Commit Graph

4 Commits

Author SHA1 Message Date
Adam Sampson
0e6fe5e728 lib: rename Prog to shadow_progname, with only one definition
The build was failing with duplicate symbol errors with -fno-common.
This is the default in GCC 10 and later, and explicitly enabled in some
distributions to catch problems like this. There were two causes:

- Prog and shadow_logfd were defined in a header file that was included
  in multiple other files. Fix this by defining them once in
  shadowlog.c, and having extern declarations in the header.

- Most of the tools (except id/nologin) also define a Prog variable,
  which is not intended to alias the one in the library. Fix
  this by renaming Prog in the library to shadow_progname, which also
  matches the new accessor functions for it.
2021-12-25 22:41:58 +00:00
Serge Hallyn
79157cbad8 Make shadow_logfd and Prog not extern
Closes #444
Closes #465

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-23 15:18:07 -06:00
ikerexxe
87257a49a1 lib/sssd: redirect warning message to file
Instead of printing warning in stderr print it to file. This way the
user is not spammed with unnecessary messages when updating packages.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749001
2020-10-02 16:09:42 +02:00
Jakub Hrozek
4aaf05d72e Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
    passwd: sss files
    group:  sss files

The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.

More details about why Fedora chose to use sss before files can be found
on e.g.:
    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
    getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.

This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-13 14:20:02 +02:00