Merge branch 'master' into test_passkey_part2

Signed-off-by: Madhuri Upadhye <[email protected]>
SSSD · Nov 23, 2023 · d307d9b · d307d9b
2 parents 6d62489 + a997ee7
commit d307d9b
Show file tree

Hide file tree

Showing 44 changed files with 933 additions and 216 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -276,12 +276,22 @@ jobs:
               - /dev/shm
               volumes:
               - ../sssd:/sssd:rw
+            ipa:
+              image: ${REGISTRY}/ci-ipa-devel:${TAG}
+              shm_size: 4G
+              tmpfs:
+              - /dev/shm
+              volumes:
+              - ../sssd:/sssd:rw
 
-    - name: Build SSSD on the client
+    - name: Build SSSD on the client and IPA
       uses: SSSD/sssd-ci-containers/actions/exec@master
       with:
         log-file: build.log
         working-directory: /sssd
+        where: |
+          client
+          ipa
         script: |
           #!/bin/bash
           set -ex
@@ -294,22 +304,35 @@ jobs:
           /sssd/configure --enable-silent-rules
           make rpms
 
-    - name: Install SSSD on the client
+    - name: Install SSSD on the client and IPA
       uses: SSSD/sssd-ci-containers/actions/exec@master
       with:
         log-file: install.log
         user: root
+        where: |
+          client
+          ipa
         script: |
           #!/bin/bash
           set -ex
 
-          dnf remove -y --noautoremove sssd\*
           dnf install -y /dev/shm/sssd/rpmbuild/RPMS/*/*.rpm
           rm -fr /dev/shm/sssd
 
           # We need to reenable sssd-kcm since it was disabled by removing sssd not not enabled again
           systemctl enable --now sssd-kcm.socket
 
+    - name: Restart SSSD on IPA server
+      uses: SSSD/sssd-ci-containers/actions/exec@master
+      with:
+        user: root
+        where: ipa
+        script: |
+          #!/bin/bash
+          set -ex
+
+          systemctl restart sssd || systemctl status sssd
+
     - name: Install system tests dependencies
       shell: bash
       working-directory: ./sssd/src/tests/system

diff --git a/Makefile.am b/Makefile.am
@@ -183,7 +183,7 @@ endif
 if BUILD_SAMBA
 sssdlibexec_PROGRAMS += gpo_child
 endif
-if BUILD_SEMANAGE
+if BUILD_SELINUX
 sssdlibexec_PROGRAMS += selinux_child
 endif
 sssdlibexec_PROGRAMS += p11_child
@@ -1339,7 +1339,7 @@ libsss_semanage_la_LIBADD = \
     $(TALLOC_LIBS) \
     libsss_debug.la \
     $(NULL)
-if BUILD_SEMANAGE
+if BUILD_SELINUX
 libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
 endif
 
@@ -2228,7 +2228,7 @@ FILES_TESTS_LIBS = \
 if BUILD_SELINUX
     FILES_TESTS_LIBS += $(SELINUX_LIBS)
 endif
-if BUILD_SEMANAGE
+if BUILD_SELINUX
     FILES_TESTS_LIBS += $(SEMANAGE_LIBS)
 endif
 
@@ -4580,7 +4580,7 @@ libsss_ipa_la_SOURCES += \
     src/providers/ipa/ipa_sudo_async.c
 endif
 
-if BUILD_SEMANAGE
+if BUILD_SELINUX
 libsss_ipa_la_SOURCES += \
     src/providers/ipa/ipa_selinux.c \
     src/providers/ipa/ipa_selinux_maps.c
@@ -4723,7 +4723,7 @@ ldap_child_LDADD = \
     $(DHASH_LIBS) \
     $(KRB5_LIBS)
 
