Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1

Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
This commit is contained in:
Alexey Tikhonov 2022-07-05 11:07:29 +02:00
parent 4a2d3451f2
commit 1b653c21ec
5 changed files with 11 additions and 186 deletions

1
.gitignore vendored
View File

@ -97,3 +97,4 @@ sssd-1.2.91.tar.gz
/sssd-2.6.2.tar.gz /sssd-2.6.2.tar.gz
/sssd-2.7.0.tar.gz /sssd-2.7.0.tar.gz
/sssd-2.7.1.tar.gz /sssd-2.7.1.tar.gz
/sssd-2.7.3.tar.gz

View File

@ -1,50 +0,0 @@
From 26d8601e9b4e35ff89ca9fa72b9db05199096b56 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 8 Jun 2022 10:11:15 +0200
Subject: [PATCH] pac: relax default for pac_check option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PAC might not be always present, especially in IPA environments. So the
default of pac_check should not contain 'pac_present'.
Resolves: https://github.com/SSSD/sssd/issues/5868
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 55e93cf1cf4d61c6de7975cbdc97a723545586c0)
---
src/confdb/confdb.h | 2 +-
src/man/sssd.conf.5.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index d9fe571de..83f6be7f9 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -181,7 +181,7 @@
#define CONFDB_PAC_LIFETIME "pac_lifetime"
#define CONFDB_PAC_CHECK "pac_check"
#define CONFDB_PAC_CHECK_DEFAULT "no_check"
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "pac_present, check_upn, check_upn_dns_info_ex"
+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
/* InfoPipe */
#define CONFDB_IFP_CONF_ENTRY "config/ifp"
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 705447427..e921ba575 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2298,7 +2298,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
</para>
<para>
Default: no_check (AD and IPA provider
- 'pac_present, check_upn, check_upn_dns_info_ex')
+ 'check_upn, check_upn_dns_info_ex')
</para>
</listitem>
</varlistentry>
--
2.35.3

