Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1

Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs) Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
2022-07-05 11:07:29 +02:00 · 2022-07-05 11:07:29 +02:00 · 1b653c21ec
commit 1b653c21ec
parent 4a2d3451f2
5 changed files with 11 additions and 186 deletions
--- a/.gitignore
+++ b/.gitignore
@ -97,3 +97,4 @@ sssd-1.2.91.tar.gz
 /sssd-2.6.2.tar.gz
 /sssd-2.7.0.tar.gz
 /sssd-2.7.1.tar.gz
+/sssd-2.7.3.tar.gz
--- a/0001-pac-relax-default-for-pac_check-option.patch
+++ b/0001-pac-relax-default-for-pac_check-option.patch
@ -1,50 +0,0 @@
-From 26d8601e9b4e35ff89ca9fa72b9db05199096b56 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 8 Jun 2022 10:11:15 +0200
-Subject: [PATCH] pac: relax default for pac_check option
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-PAC might not be always present, especially in IPA environments. So the
-default of pac_check should not contain 'pac_present'.
-
-Resolves: https://github.com/SSSD/sssd/issues/5868
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 55e93cf1cf4d61c6de7975cbdc97a723545586c0)
---
- src/confdb/confdb.h     | 2 +-
- src/man/sssd.conf.5.xml | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index d9fe571de..83f6be7f9 100644
--- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -181,7 +181,7 @@
- #define CONFDB_PAC_LIFETIME "pac_lifetime"
- #define CONFDB_PAC_CHECK "pac_check"
- #define CONFDB_PAC_CHECK_DEFAULT "no_check"
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "pac_present, check_upn, check_upn_dns_info_ex"
-+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
- 
- /* InfoPipe */
- #define CONFDB_IFP_CONF_ENTRY "config/ifp"
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 705447427..e921ba575 100644
--- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -2298,7 +2298,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
-                         </para>
-                         <para>
-                             Default: no_check (AD and IPA provider
-                            'pac_present, check_upn, check_upn_dns_info_ex')
-+                            'check_upn, check_upn_dns_info_ex')
-                         </para>
-                     </listitem>
-                 </varlistentry>
-- 
-2.35.3
-
--- a/0002-names-only-check-sub-domains-for-regex-match.patch
+++ b/0002-names-only-check-sub-domains-for-regex-match.patch
@ -1,131 +0,0 @@
-From 536dc9e4f72503942e659ca0dbd022d3dfac148f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 2 Jun 2022 17:02:31 +0200
-Subject: [PATCH] names: only check sub-domains for regex match
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It is allowed to have different regular-expression to split the input
-name for different domains. After the regex is evaluated and a domain
-name was found in the input it has to be check if the domain name
-corresponds to the domain the regex is coming from.
-
-E.g. with the implicit files provider enabled the file provider might
-use a simple default regex while and additional IPA or AD provider will
-have a more complex one which e.g. properly handles @-characters in
-names. When evaluation in input the simple regex will come first and
-will split the name but will miss part of the user name part if the name
-contains an @-character. Currently SSSD check if the found domain name
-matches any of the know domains or sub-domains which is wrong because
-the regex was coming from the files provider and hence it should only
-handle its own objects.
-
-With this patch not all domains are checked but only the current one and
-its sub-domains, if any. This behavior is also mentioned in a comment
-already in the code. As a result in the above example the check with
-the results form the simple regex with fail and then the more complex
-regex of the other domain will be used which can split the name
-properly.
-
-Resolves: https://github.com/SSSD/sssd/issues/6055
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 9656516b9af2b3ea4627eab42f11c7667564020f)
---
- src/tests/cmocka/test_fqnames.c | 50 +++++++++++++++++++++++++++++++++
- src/util/usertools.c            |  2 +-
- 2 files changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
-index 406ef55a9..5de4faf9a 100644
--- a/src/tests/cmocka/test_fqnames.c
-+++ b/src/tests/cmocka/test_fqnames.c
-@@ -318,6 +318,41 @@ static int parse_name_test_setup(void **state)
-     return 0;
- }
- 
-+static int parse_name_test_two_names_ctx_setup(void **state)
-+{
-+    struct parse_name_test_ctx *test_ctx;
