failover: proceed normally when no new server is found Multiple failover requests come in same time, the first one will result in collapsing the meta server but multiple resolution of SRV records are triggered. The first one finishes normally but the others won't find any new server thus ends with an error. This patch makes failover to proceed normally even in such case. Resolves: https://fedorahosted.org/sssd/ticket/3131 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

sssctl: print active server and server list Resolves: https://fedorahosted.org/sssd/ticket/3069 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

FO: Set port to NOT_WORKING when trying a next server Resolves: https://fedorahosted.org/sssd/ticket/3009 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

FO: add fo_get_active_server() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

FO: Use tevent_req_defer_callback() when notifying callers If a fo_resolve_service callback would modify the server->common member in any way, for example by dereferencing the server and lowering the refcount to 0, which would free the common structure, then the next iteration of fo_resolve_service_done would access memory that was already gone. Please see https://tevent.samba.org/group__tevent__request.html#ga09373077d0b39e321a196a86bfebf280 for more details. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

FAIL_OVER: Fix warning value computed is not used src/providers/fail_over.c: In function ‘fo_ref_server’: src/providers/fail_over.c:861: warning: value computed is not used Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

FO: Use refcount to keep track of servers returned to callers Resolves: https://fedorahosted.org/sssd/ticket/2829 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

FO: Don't free rc-allocated structure Reviewed-by: Pavel Březina <pbrezina@redhat.com>

FO: Also reset the server common data in addition to SRV In a server that is expanded from a SRV query was reset, only it's 'meta-server' status was set to neutral, but the server->common structure still retained its not_working status. This patch also resets the status of the common structure so that both the SRV query and resolving the server are retried next time. Reviewed-by: Sumit Bose <sbose@redhat.com>

FO: Add an API to reset all servers in a single service Required for: https://fedorahosted.org/sssd/ticket/2639 Previously, we had a function that allowed the caller to reset the status of all services in the global fail over context. This patch adds a new function that allows the caller to reset a single service instead. The main user would be IPA subdomain provider that might need to reset the status of an AD trusted domain on demand. Reviewed-by: Sumit Bose <sbose@redhat.com>

Resolv: re-read SRV query every time if its TTL is 0 We should make sure the client re-checks the SRV query each request if the SRV query is 0. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

FO: Use SRV TTL in fail over code Resolves: https://fedorahosted.org/sssd/ticket/1884 Removes the hardcoded SRV TTL timeout and uses TTL from the DNS instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Fix debug messages - trailing '.' Fix debug messages where '\n' was wrongly followed by '.'. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

failover: set port status to not working if previous srv lookup failed The meta server status consists of two parts: A) port status - managed by failover mechanism B) SRV lookup status - managed by SRV resolver Both parts are resetted to "neutral" after some time, having B timeout greater than A timeout. We were hitting the following issue: 1. SRV lookup fails (DNS is not reachable), this will set A to "not working and B to "resolve error". Then the next server is tried but fails as well. 2. If SSSD tries to go back online the failover will set A to "neutral" and it will try to resolve SRV again. But B status is still set to "resolve error" since we haven't reached the timeout yet and SRV resolution fails immediately. But the next server is not tried since the port status (A) remains "neutral". This patch sets the port status to "not working" making the failover to continue with the next server as expected. https://fedorahosted.org/sssd/ticket/2390 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

failover: Shorter retry time for failed SRV Until now there was only one timeout used to re-resolve SRV queries. This patch adds new (shorter) timeout that will be used for queries that previously failed. Resolves: https://fedorahosted.org/sssd/ticket/1885 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Remove unused structures. Reported by: cppcheck 'struct py_sss_transaction', 'struct resolve_get_domain_stat', 'struct sync_op_res' were defined in implementation modules, but they were not used anywhere. Reviewed-by: Michal Žídek <mzidek@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Fix formating of variables with type: time_t

