Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
sssd.33608
0007-bsc1217319-gh5875-gh5956.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0007-bsc1217319-gh5875-gh5956.patch of Package sssd.33608
From 97c1fb4b1fd5e1a1b61eb44f39b2418e003bf8dd Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Fri, 8 Oct 2021 12:44:37 +0200 Subject: [PATCH 1/7] ad: require name when looking up root domain MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To properly identify the forest root domain the name of this domain is needed. It is discovered with a cldap-ping requesting the netlogon attribute. If the name is missing it does not make sense to proceed further because there is currently no other way to determine the forest root domain. Resolves: https://github.com/SSSD/sssd/issues/5820 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit b37e2713a9b86936f5b82a17e47757562900b911) --- src/providers/ad/ad_subdomains.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 3eb49c93f..90973c9ff 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -1342,7 +1342,12 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx, return NULL; } - if (forest != NULL && strcasecmp(domain, forest) == 0) { + if (forest == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Name of forest root domain not available, l" + "using cached data, if available.\n"); + ret = EINVAL; + goto immediately; + } else if (strcasecmp(domain, forest) == 0) { state->root_id_ctx = sd_ctx->ad_id_ctx; state->root_domain_attrs = NULL; ret = EOK; -- 2.43.0 From 6c19d7693149de79ab158c89be52d43b7d5ddd82 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Fri, 8 Oct 2021 13:14:30 +0200 Subject: [PATCH 2/7] ad: move current site and forest name to a more global context MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently only during the DNS discovery steps the stored forest and site name are reused to avoid redundant lookups. Since those names are needed in other areas of the code as well it would be good to make them available in a more global context. Resolves: https://github.com/SSSD/sssd/issues/5820 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 4508ef5f7183c640191393605ea163044d9ac267) --- src/providers/ad/ad_cldap_ping.c | 15 ++++++----- src/providers/ad/ad_common.h | 4 +++ src/providers/ad/ad_init.c | 1 + src/providers/ad/ad_srv.c | 33 +++++++++++++---------- src/providers/ad/ad_srv.h | 4 +-- src/providers/ad/ad_subdomains.c | 1 + src/providers/ipa/ipa_subdomains_server.c | 1 + 7 files changed, 37 insertions(+), 22 deletions(-) diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c index 7722af98a..947657fab 100644 --- a/src/providers/ad/ad_cldap_ping.c +++ b/src/providers/ad/ad_cldap_ping.c @@ -601,10 +601,12 @@ struct tevent_req *ad_cldap_ping_send(TALLOC_CTX *mem_ctx, } if (!srv_ctx->renew_site) { - state->site = talloc_strdup(state, srv_ctx->current_site); - state->forest = talloc_strdup(state, srv_ctx->current_forest); - if ((srv_ctx->current_site != NULL && state->site == NULL) - || (srv_ctx->current_forest != NULL && state->forest == NULL)) { + state->site = talloc_strdup(state, srv_ctx->ad_options->current_site); + state->forest = talloc_strdup(state, + srv_ctx->ad_options->current_forest); + if ((srv_ctx->ad_options->current_site != NULL && state->site == NULL) + || (srv_ctx->ad_options->current_forest != NULL + && state->forest == NULL)) { DEBUG(SSSDBG_OP_FAILURE, "Failed to copy current site or forest name.\n"); ret = ENOMEM; @@ -629,9 +631,10 @@ struct tevent_req *ad_cldap_ping_send(TALLOC_CTX *mem_ctx, state->discovery_domain = discovery_domain; /* If possible, lookup the information in the current site first. */ - if (srv_ctx->current_site != NULL) { + if (srv_ctx->ad_options->current_site != NULL) { state->all_tried = false; - domain = ad_site_dns_discovery_domain(state, srv_ctx->current_site, + domain = ad_site_dns_discovery_domain(state, + srv_ctx->ad_options->current_site, discovery_domain); if (domain == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!"); diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 6b274ff66..4994b94f9 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -111,6 +111,10 @@ struct ad_options { /* Dynamic DNS updates */ struct be_resolv_ctx *be_res; struct be_nsupdate_ctx *dyndns_ctx; + + /* Discovered site and forest names */ + const char *current_site; + const char *current_forest; }; errno_t diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c index b66d401ae..2d686eca0 100644 --- a/src/providers/ad/ad_init.c +++ b/src/providers/ad/ad_init.c @@ -208,6 +208,7 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx, srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, default_host_dbs, ad_options->id, + ad_options, hostname, ad_domain, ad_site_override); if (srv_ctx == NULL) { diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c index e58c19aac..a10c6a247 100644 --- a/src/providers/ad/ad_srv.c +++ b/src/providers/ad/ad_srv.c @@ -130,6 +130,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, struct be_resolv_ctx *be_res, enum host_database *host_dbs, struct sdap_options *opts, + struct ad_options *ad_options, const char *hostname, const char *ad_domain, const char *ad_site_override) @@ -147,6 +148,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, ctx->host_dbs = host_dbs; ctx->opts = opts; ctx->renew_site = true; + ctx->ad_options = ad_options; ctx->hostname = talloc_strdup(ctx, hostname); if (ctx->hostname == NULL) { @@ -164,18 +166,20 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, goto fail; } - ctx->current_site = talloc_strdup(ctx, ad_site_override); - if (ctx->current_site == NULL) { + ctx->ad_options->current_site = talloc_strdup(ctx->ad_options, + ad_site_override); + if (ctx->ad_options->current_site == NULL) { goto fail; } } else { - ret = sysdb_get_site(ctx, be_ctx->domain, &ctx->current_site); + ret = sysdb_get_site(ctx->ad_options, be_ctx->domain, + &ctx->ad_options->current_site); if (ret != EOK) { /* Not fatal. */ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get current site from cache [%d]: %s\n", ret, sss_strerror(ret)); - ctx->current_site = NULL; + ctx->ad_options->current_site = NULL; } } @@ -203,34 +207,35 @@ ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx, /* Switch forest. */ if (new_forest != NULL - && (ctx->current_forest == NULL - || strcmp(ctx->current_forest, new_forest) != 0)) { - forest = talloc_strdup(ctx, new_forest); + && (ctx->ad_options->current_forest == NULL + || strcmp(ctx->ad_options->current_forest, new_forest) != 0)) { + forest = talloc_strdup(ctx->ad_options, new_forest); if (forest == NULL) { return ENOMEM; } - talloc_zfree(ctx->current_forest); - ctx->current_forest = forest; + talloc_zfree(ctx->ad_options->current_forest); + ctx->ad_options->current_forest = forest; } if (new_site == NULL) { return EOK; } - if (ctx->current_site != NULL && strcmp(ctx->current_site, new_site) == 0) { + if (ctx->ad_options->current_site != NULL + && strcmp(ctx->ad_options->current_site, new_site) == 0) { return EOK; } - site = talloc_strdup(ctx, new_site); + site = talloc_strdup(ctx->ad_options, new_site); if (site == NULL) { return ENOMEM; } - talloc_zfree(ctx->current_site); - ctx->current_site = site; + talloc_zfree(ctx->ad_options->current_site); + ctx->ad_options->current_site = site; - ret = sysdb_set_site(ctx->be_ctx->domain, ctx->current_site); + ret = sysdb_set_site(ctx->be_ctx->domain, ctx->ad_options->current_site); if (ret != EOK) { /* Not fatal. */ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information " diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h index 3c6a779ea..fd70f15a8 100644 --- a/src/providers/ad/ad_srv.h +++ b/src/providers/ad/ad_srv.h @@ -26,11 +26,10 @@ struct ad_srv_plugin_ctx { struct be_resolv_ctx *be_res; enum host_database *host_dbs; struct sdap_options *opts; + struct ad_options *ad_options; const char *hostname; const char *ad_domain; const char *ad_site_override; - const char *current_site; - const char *current_forest; bool renew_site; }; @@ -41,6 +40,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, struct be_resolv_ctx *be_res, enum host_database *host_dbs, struct sdap_options *opts, + struct ad_options *ad_options, const char *hostname, const char *ad_domain, const char *ad_site_override); diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 90973c9ff..4f22eb4aa 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -409,6 +409,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, default_host_dbs, ad_id_ctx->ad_options->id, + ad_id_ctx->ad_options, hostname, ad_domain, ad_site_override); diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index deb2c2cee..aaedf6210 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -342,6 +342,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, default_host_dbs, ad_id_ctx->ad_options->id, + ad_id_ctx->ad_options, id_ctx->server_mode->hostname, ad_domain, ad_site_override); -- 2.43.0 From 994e4151e4d359837be7bec23a4e7a792c0df25f Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Fri, 8 Oct 2021 13:49:01 +0200 Subject: [PATCH 3/7] ad: use already discovered forest name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the cldap-ping on the current connection does not return a reply with the name of the forest root and the site of the client the stored values from the DNS discovery step are used. Resolves: https://github.com/SSSD/sssd/issues/5820 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 99c4161910e542dd40c740032196d268c4163d07) --- src/providers/ad/ad_subdomains.