-if BUILD_SEMANAGE
+if BUILD_SELINUX
 selinux_child_SOURCES = \
     src/providers/ipa/selinux_child.c \
     src/util/sss_semanage.c \
@@ -5531,7 +5531,7 @@ if SSSD_USER
 	chmod 4750 $(DESTDIR)$(sssdlibexecdir)/krb5_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child
 	chmod 4750 $(DESTDIR)$(sssdlibexecdir)/proxy_child
-if BUILD_SEMANAGE
+if BUILD_SELINUX
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child
 	chmod 4750 $(DESTDIR)$(sssdlibexecdir)/selinux_child
 endif

diff --git a/configure.ac b/configure.ac
@@ -412,9 +412,6 @@ AM_CONDITIONAL([BUILD_PYTHON_BINDINGS],
 
 AS_IF([test x$HAVE_SELINUX != x], [
     AM_CHECK_SELINUX
-])
-
-AS_IF([test x$HAVE_SEMANAGE != x -a x$HAVE_SELINUX != x], [
     AM_CHECK_SEMANAGE
 ])
 

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -113,7 +113,7 @@ BuildRequires: libdhash-devel >= 0.4.2
 %if %{build_passkey}
 BuildRequires: libfido2-devel
 %endif
-BuildRequires: libini_config-devel >= 1.1
+BuildRequires: libini_config-devel >= 1.3
 BuildRequires: libldb-devel >= %{ldb_version}
 BuildRequires: libnfsidmap-devel
 BuildRequires: libnl3-devel

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
@@ -465,24 +465,6 @@ AC_DEFUN([WITH_NSCD_CONF],
     AC_DEFINE_UNQUOTED([NSCD_CONF_PATH], ["$NSCD_CONF_PATH"], [NSCD configuration file])
   ])
 
-
-AC_DEFUN([WITH_SEMANAGE],
-  [ AC_ARG_WITH([semanage],
-                [AC_HELP_STRING([--with-semanage],
-                                [Whether to build with SELinux user management support [yes]]
-                               )
-                ],
-                [],
-                with_semanage=yes
-               )
-    if test x"$with_semanage" = xyes; then
-        HAVE_SEMANAGE=1
-        AC_SUBST(HAVE_SEMANAGE)
-        AC_DEFINE_UNQUOTED(HAVE_SEMANAGE, 1, [Build with SELinux support])
-    fi
-    AM_CONDITIONAL([BUILD_SEMANAGE], [test x"$with_semanage" = xyes])
-  ])
-
 AC_DEFUN([WITH_GPO_CACHE_PATH],
   [ AC_ARG_WITH([gpo-cache-path],
                 [AC_HELP_STRING([--with-gpo-cache-path=PATH],

