From 2e32cb5c8f810c15317570ea64499806f6cec491 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Wed, 9 Oct 2024 10:02:21 +0200 Subject: [PATCH 1/8] Move 'nscd' helper functions out of 'utils' as it's not used anywhere outside 'monitor'. --- Makefile.am | 3 +-- src/monitor/monitor.c | 41 ++---------------------------------- src/{util => monitor}/nscd.c | 41 +++++++++++++++++++++++++++++++++++- src/util/util.h | 3 --- 4 files changed, 43 insertions(+), 45 deletions(-) rename src/{util => monitor}/nscd.c (67%) diff --git a/Makefile.am b/Makefile.am index 2c3ff5f0da0..f13bc3799bf 100644 --- a/Makefile.am +++ b/Makefile.am @@ -633,7 +633,6 @@ SSSD_TOOLS_OBJ = \ src/tools/common/sss_tools.c \ src/tools/common/sss_process.c \ src/confdb/confdb_setup.c \ - src/util/nscd.c \ $(NULL) SSSD_LCL_TOOLS_OBJ = \ @@ -1519,8 +1518,8 @@ endif sssd_SOURCES = \ src/monitor/monitor.c \ src/monitor/monitor_bootstrap.c \ + src/monitor/nscd.c \ src/confdb/confdb_setup.c \ - src/util/nscd.c \ $(NULL) sssd_LDADD = \ $(SSSD_LIBS) \ diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index 75195e54398..f86574d24ae 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -66,11 +66,6 @@ */ #define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__" -/* for detecting if NSCD is running */ -#ifndef NSCD_SOCKET_PATH -#define NSCD_SOCKET_PATH "/var/run/nscd/socket" -#endif - int cmdline_debug_level; int cmdline_debug_timestamps; int cmdline_debug_microseconds; 
@@ -1895,40 +1890,8 @@ static void monitor_restart_service(struct mt_svc *svc) } } -static void check_nscd(void) -{ - int ret; - ret = check_file(NSCD_SOCKET_PATH, - -1, -1, S_IFSOCK, S_IFMT, NULL, false); - if (ret == EOK) { - ret = sss_nscd_parse_conf(NSCD_CONF_PATH); - - switch (ret) { - case ENOENT: - sss_log(SSS_LOG_NOTICE, - "NSCD socket was detected. NSCD caching capabilities " - "may conflict with SSSD for users and groups. It is " - "recommended not to run NSCD in parallel with SSSD, " - "unless NSCD is configured not to cache the passwd, " - "group, netgroup and services nsswitch maps."); - break; - - case EEXIST: - sss_log(SSS_LOG_NOTICE, - "NSCD socket was detected and seems to be configured " - "to cache some of the databases controlled by " - "SSSD [passwd,group,netgroup,services]. It is " - "recommended not to run NSCD in parallel with SSSD, " - "unless NSCD is configured not to cache these."); - break; - - case EOK: - DEBUG(SSSDBG_TRACE_FUNC, "NSCD socket was detected and it " - "seems to be configured not to interfere with " - "SSSD's caching capabilities\n"); - } - } -} +/* from nscd.c */ +void check_nscd(void); #ifdef BUILD_CONF_SERVICE_USER_SUPPORT int bootstrap_monitor_process(uid_t target_uid, gid_t target_gid); diff --git a/src/util/nscd.c b/src/monitor/nscd.c similarity index 67% rename from src/util/nscd.c rename to src/monitor/nscd.c index 47a1c023a76..c973a86dece 100644 --- a/src/util/nscd.c +++ b/src/monitor/nscd.c @@ -25,6 +25,10 @@ #include "util/util.h" +#ifndef NSCD_SOCKET_PATH +#define NSCD_SOCKET_PATH "/var/run/nscd/socket" +#endif + /* NSCD config file parse and check */ static unsigned int sss_nscd_check_service(char* svc_name) @@ -59,7 +63,7 @@ static unsigned int sss_nscd_check_service(char* svc_name) return ret; } -errno_t sss_nscd_parse_conf(const char *conf_path) +static errno_t sss_nscd_parse_conf(const char *conf_path) { FILE *fp; int ret = EOK; 
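Review bot: The added `/* from nscd.c */ void check_nscd(void);` in monitor.c is a hand-written prototype inside a .c file, and nscd.c never sees it, so the compiler cannot flag a mismatch if the definition's signature changes later. Declaring `void check_nscd(void);` once in a header included by both src/monitor/monitor.c and src/monitor/nscd.c keeps declaration and definition in sync. It also gives the now non-static definition in nscd.c a visible prototype.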
@@ -144,3 +148,38 @@ errno_t sss_nscd_parse_conf(const char *conf_path) return ret; } + +void check_nscd(void) +{ + int ret; + ret = check_file(NSCD_SOCKET_PATH, + -1, -1, S_IFSOCK, S_IFMT, NULL, false); + if (ret == EOK) { + ret = sss_nscd_parse_conf(NSCD_CONF_PATH); + + switch (ret) { + case ENOENT: + sss_log(SSS_LOG_NOTICE, + "NSCD socket was detected. NSCD caching capabilities " + "may conflict with SSSD for users and groups. It is " + "recommended not to run NSCD in parallel with SSSD, " + "unless NSCD is configured not to cache the passwd, " + "group, netgroup and services nsswitch maps."); + break; + + case EEXIST: + sss_log(SSS_LOG_NOTICE, + "NSCD socket was detected and seems to be configured " + "to cache some of the databases controlled by " + "SSSD [passwd,group,netgroup,services]. It is " + "recommended not to run NSCD in parallel with SSSD, " + "unless NSCD is configured not to cache these."); + break; + + case EOK: + DEBUG(SSSDBG_TRACE_FUNC, "NSCD socket was detected and it " + "seems to be configured not to interfere with " + "SSSD's caching capabilities\n"); + } + } +} diff --git a/src/util/util.h b/src/util/util.h index 406c4178589..22ddf28fa6f 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -560,9 +560,6 @@ bool is_valid_domain_name(const char *domain); */ int sss_rand(void); -/* from nscd.c */ -errno_t sss_nscd_parse_conf(const char *conf_path); - /* from sss_tc_utf8.c */ char * sss_tc_utf8_str_tolower(TALLOC_CTX *mem_ctx, const char *s); From 207fe4ee06d6104c087cc9de4e7a9fe074596c79 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Wed, 9 Oct 2024 12:22:19 +0200 Subject: [PATCH 2/8] CONFDB: introduce helper to read a full list of configured services, including implicitly configured --- src/confdb/confdb.c | 129 ++++++++++++++++++++++++++++++++++++++++++ src/confdb/confdb.h | 15 ++++- src/monitor/monitor.c | 124 ++-------------------------------------- 3 files changed, 147 insertions(+), 121 deletions(-) 
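Review bot: The `switch (ret)` in the relocated check_nscd() has no `default`, so any result of sss_nscd_parse_conf() other than ENOENT, EEXIST or EOK is dropped without a trace. Which other codes it can return is not visible in this hunk, but it opens and parses a file, so a read or parse failure seems possible. Adding `default: DEBUG(SSSDBG_OP_FAILURE, "Failed to parse NSCD configuration [%d]: %s\n", ret, sss_strerror(ret)); break;` would keep such a failure from being mistaken for "no conflict detected". The body is otherwise moved unchanged from monitor.c.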
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 252c557ce9a..a9b07436ae7 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -642,6 +642,135 @@ int confdb_get_string_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx, return ret; } +static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx, + char ***_services) +{ + int ret; + char **domain_names; + TALLOC_CTX *tmp_ctx; + size_t c; + char *conf_path; + char *id_provider; + bool add_pac = false; + bool implicit_pac_responder = true; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domain_names); + if (ret == ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "No domains configured!\n"); + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error retrieving domains list [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = confdb_get_bool(cdb, CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_IMPLICIT_PAC_RESPONDER, true, + &implicit_pac_responder); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to read implicit_pac_responder option, " + "using default 'true'.\n"); + implicit_pac_responder = true; + } + + for (c = 0; domain_names[c] != NULL; c++) { + if (!is_valid_domain_name(domain_names[c])) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Skipping invalid domain name '%s'\n", domain_names[c]); + continue; + } + conf_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, + domain_names[c]); + if (conf_path == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = confdb_get_string(cdb, tmp_ctx, conf_path, + CONFDB_DOMAIN_ID_PROVIDER, NULL, &id_provider); + if (ret == EOK) { + if (id_provider == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "id_provider is not set for " + "domain [%s], trying next domain.\n", domain_names[c]); + continue; + } + + if (strcasecmp(id_provider, "IPA") == 0 + || strcasecmp(id_provider, "AD") == 0) { + if (implicit_pac_responder) { + add_pac = true; + } else { + DEBUG(SSSDBG_CONF_SETTINGS, + "PAC resonder 
not enabled for id provider [%s] " + "because implicit_pac_responder is set to 'false'.\n", + id_provider); + add_pac = false; + } + } + } else { + DEBUG(SSSDBG_OP_FAILURE, "Failed to get id_provider for " \ + "domain [%s], trying next domain.\n", + domain_names[c]); + } + } + + if (BUILD_WITH_PAC_RESPONDER && add_pac && + !string_in_list("pac", *_services, false)) { + ret = add_string_to_list(mem_ctx, "pac", _services); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "add_string_to_list failed.\n"); + goto done; + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +int confdb_get_services_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx, + char ***_result) +{ + int ret; + + ret = confdb_get_string_as_list(cdb, ctx, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_ACTIVE_SERVICES, + _result); +#ifdef HAVE_SYSTEMD + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get the explicitly configured services!\n"); + return EINVAL; + } +#else + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "No services configured!\n"); + return EINVAL; + } +#endif + + /* `add_implicit_services()` can handle (*_result == NULL) */ + ret = add_implicit_services(cdb, ctx, _result); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to add implicitly configured services\n"); + return EINVAL; + } + + return EOK; +} + int confdb_init(TALLOC_CTX *mem_ctx, struct confdb_ctx **cdb_ctx, const char *confdb_location) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 7457a1214af..633e0bcbc3b 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h 
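Review bot: confdb_get_services_as_list() hands `*_result` to add_implicit_services() after confdb_get_string_as_list() returned ENOENT (the HAVE_SYSTEMD branch), but nothing in this hunk sets the pointer first. If confdb_get_string_as_list() leaves its output untouched on ENOENT (its body is not part of the hunk), `string_in_list("pac", *_services, false)` reads whatever the caller had there; the IFP caller in patch 3 declares `char **values;` without an initializer. Setting `*_result = NULL;` before the confdb_get_string_as_list() call would make the `(*_result == NULL)` case named in the comment hold for every caller. Separately, every failure is mapped to EINVAL, so an ENOMEM from add_implicit_services() can no longer be told apart by callers.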
@@ -731,7 +731,7 @@ int confdb_set_string(struct confdb_ctx *cdb, * @param[in] attribute The name of the attribute to update * @param[out] result A pointer to the retrieved array of strings * - * @return 0 - Successfully retrieved the entry (or used the default) + * @return 0 - Successfully retrieved the entry * @return ENOMEM - There was insufficient memory to complete the operation * @return EINVAL - The section could not be parsed, or the attribute was not * single-valued. @@ -742,6 +742,19 @@ int confdb_get_string_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx, const char *section, const char *attribute, char ***result); +/** + * @brief Convenience function to retrieve a list of configured services, + * including implicitly configured, as a null-terminated array of strings. + * + * @param[in] cdb The connection object to the confdb + * @param[in] ctx The parent memory context for the returned string + * @param[out] _result A pointer to the retrieved array of strings + * + * @return 0 on success, error code otherwise + */ +int confdb_get_services_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx, + char ***_result); + /** * @brief Convenience function to retrieve a list of subsections given a * configuration section name diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index f86574d24ae..a7d5801fb4d 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c 
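Review bot: The doc comment added for confdb_get_services_as_list() does not say that a successful call can leave the list empty. The implementation accepts ENOENT from the services lookup when HAVE_SYSTEMD is defined and its own comment mentions `*_result == NULL`, so callers apparently have to cope with a NULL array on return 0. I would add a line such as `@return 0 - Success; *_result may be NULL when no service is configured explicitly or implicitly`, and state that all failures are reported as EINVAL.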
@@ -669,103 +669,6 @@ static int check_domain_ranges(struct sss_domain_info *domains) return EOK; } -static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx, - char ***_services) -{ - int ret; - char **domain_names; - TALLOC_CTX *tmp_ctx; - size_t c; - char *conf_path; - char *id_provider; - bool add_pac = false; - bool implicit_pac_responder = true; - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); - return ENOMEM; - } - - ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domain_names); - if (ret == ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, "No domains configured!\n"); - goto done; - } else if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, "Error retrieving domains list [%d]: %s\n", - ret, sss_strerror(ret)); - goto done; - } - - ret = confdb_get_bool(cdb, CONFDB_MONITOR_CONF_ENTRY, - CONFDB_MONITOR_IMPLICIT_PAC_RESPONDER, true, - &implicit_pac_responder); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Failed to read implicit_pac_responder option, " - "using default 'true'.\n"); - implicit_pac_responder = true; - } - - for (c = 0; domain_names[c] != NULL; c++) { - if (!is_valid_domain_name(domain_names[c])) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Skipping invalid domain name '%s'\n", domain_names[c]); - continue; - } - conf_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, - domain_names[c]); - if (conf_path == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); - ret = ENOMEM; - goto done; - } - - ret = confdb_get_string(cdb, tmp_ctx, conf_path, - CONFDB_DOMAIN_ID_PROVIDER, NULL, &id_provider); - if (ret == EOK) { - if (id_provider == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "id_provider is not set for " - "domain [%s], trying next domain.\n", domain_names[c]); - continue; - } - - if (strcasecmp(id_provider, "IPA") == 0 - || strcasecmp(id_provider, "AD") == 0) { - if (implicit_pac_responder) { - add_pac = true; - } else { - DEBUG(SSSDBG_CONF_SETTINGS, - "PAC resonder not 
enabled for id provider [%s] " - "because implicit_pac_responder is set to 'false'.\n", - id_provider); - add_pac = false; - } - } - } else { - DEBUG(SSSDBG_OP_FAILURE, "Failed to get id_provider for " \ - "domain [%s], trying next domain.\n", - domain_names[c]); - } - } - - if (BUILD_WITH_PAC_RESPONDER && add_pac && - !string_in_list("pac", *_services, false)) { - ret = add_string_to_list(mem_ctx, "pac", _services); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "add_string_to_list failed.\n"); - goto done; - } - } - - ret = EOK; - -done: - talloc_free(tmp_ctx); - - return ret; -} - static char *check_service(char *service) { const char * const *known_services = get_known_services(); @@ -888,29 +791,10 @@ static int get_monitor_config(struct mt_ctx *ctx) char *badsrv = NULL; int i; - ret = confdb_get_string_as_list(ctx->cdb, ctx, - CONFDB_MONITOR_CONF_ENTRY, - CONFDB_MONITOR_ACTIVE_SERVICES, - &ctx->services); - -#ifdef HAVE_SYSTEMD - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to get the explicitly configured services!\n"); - return EINVAL; - } -#else - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, "No services configured!\n"); - return EINVAL; - } -#endif - - ret = add_implicit_services(ctx->cdb, ctx, &ctx->services); + ret = confdb_get_services_as_list(ctx->cdb, ctx, + &ctx->services); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Failed to add implicit configured " - "services. Some functionality might " - "be missing\n"); + return ret; } badsrv = check_services(ctx->services); @@ -1652,7 +1536,7 @@ static void monitor_sbus_connected(struct tevent_req *req) * expires) */ ret = add_services_startup_timeout(ctx); } else { - DEBUG(SSSDBG_FATAL_FAILURE, "No providers configured."); + DEBUG(SSSDBG_FATAL_FAILURE, "No providers configured.\n"); ret = ERR_INVALID_CONFIG; } From 057d801b1ac2f0cd6f8c8ea69f686edec003e8bb Mon Sep 17 00:00:00 2001 
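Review bot: In get_monitor_config() a failure to add the implicit services used to be logged and tolerated ("Some functionality might be missing"), and with this hunk it is returned through `return ret;`, a behaviour change the commit message does not mention. If that is intended, a comment above the check such as `/* failing to determine implicit services is fatal for the monitor */` would record it. At this point in the series main() still ignores the return value of get_monitor_config(); patch 7 changes that. The function begins and ends outside the hunk.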
From: Alexey Tikhonov <atikhono@redhat.com> Date: Wed, 9 Oct 2024 12:56:39 +0200 Subject: [PATCH 3/8] IFP: use new helper to retrieve services list This still won't handle socket activated services, but should take care of implicitly configured services at least. --- src/responder/ifp/ifp_components.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/responder/ifp/ifp_components.c b/src/responder/ifp/ifp_components.c index c6b98374eae..0ee7ca24b7d 100644 --- a/src/responder/ifp/ifp_components.c +++ b/src/responder/ifp/ifp_components.c @@ -487,7 +487,6 @@ ifp_component_get_enabled(TALLOC_CTX *mem_ctx, { TALLOC_CTX *tmp_ctx; enum component_type type; - const char *param = NULL; char **values; char *name; errno_t ret; @@ -513,15 +512,16 @@ ifp_component_get_enabled(TALLOC_CTX *mem_ctx, ret = EOK; goto done; case COMPONENT_RESPONDER: - param = CONFDB_MONITOR_ACTIVE_SERVICES; + ret = confdb_get_services_as_list(ctx->rctx->cdb, tmp_ctx, &values); break; case COMPONENT_BACKEND: - param = CONFDB_MONITOR_ACTIVE_DOMAINS; + ret = confdb_get_string_as_list(ctx->rctx->cdb, tmp_ctx, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_ACTIVE_DOMAINS, + &values); break; } - ret = confdb_get_string_as_list(ctx->rctx->cdb, tmp_ctx, - CONFDB_MONITOR_CONF_ENTRY, param, &values); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve configuration option" "[%d]: %s\n", ret, sss_strerror(ret)); From c1a1edc36c69328a4891df549b357e969e4dbe22 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Wed, 9 Oct 2024 13:12:54 +0200 Subject: [PATCH 4/8] socket_activated_responders: check confdb (instead of sssd.conf) using new helper to take into account implictly configured services. Resolves: https://github.com/SSSD/sssd/issues/5013 --- Makefile.am | 1 + .../sssd_check_socket_activated_responders.c | 49 +++---------------- 2 files changed, 7 insertions(+), 43 deletions(-) 
diff --git a/Makefile.am b/Makefile.am index f13bc3799bf..839b25eae0e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2004,6 +2004,7 @@ endif if HAVE_SYSTEMD_UNIT sssd_check_socket_activated_responders_SOURCES = \ src/tools/sssd_check_socket_activated_responders.c \ + src/tools/common/sss_tools.c \ $(NULL) sssd_check_socket_activated_responders_CFLAGS = \ $(AM_CFLAGS) \ diff --git a/src/tools/sssd_check_socket_activated_responders.c b/src/tools/sssd_check_socket_activated_responders.c index dddc02ee24e..5753c2c6c21 100644 --- a/src/tools/sssd_check_socket_activated_responders.c +++ b/src/tools/sssd_check_socket_activated_responders.c 
@@ -24,73 +24,36 @@ #include <stdio.h> #include "util/util.h" -#include "util/sss_ini.h" #include "confdb/confdb.h" +#include "common/sss_tools.h" static errno_t check_socket_activated_responder(const char *responder) { errno_t ret; - char *services = NULL; - const char *str; TALLOC_CTX *tmp_ctx; - struct sss_ini *init_data; + struct confdb_ctx *confdb; + char **services = NULL; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { return ENOMEM; } - init_data = sss_ini_new(tmp_ctx); - if (init_data == NULL) { - ret = ENOMEM; - goto done; - } - - ret = sss_ini_read_sssd_conf(init_data, - SSSD_CONFIG_FILE, - CONFDB_DEFAULT_CONFIG_DIR); + ret = sss_tool_confdb_init(tmp_ctx, &confdb); if (ret != EOK) { - DEBUG(SSSDBG_DEFAULT, - "Failed to read configuration: [%d] [%s]. No reason to run " - "a responder if SSSD isn't configured.", - ret, - sss_strerror(ret)); goto done; } - ret = sss_ini_get_cfgobj(init_data, "sssd", "services"); - + ret = confdb_get_services_as_list(confdb, tmp_ctx, &services); if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "sss_ini_get_cfgobj() failed [%d].\n", ret); - goto done; - } - - ret = sss_ini_check_config_obj(init_data); - if (ret == ENOENT) { - /* In case there's no services' line at all, just return EOK. */ - ret = EOK; goto done; } - services = sss_ini_get_string_config_value(init_data, &ret); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "sss_ini_get_string_config_value() failed [%d]\n", - ret); - goto done; - } - - str = strstr(services, responder); - if (str != NULL) { + if (string_in_list(responder, services, false)) { ret = EEXIST; - goto done; } - ret = EOK; - done: - free(services); talloc_free(tmp_ctx); return ret; From 4173b6a113d080992726c3c6e5fb0b456a7124ec Mon Sep 17 00:00:00 2001 
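Review bot: Both failure paths in the rewritten check_socket_activated_responder(), after `sss_tool_confdb_init()` and after `confdb_get_services_as_list()`, jump to `done` without logging anything, whereas the removed code reported why the configuration could not be read. A line such as `DEBUG(SSSDBG_CRIT_FAILURE, "sss_tool_confdb_init() failed [%d]: %s\n", ret, sss_strerror(ret));` before each `goto done` would keep the cause visible to whoever debugs a socket unit that does not start. The check now also depends on the confdb being available to this tool rather than on the config files alone, which deserves a short comment at the top of the function.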
From: Alexey Tikhonov <atikhono@redhat.com> Date: Wed, 9 Oct 2024 13:36:51 +0200 Subject: [PATCH 5/8] socket_activated_responders: log to syslog instead of stdout Otherwise logs of 'ExecStartPre' command are lost. --- src/tools/sssd_check_socket_activated_responders.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/tools/sssd_check_socket_activated_responders.c b/src/tools/sssd_check_socket_activated_responders.c index 5753c2c6c21..a31c43491ef 100644 --- a/src/tools/sssd_check_socket_activated_responders.c +++ b/src/tools/sssd_check_socket_activated_responders.c @@ -93,14 +93,13 @@ int main(int argc, const char *argv[]) ret = check_socket_activated_responder(responder); if (ret != EOK) { - DEBUG(SSSDBG_DEFAULT, - "Misconfiguration found for the %s responder.\n" - "The %s responder has been configured to be socket-activated " - "but it's still mentioned in the services' line in %s.\n" - "Please, consider either adjusting your services' line in %s " - "or disabling the %s's socket by calling:\n" + sss_log(SSS_LOG_ERR, + "Misconfiguration found for the '%s' responder.\n" + "It has been configured to be socket-activated but " + "it's still mentioned in the services' line of the config file.\n" + "Please consider either adjusting services' line " + "or disabling the socket by calling:\n" "\"systemctl disable sssd-%s.socket\"", - responder, responder, SSSD_CONFIG_FILE, SSSD_CONFIG_FILE, responder, responder); goto done; } From 2cffd8291ef1d0c3b4be981b590058bdd2c34eaf Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Wed, 9 Oct 2024 17:16:43 +0200 Subject: [PATCH 6/8] TESTS:INTG: 'implicit files domain' not supported since 501e05f46252ba6e097983a871c92b3896b596f2 --- src/tests/intg/test_files_provider.py | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py index c318d733cda..ba33e83b692 100644 
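Review bot: The `if (ret != EOK)` guard around the new sss_log() call also matches errors other than EEXIST, so a confdb or allocation failure in check_socket_activated_responder() would be reported to syslog as "Misconfiguration found for the '%s' responder". Using `if (ret == EEXIST) {` for this message and logging any other code with `sss_strerror(ret)` would avoid sending an administrator to edit a services line that is fine. The message also embeds `\n`, which syslog daemons may escape or split, so one sentence per sss_log() call may read better. main() continues outside the hunk.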
--- a/src/tests/intg/test_files_provider.py +++ b/src/tests/intg/test_files_provider.py @@ -1216,18 +1216,6 @@ def test_realloc_groups(setup_gr_with_canary, files_domain_only): realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK * 3) -# Files domain autoconfiguration tests -@pytest.mark.skipif(not have_files_provider(), - reason="'files provider' disabled, skipping") -def test_no_sssd_domain(add_user_with_canary, no_sssd_domain): - """ - Test that if no sssd domain is configured, sssd will add the implicit one - """ - res, user = sssd_getpwnam_sync(USER1["name"]) - assert res == NssReturnCode.SUCCESS - assert user == USER1 - - @pytest.mark.skipif(not have_files_provider(), reason="'files provider' disabled, skipping") def test_proxy_to_files_domain_only(add_user_with_canary, @@ -1239,17 +1227,6 @@ def test_proxy_to_files_domain_only(add_user_with_canary, assert res == NssReturnCode.NOTFOUND -@pytest.mark.skipif(not have_files_provider(), - reason="'files provider' disabled, skipping") -def test_no_files_domain(add_user_with_canary, no_files_domain): - """ - Test that if no files domain is configured, sssd will add the implicit one - """ - res, user = sssd_getpwnam_sync(USER1["name"]) - assert res == NssReturnCode.SUCCESS - assert user == USER1 - - @pytest.mark.skipif(not have_files_provider(), reason="'files provider' disabled, skipping") def test_disable_files_domain(add_user_with_canary, disabled_files_domain): From a0176b375afb9b3dc06d874ce9ffa1e106a54190 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Wed, 9 Oct 2024 20:01:32 +0200 Subject: [PATCH 7/8] CONFDB: don't hard fail in add_implicit_services() if no explicitly configured domains found. There are might be 'enable_files_domain = true' or app domains that are expanded later. --- src/confdb/confdb.c | 3 ++- src/monitor/monitor.c | 6 +++++- 2 files changed, 7 insertions(+), 2 deletions(-) 
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index a9b07436ae7..7515da45d05 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -662,7 +662,8 @@ static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx ret = confdb_get_enabled_domain_list(cdb, tmp_ctx, &domain_names); if (ret == ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, "No domains configured!\n"); + /* confdb_expand_app_domains() wasn't called yet, so this might be ok */ + ret = EOK; goto done; } else if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "Error retrieving domains list [%d]: %s\n", diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c index a7d5801fb4d..e17b0e4169c 100644 --- a/src/monitor/monitor.c +++ b/src/monitor/monitor.c @@ -2016,7 +2016,11 @@ int main(int argc, const char *argv[]) } monitor->cdb = main_ctx->confdb_ctx; - get_monitor_config(monitor); + ret = get_monitor_config(monitor); + if (ret != EOK) { + ret = 1; + goto out; + } monitor->is_daemon = !opt_interactive; monitor->parent_pid = main_ctx->parent_pid; monitor->ev = main_ctx->event_ctx; From 0eb64b641812f52c8d2e43cc2c9f43d1c19ec8d7 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikhono@redhat.com> Date: Fri, 11 Oct 2024 11:45:44 +0200 Subject: [PATCH 8/8] CONFDB: mistype fix --- src/confdb/confdb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 7515da45d05..593400ac264 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -710,7 +710,7 @@ static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx add_pac = true; } else { DEBUG(SSSDBG_CONF_SETTINGS, - "PAC resonder not enabled for id provider [%s] " + "PAC responder not enabled for id provider [%s] " "because implicit_pac_responder is set to 'false'.\n", id_provider); add_pac = false;
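Review bot: The ENOENT branch of add_implicit_services() now returns EOK with no log line at all, so a configuration that really has no domains leaves no trace at this point. Keeping a low-severity message, e.g. `DEBUG(SSSDBG_CONF_SETTINGS, "No explicitly configured domains found\n");`, would preserve the hint without treating it as a failure. In the monitor.c hunk the new `ret = 1; goto out;` path in main() likewise exits without a message of its own and relies on get_monitor_config() having logged the reason. Both functions extend beyond their hunks.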