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 4f22eb4aa..d61d54a85 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -1998,6 +1998,23 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) return; } + if (state->forest == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Forest name was not found, using the one " + "which was already discovered [%s].\n", + state->ad_options->current_forest != NULL ? + state->ad_options->current_forest : + "- not available-"); + if (state->ad_options->current_forest != NULL) { + state->forest = talloc_strdup(state, + state->ad_options->current_forest); + if (state->forest == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to copy forest name.\n"); + tevent_req_error(req, ENOMEM); + return; + } + } + } + realm = dp_opt_get_cstring(state->ad_options->basic, AD_KRB5_REALM); if (realm == NULL) { DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm.\n"); -- 2.43.0 From a3bf619278dec11a40e6b519c6bc46d77c1ffd23 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Wed, 20 Oct 2021 13:59:40 +0200 Subject: [PATCH 4/7] ad: make ad_srv_plugin_ctx_switch_site() public MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the name of the AD DCs are given explicitly with the ad_server option the forest and site lookups are not done in the discovery phase, which is skipped, but with a netlogon query on the current connection. This patch makes sure the results are stored in the same way as during the discovery step. Resolves: https://github.com/SSSD/sssd/issues/5820 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 918abaf37d7f13d72b29863933e133bcbd24d87c) --- src/providers/ad/ad_common.c | 48 +++++++++++++++++++++ src/providers/ad/ad_common.h | 3 ++ src/providers/ad/ad_domain_info.h | 1 - src/providers/ad/ad_srv.c | 70 ++++++------------------------- src/providers/ad/ad_subdomains.c | 34 ++++++++++++++- 5 files changed, 96 insertions(+), 60 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 23608a81c..e263444c5 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -1688,3 +1688,51 @@ done: return ret; } + +errno_t +ad_options_switch_site(struct ad_options *ad_options, struct be_ctx *be_ctx, + const char *new_site, const char *new_forest) +{ + const char *site; + const char *forest; + errno_t ret; + + /* Switch forest. */ + if (new_forest != NULL + && (ad_options->current_forest == NULL + || strcmp(ad_options->current_forest, new_forest) != 0)) { + forest = talloc_strdup(ad_options, new_forest); + if (forest == NULL) { + return ENOMEM; + } + + talloc_zfree(ad_options->current_forest); + ad_options->current_forest = forest; + } + + if (new_site == NULL) { + return EOK; + } + + if (ad_options->current_site != NULL + && strcmp(ad_options->current_site, new_site) == 0) { + return EOK; + } + + site = talloc_strdup(ad_options, new_site); + if (site == NULL) { + return ENOMEM; + } + + talloc_zfree(ad_options->current_site); + ad_options->current_site = site; + + ret = sysdb_set_site(be_ctx->domain, ad_options->current_site); + if (ret != EOK) { + /* Not fatal. */ + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information " + "[%d]: %s\n", ret, sss_strerror(ret)); + } + + return EOK; +} diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 4994b94f9..99cebe2e2 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -252,4 +252,7 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts, errno_t ad_refresh_init(struct be_ctx *be_ctx, struct ad_id_ctx *id_ctx); +errno_t +ad_options_switch_site(struct ad_options *ad_options, struct be_ctx *be_ctx, + const char *new_site, const char *new_forest); #endif /* AD_COMMON_H_ */ diff --git a/src/providers/ad/ad_domain_info.h b/src/providers/ad/ad_domain_info.h index 631e543f5..cf601cff6 100644 --- a/src/providers/ad/ad_domain_info.h +++ b/src/providers/ad/ad_domain_info.h @@ -39,5 +39,4 @@ ad_domain_info_recv(struct tevent_req *req, char **_id, char **_site, char **_forest); - #endif /* _AD_DOMAIN_INFO_H_ */ diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c index a10c6a247..d45f1601e 100644 --- a/src/providers/ad/ad_srv.c +++ b/src/providers/ad/ad_srv.c @@ -196,55 +196,6 @@ fail: return NULL; } -static errno_t -ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx, - const char *new_site, - const char *new_forest) -{ - const char *site; - const char *forest; - errno_t ret; - - /* Switch forest. */ - if (new_forest != NULL - && (ctx->ad_options->current_forest == NULL - || strcmp(ctx->ad_options->current_forest, new_forest) != 0)) { - forest = talloc_strdup(ctx->ad_options, new_forest); - if (forest == NULL) { - return ENOMEM; - } - - talloc_zfree(ctx->ad_options->current_forest); - ctx->ad_options->current_forest = forest; - } - - if (new_site == NULL) { - return EOK; - } - - if (ctx->ad_options->current_site != NULL - && strcmp(ctx->ad_options->current_site, new_site) == 0) { - return EOK; - } - - site = talloc_strdup(ctx->ad_options, new_site); - if (site == NULL) { - return ENOMEM; - } - - talloc_zfree(ctx->ad_options->current_site); - ctx->ad_options->current_site = site; - - ret = sysdb_set_site(ctx->be_ctx->domain, ctx->ad_options->current_site); - if (ret != EOK) { - /* Not fatal. */ - DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information " - "[%d]: %s\n", ret, sss_strerror(ret)); - } - - return EOK; -} - struct ad_srv_plugin_state { struct tevent_context *ev; struct ad_srv_plugin_ctx *ctx; @@ -382,16 +333,19 @@ static void ad_srv_plugin_ping_done(struct tevent_req *subreq) /* Remember current site so it can be used during next lookup so * we can contact directory controllers within a known reachable * site first. */ - ret = ad_srv_plugin_ctx_switch_site(state->ctx, state->site, - state->forest); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set site [%d]: %s\n", - ret, sss_strerror(ret)); - goto done; - } + if (state->site != NULL) { + ret = ad_options_switch_site(state->ctx->ad_options, + state->ctx->be_ctx, + state->site, state->forest); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set site [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } - /* Do not renew the site again unless we go offline. */ - state->ctx->renew_site = false; + /* Do not renew the site again unless we go offline. */ + state->ctx->renew_site = false; + } if (strcmp(state->service, "gc") == 0) { if (state->forest != NULL) { diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index d61d54a85..3a4e6d5ce 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -1983,13 +1983,15 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) const char *realm; char *master_sid; char *flat_name; + char *site = NULL; errno_t ret; + char *ad_site_override = NULL; req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct ad_subdomains_refresh_state); ret = ad_domain_info_recv(subreq, state, &flat_name, &master_sid, - NULL, &state->forest); + &site, &state->forest); talloc_zfree(subreq); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get master domain information " @@ -2015,6 +2017,36 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) } } + /* If the site was not discovered during the DNS discovery, e.g. because + * the server name was given explicitly in sssd.conf, we try to set the + * site here. */ + if (state->ad_options->current_site == NULL) { + /* Ignore AD site found in netlogon attribute if specific site is set in + * configuration file. */ + ad_site_override = dp_opt_get_string(state->ad_options->basic, AD_SITE); + if (ad_site_override != NULL) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Ignoring AD site found by DNS discovery: '%s', " + "using configured value: '%s' instead.\n", + site, ad_site_override); + site = ad_site_override; + } + + if (site != NULL) { + ret = ad_options_switch_site(state->ad_options, state->be_ctx, site, + state->forest); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to store forest and site name, " + "will try again after a new lookup.\n"); + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Site name currently not available will try again later. " + "The site name can be added manually my setting 'ad_site' " + "in sssd.conf.\n"); + } + } + realm = dp_opt_get_cstring(state->ad_options->basic, AD_KRB5_REALM); if (realm == NULL) { DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm.\n"); -- 2.43.0 From b06b98466ed91f3e8e76034bed271e00ecb7f24e Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Fri, 15 Oct 2021 13:39:50 +0200 Subject: [PATCH 5/7] ad: only send cldap-ping to our local domain MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since we are using the name of the local domain in the search filter of the CLDAP ping only a DC from the local domain can send a proper reply. DCs from other domains will only return an error so we can skip the CLDAP ping for those domains. Resolves: https://github.com/SSSD/sssd/issues/5822 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 724293d0873ee3229866ae4c13e1c8829375146f) --- src/providers/ad/ad_cldap_ping.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c index 947657fab..c0cd99117 100644 --- a/src/providers/ad/ad_cldap_ping.c +++ b/src/providers/ad/ad_cldap_ping.c @@ -621,6 +621,14 @@ struct tevent_req *ad_cldap_ping_send(TALLOC_CTX *mem_ctx, goto done; } + if (strcmp(srv_ctx->ad_domain, discovery_domain) != 0) { + DEBUG(SSSDBG_TRACE_ALL, "Trying to discover domain [%s] " + "which is not our local domain [%s], skipping CLDAP ping.