diff --git a/src/external/libini_config.m4 b/src/external/libini_config.m4
@@ -1,46 +1,9 @@
-PKG_CHECK_MODULES(INI_CONFIG_V0, [
-    ini_config >= 0.6.1], [
-
-        INI_CONFIG_CFLAGS="$INI_CONFIG_V0_CFLAGS"
-        INI_CONFIG_LIBS="$INI_CONFIG_V0_LIBS"
-        HAVE_LIBINI_CONFIG_V0=1
-        AC_DEFINE_UNQUOTED(HAVE_LIBINI_CONFIG_V0, 1, [libini_config version 0.6.1 or greater])
-        PKG_CHECK_MODULES(INI_CONFIG_V1, [
-            ini_config >= 1.0.0], [
-
-                INI_CONFIG_CFLAGS="$INI_CONFIG_V1_CFLAGS"
-                INI_CONFIG_LIBS="$INI_CONFIG_V1_LIBS"
-                HAVE_LIBINI_CONFIG_V1=1
-                AC_DEFINE_UNQUOTED(HAVE_LIBINI_CONFIG_V1, 1, [libini_config version 1.0.0 or greater])
-                PKG_CHECK_MODULES(INI_CONFIG_V1_1, [
-                    ini_config >= 1.1.0], [
-
-                        INI_CONFIG_CFLAGS="$INI_CONFIG_V1_1_CFLAGS"
-                        INI_CONFIG_LIBS="$INI_CONFIG_V1_1_LIBS"
-                        HAVE_LIBINI_CONFIG_V1_1=1
-                        AC_DEFINE_UNQUOTED(HAVE_LIBINI_CONFIG_V1_1, 1, [libini_config version 1.1.0 or greater])
-                        PKG_CHECK_MODULES(INI_CONFIG_V1_3, [
-                            ini_config >= 1.3.0], [
-
-                                INI_CONFIG_CFLAGS="$INI_CONFIG_V1_3_CFLAGS"
-                                INI_CONFIG_LIBS="$INI_CONFIG_V1_3_LIBS"
-                                HAVE_LIBINI_CONFIG_V1_3=1
-                                AC_DEFINE_UNQUOTED(HAVE_LIBINI_CONFIG_V1_3, 1,
-                                                   [libini_config version 1.3.0 or greater])
-                            ], [
-                                AC_MSG_WARN([libini_config-devel >= 1.3.0 not available, using older version])
-                            ]
-                        )
-                    ], [
-                        AC_MSG_WARN([libini_config-devel >= 1.1.0 not available, using older version])
-                    ]
-                )
-            ], [
-                AC_MSG_WARN([libini_config-devel >= 1.0.0 not available, using older version])
-            ]
-        )
+PKG_CHECK_MODULES(INI_CONFIG_V1_3, [
+    ini_config >= 1.3.0], [
+        INI_CONFIG_CFLAGS="$INI_CONFIG_V1_3_CFLAGS"
+        INI_CONFIG_LIBS="$INI_CONFIG_V1_3_LIBS"
     ], [
-        AC_MSG_ERROR([Please install libini_config-devel])
+        AC_MSG_ERROR([Please install libini_config-devel version 1.3.0 or greater])
     ]
 )
 

diff --git a/src/external/samba.m4 b/src/external/samba.m4
@@ -38,16 +38,6 @@ without them. In this case, you will need to execute configure script
 with argument --without-samba
     ]]))
 
-    if test x"$HAVE_LIBINI_CONFIG_V1_1" != x1; then
-        AC_MSG_ERROR([[Please install libini_config development libraries
-v1.1.0, or newer. libini_config libraries are necessary for building ipa
-provider, as well as for building gpo-based access control in ad provider. If
-you do not want to build these providers it is possible to build SSSD without
-them. In this case, you will need to execute configure script with argument
---without-samba
-        ]])
-    fi
-
     AC_ARG_WITH([smb-idmap-interface-version],
                 [AC_HELP_STRING([--with-smb-idmap-interface-version=[5|6]],
                                 [Idmap interface version of installed Samba]

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -70,8 +70,7 @@
         <para>
             The configuration file <filename>sssd.conf</filename> will
             include configuration snippets using the include directory
-            <filename>conf.d</filename>. This feature is available if
-            SSSD was compiled with libini version 1.3.0 or later.
+            <filename>conf.d</filename>.
         </para>
 
         <para>

diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
@@ -34,13 +34,13 @@ memcache_delete_entry_by_name(struct sss_nss_ctx *nss_ctx,
 
     switch (type) {
     case SSS_MC_PASSWD:
-        ret = sss_mmap_cache_pw_invalidate(nss_ctx->pwd_mc_ctx, name);
+        ret = sss_mmap_cache_pw_invalidate(&nss_ctx->pwd_mc_ctx, name);
         break;
     case SSS_MC_GROUP:
-        ret = sss_mmap_cache_gr_invalidate(nss_ctx->grp_mc_ctx, name);
+        ret = sss_mmap_cache_gr_invalidate(&nss_ctx->grp_mc_ctx, name);
         break;
     case SSS_MC_INITGROUPS:
-        ret = sss_mmap_cache_initgr_invalidate(nss_ctx->initgr_mc_ctx, name);
+        ret = sss_mmap_cache_initgr_invalidate(&nss_ctx->initgr_mc_ctx, name);
         break;
     default:
         return EINVAL;
@@ -66,10 +66,10 @@ memcache_delete_entry_by_id(struct sss_nss_ctx *nss_ctx,
 