View File

@ -1,131 +0,0 @@
From 536dc9e4f72503942e659ca0dbd022d3dfac148f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 2 Jun 2022 17:02:31 +0200
Subject: [PATCH] names: only check sub-domains for regex match
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It is allowed to have different regular-expression to split the input
name for different domains. After the regex is evaluated and a domain
name was found in the input it has to be check if the domain name
corresponds to the domain the regex is coming from.
E.g. with the implicit files provider enabled the file provider might
use a simple default regex while and additional IPA or AD provider will
have a more complex one which e.g. properly handles @-characters in
names. When evaluation in input the simple regex will come first and
will split the name but will miss part of the user name part if the name
contains an @-character. Currently SSSD check if the found domain name
matches any of the know domains or sub-domains which is wrong because
the regex was coming from the files provider and hence it should only
handle its own objects.
With this patch not all domains are checked but only the current one and
its sub-domains, if any. This behavior is also mentioned in a comment
already in the code. As a result in the above example the check with
the results form the simple regex with fail and then the more complex
regex of the other domain will be used which can split the name
properly.
Resolves: https://github.com/SSSD/sssd/issues/6055
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 9656516b9af2b3ea4627eab42f11c7667564020f)
---
src/tests/cmocka/test_fqnames.c | 50 +++++++++++++++++++++++++++++++++
src/util/usertools.c | 2 +-
2 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
index 406ef55a9..5de4faf9a 100644
--- a/src/tests/cmocka/test_fqnames.c
+++ b/src/tests/cmocka/test_fqnames.c
@@ -318,6 +318,41 @@ static int parse_name_test_setup(void **state)
return 0;
}
+static int parse_name_test_two_names_ctx_setup(void **state)
+{
+ struct parse_name_test_ctx *test_ctx;
+ struct sss_names_ctx *nctx1 = NULL;
+ struct sss_names_ctx *nctx2 = NULL;
+ struct sss_domain_info *dom;
+ int ret;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct parse_name_test_ctx);
+ assert_non_null(test_ctx);
+
+ ret = sss_names_init_from_args(test_ctx, SSS_DEFAULT_RE,
+ "%1$s@%2$s", &nctx1);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_names_init_from_args(test_ctx, SSS_IPA_AD_DEFAULT_RE,
+ "%1$s@%2$s", &nctx2);
+ assert_int_equal(ret, EOK);
+
+ test_ctx->dom = create_test_domain(test_ctx, DOMNAME, FLATNAME,
+ NULL, nctx1);
+ assert_non_null(test_ctx->dom);
+
+ dom = create_test_domain(test_ctx, DOMNAME2, FLATNAME2,
+ NULL, nctx2);
+ assert_non_null(dom);
+ DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
static int parse_name_test_teardown(void **state)
{
struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -448,6 +483,18 @@ void test_init_nouser(void **state)
assert_int_not_equal(ret, EOK);
}
+void test_different_regexps(void **state)
+{
+ struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
+ struct parse_name_test_ctx);
+ parse_name_check(test_ctx, NAME"@"DOMNAME, NULL, EOK, NAME, DOMNAME);
+ parse_name_check(test_ctx, NAME"@"DOMNAME2, NULL, EOK, NAME, DOMNAME2);
+ parse_name_check(test_ctx, NAME"@WITH_AT@"DOMNAME2, NULL, EOK, NAME"@WITH_AT", DOMNAME2);
+ parse_name_check(test_ctx, FLATNAME"\\"NAME, NULL, EOK, FLATNAME"\\"NAME, NULL);
+ parse_name_check(test_ctx, FLATNAME2"\\"NAME, NULL, EOK, NAME, DOMNAME2);
+ parse_name_check(test_ctx, FLATNAME2"\\"NAME"@WITH_AT", NULL, EOK, NAME"@WITH_AT", DOMNAME2);
+}
+
void sss_parse_name_fail(void **state)
{
struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -502,6 +549,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(sss_parse_name_fail,
parse_name_test_setup,
parse_name_test_teardown),
+ cmocka_unit_test_setup_teardown(test_different_regexps,
+ parse_name_test_two_names_ctx_setup,
+ parse_name_test_teardown),
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 511fb2d5d..91df7129e 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -321,7 +321,7 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name(
return dom;
}
- return find_domain_by_name(dom, dmatch, true);
+ return find_domain_by_name_ex(dom, dmatch, true, SSS_GND_SUBDOMAINS);
}
int sss_parse_name_for_domains(TALLOC_CTX *memctx,
--
2.35.3

View File

@ -1 +1 @@
SHA512 (sssd-2.7.1.tar.gz) = 12b5972512488ce3588406511f5414ccec2d8042655bc9e04bc4acf3dbbe9679d6288b50e38e9c06280564b76cff7268ed4b44ae2692cd2a989f4edbe717884a SHA512 (sssd-2.7.3.tar.gz) = c7f62030be2a8305509b2e30271977a848ab79dcaf87734c7b71ca3f173679a9e850e6533e8e71c44ae76d2dbc3a2b6e2c46a755fe6b3ec21debbddf90958d35

View File

@ -26,16 +26,15 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
Name: sssd Name: sssd
Version: 2.7.1 Version: 2.7.3
Release: 2%{?dist} Release: 1%{?dist}
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
URL: https://github.com/SSSD/sssd/ URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ### ### Patches ###
Patch0001: 0001-pac-relax-default-for-pac_check-option.patch #Patch0001:
Patch0002: 0002-names-only-check-sub-domains-for-regex-match.patch
### Dependencies ### ### Dependencies ###
@ -1060,6 +1059,12 @@ fi
%systemd_postun_with_restart sssd.service %systemd_postun_with_restart sssd.service
%changelog %changelog
* Tue Jul 5 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-1
- Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
- Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
- Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
- Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
* Mon Jun 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.1-2 * Mon Jun 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.1-2
- Resolves: rhbz#2073095 - Harden kerberos ticket validation (additional patch) - Resolves: rhbz#2073095 - Harden kerberos ticket validation (additional patch)
- Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol (additional patch) - Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol (additional patch)