Always set port status to neutral when resetting service. We did not set port status for metaservers (srv servers) in fo_reset_services(). Fixes: https://fedorahosted.org/sssd/ticket/1933

failover: if expanded server is marked as neutral, invoke srv collapse https://fedorahosted.org/sssd/ticket/1947 Otherwise we will do the SRV expansion once again: 1. leaving the old servers in server list 2. meta server is not inserted back in the list, the newly found servers are inserted behind meta server, meta server is orphaned and the new servers are forgotten

collapse_srv_lookup may free the server, make it clear from the API https://fedorahosted.org/sssd/ticket/1947

failover: return error when SRV lookup returned only duplicates https://fedorahosted.org/sssd/ticket/1947 Otherwise we risk that the meta server is removed from the server list, but without a chance to return, because there may be no fo_server with srv_data = meta. Also if state->meta->next is NULL (it is still orphaned because we try to errornously expand it without invoking collapse first), state->out will be NULL and SSSD will crash. New error code: ERR_SRV_DUPLICATES

failover: do not return invalid pointer when server is already present https://fedorahosted.org/sssd/ticket/1947

FO: Check the return value of send_fn

failover: set state->out when meta server remains in SRV_RESOLVE_ERROR https://fedorahosted.org/sssd/ticket/1886

Use deep copy for dns_domain and discovery_domain https://fedorahosted.org/sssd/ticket/1929

FO: Fix setting status of duplicates

DNS sites support - replace SRV lookup code with a plugin call https://fedorahosted.org/sssd/ticket/1032 Removes hard coded SRV lookup code with a plugin call. This patch breaks SRV lookups as there is currently no plugin in use. It is fixed in next patch.

fail over - add function to insert multiple servers to the list

DNS sites support - SRV lookup plugin interface https://fedorahosted.org/sssd/ticket/1032 Introduces two new error codes: - ERR_SRV_NOT_FOUND - ERR_SRV_LOOKUP_ERROR Since id_provider is authoritative in case of SRV plugin choise, ability to override the selected pluging during runtime is not desirable. We rely on the fact that id_provider is initialized before all other providers, thus the plugin is set correctly.

try primary server after retry_timeout + 1 seconds when switching to backup https://fedorahosted.org/sssd/ticket/1679 The problem is when we are about to reset the server status, we don't get through the timeout (30 seconds) because the "switch to primary server" task is scheduled 30 seconds after fall back to a backup server. Thus the server status remains "not working" and is resetted after another 30 seconds. We need to make sure that the server status is tried after the timeout period. retry_timeout is currently hardcoded to 30, thus the change in man page.

Bad debug message when no dns_discovery_domain specified. https://fedorahosted.org/sssd/ticket/920

FO: Check server validity before setting status The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364

FO: Return EAGAIN if there are more servers to try The caller should issue a next request, which would just shortcut with ENOENT.

FO: Don't retry the same server if it's not working

Duplicate detection in fail over did not work. https://fedorahosted.org/sssd/ticket/1472

Don't use server after SRV data collapsed

Always mark SRV servers as primary https://fedorahosted.org/sssd/ticket/1459

Failover: Return last tried server if it's still being tried In the failover, we treat both KDC and LDAP on the IPA server as a single "port", numbered 0. This was done in order to make sure that the SSSD always talks to the same server for both LDAP and Kerberos. However, this clever hack breaks when the IPA provider needs to establish an GSSAPI encrypted LDAP connection because we're asking the fail over code to yield a server while no server has yet been marked as tried. This triggers a fail over for the KDC, so in effect, the TGT is received from second server. If the second server is not available for some reason, the whole provider goes offline. The fail over needs to detect that the server asked for is still being resolved and return the same pointer.

Don't call fo_set_{server,port}_status for SRV servers This bug was producing harmless, but annoying error messages.

Primary server support: basic support in failover code Now there are two list of servers for each service. If currently selected server is only backup, then an event will be scheduled which tries to get connection to one of primary servers and if it succeeds, it starts using this server instead of the one which is currently connected to.