-+    struct sss_names_ctx *nctx1 = NULL;
-+    struct sss_names_ctx *nctx2 = NULL;
-+    struct sss_domain_info *dom;
-+    int ret;
-+
-+    assert_true(leak_check_setup());
-+
-+    test_ctx = talloc_zero(global_talloc_context, struct parse_name_test_ctx);
-+    assert_non_null(test_ctx);
-+
-+    ret = sss_names_init_from_args(test_ctx, SSS_DEFAULT_RE,
-+                                   "%1$s@%2$s", &nctx1);
-+    assert_int_equal(ret, EOK);
-+
-+    ret = sss_names_init_from_args(test_ctx, SSS_IPA_AD_DEFAULT_RE,
-+                                   "%1$s@%2$s", &nctx2);
-+    assert_int_equal(ret, EOK);
-+
-+    test_ctx->dom = create_test_domain(test_ctx, DOMNAME, FLATNAME,
-+                                       NULL, nctx1);
-+    assert_non_null(test_ctx->dom);
-+
-+    dom = create_test_domain(test_ctx, DOMNAME2, FLATNAME2,
-+                                       NULL, nctx2);
-+    assert_non_null(dom);
-+    DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *);
-+
-+    check_leaks_push(test_ctx);
-+    *state = test_ctx;
-+    return 0;
-+}
-+
- static int parse_name_test_teardown(void **state)
- {
-     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
-@@ -448,6 +483,18 @@ void test_init_nouser(void **state)
-     assert_int_not_equal(ret, EOK);
- }
- 
-+void test_different_regexps(void **state)
-+{
-+    struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
-+                                                     struct parse_name_test_ctx);
-+    parse_name_check(test_ctx, NAME"@"DOMNAME, NULL, EOK, NAME, DOMNAME);
-+    parse_name_check(test_ctx, NAME"@"DOMNAME2, NULL, EOK, NAME, DOMNAME2);
-+    parse_name_check(test_ctx, NAME"@WITH_AT@"DOMNAME2, NULL, EOK, NAME"@WITH_AT", DOMNAME2);
-+    parse_name_check(test_ctx, FLATNAME"\\"NAME, NULL, EOK, FLATNAME"\\"NAME, NULL);
-+    parse_name_check(test_ctx, FLATNAME2"\\"NAME, NULL, EOK, NAME, DOMNAME2);
-+    parse_name_check(test_ctx, FLATNAME2"\\"NAME"@WITH_AT", NULL, EOK, NAME"@WITH_AT", DOMNAME2);
-+}
-+
- void sss_parse_name_fail(void **state)
- {
-     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
-@@ -502,6 +549,9 @@ int main(int argc, const char *argv[])
-         cmocka_unit_test_setup_teardown(sss_parse_name_fail,
-                                         parse_name_test_setup,
-                                         parse_name_test_teardown),
-+        cmocka_unit_test_setup_teardown(test_different_regexps,
-+                                        parse_name_test_two_names_ctx_setup,
-+                                        parse_name_test_teardown),
-     };
- 
-     /* Set debug level to invalid value so we can decide if -d 0 was used. */
-diff --git a/src/util/usertools.c b/src/util/usertools.c
-index 511fb2d5d..91df7129e 100644
--- a/src/util/usertools.c
-+++ b/src/util/usertools.c
-@@ -321,7 +321,7 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name(
-         return dom;
-     }
- 
-    return find_domain_by_name(dom, dmatch, true);
-+    return find_domain_by_name_ex(dom, dmatch, true, SSS_GND_SUBDOMAINS);
- }
- 
- int sss_parse_name_for_domains(TALLOC_CTX *memctx,
-- 
-2.35.3
-
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (sssd-2.7.1.tar.gz) = 12b5972512488ce3588406511f5414ccec2d8042655bc9e04bc4acf3dbbe9679d6288b50e38e9c06280564b76cff7268ed4b44ae2692cd2a989f4edbe717884a
+SHA512 (sssd-2.7.3.tar.gz) = c7f62030be2a8305509b2e30271977a848ab79dcaf87734c7b71ca3f173679a9e850e6533e8e71c44ae76d2dbc3a2b6e2c46a755fe6b3ec21debbddf90958d35
--- a/sssd.spec
+++ b/sssd.spec
@ -26,16 +26,15 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})

 Name: sssd
-Version: 2.7.1
-Release: 2%{?dist}
+Version: 2.7.3
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz

 ### Patches ###
-Patch0001: 0001-pac-relax-default-for-pac_check-option.patch
-Patch0002: 0002-names-only-check-sub-domains-for-regex-match.patch
+#Patch0001:

 ### Dependencies ###

@ -1060,6 +1059,12 @@ fi
 %systemd_postun_with_restart sssd.service

 %changelog
+* Tue Jul  5 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-1
+- Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
+- Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
+- Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
+- Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
+
 * Mon Jun 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.1-2
 - Resolves: rhbz#2073095 - Harden kerberos ticket validation (additional patch)
 - Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol (additional patch)