     switch (type) {
     case SSS_MC_PASSWD:
-        ret = sss_mmap_cache_pw_invalidate_uid(nss_ctx->pwd_mc_ctx, (uid_t)id);
+        ret = sss_mmap_cache_pw_invalidate_uid(&nss_ctx->pwd_mc_ctx, (uid_t)id);
         break;
     case SSS_MC_GROUP:
-        ret = sss_mmap_cache_gr_invalidate_gid(nss_ctx->grp_mc_ctx, (gid_t)id);
+        ret = sss_mmap_cache_gr_invalidate_gid(&nss_ctx->grp_mc_ctx, (gid_t)id);
         break;
     default:
         return EINVAL;

diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
@@ -78,7 +78,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
 
     if (ret == ENOENT || res->count == 0) {
         /* The user is gone. Invalidate the mc record */
-        ret = sss_mmap_cache_pw_invalidate(nctx->pwd_mc_ctx, delete_name);
+        ret = sss_mmap_cache_pw_invalidate(&nctx->pwd_mc_ctx, delete_name);
         if (ret != EOK && ret != ENOENT) {
             DEBUG(SSSDBG_CRIT_FAILURE,
                   "Internal failure in memory cache code: %d [%s]\n",
@@ -125,7 +125,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
         for (i = 0; i < gnum; i++) {
             id = groups[i];
 
-            ret = sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, id);
+            ret = sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, id);
             if (ret != EOK && ret != ENOENT) {
                 DEBUG(SSSDBG_CRIT_FAILURE,
                       "Internal failure in memory cache code: %d [%s]\n",
@@ -134,7 +134,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx,
         }
 
         to_sized_string(delete_name, fq_name);
-        ret = sss_mmap_cache_initgr_invalidate(nctx->initgr_mc_ctx,
+        ret = sss_mmap_cache_initgr_invalidate(&nctx->initgr_mc_ctx,
                                                delete_name);
         if (ret != EOK && ret != ENOENT) {
             DEBUG(SSSDBG_CRIT_FAILURE,
@@ -208,7 +208,7 @@ sss_nss_memorycache_invalidate_group_by_id(TALLOC_CTX *mem_ctx,
     DEBUG(SSSDBG_TRACE_LIBS,
           "Invalidating group %u from memory cache\n", gid);
 
-    sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid);
+    sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, gid);
 
     return EOK;
 }

diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
@@ -19,6 +19,7 @@
 */
 
 #include "responder/nss/nss_protocol.h"
+#include "util/sss_format.h"
 
 static errno_t
 sss_nss_get_grent(TALLOC_CTX *mem_ctx,
@@ -402,9 +403,16 @@ sss_nss_protocol_fill_initgr(struct sss_nss_ctx *nss_ctx,
     ret = sysdb_search_group_by_origgid(NULL, domain, orig_gid, NULL,
                                         &primary_group_msg);
     if (ret != EOK) {
-        DEBUG((ret == ENOENT ? SSSDBG_FUNC_DATA : SSSDBG_MINOR_FAILURE),
-              "Unable to find primary gid [%d]: %s\n",
-              ret, sss_strerror(ret));
+        if (ret == ENOENT) {
+            DEBUG(SSSDBG_FUNC_DATA,
+                  "There is no override for group %" SPRIgid "\n",
+                  orig_gid);
+        } else {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Unable to find the original group id attribute for %" SPRIgid
+                  ". Assuming there is none. [%d] %s\n",
+                  orig_gid, ret, sss_strerror(ret));
+        }
         /* Just continue with what we have. */
     } else {
         orig_gid = ldb_msg_find_attr_as_uint64(primary_group_msg, SYSDB_GIDNUM,