From 2e32cb5c8f810c15317570ea64499806f6cec491 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 9 Oct 2024 10:02:21 +0200
Subject: [PATCH 1/8] Move 'nscd' helper functions out of 'utils'

as it's not used anywhere outside 'monitor'.
---
 Makefile.am                  |  3 +--
 src/monitor/monitor.c        | 41 ++----------------------------------
 src/{util => monitor}/nscd.c | 41 +++++++++++++++++++++++++++++++++++-
 src/util/util.h              |  3 ---
 4 files changed, 43 insertions(+), 45 deletions(-)
 rename src/{util => monitor}/nscd.c (67%)

diff --git a/Makefile.am b/Makefile.am
index 2c3ff5f0da0..f13bc3799bf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -633,7 +633,6 @@ SSSD_TOOLS_OBJ = \
     src/tools/common/sss_tools.c \
     src/tools/common/sss_process.c \
     src/confdb/confdb_setup.c \
-    src/util/nscd.c \
     $(NULL)
 
 SSSD_LCL_TOOLS_OBJ = \
@@ -1519,8 +1518,8 @@ endif
 sssd_SOURCES = \
     src/monitor/monitor.c \
     src/monitor/monitor_bootstrap.c \
+    src/monitor/nscd.c \
     src/confdb/confdb_setup.c \
-    src/util/nscd.c \
     $(NULL)
 sssd_LDADD = \
     $(SSSD_LIBS) \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 75195e54398..f86574d24ae 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -66,11 +66,6 @@
  */
 #define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__"
 
-/* for detecting if NSCD is running */
-#ifndef NSCD_SOCKET_PATH
-#define NSCD_SOCKET_PATH "/var/run/nscd/socket"
-#endif
-
 int cmdline_debug_level;
 int cmdline_debug_timestamps;
 int cmdline_debug_microseconds;
@@ -1895,40 +1890,8 @@ static void monitor_restart_service(struct mt_svc *svc)
     }
 }
 
-static void check_nscd(void)
-{
-    int ret;
-    ret = check_file(NSCD_SOCKET_PATH,
-                     -1, -1, S_IFSOCK, S_IFMT, NULL, false);
-    if (ret == EOK) {
-        ret = sss_nscd_parse_conf(NSCD_CONF_PATH);
-
-        switch (ret) {
-            case ENOENT:
-                sss_log(SSS_LOG_NOTICE,
-                        "NSCD socket was detected. NSCD caching capabilities "
-                        "may conflict with SSSD for users and groups. It is "
-                        "recommended not to run NSCD in parallel with SSSD, "
-                        "unless NSCD is configured not to cache the passwd, "
-                        "group, netgroup and services nsswitch maps.");
-                break;
-
-            case EEXIST:
-                sss_log(SSS_LOG_NOTICE,
-                        "NSCD socket was detected and seems to be configured "
-                        "to cache some of the databases controlled by "
-                        "SSSD [passwd,group,netgroup,services]. It is "
-                        "recommended not to run NSCD in parallel with SSSD, "
-                        "unless NSCD is configured not to cache these.");
-                break;
-
-            case EOK:
-                DEBUG(SSSDBG_TRACE_FUNC, "NSCD socket was detected and it "
-                            "seems to be configured not to interfere with "
-                            "SSSD's caching capabilities\n");
-        }
-    }
-}
+/* from nscd.c */
+void check_nscd(void);
 
 #ifdef BUILD_CONF_SERVICE_USER_SUPPORT
 int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid);
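Review bot: The hand-written prototype `void check_nscd(void);` in monitor.c is not tied to the definition in src/monitor/nscd.c, so the compiler cannot catch the two drifting apart. The part of nscd.c visible in this patch includes only "util/util.h", which no longer mentions nscd. A small private header would keep them in sync, for example a `src/monitor/nscd.h` (name is a suggestion) holding `void check_nscd(void);` and included from both monitor.c and nscd.c. It would also keep builds with `-Wmissing-prototypes` quiet.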
diff --git a/src/util/nscd.c b/src/monitor/nscd.c
similarity index 67%
rename from src/util/nscd.c
rename to src/monitor/nscd.c
index 47a1c023a76..c973a86dece 100644
--- a/src/util/nscd.c
+++ b/src/monitor/nscd.c
@@ -25,6 +25,10 @@
 
 #include "util/util.h"
 
+#ifndef NSCD_SOCKET_PATH
+#define NSCD_SOCKET_PATH "/var/run/nscd/socket"
+#endif
+
 
 /* NSCD config file parse and check */
 static unsigned int sss_nscd_check_service(char* svc_name)
@@ -59,7 +63,7 @@ static unsigned int sss_nscd_check_service(char* svc_name)
     return ret;
 }
 
-errno_t sss_nscd_parse_conf(const char *conf_path)
+static errno_t sss_nscd_parse_conf(const char *conf_path)
 {
     FILE *fp;
     int ret = EOK;
@@ -144,3 +148,38 @@ errno_t sss_nscd_parse_conf(const char *conf_path)
 
     return ret;
 }
+
+void check_nscd(void)
+{
+    int ret;
+    ret = check_file(NSCD_SOCKET_PATH,
+                     -1, -1, S_IFSOCK, S_IFMT, NULL, false);
+    if (ret == EOK) {
+        ret = sss_nscd_parse_conf(NSCD_CONF_PATH);
+
+        switch (ret) {
+            case ENOENT:
+                sss_log(SSS_LOG_NOTICE,
+                        "NSCD socket was detected. NSCD caching capabilities "
+                        "may conflict with SSSD for users and groups. It is "
+                        "recommended not to run NSCD in parallel with SSSD, "
+                        "unless NSCD is configured not to cache the passwd, "
+                        "group, netgroup and services nsswitch maps.");
+                break;
+
+            case EEXIST:
+                sss_log(SSS_LOG_NOTICE,
+                        "NSCD socket was detected and seems to be configured "
+                        "to cache some of the databases controlled by "
+                        "SSSD [passwd,group,netgroup,services]. It is "
+                        "recommended not to run NSCD in parallel with SSSD, "
+                        "unless NSCD is configured not to cache these.");
+                break;
+
+            case EOK:
+                DEBUG(SSSDBG_TRACE_FUNC, "NSCD socket was detected and it "
+                            "seems to be configured not to interfere with "
+                            "SSSD's caching capabilities\n");
+        }
+    }
+}
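Review bot: The `switch (ret)` in check_nscd() has no `default`, so any result of sss_nscd_parse_conf() other than ENOENT, EEXIST or EOK is dropped without a log line. Which other codes the parser can return is not visible in this hunk. Now that the function is a non-static entry point, a catch-all such as `default: DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected result of NSCD config check [%d]\n", ret);` would make a failed check visible. The last case should also end with `break;`.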
diff --git a/src/util/util.h b/src/util/util.h
index 406c4178589..22ddf28fa6f 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -560,9 +560,6 @@ bool is_valid_domain_name(const char *domain);
  */
 int sss_rand(void);
 
-/* from nscd.c */
-errno_t sss_nscd_parse_conf(const char *conf_path);
-
 /* from sss_tc_utf8.c */
 char *
 sss_tc_utf8_str_tolower(TALLOC_CTX *mem_ctx, const char *s);

From 207fe4ee06d6104c087cc9de4e7a9fe074596c79 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 9 Oct 2024 12:22:19 +0200
Subject: [PATCH 2/8] CONFDB: introduce helper to read a full list of
 configured services,

including implicitly configured
---
 src/confdb/confdb.c   | 129 ++++++++++++++++++++++++++++++++++++++++++
 src/confdb/confdb.h   |  15 ++++-
 src/monitor/monitor.c | 124 ++--------------------------------------
 3 files changed, 147 insertions(+), 121 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 252c557ce9a..a9b07436ae7 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -642,6 +642,135 @@ int confdb_get_string_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
     return ret;
 }
 
+static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx,
+                                     char ***_services)
+{
+    int ret;
+    char **domain_names;
+    TALLOC_CTX *tmp_ctx;
+    size_t c;
+    char *conf_path;
+    char *id_provider;
+    bool add_pac = false;
+    bool implicit_pac_responder = true;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+        return ENOMEM;
+    }
+
+    ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domain_names);
+    if (ret == ENOENT) {
+        DEBUG(SSSDBG_OP_FAILURE, "No domains configured!\n");
+        goto done;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Error retrieving domains list [%d]: %s\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    ret = confdb_get_bool(cdb, CONFDB_MONITOR_CONF_ENTRY,
+                          CONFDB_MONITOR_IMPLICIT_PAC_RESPONDER, true,
+                          &implicit_pac_responder);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Failed to read implicit_pac_responder option, "
+              "using default 'true'.\n");
+        implicit_pac_responder = true;
+    }
+
+    for (c = 0; domain_names[c] != NULL; c++) {
+        if (!is_valid_domain_name(domain_names[c])) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Skipping invalid domain name '%s'\n", domain_names[c]);
+            continue;
+        }
+        conf_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL,
+                                    domain_names[c]);
+        if (conf_path == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+            ret = ENOMEM;
+            goto done;
+        }
+
+        ret = confdb_get_string(cdb, tmp_ctx, conf_path,
+                                CONFDB_DOMAIN_ID_PROVIDER, NULL, &id_provider);
+        if (ret == EOK) {
+            if (id_provider == NULL) {
+                DEBUG(SSSDBG_OP_FAILURE, "id_provider is not set for "
+                      "domain [%s], trying next domain.\n", domain_names[c]);
+                continue;
+            }
+
+            if (strcasecmp(id_provider, "IPA") == 0
+                        || strcasecmp(id_provider, "AD") == 0) {
+                if (implicit_pac_responder) {
+                    add_pac = true;
+                } else {
+                    DEBUG(SSSDBG_CONF_SETTINGS,
+                          "PAC resonder not enabled for id provider [%s] "
+                          "because implicit_pac_responder is set to 'false'.\n",
+                          id_provider);
+                    add_pac = false;
+                }
+            }
+        } else {
+            DEBUG(SSSDBG_OP_FAILURE, "Failed to get id_provider for " \
+                                      "domain [%s], trying next domain.\n",
+                                      domain_names[c]);
+        }
+    }
+
+    if (BUILD_WITH_PAC_RESPONDER && add_pac &&
+        !string_in_list("pac", *_services, false)) {
+        ret = add_string_to_list(mem_ctx, "pac", _services);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "add_string_to_list failed.\n");
+            goto done;
+        }
+    }
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
+int confdb_get_services_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
+                                char ***_result)
+{
+    int ret;
+
+    ret = confdb_get_string_as_list(cdb, ctx,
+                                    CONFDB_MONITOR_CONF_ENTRY,
+                                    CONFDB_MONITOR_ACTIVE_SERVICES,
+                                    _result);
+#ifdef HAVE_SYSTEMD
+    if (ret != EOK && ret != ENOENT) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Failed to get the explicitly configured services!\n");
+        return EINVAL;
+    }
+#else
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "No services configured!\n");
+        return EINVAL;
+    }
+#endif
+
+    /* `add_implicit_services()` can handle (*_result == NULL) */
+    ret = add_implicit_services(cdb, ctx, _result);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to add implicitly configured services\n");
+        return EINVAL;
+    }
+
+    return EOK;
+}
+
 int confdb_init(TALLOC_CTX *mem_ctx,
                 struct confdb_ctx **cdb_ctx,
                 const char *confdb_location)
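Review bot: confdb_get_services_as_list() never initialises `*_result`, yet under HAVE_SYSTEMD it carries on after ENOENT and add_implicit_services() then reads it in `string_in_list("pac", *_services, false)`. The comment claiming `*_result == NULL` is handled holds only if the caller zeroed the pointer, or if confdb_get_string_as_list() stores NULL on ENOENT; that function's body is not in this hunk. The caller added in patch 3, ifp_component_get_enabled(), declares `char **values;` with no initialiser, so it may pass an indeterminate pointer down this path. Adding `*_result = NULL;` before the confdb_get_string_as_list() call makes the helper safe regardless of caller.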
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 7457a1214af..633e0bcbc3b 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -731,7 +731,7 @@ int confdb_set_string(struct confdb_ctx *cdb,
  * @param[in] attribute The name of the attribute to update
  * @param[out] result A pointer to the retrieved array of strings
  *
- * @return 0 - Successfully retrieved the entry (or used the default)
+ * @return 0 - Successfully retrieved the entry
  * @return ENOMEM - There was insufficient memory to complete the operation
  * @return EINVAL - The section could not be parsed, or the attribute was not
  *                  single-valued.
@@ -742,6 +742,19 @@ int confdb_get_string_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
                               const char *section, const char *attribute,
                               char ***result);
 
+/**
+ * @brief Convenience function to retrieve a list of configured services,
+ * including implicitly configured, as a null-terminated array of strings.
+ *
+ * @param[in] cdb The connection object to the confdb
+ * @param[in] ctx The parent memory context for the returned string
+ * @param[out] _result A pointer to the retrieved array of strings
+ *
+ * @return 0 on success, error code otherwise
+ */
+int confdb_get_services_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
+                                char ***_result);
+
 /**
  * @brief Convenience function to retrieve a list of subsections given a
  * configuration section name
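Review bot: The Doxygen block for confdb_get_services_as_list() says "error code otherwise", but the implementation added in confdb.c returns EINVAL on every failure path, so callers cannot tell ENOMEM from a parse error. The comment should say so, e.g. `@return EINVAL - The services list could not be read or extended`. It would also help to state that in HAVE_SYSTEMD builds a missing services line is not an error, and that `*_result` may then be left without any explicitly configured entry.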
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index f86574d24ae..a7d5801fb4d 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -669,103 +669,6 @@ static int check_domain_ranges(struct sss_domain_info *domains)
     return EOK;
 }
 
-static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx,
-                                     char ***_services)
-{
-    int ret;
-    char **domain_names;
-    TALLOC_CTX *tmp_ctx;
-    size_t c;
-    char *conf_path;
-    char *id_provider;
-    bool add_pac = false;
-    bool implicit_pac_responder = true;
-
-    tmp_ctx = talloc_new(NULL);
-    if (tmp_ctx == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
-        return ENOMEM;
-    }
-
-    ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domain_names);
-    if (ret == ENOENT) {
-        DEBUG(SSSDBG_OP_FAILURE, "No domains configured!\n");
-        goto done;
-    } else if (ret != EOK) {
-        DEBUG(SSSDBG_FATAL_FAILURE, "Error retrieving domains list [%d]: %s\n",
-              ret, sss_strerror(ret));
-        goto done;
-    }
-
-    ret = confdb_get_bool(cdb, CONFDB_MONITOR_CONF_ENTRY,
-                          CONFDB_MONITOR_IMPLICIT_PAC_RESPONDER, true,
-                          &implicit_pac_responder);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE,
-              "Failed to read implicit_pac_responder option, "
-              "using default 'true'.\n");
-        implicit_pac_responder = true;
-    }
-
-    for (c = 0; domain_names[c] != NULL; c++) {
-        if (!is_valid_domain_name(domain_names[c])) {
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "Skipping invalid domain name '%s'\n", domain_names[c]);
-            continue;
-        }
-        conf_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL,
-                                    domain_names[c]);
-        if (conf_path == NULL) {
-            DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
-            ret = ENOMEM;
-            goto done;
-        }
-
-        ret = confdb_get_string(cdb, tmp_ctx, conf_path,
-                                CONFDB_DOMAIN_ID_PROVIDER, NULL, &id_provider);
-        if (ret == EOK) {
-            if (id_provider == NULL) {
-                DEBUG(SSSDBG_OP_FAILURE, "id_provider is not set for "
-                      "domain [%s], trying next domain.\n", domain_names[c]);
-                continue;
-            }
-
-            if (strcasecmp(id_provider, "IPA") == 0
-                        || strcasecmp(id_provider, "AD") == 0) {
-                if (implicit_pac_responder) {
-                    add_pac = true;
-                } else {
-                    DEBUG(SSSDBG_CONF_SETTINGS,
-                          "PAC resonder not enabled for id provider [%s] "
-                          "because implicit_pac_responder is set to 'false'.\n",
-                          id_provider);
-                    add_pac = false;
-                }
-            }
-        } else {
-            DEBUG(SSSDBG_OP_FAILURE, "Failed to get id_provider for " \
-                                      "domain [%s], trying next domain.\n",
-                                      domain_names[c]);
-        }
-    }
-
-    if (BUILD_WITH_PAC_RESPONDER && add_pac &&
-        !string_in_list("pac", *_services, false)) {
-        ret = add_string_to_list(mem_ctx, "pac", _services);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE, "add_string_to_list failed.\n");
-            goto done;
-        }
-    }
-
-    ret = EOK;
-
-done:
-    talloc_free(tmp_ctx);
-
-    return ret;
-}
-
 static char *check_service(char *service)
 {
     const char * const *known_services = get_known_services();
@@ -888,29 +791,10 @@ static int get_monitor_config(struct mt_ctx *ctx)
     char *badsrv = NULL;
     int i;
 
-    ret = confdb_get_string_as_list(ctx->cdb, ctx,
-                                    CONFDB_MONITOR_CONF_ENTRY,
-                                    CONFDB_MONITOR_ACTIVE_SERVICES,
-                                    &ctx->services);
-
-#ifdef HAVE_SYSTEMD
-    if (ret != EOK && ret != ENOENT) {
-        DEBUG(SSSDBG_FATAL_FAILURE,
-              "Failed to get the explicitly configured services!\n");
-        return EINVAL;
-    }
-#else
-    if (ret != EOK) {
-        DEBUG(SSSDBG_FATAL_FAILURE, "No services configured!\n");
-        return EINVAL;
-    }
-#endif
-
-    ret = add_implicit_services(ctx->cdb, ctx, &ctx->services);
+    ret = confdb_get_services_as_list(ctx->cdb, ctx,
+                                      &ctx->services);
     if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "Failed to add implicit configured "
-                                 "services. Some functionality might "
-                                 "be missing\n");
+        return ret;
     }
 
     badsrv = check_services(ctx->services);
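Review bot: The new `return ret;` makes a failure to add implicit services fatal for get_monitor_config(), where the removed code only logged "Some functionality might be missing" and continued; the commit message does not mention this behaviour change. At this point in the series main() still ignores the return value of get_monitor_config() (that is only fixed in patch 7), so on failure the monitor keeps starting with the rest of this function skipped. Either keep the tolerant behaviour in this patch or move the main() check here so each commit is consistent on its own. The function body continues outside the hunk.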
@@ -1652,7 +1536,7 @@ static void monitor_sbus_connected(struct tevent_req *req)
          *  expires) */
         ret = add_services_startup_timeout(ctx);
     } else {
-        DEBUG(SSSDBG_FATAL_FAILURE, "No providers configured.");
+        DEBUG(SSSDBG_FATAL_FAILURE, "No providers configured.\n");
         ret = ERR_INVALID_CONFIG;
     }
 

From 057d801b1ac2f0cd6f8c8ea69f686edec003e8bb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 9 Oct 2024 12:56:39 +0200
Subject: [PATCH 3/8] IFP: use new helper to retrieve services list

This still won't handle socket activated services, but should
take care of implicitly configured services at least.
---
 src/responder/ifp/ifp_components.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/responder/ifp/ifp_components.c b/src/responder/ifp/ifp_components.c
index c6b98374eae..0ee7ca24b7d 100644
--- a/src/responder/ifp/ifp_components.c
+++ b/src/responder/ifp/ifp_components.c
@@ -487,7 +487,6 @@ ifp_component_get_enabled(TALLOC_CTX *mem_ctx,
 {
     TALLOC_CTX *tmp_ctx;
     enum component_type type;
-    const char *param = NULL;
     char **values;
     char *name;
     errno_t ret;
@@ -513,15 +512,16 @@ ifp_component_get_enabled(TALLOC_CTX *mem_ctx,
         ret = EOK;
         goto done;
     case COMPONENT_RESPONDER:
-        param = CONFDB_MONITOR_ACTIVE_SERVICES;
+        ret = confdb_get_services_as_list(ctx->rctx->cdb, tmp_ctx, &values);
         break;
     case COMPONENT_BACKEND:
-        param = CONFDB_MONITOR_ACTIVE_DOMAINS;
+        ret = confdb_get_string_as_list(ctx->rctx->cdb, tmp_ctx,
+                                        CONFDB_MONITOR_CONF_ENTRY,
+                                        CONFDB_MONITOR_ACTIVE_DOMAINS,
+                                        &values);
         break;
     }
 
-    ret = confdb_get_string_as_list(ctx->rctx->cdb, tmp_ctx,
-                                    CONFDB_MONITOR_CONF_ENTRY, param, &values);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve configuration option"
               "[%d]: %s\n", ret, sss_strerror(ret));

From c1a1edc36c69328a4891df549b357e969e4dbe22 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 9 Oct 2024 13:12:54 +0200
Subject: [PATCH 4/8] socket_activated_responders: check confdb

(instead of sssd.conf) using new helper to take into
account implicitly configured services.

Resolves: https://github.com/SSSD/sssd/issues/5013
---
 Makefile.am                                   |  1 +
 .../sssd_check_socket_activated_responders.c  | 49 +++----------------
 2 files changed, 7 insertions(+), 43 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index f13bc3799bf..839b25eae0e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2004,6 +2004,7 @@ endif
 if HAVE_SYSTEMD_UNIT
 sssd_check_socket_activated_responders_SOURCES = \
     src/tools/sssd_check_socket_activated_responders.c \
+    src/tools/common/sss_tools.c \
     $(NULL)
 sssd_check_socket_activated_responders_CFLAGS = \
     $(AM_CFLAGS) \
diff --git a/src/tools/sssd_check_socket_activated_responders.c b/src/tools/sssd_check_socket_activated_responders.c
index dddc02ee24e..5753c2c6c21 100644
--- a/src/tools/sssd_check_socket_activated_responders.c
+++ b/src/tools/sssd_check_socket_activated_responders.c
@@ -24,73 +24,36 @@
 #include <stdio.h>
 
 #include "util/util.h"
-#include "util/sss_ini.h"
 #include "confdb/confdb.h"
+#include "common/sss_tools.h"
 
 static errno_t check_socket_activated_responder(const char *responder)
 {
     errno_t ret;
-    char *services = NULL;
-    const char *str;
     TALLOC_CTX *tmp_ctx;
-    struct sss_ini *init_data;
+    struct confdb_ctx *confdb;
+    char **services = NULL;
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
         return ENOMEM;
     }
 
-    init_data = sss_ini_new(tmp_ctx);
-    if (init_data == NULL) {
-        ret = ENOMEM;
-        goto done;
-    }
-
-    ret = sss_ini_read_sssd_conf(init_data,
-                                 SSSD_CONFIG_FILE,
-                                 CONFDB_DEFAULT_CONFIG_DIR);
+    ret = sss_tool_confdb_init(tmp_ctx, &confdb);
     if (ret != EOK) {
-        DEBUG(SSSDBG_DEFAULT,
-              "Failed to read configuration: [%d] [%s]. No reason to run "
-              "a responder if SSSD isn't configured.",
-              ret,
-              sss_strerror(ret));
         goto done;
     }
 
-    ret = sss_ini_get_cfgobj(init_data, "sssd", "services");
-
+    ret = confdb_get_services_as_list(confdb, tmp_ctx, &services);
     if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE,
-              "sss_ini_get_cfgobj() failed [%d].\n", ret);
-        goto done;
-    }
-
-    ret = sss_ini_check_config_obj(init_data);
-    if (ret == ENOENT) {
-        /* In case there's no services' line at all, just return EOK. */
-        ret = EOK;
         goto done;
     }
 
-    services = sss_ini_get_string_config_value(init_data, &ret);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE,
-              "sss_ini_get_string_config_value() failed [%d]\n",
-              ret);
-        goto done;
-    }
-
-    str = strstr(services, responder);
-    if (str != NULL) {
+    if (string_in_list(responder, services, false)) {
         ret = EEXIST;
-        goto done;
     }
 
-    ret = EOK;
-
 done:
-    free(services);
     talloc_free(tmp_ctx);
 
     return ret;
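Review bot: Failures of sss_tool_confdb_init() and confdb_get_services_as_list() now jump to `done` without a log line, and the caller in main() treats every non-EOK result as "still mentioned in the services' line". An unreadable or missing confdb would therefore be reported as a services misconfiguration and fail the ExecStartPre step with a misleading message. Log the real cause at both sites, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, "Failed to read services list [%d]: %s\n", ret, sss_strerror(ret));`. main() should also print the misconfiguration text only for `ret == EEXIST`.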

From 4173b6a113d080992726c3c6e5fb0b456a7124ec Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 9 Oct 2024 13:36:51 +0200
Subject: [PATCH 5/8] socket_activated_responders: log to syslog instead of
 stdout

Otherwise logs of 'ExecStartPre' command are lost.
---
 src/tools/sssd_check_socket_activated_responders.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/tools/sssd_check_socket_activated_responders.c b/src/tools/sssd_check_socket_activated_responders.c
index 5753c2c6c21..a31c43491ef 100644
--- a/src/tools/sssd_check_socket_activated_responders.c
+++ b/src/tools/sssd_check_socket_activated_responders.c
@@ -93,14 +93,13 @@ int main(int argc, const char *argv[])
 
     ret = check_socket_activated_responder(responder);
     if (ret != EOK) {
-        DEBUG(SSSDBG_DEFAULT,
-              "Misconfiguration found for the %s responder.\n"
-              "The %s responder has been configured to be socket-activated "
-              "but it's still mentioned in the services' line in %s.\n"
-              "Please, consider either adjusting your services' line in %s "
-              "or disabling the %s's socket by calling:\n"
+        sss_log(SSS_LOG_ERR,
+              "Misconfiguration found for the '%s' responder.\n"
+              "It has been configured to be socket-activated but "
+              "it's still mentioned in the services' line of the config file.\n"
+              "Please consider either adjusting services' line "
+              "or disabling the socket by calling:\n"
               "\"systemctl disable sssd-%s.socket\"",
-              responder, responder, SSSD_CONFIG_FILE, SSSD_CONFIG_FILE,
               responder, responder);
         goto done;
     }
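Review bot: The text passed to sss_log() still contains embedded `\n` characters from the old stdout message. Assuming sss_log() forwards to syslog, several syslog daemons escape or split control characters, which would make the hint hard to read in the journal or log file. A single-line message would avoid that, e.g. `"Misconfiguration found for the '%s' responder: it is socket-activated but still listed in the services line; adjust the services line or run \"systemctl disable sssd-%s.socket\""`.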

From 2cffd8291ef1d0c3b4be981b590058bdd2c34eaf Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 9 Oct 2024 17:16:43 +0200
Subject: [PATCH 6/8] TESTS:INTG: 'implicit files domain' not supported

since 501e05f46252ba6e097983a871c92b3896b596f2
---
 src/tests/intg/test_files_provider.py | 23 -----------------------
 1 file changed, 23 deletions(-)

diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index c318d733cda..ba33e83b692 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -1216,18 +1216,6 @@ def test_realloc_groups(setup_gr_with_canary, files_domain_only):
     realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK * 3)
 
 
-# Files domain autoconfiguration tests
-@pytest.mark.skipif(not have_files_provider(),
-                    reason="'files provider' disabled, skipping")
-def test_no_sssd_domain(add_user_with_canary, no_sssd_domain):
-    """
-    Test that if no sssd domain is configured, sssd will add the implicit one
-    """
-    res, user = sssd_getpwnam_sync(USER1["name"])
-    assert res == NssReturnCode.SUCCESS
-    assert user == USER1
-
-
 @pytest.mark.skipif(not have_files_provider(),
                     reason="'files provider' disabled, skipping")
 def test_proxy_to_files_domain_only(add_user_with_canary,
@@ -1239,17 +1227,6 @@ def test_proxy_to_files_domain_only(add_user_with_canary,
     assert res == NssReturnCode.NOTFOUND
 
 
-@pytest.mark.skipif(not have_files_provider(),
-                    reason="'files provider' disabled, skipping")
-def test_no_files_domain(add_user_with_canary, no_files_domain):
-    """
-    Test that if no files domain is configured, sssd will add the implicit one
-    """
-    res, user = sssd_getpwnam_sync(USER1["name"])
-    assert res == NssReturnCode.SUCCESS
-    assert user == USER1
-
-
 @pytest.mark.skipif(not have_files_provider(),
                     reason="'files provider' disabled, skipping")
 def test_disable_files_domain(add_user_with_canary, disabled_files_domain):

From a0176b375afb9b3dc06d874ce9ffa1e106a54190 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 9 Oct 2024 20:01:32 +0200
Subject: [PATCH 7/8] CONFDB: don't hard fail in add_implicit_services()

if no explicitly configured domains found.

There might be 'enable_files_domain = true' or app domains that
are expanded later.
---
 src/confdb/confdb.c   | 3 ++-
 src/monitor/monitor.c | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index a9b07436ae7..7515da45d05 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -662,7 +662,8 @@ static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx
 
     ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domain_names);
     if (ret == ENOENT) {
-        DEBUG(SSSDBG_OP_FAILURE, "No domains configured!\n");
+        /* confdb_expand_app_domains() wasn't called yet, so this might be ok */
+        ret = EOK;
         goto done;
     } else if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE, "Error retrieving domains list [%d]: %s\n",
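Review bot: The ENOENT branch now returns EOK without any trace, so a log no longer shows that implicit service detection was skipped because no enabled domain was found. That makes a missing implicit `pac` responder harder to diagnose. Keeping a low-severity message next to the new comment would preserve the information without alarming anyone, e.g. `DEBUG(SSSDBG_CONF_SETTINGS, "No enabled domains found, skipping implicit services.\n");`. The function body continues outside the hunk.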
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index a7d5801fb4d..e17b0e4169c 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2016,7 +2016,11 @@ int main(int argc, const char *argv[])
     }
 
     monitor->cdb = main_ctx->confdb_ctx;
-    get_monitor_config(monitor);
+    ret = get_monitor_config(monitor);
+    if (ret != EOK) {
+        ret = 1;
+        goto out;
+    }
     monitor->is_daemon = !opt_interactive;
     monitor->parent_pid = main_ctx->parent_pid;
     monitor->ev = main_ctx->event_ctx;
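Review bot: The new failure branch overwrites `ret` with 1 and jumps to `out` without logging, so the monitor exits with no message at this site and the original error code is lost. Log before replacing the code, e.g. `DEBUG(SSSDBG_FATAL_FAILURE, "Failed to load monitor configuration [%d]: %s\n", ret, sss_strerror(ret));`. This check also makes every get_monitor_config() failure fatal, not only the "no domains" case the commit message describes; its other error paths are outside this hunk and should be confirmed as intended to stop startup.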

From 0eb64b641812f52c8d2e43cc2c9f43d1c19ec8d7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 11 Oct 2024 11:45:44 +0200
Subject: [PATCH 8/8] CONFDB: mistype fix

---
 src/confdb/confdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 7515da45d05..593400ac264 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -710,7 +710,7 @@ static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx
                     add_pac = true;
                 } else {
                     DEBUG(SSSDBG_CONF_SETTINGS,
-                          "PAC resonder not enabled for id provider [%s] "
+                          "PAC responder not enabled for id provider [%s] "
                           "because implicit_pac_responder is set to 'false'.\n",
                           id_provider);
                     add_pac = false;