\n", + discovery_domain, srv_ctx->ad_domain); + ret = EOK; + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Sending CLDAP ping\n"); state->ev = ev; -- 2.43.0 From f716f923ea5be8a97f04c77cbc3a3891048b1005 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Tue, 16 Nov 2021 15:01:20 +0100 Subject: [PATCH 6/7] cldap: use dns_resolver_server_timeout timeout for cldap ping MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently the cldap ping is using the ldap_search_timeout since it is basically a LDAP search operation. However, the default of ldap_search_timeout is 6s which is quite a long time for the discovery of the AD DCs where the cldap ping is a part of. The default even collides which the default of dns_resolver_timeout which might easily lead to failures during the discovery phase. To avoid the addition of a new option this patch is using dns_resolver_server_timeout, which has a default of 1000ms (1s), as new timeout for the clapd ping. Since the original purpose of the timeout is the waiting time for a reply from a DNS server and both DNS and cldap by default use UDP I think reusing the option here is justified. Resolves: https://github.com/SSSD/sssd/issues/5875 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit c0941810fc3c3d74a00697349723f14e2f6bbdd2) --- src/man/sssd.conf.5.xml | 4 ++++ src/providers/ad/ad_cldap_ping.c | 10 +++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index d2e43dd49..6a4c8c386 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -3426,6 +3426,10 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit SSSD would try to talk to DNS server before trying next DNS server. </para> + <para> + The AD provider will use this option for the + CLDAP ping timeouts as well. + </para> <para> Please see the section <quote>FAILOVER</quote> for more information about the service diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c index c0cd99117..285286bfa 100644 --- a/src/providers/ad/ad_cldap_ping.c +++ b/src/providers/ad/ad_cldap_ping.c @@ -39,6 +39,7 @@ struct ad_cldap_ping_dc_state { struct tevent_context *ev; struct sdap_options *opts; + struct be_resolv_ctx *be_res; struct fo_server_info *dc; struct sdap_handle *sh; const char *ad_domain; @@ -72,6 +73,7 @@ static struct tevent_req *ad_cldap_ping_dc_send(TALLOC_CTX *mem_ctx, state->ev = ev; state->opts = opts; + state->be_res = be_res; state->dc = dc; state->ad_domain = ad_domain; @@ -103,6 +105,7 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq) char *filter; int timeout; errno_t ret; + div_t timeout_int; req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct ad_cldap_ping_dc_state); @@ -127,7 +130,12 @@ static void ad_cldap_ping_dc_connect_done(struct tevent_req *subreq) goto done; } - timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); + /* DP_RES_OPT_RESOLVER_SERVER_TIMEOUT is in milli-seconds and + * sdap_get_generic_send() expects seconds */ + timeout_int = div(dp_opt_get_int(state->be_res->opts, + DP_RES_OPT_RESOLVER_SERVER_TIMEOUT), + 1000); + timeout = (timeout_int.quot > 0) ? timeout_int.quot : 1; subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, "", LDAP_SCOPE_BASE, filter, attrs, NULL, 0, timeout, false); -- 2.43.0 From 4717db38c59d9c10938ba016aeac22ba6a7d4578 Mon Sep 17 00:00:00 2001 From: Tomas Halman <thalman@redhat.com> Date: Wed, 12 Jan 2022 15:31:20 +0100 Subject: [PATCH 7/7] ad: do not write kdc info file for GC lookup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit :fixes: When authenticating AD users, backtrace was triggered even though everything was working correctly. This was caused by a search in the global catalog. Servers from the global catalog are filtered out of the list before writing the KDC info file. With this fix, SSSD does not attempt to write to the KDC info file when performing a GC lookup. Resolves: https://github.com/SSSD/sssd/issues/5956 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 2b0bd0b30b7d12f77a5f37d0ad676c482901faec) --- src/providers/ad/ad_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index e263444c5..1a1e2f0a3 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -1084,7 +1084,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server) goto done; } - if (service->krb5_service->write_kdcinfo) { + if (service->krb5_service->write_kdcinfo && !(sdata != NULL && sdata->gc)) { + /* write KDC info file only if this is not GC lookup */ ret = write_krb5info_file_from_fo_server(service->krb5_service, server, SSS_KRB5KDC_FO_SRV, -- 2.43.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
