From 1b653c21ece4a9716a1ef2027d85a389eb37fbef Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Tue, 5 Jul 2022 11:07:29 +0200
Subject: [PATCH] Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
---
 .gitignore | 1 +
 ...c-relax-default-for-pac_check-option.patch | 50 -------
 ...ly-check-sub-domains-for-regex-match.patch | 131 ------------------
 sources | 2 +-
 sssd.spec | 13 +-
 5 files changed, 11 insertions(+), 186 deletions(-)
 delete mode 100644 0001-pac-relax-default-for-pac_check-option.patch
 delete mode 100644 0002-names-only-check-sub-domains-for-regex-match.patch
diff --git a/.gitignore b/.gitignore
index c9203e4..88d2135 100644
--- a/.gitignore
+++ b/.gitignore
@@ -97,3 +97,4 @@ sssd-1.2.91.tar.gz
 /sssd-2.6.2.tar.gz
 /sssd-2.7.0.tar.gz
 /sssd-2.7.1.tar.gz
+/sssd-2.7.3.tar.gz
diff --git a/0001-pac-relax-default-for-pac_check-option.patch b/0001-pac-relax-default-for-pac_check-option.patch
deleted file mode 100644
index aeccd2f..0000000
--- a/0001-pac-relax-default-for-pac_check-option.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 26d8601e9b4e35ff89ca9fa72b9db05199096b56 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 8 Jun 2022 10:11:15 +0200
-Subject: [PATCH] pac: relax default for pac_check option
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-PAC might not be always present, especially in IPA environments. So the
-default of pac_check should not contain 'pac_present'.
-
-Resolves: https://github.com/SSSD/sssd/issues/5868
-
-Reviewed-by: Iker Pedrosa
-Reviewed-by: Pavel Březina
-(cherry picked from commit 55e93cf1cf4d61c6de7975cbdc97a723545586c0)
---
- src/confdb/confdb.h | 2 +-
- src/man/sssd.conf.5.xml | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index d9fe571de..83f6be7f9 100644
---- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -181,7 +181,7 @@
- #define CONFDB_PAC_LIFETIME "pac_lifetime"
- #define CONFDB_PAC_CHECK "pac_check"
- #define CONFDB_PAC_CHECK_DEFAULT "no_check"
--#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "pac_present, check_upn, check_upn_dns_info_ex"
-+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
-
- /* InfoPipe */
- #define CONFDB_IFP_CONF_ENTRY "config/ifp"
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 705447427..e921ba575 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -2298,7 +2298,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
-
-
- Default: no_check (AD and IPA provider
-- 'pac_present, check_upn, check_upn_dns_info_ex')
-+ 'check_upn, check_upn_dns_info_ex')
-
-
-
---
-2.35.3
-
diff --git a/0002-names-only-check-sub-domains-for-regex-match.patch b/0002-names-only-check-sub-domains-for-regex-match.patch
deleted file mode 100644
index 7747794..0000000
--- a/0002-names-only-check-sub-domains-for-regex-match.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 536dc9e4f72503942e659ca0dbd022d3dfac148f Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 2 Jun 2022 17:02:31 +0200
-Subject: [PATCH] names: only check sub-domains for regex match
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It is allowed to have different regular-expression to split the input
-name for different domains. After the regex is evaluated and a domain
-name was found in the input it has to be check if the domain name
-corresponds to the domain the regex is coming from.
-
-E.g. with the implicit files provider enabled the file provider might
-use a simple default regex while and additional IPA or AD provider will
-have a more complex one which e.g. properly handles @-characters in
-names. When evaluation in input the simple regex will come first and
-will split the name but will miss part of the user name part if the name
-contains an @-character. Currently SSSD check if the found domain name
-matches any of the know domains or sub-domains which is wrong because
-the regex was coming from the files provider and hence it should only
-handle its own objects.
-
-With this patch not all domains are checked but only the current one and
-its sub-domains, if any. This behavior is also mentioned in a comment
-already in the code. As a result in the above example the check with
-the results form the simple regex with fail and then the more complex
-regex of the other domain will be used which can split the name
-properly.
-
-Resolves: https://github.com/SSSD/sssd/issues/6055
-
-Reviewed-by: Alexey Tikhonov
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 9656516b9af2b3ea4627eab42f11c7667564020f)
---
- src/tests/cmocka/test_fqnames.c | 50 +++++++++++++++++++++++++++++++++
- src/util/usertools.c | 2 +-
- 2 files changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
-index 406ef55a9..5de4faf9a 100644
---- a/src/tests/cmocka/test_fqnames.c
-+++ b/src/tests/cmocka/test_fqnames.c
-@@ -318,6 +318,41 @@ static int parse_name_test_setup(void **state)
- return 0;
- }
-
-+static int parse_name_test_two_names_ctx_setup(void **state)
-+{
-+ struct parse_name_test_ctx *test_ctx;
-+ struct sss_names_ctx *nctx1 = NULL;
-+ struct sss_names_ctx *nctx2 = NULL;
-+ struct sss_domain_info *dom;
-+ int ret;
-+
-+ assert_true(leak_check_setup());
-+
-+ test_ctx = talloc_zero(global_talloc_context, struct parse_name_test_ctx);
-+ assert_non_null(test_ctx);
-+
-+ ret = sss_names_init_from_args(test_ctx, SSS_DEFAULT_RE,
-+ "%1$s@%2$s", &nctx1);
-+ assert_int_equal(ret, EOK);
-+
-+ ret = sss_names_init_from_args(test_ctx, SSS_IPA_AD_DEFAULT_RE,
-+ "%1$s@%2$s", &nctx2);
-+ assert_int_equal(ret, EOK);
-+
-+ test_ctx->dom = create_test_domain(test_ctx, DOMNAME, FLATNAME,
-+ NULL, nctx1);
-+ assert_non_null(test_ctx->dom);
-+
-+ dom = create_test_domain(test_ctx, DOMNAME2, FLATNAME2,
-+ NULL, nctx2);
-+ assert_non_null(dom);
-+ DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *);
-+
-+ check_leaks_push(test_ctx);
-+ *state = test_ctx;
-+ return 0;
-+}
-+
- static int parse_name_test_teardown(void **state)
- {
- struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
-@@ -448,6 +483,18 @@ void test_init_nouser(void **state)
- assert_int_not_equal(ret, EOK);
- }
-
-+void test_different_regexps(void **state)
-+{
-+ struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
-+ struct parse_name_test_ctx);
-+ 
parse_name_check(test_ctx, NAME"@"DOMNAME, NULL, EOK, NAME, DOMNAME);
-+ parse_name_check(test_ctx, NAME"@"DOMNAME2, NULL, EOK, NAME, DOMNAME2);
-+ parse_name_check(test_ctx, NAME"@WITH_AT@"DOMNAME2, NULL, EOK, NAME"@WITH_AT", DOMNAME2);
-+ parse_name_check(test_ctx, FLATNAME"\\"NAME, NULL, EOK, FLATNAME"\\"NAME, NULL);
-+ parse_name_check(test_ctx, FLATNAME2"\\"NAME, NULL, EOK, NAME, DOMNAME2);
-+ parse_name_check(test_ctx, FLATNAME2"\\"NAME"@WITH_AT", NULL, EOK, NAME"@WITH_AT", DOMNAME2);
-+}
-+
- void sss_parse_name_fail(void **state)
- {
- struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
-@@ -502,6 +549,9 @@ int main(int argc, const char *argv[])
- cmocka_unit_test_setup_teardown(sss_parse_name_fail,
- parse_name_test_setup,
- parse_name_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_different_regexps,
-+ parse_name_test_two_names_ctx_setup,
-+ parse_name_test_teardown),
- };
-
- /* Set debug level to invalid value so we can decide if -d 0 was used. */
-diff --git a/src/util/usertools.c b/src/util/usertools.c
-index 511fb2d5d..91df7129e 100644
---- a/src/util/usertools.c
-+++ b/src/util/usertools.c
-@@ -321,7 +321,7 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name(
- return dom;
- }
-
-- return find_domain_by_name(dom, dmatch, true);
-+ return find_domain_by_name_ex(dom, dmatch, true, SSS_GND_SUBDOMAINS);
- }
-
- int sss_parse_name_for_domains(TALLOC_CTX *memctx,
---
-2.35.3
-
diff --git a/sources b/sources
index d0a3c9f..1ea2f13 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-2.7.1.tar.gz) = 12b5972512488ce3588406511f5414ccec2d8042655bc9e04bc4acf3dbbe9679d6288b50e38e9c06280564b76cff7268ed4b44ae2692cd2a989f4edbe717884a
+SHA512 (sssd-2.7.3.tar.gz) = c7f62030be2a8305509b2e30271977a848ab79dcaf87734c7b71ca3f173679a9e850e6533e8e71c44ae76d2dbc3a2b6e2c46a755fe6b3ec21debbddf90958d35
diff --git a/sssd.spec b/sssd.spec
index 4ec2bae..b1c0884 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -26,16 +26,15 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 Name: sssd
-Version: 2.7.1
-Release: 2%{?dist}
+Version: 2.7.3
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-Patch0001: 0001-pac-relax-default-for-pac_check-option.patch
-Patch0002: 0002-names-only-check-sub-domains-for-regex-match.patch
+#Patch0001:
 ### Dependencies ###
@@ -1060,6 +1059,12 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Tue Jul 5 2022 Alexey Tikhonov - 2.7.3-1
+- Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
+- Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
+- Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
+- Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
+
 * Mon Jun 13 2022 Alexey Tikhonov - 2.7.1-2
 - Resolves: rhbz#2073095 - Harden kerberos ticket validation (additional patch)
 - Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol (additional patch)
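Review bot: The two `Patch000N:` lines are replaced by a bare `#Patch0001:` placeholder, and neither that comment nor the new 2.7.3-1 `%changelog` entry in the second hunk records why 0001-pac-relax-default-for-pac_check-option.patch and 0002-names-only-check-sub-domains-for-regex-match.patch can be dropped. Both deleted files are cherry-picks of upstream commits 55e93cf1cf4d61c6de7975cbdc97a723545586c0 and 9656516b9af2b3ea4627eab42f11c7667564020f, so presumably they ship in the 2.7.3 tarball, but nothing on the page confirms that, and they appear to be the fixes behind the rhbz#2073095 and rhbz#2061795 bullets of the 2.7.1-2 entry, so a silent regression would reopen those bugs. State the reason where the placeholder is, e.g. `# No downstream patches: 0001/0002 from 2.7.1-2 are included upstream in 2.7.3`, and add a matching bullet under the 2.7.3-1 changelog entry.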