Move some debug lines to new debug log levels * These are common lines of debug output when starting up sssd https://bugzilla.redhat.com/show_bug.cgi?id=811113

Return correct resolv_status on resolver timeout https://fedorahosted.org/sssd/ticket/1274

Only do one cycle when resolving a server https://fedorahosted.org/sssd/ticket/1214

Failover: Introduce a per-service timeout https://fedorahosted.org/sssd/ticket/976

Do not touch resolve_service_state in fo_resolve_service_done

Multiline macro cleanup This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.

fo_get_server_name() getter for a server name Allows to be more concise in tests and more defensive in resolve callbacks

Rename fo_get_server_name to fo_get_server_str_name

Switch resolver to using resolv_hostent and honor TTL

Fix minor typo in error message https://fedorahosted.org/sssd/ticket/825

Set same status for duplicate servers

Remove detection of duplicates from SRV result processing

Do not attempt to resolve nameless servers The failover code is not strictly in charge of resolving. Its main function is to provide a server to connect to for a service. It is legal, although not currently used, to have a server that has no name (server->common == NULL). In this case, no resolving should be done and it is assumed that the failover user, which are the SSSD back ends in our case, would perform any resolving out of band, perhaps using the user_data attribute of fo_server structure.

Run callbacks if server IP changes

Always expire host name resolution The previous version of the patch only expired a resolved host name if the port was being reset. We want to always expire it so we notice IP address changes even if the previous server is still up.

Prevent segfault in failover code

Reset server status after timeout https://fedorahosted.org/sssd/ticket/809

Rename dns_domain to discovery domain for fo_add_srv_server()

Allow fallback to SSSD domain For backwards-compatibility with older versions of the SSSD (such as 1.2.x), we need to be able to have our DNS SRV record lookup be capable of falling back to using the SSSD domain name as the DNS discovery domain. This patch modifies our DNS lookups so that they behave as follows: If dns_discovery_domain is specified, it is considered authoritative. No other discovery domains will be attempted. If dns_discovery_domain is not specified, we first attempt to look up the SRV records using the domain portion of the machine's hostname. If this returns "NOTFOUND", we will try performing an SRV record query using the SSSD domain name as the DNS discovery domain. https://fedorahosted.org/sssd/ticket/754

Rename SRV_NOT_RESOLVED to SRV_RESOLVE_ERROR

Use the right status when resetting service discovery

Fix incorrect return value on failure in resolve_get_domain_send() https://fedorahosted.org/sssd/ticket/721

Fix improper NULL check in fo_add_srv_server() https://fedorahosted.org/sssd/ticket/717

Run checks before resetting offline state Before setting the backend to online during a reset offline request the check_online method if the ID provider is called. If the check_online method returns that the ID provider is still not reachable the backend stays offline. Otherwise the backend is switched to online and the related callbacks are run. Additionally the check online test is called during the res_init request because a change in /etc/resolve.conf might also make a server reachable which was assumed offline before.

Allow protocol fallback for SRV queries https://fedorahosted.org/sssd/ticket/691

fix typo in get_server_status()

Fixed small issue in memory context hierarchy In fail_over.c, there was a small bug causing subrequest to have wrong parent memory context. This patch fixes it.

Return proper error value when SRV lookup fails Fixes: #587

Add an interface to try next fail-over server after connection to the active server was unexpectedly dropped.

Added an interface to query number of configured (and currently resolved through SRV records) failover servers.

Add dns_discovery_domain option The service discovery used to use the SSSD domain name to perform DNS queries. This is not an optimal solution, for example from the point of view of authconfig. This patch introduces a new option "dns_discovery_domain" that allows to set the domain part of a DNS SRV query. If this option is not set, the default behavior is to use the domain part of the machine's hostname. Fixes: #479

Fix Incorrect NULL check in get_server_common() Fixes: #518

Fix potential NULL dereference in fail_over.c Fixes: #505

Fix uninitialized variable

Support SRV servers in failover Adds a new failover API call fo_add_srv_server that allows the caller to specify a server that is later resolved into a list of specific servers using SRV requests. Also adds a new failover option that specifies how often should the servers resolved from SRV query considered valid until we need a refresh. The "real" servers to connect to are returned to the user as usual, using the fo_resolve_service_{send,recv} calls. Make SRV resolution work with c-ares 1.6

Remove freed server_common entities from list

Treat server names as case-insensitive in failover code

Restrict family lookups Adds a new option that tells resolver which address family to prefer or use exclusively. Fixes: #404

Rename server/ directory to src/ Also update BUILD.txt