrs=attrs@entry=0x7fe7183bb840, cache_timeout=cache_timeout@entry=5400, now=now@entry=1481105315) at src/db/sysdb_ops.c:1928
#43 0x00007fe70bfab271 in sysdb_store_new_user (now=1481105315, cache_timeout=5400, attrs=0x7fe7183bb840, orig_dn=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", shell=0x0, homedir=0x0, gecos=0x7fe710465d00 "Test User7045", gid=1415400513, uid=1415408147, name=0x7fe7183c01f0 "testuser7045@domain.com", domain=0x7fe70e4d62f0) at src/db/sysdb_ops.c:2549
#44 sysdb_store_user (domain=domain@entry=0x7fe70e4d62f0, name=0x7fe7183c01f0 "testuser7045@domain.com", pwd=pwd@entry=0x0, uid=1415408147, gid=1415400513, gecos=gecos@entry=0x7fe710465d00 "Test User7045", homedir=homedir@entry=0x0, shell=shell@entry=0x0, orig_dn=orig_dn@entry=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", attrs=attrs@entry=0x7fe7183bb840, remove_attrs=0x7fe7183c08a0, cache_timeout=cache_timeout@entry=5400, now=now@entry=1481105315) at src/db/sysdb_ops.c:2499
#45 0x00007fe6fba0d9f9 in sdap_save_user (memctx=memctx@entry=0x7fe70e544ee0, opts=opts@entry=0x7fe70e518400, dom=dom@entry=0x7fe70e4d62f0, attrs=<optimized out>, _usn_value=_usn_value@entry=0x7ffcd5d2c260, now=now@entry=1481105315) at src/providers/ldap/sdap_async_users.c:509
#46 0x00007fe6fba0df9a in sdap_save_users (memctx=memctx@entry=0x7fe70e544e40, sysdb=0x7fe70e4eadd0, dom=0x7fe70e4d62f0, opts=0x7fe70e518400, users=<optimized out>, num_users=10006, _usn_value=_usn_value@entry=0x7fe70e544e60) at src/providers/ldap/sdap_async_users.c:572
#47 0x00007fe6fba0e460 in sdap_get_users_done (subreq=<optimized out>) at src/providers/ldap/sdap_async_users.c:938
#48 0x00007fe6fba0c9d5 in sdap_search_user_process (subreq=0x0) at src/providers/ldap/sdap_async_users.c:814
#49 0x00007fe6fba07379 in generic_ext_search_handler (subreq=0x0, opts=<optimized out>) at src/providers/ldap/sdap_async.c:1689
#50 0x00007fe6fba0991b in sdap_get_generic_op_finished (op=<optimized out>, reply=<optimized out>, error=<optimized out>, pvt=<optimized out>) at src/providers/ldap/sdap_async.c:1621
#51 0x00007fe6fba083cd in sdap_process_message (ev=<optimized out>, sh=<optimized out>, msg=0x7fe70e5f9ce0) at src/providers/ldap/sdap_async.c:353
#52 sdap_process_result (ev=<optimized out>, pvt=<optimized out>) at src/providers/ldap/sdap_async.c:197
#53 0x00007fe708664b4f in tevent_common_loop_timer_delay (ev=ev@entry=0x7fe70e4cbc30) at ../tevent_timed.c:341
#54 0x00007fe708665b5a in epoll_event_loop_once (ev=0x7fe70e4cbc30, location=<optimized out>) at ../tevent_epoll.c:911
#55 0x00007fe708664257 in std_event_loop_once (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent_standard.c:114
#56 0x00007fe70866040d in _tevent_loop_once (ev=ev@entry=0x7fe70e4cbc30, location=location@entry=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent.c:533
#57 0x00007fe7086605ab in tevent_common_loop_wait (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent.c:637
#58 0x00007fe7086641f7 in std_event_loop_wait (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent_standard.c:140
#59 0x00007fe70bfd1993 in server_loop (main_ctx=0x7fe70e4cd080) at src/util/server.c:702
#60 0x00007fe70c84cb82 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:587
Resolves: https://fedorahosted.org/sssd/ticket/3266
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
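Added example, not part of the commit or of SSSD: a minimal self-pipe arrangement of the kind the commit message above describes, where the signal handler only writes one byte and the logging happens later in an fd handler. The names wd_pipe, wd_setup and wd_fd_handler are hypothetical, and poll() stands in for the tevent fd event.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

static int wd_pipe[2] = { -1, -1 };       /* stand-in for the pipe in watchdog_ctx */
static volatile sig_atomic_t wd_signals;  /* bumped in signal context */
static char wd_last_log[128];             /* written only outside signal context */

/* Signal context: write(2) is async-signal-safe. malloc(), localtime() and
 * stdio are not; calling them here is how a handler can end up waiting for
 * a malloc lock held by the very code it interrupted. */
static void wd_signal_handler(int sig)
{
    int saved_errno = errno;
    unsigned char byte = 1;

    (void)sig;
    wd_signals++;
    if (write(wd_pipe[1], &byte, 1) < 0) {
        /* Pipe full: a wake-up is already pending, nothing safe to do. */
    }
    errno = saved_errno;
}

static int wd_prepare_fd(int fd)
{
    int fl = fcntl(fd, F_GETFL);

    if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) < 0) return -1;
    fl = fcntl(fd, F_GETFD);
    if (fl < 0 || fcntl(fd, F_SETFD, fl | FD_CLOEXEC) < 0) return -1;
    return 0;
}

int wd_setup(int signo)
{
    struct sigaction sa;

    if (pipe(wd_pipe) != 0) return -1;
    if (wd_prepare_fd(wd_pipe[0]) != 0 || wd_prepare_fd(wd_pipe[1]) != 0) {
        return -1;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = wd_signal_handler;
    sa.sa_flags = SA_RESTART;
    sigemptyset(&sa.sa_mask);
    return sigaction(signo, &sa, NULL);
}

/* Normal context, driven by the event loop. Returns the number of wake-up
 * bytes drained, 0 if none arrived within timeout_ms, -1 on error. */
int wd_fd_handler(int timeout_ms)
{
    struct pollfd pfd = { .fd = wd_pipe[0], .events = POLLIN };
    unsigned char buf[64];
    int drained = 0;
    int ready;
    ssize_t n;

    do {
        ready = poll(&pfd, 1, timeout_ms);
    } while (ready < 0 && errno == EINTR);
    if (ready <= 0) return ready;

    for (;;) {
        n = read(wd_pipe[0], buf, sizeof(buf));
        if (n > 0) { drained += (int)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        break;                        /* EAGAIN: pipe is empty again */
    }
    if (n < 0 && errno != EAGAIN && errno != EWOULDBLOCK) return -1;

    if (drained > 0) {
        /* Time formatting and stdio are fine here, outside the handler. */
        time_t now = time(NULL);
        struct tm tm;
        char stamp[32] = "";

        if (localtime_r(&now, &tm) != NULL) {
            strftime(stamp, sizeof(stamp), "%H:%M:%S", &tm);
        }
        snprintf(wd_last_log, sizeof(wd_last_log),
                 "(%s) watchdog: %d wake-up(s) handled", stamp, drained);
    }
    return drained;
}

const char *wd_last_message(void) { return wd_last_log; }
int wd_signal_count(void) { return (int)wd_signals; }

int main(void)
{
    if (wd_setup(SIGUSR1) != 0) return 1;
    raise(SIGUSR1);
    if (wd_fd_handler(1000) != 1) return 1;
    puts(wd_last_message());
    return 0;
}
```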
Resolves: https://pagure.io/SSSD/sssd/issue/3648 DOWNSTREAM: Resolves: rhbz#000666 - FooBar Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Compilers that don't support fallthrough will end up with an empty SSS_ATTRIBUTE_FALLTHROUGH define and just see a semicolon. They probably will warn that there are double semicolons in the code. Merges: https://pagure.io/SSSD/sssd/pull-request/3645 Signed-off-by: Andreas Schneider <asn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 1ef36a8)
The rpm macro systemd_requires is even in el7 and using this macro is nicer than using different requires (systemd-units vs systemd). There is a plan to remove provides for systemd-units from rawhide. systemd was added to BuildRequires because it provides rpm macros /usr/lib/rpm/macros.d/macros.systemd and it is unreliable to rely on indirect dependency between systemd-devel and systemd.
sh$ rpm --eval "%{?systemd_requires}"
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
sh$ rpm -q --whatprovides systemd-units
systemd-237-1.fc28.x86_64
sh$ rpm -qf /usr/lib/rpm/macros.d/macros.systemd
systemd-237-1.fc28.x86_64
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 274ee29) DOWNSTREAM: Related: rhbz000667 - BarFoo Foo Bar Bla
jhrozek pushed a commit that referenced this pull request May 29, 2018
The function getpwnam_r is indirectly used in selinux_child in a few places (in libselinux and libsemanage). There is not any reason why we should block nss calls with sssd. It is a child process and a loop cannot be created. (BTW it is also allowed in krb_child and proxy_child)

#0 _nss_sss_getpwnam_r (name=0x55c0e6471a50 "user4_2", result=0x7ffe9ab0d05, buffer=0x55c0e64741a0 "\200é\256\177\177", buflen=1024, errnop=0x7f7fafbcdb08) at src/sss_client/nss_passwd.c:132
#1 0x00007f7fae7ad48f in __getpwnam_r (name=name@entry=0x55c0e6471a50 "user4_2", resbuf=resbuf@entry=0x7ffe9ab0d050, buffer=buffer@entry=0x55c0e64741a0 "\200é\256\177\177", buflen=buflen@entry=1024, result=result@entry=0x7ffe9ab0d048) at ../nss/getXXbyYY_r.c:316
#2 0x00007f7faeabc9e2 in get_default_gid (name=0x55c0e6471a50 "user4_2") at seusers.c:105
#3 getseuserbyname (name=0x55c0e6471a50 "user4_2", r_seuser=0x7ffe9ab0d0f0, r_level=0x7ffe9ab0d0f8) at seusers.c:186
#4 0x000055c0e5126d02 in seuser_needs_update (ibuf=0x55c0e64718e0) at src/providers/ipa/selinux_child.c:175
#5 main (argc=<optimized out>, argv=<optimized out>) at src/providers/ipa/selinux_child.c:332

#0 _nss_sss_getpwnam_r (name=0x55c0e647dda0 "user3_1", result=0x7ffe9ab0cce0, buffer=0x55c0e6482180 "\240AG\346\300U", buflen=1024, errnop=0x7f7fafbcdb08) at src/sss_client/nss_passwd.c:132
#1 0x00007f7fae7ad48f in __getpwnam_r (name=name@entry=0x55c0e647dda0 "user3_1", resbuf=resbuf@entry=0x7ffe9ab0cce0, buffer=buffer@entry=0x55c0e6482180 "\240AG\346\300U", buflen=buflen@entry=1024, result=result@entry=0x7ffe9ab0ccd8) at ../nss/getXXbyYY_r.c:316
#2 0x00007f7faece29b3 in add_user (head=head@entry=0x7ffe9ab0ce28, user=user@entry=0x55c0e64b5930, name=name@entry=0x55c0e647dda0 "user3_1", sename=sename@entry=0x55c0e647bdc0 "staff_u", selogin=selogin@entry=0x55c0e647dda0 "user3_1", s=<optimized out>) at genhomedircon.c:999
#3 0x00007f7faece334c in get_users (errors=<synthetic pointer>, s=0x7ffe9ab0ce70) at genhomedircon.c:1167
#4 write_gen_home_dir_context (homedir_context_tpl=0x55c0e647d3d0, user_context_tpl=0x55c0e647a870, username_context_tpl=0x0, out=0x55c0e646fa80, s=0x7ffe9ab0ce70) at genhomedircon.c:1205
#5 write_context_file (out=<optimized out>, s=0x7ffe9ab0ce70) at genhomedircon.c:1317
#6 semanage_genhomedircon (sh=sh@entry=0x55c0e6476380, policydb=<optimized out>, usepasswd=<optimized out>, ignoredirs=<optimized out>) at genhomedircon.c:1382
#7 0x00007f7faecdfb95 in semanage_direct_commit (sh=0x55c0e6476380) at direct_api.c:1575
#8 0x00007f7faece4d6d in semanage_commit (sh=0x55c0e6476380) at handle.c:426
#9 0x000055c0e5127cf8 in sss_set_seuser (login_name=0x55c0e6471a5 "user4_2", seuser_name=0x55c0e6471960 "staff_u", mls=<optimized out>) at src/util/sss_semanage.c:335
#10 0x000055c0e5126eea in sc_set_seuser (mls=0x55c0e64719d0 "s0-s0:c0.c1023", seuser_name=0x55c0e6471960 "staff_u", login_name=0x55c0e6471a50 "user4_2") at src/providers/ipa/selinux_child.c:162
#11 main (argc=<optimized out>, argv=<optimized out>) at src/providers/ipa/selinux_child.c:334

Merges: https://pagure.io/SSSD/sssd/pull-request/3732
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
jhrozek pushed a commit that referenced this pull request Jan 20, 2019
While debugging rhbz#1396912 a deadlock on sssd_be was noticed[0] and it's been caused by the use of non async-signal-safe functions from the signal_handler (please, see man 7 signal for more info about which are the async-signal-safe functions that can be used).

In order to work around this situation, a pipe has been added to the watchdog_ctx structure and, in case of clock screw, a single byte is written to this pipe (which is an async-signal-safe operation) and the logic currently done by the timer handler to reset the watchdog will be done inside the fd handler in a safe way.

With this patch we ended up losing some debug messages as orderly_shutdown() has been replaced by kill(-getpgrp(), SIGTERM) (or _exit(1) considering the cases where setting up the process group during the server_setup() has failed). Personally I don't think it is worth the trouble to try to log those messages properly in this specific case.

It's really worth mentioning that a proper fix for the clock screw situation should be implemented on samba's side, by having tevent use a monotonic (or boottime) clock.
[0]:
[root@dusan ~]# pstack 17922
#0 __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
#1 0x00007fe707d04f93 in _L_lock_14932 () from /lib64/libc.so.6
#2 0x00007fe707d02013 in __GI___libc_malloc (bytes=140630248638304, bytes@entry=15) at malloc.c:2891
#3 0x00007fe707d0888a in __GI___strdup (s=0x7fe707dff4f7 "/etc/localtime") at strdup.c:42
#4 0x00007fe707d31b61 in tzset_internal (always=<optimized out>, explicit=explicit@entry=1) at tzset.c:438
#5 0x00007fe707d32523 in __tz_convert (timer=timer@entry=0x7ffcd5d2b090, use_localtime=use_localtime@entry=1, tp=tp@entry=0x7fe708041d40 <_tmbuf>) at tzset.c:621
#6 0x00007fe707d30521 in __GI_localtime (t=t@entry=0x7ffcd5d2b090) at localtime.c:42
#7 0x00007fe70886c7b0 in sss_vdebug_fn (file=<optimized out>, line=<optimized out>, function=0x7fe70bff27f0 <__FUNCTION__.9379> "watchdog_handler", level=16, flags=flags@entry=0, format=format@entry=0x7fe70bff2760 "Watchdog timer overflow, killing process!\n", ap=ap@entry=0x7ffcd5d2b130) at src/util/debug.c:248
#8 0x00007fe70886c995 in sss_debug_fn (file=file@entry=0x7fe70bff263b "src/util/util_watchdog.c", line=line@entry=82, function=function@entry=0x7fe70bff27f0 <__FUNCTION__.9379> "watchdog_handler", level=level@entry=16, format=format@entry=0x7fe70bff2760 "Watchdog timer overflow, killing process!\n") at src/util/debug.c:284
#9 0x00007fe70bfdb409 in watchdog_handler (sig=<optimized out>) at src/util/util_watchdog.c:81
#10 <signal handler called>
#11 0x00007fe707cff664 in _int_malloc (av=av@entry=0x7fe70803c760 <main_arena>, bytes=bytes@entry=151) at malloc.c:3494
#12 0x00007fe707d01fbc in __GI___libc_malloc (bytes=bytes@entry=151) at malloc.c:2893
#13 0x00007fe708450749 in __talloc_with_prefix (prefix_len=0, size=55, context=0x7fe718373210) at ../talloc.c:668
#14 __talloc (size=55, context=0x7fe718373210) at ../talloc.c:708
#15 _talloc_named_const (name=0x7fe70bb7015d "../common/ldb_pack.c:425", size=55, context=0x7fe718373210) at ../talloc.c:865
#16 talloc_named_const (context=<optimized out>, size=size@entry=55, name=name@entry=0x7fe70bb7015d "../common/ldb_pack.c:425") at ../talloc.c:1606
#17 0x00007fe70bb61803 in ldb_unpack_data_only_attr_list (ldb=ldb@entry=0x7fe70e4d52c0, data=data@entry=0x7ffcd5d2b990, message=0x7fe7184aa1e0, list=list@entry=0x0, list_size=list_size@entry=0, nb_elements_in_db=nb_elements_in_db@entry=0x0) at ../common/ldb_pack.c:425
#18 0x00007fe70bb61a7d in ldb_unpack_data (ldb=ldb@entry=0x7fe70e4d52c0, data=data@entry=0x7ffcd5d2b990, message=<optimized out>) at ../common/ldb_pack.c:470
#19 0x00007fe6fdc29b46 in ltdb_parse_data_unpack (key=..., data=..., private_data=0x7ffcd5d2ba70) at ../ldb_tdb/ldb_search.c:249
#20 0x00007fe70a5e0a24 in tdb_parse_data (tdb=tdb@entry=0x7fe70e4eaa10, key=..., offset=15619748, len=414772, parser=parser@entry=0x7fe6fdc29b10 <ltdb_parse_data_unpack>, private_data=private_data@entry=0x7ffcd5d2ba70) at ../common/io.c:637
#21 0x00007fe70a5dc1fc in tdb_parse_record (tdb=0x7fe70e4eaa10, key=..., parser=parser@entry=0x7fe6fdc29b10 <ltdb_parse_data_unpack>, private_data=private_data@entry=0x7ffcd5d2ba70) at ../common/tdb.c:253
#22 0x00007fe6fdc29e7b in ltdb_search_dn1 (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183c4940, msg=msg@entry=0x7fe7184aa1e0) at ../ldb_tdb/ldb_search.c:287
#23 0x00007fe6fdc2acbb in ltdb_dn_list_load (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183c4940, list=list@entry=0x7fe7183c3a30) at ../ldb_tdb/ldb_index.c:181
#24 0x00007fe6fdc2bbbb in ltdb_index_add1 (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183bf3e0 "name=testuser7045@domain.com,cn=users,cn=DOMAIN.COM,cn=sysdb", v_idx=v_idx@entry=0, el=<optimized out>, el=<optimized out>) at ../ldb_tdb/ldb_index.c:1134
#25 0x00007fe6fdc2c62c in ltdb_index_add_el (el=0x7fe7184aa3e0, dn=0x7fe7183bf3e0 "name=testuser7045@domain.com,cn=users,cn=DOMAIN.COM,cn=sysdb", module=0x7fe70e4eab50) at ../ldb_tdb/ldb_index.c:1180
#26 ltdb_index_add_element (module=module@entry=0x7fe70e4eab50, dn=<optimized out>, el=el@entry=0x7fe7184aa3e0) at ../ldb_tdb/ldb_index.c:1290
#27 0x00007fe6fdc290bb in ltdb_modify_internal (module=module@entry=0x7fe70e4eab50, msg=0x7fe7183bf0c0, req=req@entry=0x7fe7183bdc10) at ../ldb_tdb/ldb_tdb.c:903
#28 0x00007fe6fdc2958a in ltdb_modify (ctx=0x7fe7183c2950, ctx=0x7fe7183c2950) at ../ldb_tdb/ldb_tdb.c:998
#29 ltdb_callback (ev=<optimized out>, te=<optimized out>, t=..., private_data=<optimized out>) at ../ldb_tdb/ldb_tdb.c:1380
#30 0x00007fe708664b4f in tevent_common_loop_timer_delay (ev=ev@entry=0x7fe70e4d2890) at ../tevent_timed.c:341
#31 0x00007fe708665b5a in epoll_event_loop_once (ev=0x7fe70e4d2890, location=<optimized out>) at ../tevent_epoll.c:911
#32 0x00007fe708664257 in std_event_loop_once (ev=0x7fe70e4d2890, location=0x7fe70bb72ec5 "../common/ldb.c:631") at ../tevent_standard.c:114
#33 0x00007fe70866040d in _tevent_loop_once (ev=ev@entry=0x7fe70e4d2890, location=location@entry=0x7fe70bb72ec5 "../common/ldb.c:631") at ../tevent.c:533
#34 0x00007fe70bb6bc4f in ldb_wait (handle=0x7fe7183c4530, type=<optimized out>) at ../common/ldb.c:631
#35 0x00007fe70bb6c793 in ldb_autotransaction_request (ldb=0x7fe70e4d52c0, req=0x7fe7183bdc10) at ../common/ldb.c:573
#36 0x00007fe70bb6d263 in ldb_modify (ldb=ldb@entry=0x7fe70e4d52c0, message=<optimized out>) at ../common/ldb.c:1655
#37 0x00007fe70bfa2ab5 in sysdb_set_cache_entry_attr (ldb=0x7fe70e4d52c0, entry_dn=entry_dn@entry=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bf680, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1159
#38 0x00007fe70bfa304d in sysdb_rep_ts_entry_attr (sysdb=0x7fe70e4eadd0, attrs=0x7fe7183bf680, entry_dn=0x7fe7183c4760) at src/db/sysdb_ops.c:1218
#39 sysdb_set_ts_entry_attr (sysdb=sysdb@entry=0x7fe70e4eadd0, entry_dn=entry_dn@entry=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1248
#40 0x00007fe70bfa4aa9 in sysdb_set_entry_attr (sysdb=0x7fe70e4eadd0, entry_dn=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1199
#41 0x00007fe70bfa4b5f in sysdb_set_user_attr (domain=domain@entry=0x7fe70e4d62f0, name=name@entry=0x7fe7183c01f0 "testuser7045@domain.com", attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1285
#42 0x00007fe70bfa58c3 in sysdb_add_user (domain=domain@entry=0x7fe70e4d62f0, name=name@entry=0x7fe7183c01f0 "testuser7045@domain.com", uid=uid@entry=1415408147, gid=<optimized out>, gid@entry=1415400513, gecos=gecos@entry=0x7fe710465d00 "Test User7045", homedir=homedir@entry=0x0, shell=shell@entry=0x0, orig_dn=orig_dn@entry=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", attrs=attrs@entry=0x7fe7183bb840, cache_timeout=cache_timeout@entry=5400, now=now@entry=1481105315) at src/db/sysdb_ops.c:1928
#43 0x00007fe70bfab271 in sysdb_store_new_user (now=1481105315, cache_timeout=5400, attrs=0x7fe7183bb840, orig_dn=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", shell=0x0, homedir=0x0, gecos=0x7fe710465d00 "Test User7045", gid=1415400513, uid=1415408147, name=0x7fe7183c01f0 "testuser7045@domain.com", domain=0x7fe70e4d62f0) at src/db/sysdb_ops.c:2549
#44 sysdb_store_user (domain=domain@entry=0x7fe70e4d62f0, name=0x7fe7183c01f0 "testuser7045@domain.com", pwd=pwd@entry=0x0, uid=1415408147, gid=1415400513, gecos=gecos@entry=0x7fe710465d00 "Test User7045", homedir=homedir@entry=0x0, shell=shell@entry=0x0, orig_dn=orig_dn@entry=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", attrs=attrs@entry=0x7fe7183bb840, remove_attrs=0x7fe7183c08a0, cache_timeout=cache_timeout@entry=5400, now=now@entry=1481105315) at src/db/sysdb_ops.c:2499
#45 0x00007fe6fba0d9f9 in sdap_save_user (memctx=memctx@entry=0x7fe70e544ee0, opts=opts@entry=0x7fe70e518400, dom=dom@entry=0x7fe70e4d62f0, attrs=<optimized out>, _usn_value=_usn_value@entry=0x7ffcd5d2c260, now=now@entry=1481105315) at src/providers/ldap/sdap_async_users.c:509
#46 0x00007fe6fba0df9a in sdap_save_users (memctx=memctx@entry=0x7fe70e544e40, sysdb=0x7fe70e4eadd0, dom=0x7fe70e4d62f0, opts=0x7fe70e518400, users=<optimized out>, num_users=10006, _usn_value=_usn_value@entry=0x7fe70e544e60) at src/providers/ldap/sdap_async_users.c:572
#47 0x00007fe6fba0e460 in sdap_get_users_done (subreq=<optimized out>) at src/providers/ldap/sdap_async_users.c:938
#48 0x00007fe6fba0c9d5 in sdap_search_user_process (subreq=0x0) at src/providers/ldap/sdap_async_users.c:814
#49 0x00007fe6fba07379 in generic_ext_search_handler (subreq=0x0, opts=<optimized out>) at src/providers/ldap/sdap_async.c:1689
#50 0x00007fe6fba0991b in sdap_get_generic_op_finished (op=<optimized out>, reply=<optimized out>, error=<optimized out>, pvt=<optimized out>) at src/providers/ldap/sdap_async.c:1621
#51 0x00007fe6fba083cd in sdap_process_message (ev=<optimized out>, sh=<optimized out>, msg=0x7fe70e5f9ce0) at src/providers/ldap/sdap_async.c:353
#52 sdap_process_result (ev=<optimized out>, pvt=<optimized out>) at src/providers/ldap/sdap_async.c:197
#53 0x00007fe708664b4f in tevent_common_loop_timer_delay (ev=ev@entry=0x7fe70e4cbc30) at ../tevent_timed.c:341
#54 0x00007fe708665b5a in epoll_event_loop_once (ev=0x7fe70e4cbc30, location=<optimized out>) at ../tevent_epoll.c:911
#55 0x00007fe708664257 in std_event_loop_once (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent_standard.c:114
#56 0x00007fe70866040d in _tevent_loop_once (ev=ev@entry=0x7fe70e4cbc30, location=location@entry=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent.c:533
#57 0x00007fe7086605ab in tevent_common_loop_wait (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent.c:637
#58 0x00007fe7086641f7 in std_event_loop_wait (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent_standard.c:140
#59 0x00007fe70bfd1993 in server_loop (main_ctx=0x7fe70e4cd080) at src/util/server.c:702
#60 0x00007fe70c84cb82 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:587

Resolves: https://fedorahosted.org/sssd/ticket/3266
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit e6a5f8c)
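The pipe-based hand-off this commit message describes, as an added sketch that is not SSSD's code: the signal handler only writes one byte, and the logging and reset work runs later from an ordinary fd handler. The names `wd`, `wd_setup`, `wd_fd_handler` and `wd_demo`, and the use of SIGUSR1 with `poll()` in place of the watchdog timer signal and tevent, are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical stand-in for the pipe the commit adds to watchdog_ctx. */
static struct {
    int pipefd[2];   /* [0]: read end for the event loop, [1]: written by the handler */
    int resets;      /* touched only outside signal context */
} wd = { { -1, -1 }, 0 };

/* Signal context: write(2) is async-signal-safe. Logging, malloc and
 * localtime are not; they are what deadlocked in the pstack output. */
static void wd_signal_handler(int sig)
{
    int saved_errno = errno;
    unsigned char b = 1;
    ssize_t n = write(wd.pipefd[1], &b, 1);  /* EAGAIN on a full pipe is fine */
    (void)n;
    (void)sig;
    errno = saved_errno;
}

/* Create the pipe and install the handler for signo. */
int wd_setup(int signo)
{
    struct sigaction sa;
    int i, fl;

    if (pipe(wd.pipefd) == -1) return -1;
    for (i = 0; i < 2; i++) {                /* neither end may ever block */
        fl = fcntl(wd.pipefd[i], F_GETFL);
        if (fl == -1 || fcntl(wd.pipefd[i], F_SETFL, fl | O_NONBLOCK) == -1) return -1;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = wd_signal_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(signo, &sa, NULL);
}

/* Normal context, i.e. what the event loop's fd handler would run: drain the
 * pipe, then do the work that must not happen inside the signal handler. */
int wd_fd_handler(char *logbuf, size_t len)
{
    unsigned char buf[64];
    ssize_t n;
    int woken = 0;

    while ((n = read(wd.pipefd[0], buf, sizeof(buf))) > 0) woken += (int)n;
    if (woken > 0) {
        time_t now = time(NULL);
        struct tm tmv;
        localtime_r(&now, &tmv);             /* takes libc locks: safe here only */
        strftime(logbuf, len, "%H:%M:%S watchdog reset", &tmv);
        wd.resets++;                         /* pending signals coalesce into one reset */
    }
    return woken;
}

/* Deliver two signals, then service them the way an event loop would. */
int wd_demo(void)
{
    char logbuf[64] = "";

    if (wd_setup(SIGUSR1) != 0) return -1;
    raise(SIGUSR1);                          /* returns after the handler has run */
    raise(SIGUSR1);
    struct pollfd pfd = { .fd = wd.pipefd[0], .events = POLLIN };
    if (poll(&pfd, 1, 1000) != 1) return -1;
    return wd_fd_handler(logbuf, sizeof(logbuf));
}

int main(void)
{
    int n = wd_demo();
    printf("bytes drained: %d, resets: %d\n", n, wd.resets);
    return n == 2 ? 0 : 1;
}
```

Both pipe ends are non-blocking so the handler can never stall on a full pipe and the drain loop ends as soon as the pipe is empty.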
jhrozek pushed a commit that referenced this pull request Jul 1, 2019
The function remove_duplicate_group_members might return EOK also in the middle of the function but the return parameter was not set with the right data. Processing continued in the function save_group but there was a dereference of a NULL pointer.

Introduced in: https://pagure.io/SSSD/sssd/issue/3931

Crash:
(gdb) bt
#0 0x00007fb4ce4a9ac5 in save_group (sysdb=sysdb@entry=0x55c9a0efb230, dom=dom@entry=0x55c9a0efb420, grp=grp@entry=0x55c9a0f370f0, real_name=0x55c9a0f47340 "nobody@ldap", alias=alias@entry=0x0) at src/providers/proxy/proxy_id.c:748
#1 0x00007fb4ce4aa600 in get_gr_gid (mem_ctx=mem_ctx@entry=0x55c9a0f38be0, sysdb=sysdb@entry=0x55c9a0efb230, dom=dom@entry=0x55c9a0efb420, gid=99, now=<optimized out>, ctx=<optimized out>) at src/providers/proxy/proxy_id.c:1160
#2 0x00007fb4ce4ac9e5 in get_initgr_groups_process (pwd=0x55c9a0f384a0, pwd=0x55c9a0f384a0, dom=0x55c9a0efb420, sysdb=0x55c9a0efb230, ctx=0x55c9a0f048e0, memctx=0x55c9a0f38be0) at src/providers/proxy/proxy_id.c:1553
#3 get_initgr (i_name=<optimized out>, dom=0x55c9a0efb420, sysdb=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1461
#4 proxy_account_info (domain=0x55c9a0efb420, be_ctx=<optimized out>, data=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1659
#5 proxy_account_info_handler_send (mem_ctx=<optimized out>, id_ctx=0x55c9a0f048e0, data=<optimized out>, params=0x55c9a0f39790) at src/providers/proxy/proxy_id.c:1758
#6 0x000055c99fc67677 in file_dp_request (_dp_req=<synthetic pointer>, req=0x55c9a0f39470, request_data=<optimized out>, dp_flags=1, method=DPM_ACCOUNT_HANDLER, target=DPT_ID, name=<optimized out>, domainname=0x55c9a0f39190 "LDAP", provider=0x55c9a0efe0e0, mem_ctx=<optimized out>) at src/providers/data_provider/dp_request.c:250
#7 dp_req_send (mem_ctx=0x55c9a0f37b60, provider=provider@entry=0x55c9a0efe0e0, domain=domain@entry=0x55c9a0f39190 "LDAP", name=<optimized out>, target=target@entry=DPT_ID, method=method@entry=DPM_ACCOUNT_HANDLER, dp_flags=dp_flags@entry=1, request_data=0x55c9a0f37c00, _request_name=0x55c9a0f37b60) at src/providers/data_provider/dp_request.c:295
#8 0x000055c99fc6a132 in dp_get_account_info_send (mem_ctx=<optimized out>, ev=0x55c9a0eddbc0, sbus_req=<optimized out>, provider=0x55c9a0efe0e0, dp_flags=1, entry_type=<optimized out>, filter=0x55c9a0f358d0 "name=nobody@ldap", domain=0x55c9a0f39190 "LDAP", extra=0x55c9a0f354a0 "") at src/providers/data_provider/dp_target_id.c:528
#9 0x00007fb4da35265b in _sbus_sss_invoke_in_uusss_out_qus_step (ev=0x55c9a0eddbc0, te=<optimized out>, tv=..., private_data=<optimized out>) at src/sss_iface/sbus_sss_invokers.c:2847
#10 0x00007fb4d9cfb1cf in tevent_common_invoke_timer_handler () from /lib64/libtevent.so.0
#11 0x00007fb4d9cfb339 in tevent_common_loop_timer_delay () from /lib64/libtevent.so.0
#12 0x00007fb4d9cfc2f9 in epoll_event_loop_once () from /lib64/libtevent.so.0
#13 0x00007fb4d9cfa7b7 in std_event_loop_once () from /lib64/libtevent.so.0
#14 0x00007fb4d9cf5b5d in _tevent_loop_once () from /lib64/libtevent.so.0
#15 0x00007fb4d9cf5d8b in tevent_common_loop_wait () from /lib64/libtevent.so.0
#16 0x00007fb4d9cfa757 in std_event_loop_wait () from /lib64/libtevent.so.0
#17 0x00007fb4dd955ac3 in server_loop (main_ctx=0x55c9a0edf090) at src/util/server.c:724
#18 0x000055c99fc59760 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:747
(gdb) l
733     ret = remove_duplicate_group_members(tmp_ctx, grp, &ngroup);
734     if (ret != EOK) {
735         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to remove duplicate group members\n");
736         goto done;
737     }
738
739     DEBUG_GR_MEM(SSSDBG_TRACE_LIBS, ngroup);
740
741     ret = sysdb_transaction_start(sysdb);
742     if (ret != EOK) {
743         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
744         goto done;
745     }
746     in_transaction = true;
747
748     if (ngroup->gr_mem && ngroup->gr_mem[0]) {
749         attrs = sysdb_new_attrs(tmp_ctx);
750         if (!attrs) {
751             DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error?!\n");
752             ret = ENOMEM;
(gdb) p ngroup
$1 = (struct group *) 0x0

Merges: https://pagure.io/SSSD/sssd/pull-request/4036
Resolves: https://pagure.io/SSSD/sssd/issue/4037
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
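The bug class in this commit message, as an added sketch that is not SSSD's code: a helper that returns success on an early path without assigning its output parameter, next to a form that assigns it on every path. The function names, the "no members" early-return condition and the sample groups are assumptions constructed for the illustration; only the `ngroup->gr_mem` dereference mirrors the gdb listing.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EOK 0

/* Copy 'in' into a new struct group whose member list has no duplicates.
 * Member strings are shared with 'in'; only the containers are allocated. */
static int dedup_copy(const struct group *in, struct group **_out)
{
    size_t n = 0, kept = 0, i, j;
    struct group *g;

    while (in->gr_mem != NULL && in->gr_mem[n] != NULL) n++;
    g = calloc(1, sizeof(*g));
    if (g == NULL) return ENOMEM;
    *g = *in;
    g->gr_mem = calloc(n + 1, sizeof(char *));      /* NULL-terminated */
    if (g->gr_mem == NULL) { free(g); return ENOMEM; }
    for (i = 0; i < n; i++) {
        for (j = 0; j < kept; j++) {
            if (strcmp(g->gr_mem[j], in->gr_mem[i]) == 0) break;
        }
        if (j == kept) g->gr_mem[kept++] = in->gr_mem[i];
    }
    *_out = g;
    return EOK;
}

/* "Before" shape (assumed): nothing to deduplicate, so return EOK early,
 * but *_out is never assigned on that path. */
int dedup_before(const struct group *in, struct group **_out)
{
    if (in->gr_mem == NULL || in->gr_mem[0] == NULL) return EOK;
    return dedup_copy(in, _out);
}

/* Hardened shape: *_out is defined on every path and every EOK return
 * hands back a usable group, including for an empty member list. */
int dedup_after(const struct group *in, struct group **_out)
{
    *_out = NULL;
    return dedup_copy(in, _out);
}

typedef int (*dedup_fn)(const struct group *, struct group **);

/* Caller in the role of save_group: counts the members it would store.
 * It initialises its pointer and checks it before the dereference, so a
 * callee that breaks the contract yields EINVAL instead of a crash. */
int count_members(dedup_fn dedup, const struct group *grp, size_t *_count)
{
    struct group *ngroup = NULL;
    size_t n = 0;
    int ret = dedup(grp, &ngroup);

    if (ret != EOK) return ret;
    if (ngroup == NULL) return EINVAL;
    while (ngroup->gr_mem[n] != NULL) n++;
    *_count = n;
    free(ngroup->gr_mem);
    free(ngroup);
    return EOK;
}

/* Constructed sample input. */
static char *no_members[] = { NULL };
static char *dup_members[] = { "alice", "bob", "alice", NULL };
static struct group sample_empty = { .gr_name = "nobody", .gr_gid = 99, .gr_mem = no_members };
static struct group sample_dups = { .gr_name = "staff", .gr_gid = 100, .gr_mem = dup_members };

int main(void)
{
    size_t n = 0;
    int ret = count_members(dedup_before, &sample_empty, &n);
    printf("before, no members: ret=%d\n", ret);
    ret = count_members(dedup_after, &sample_empty, &n);
    printf("after, no members:  ret=%d kept=%zu\n", ret, n);
    ret = count_members(dedup_after, &sample_dups, &n);
    printf("after, duplicates:  ret=%d kept=%zu\n", ret, n);
    return 0;
}
```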