Merge branch 'master' into 20250408-subtle-write-issue-unixd

Cargo.lock

@@ -1600,12 +1600,12 @@ dependencies = [
 
 [[package]]
 name = "fs4"
-version = "0.12.0"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c29c30684418547d476f0b48e84f4821639119c483b1eccd566c8cd0cd05f521"
+checksum = "8640e34b88f7652208ce9e88b1a37a2ae95227d84abec377ccd3c5cfeb141ed4"
 dependencies = [
- "rustix 0.38.44",
+ "rustix 1.0.3",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]

Cargo.toml

@@ -173,7 +173,7 @@ dhat = "0.3.3"
 dyn-clone = "^1.0.17"
 fernet = "^0.2.1"
 filetime = "^0.2.24"
-fs4 = "^0.12.0"
+fs4 = "^0.13.0"
 futures = "^0.3.31"
 futures-util = { version = "^0.3.30", features = ["sink"] }
 gix = { version = "0.64.0", default-features = false }

scripts/install_ubuntu_dependencies.sh

@@ -21,6 +21,8 @@ ${SUDOCMD} apt-get update &&
         cmake \
         build-essential \
         jq \
+        lld \
+        clang \
         tpm-udev
 
 if [ -z "${PACKAGING}" ]; then
@@ -73,10 +75,6 @@ if [ -z "$(which cargo)" ]; then
     ERROR=1
 fi
 
-if [ $ERROR -eq 0 ] && [ -z "$(which cross)" ]; then
-    echo "You don't have cross installed! Installing it now..."
-    cargo install -f cross
-fi
 if [ $ERROR -eq 0 ] && [ -z "$(which cargo-deb)" ]; then
     echo "You don't have cargo-deb installed! Installing it now..."
     cargo install -f cargo-deb

server/daemon/src/main.rs

@@ -465,13 +465,13 @@ async fn start_daemon(opt: KanidmdParser, config: Configuration) -> ExitCode {
         return ExitCode::FAILURE;
     }
 
-    match &opt.commands {
+    let lock_was_setup = match &opt.commands {
         // we aren't going to touch the DB so we can carry on
         KanidmdOpt::ShowReplicationCertificate { .. }
         | KanidmdOpt::RenewReplicationCertificate { .. }
         | KanidmdOpt::RefreshReplicationConsumer { .. }
         | KanidmdOpt::RecoverAccount { .. }
-        | KanidmdOpt::HealthCheck(_) => (),
+        | KanidmdOpt::HealthCheck(_) => None,
         _ => {
             // Okay - Lets now create our lock and go.
             #[allow(clippy::expect_used)]
@@ -482,24 +482,53 @@ async fn start_daemon(opt: KanidmdParser, config: Configuration) -> ExitCode {
 
             let flock = match File::create(&klock_path) {
                 Ok(flock) => flock,
-                Err(e) => {
+                Err(err) => {
-                    error!("ERROR: Refusing to start - unable to create kanidmd exclusive lock at {} - {:?}", klock_path.display(), e);
+                    error!(
+                        "ERROR: Refusing to start - unable to create kanidmd exclusive lock at {}",
+                        klock_path.display()
+                    );
+                    error!(?err);
                     return ExitCode::FAILURE;
                 }
             };
 
             match flock.try_lock_exclusive() {
-                Ok(()) => debug!("Acquired kanidm exclusive lock"),
+                Ok(true) => debug!("Acquired kanidm exclusive lock"),
-                Err(e) => {
+                Ok(false) => {
-                    error!("ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {} - {:?}", klock_path.display(), e);
+                    error!(
+                        "ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {}",
+                        klock_path.display()
+                    );
                     error!("Is another kanidmd process running?");
                     return ExitCode::FAILURE;
                 }
+                Err(err) => {
+                    error!(
+                        "ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {}",
+                        klock_path.display()
+                    );
+                    error!(?err);
+                    return ExitCode::FAILURE;
+                }
             };
+
+            Some(klock_path)
+        }
+    };
+
+    let result_code = kanidm_main(config, opt).await;
+
+    if let Some(klock_path) = lock_was_setup {
+        if let Err(reason) = std::fs::remove_file(&klock_path) {
+            warn!(
+                ?reason,
+                "WARNING: Unable to clean up kanidmd exclusive lock at {}",
+                klock_path.display()
+            );
         }
     }
 
-    kanidm_main(config, opt).await
+    result_code
 }
 
 fn main() -> ExitCode {

unix_integration/common/src/unix_config.rs

@@ -458,6 +458,16 @@ impl UnixdConfig {
 
     fn apply_from_config_v2(self, config: ConfigV2) -> Result<Self, UnixIntegrationError> {
         let kanidm_config = if let Some(kconfig) = config.kanidm {
+            match &kconfig.pam_allowed_login_groups {
+                None => {
+                    error!("You have a 'kanidm' section in the config but an empty pam_allowed_login_groups set. USERS CANNOT AUTH.")
+                }
+                Some(groups) => {
+                    if groups.is_empty() {
+                        error!("You have a 'kanidm' section in the config but an empty pam_allowed_login_groups set. USERS CANNOT AUTH.");
+                    }
+                }
+            }
             Some(KanidmConfig {
                 conn_timeout: kconfig.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
                 request_timeout: kconfig.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
@@ -465,6 +475,9 @@ impl UnixdConfig {
                 map_group: kconfig.map_group,
             })
         } else {
+            error!(
+                "You are using a version 2 config without a 'kanidm' section. USERS CANNOT AUTH."
+            );
             None
         };