import sssd-2.7.0-2.el8
parent
920798981e
commit
34487487c1
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/sssd-2.6.2.tar.gz
|
SOURCES/sssd-2.7.0.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
|
e576040289bfeb357ee1b67da0d9a183f25b5acb SOURCES/sssd-2.7.0.tar.gz
|
||||||
|
@ -1,33 +0,0 @@
|
|||||||
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 4 Jan 2022 10:11:49 +0100
|
|
||||||
Subject: [PATCH] ipa: fix reply socket of selinux_child
|
|
||||||
|
|
||||||
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
|
|
||||||
the reply socket of selinux_child from stdout to stderr while switching
|
|
||||||
from exec_child to exec_child_ex. This patch returns the original
|
|
||||||
behavior.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5939
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ipa/ipa_selinux.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
|
|
||||||
index 6f885c0fd..2e0593dd7 100644
|
|
||||||
--- a/src/providers/ipa/ipa_selinux.c
|
|
||||||
+++ b/src/providers/ipa/ipa_selinux.c
|
|
||||||
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
|
|
||||||
if (pid == 0) { /* child */
|
|
||||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
|
|
||||||
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
|
|
||||||
- false, STDIN_FILENO, STDERR_FILENO);
|
|
||||||
+ false, STDIN_FILENO, STDOUT_FILENO);
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
--
|
|
||||||
2.26.3
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Thu, 16 Dec 2021 11:14:18 +0100
|
|
||||||
Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
If the forest root is not part of the return trusted domain objects
|
|
||||||
from the local domain controller we generate an object for further
|
|
||||||
processing. During this processing it is expected that the 'cn'
|
|
||||||
attribute is set and contains the name of the forest root. So far this
|
|
||||||
attribute was missing and it is now added by this patch.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5926
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_subdomains.c | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
||||||
index 0353de76f..0c3f8ac31 100644
|
|
||||||
--- a/src/providers/ad/ad_subdomains.c
|
|
||||||
+++ b/src/providers/ad/ad_subdomains.c
|
|
||||||
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
|
|
||||||
+ state->forest);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
|
|
||||||
&id_val.data, &id_val.length);
|
|
||||||
if (err != IDMAP_SUCCESS) {
|
|
||||||
--
|
|
||||||
2.26.3
|
|
||||||
|
|
@ -1,140 +0,0 @@
|
|||||||
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
Date: Thu, 13 Jan 2022 11:28:30 +0100
|
|
||||||
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
AD and IPA providers use a common fo_server object for LDAP and
|
|
||||||
Kerberos, which is created with the LDAP data. This means that due to
|
|
||||||
the changes introduced in
|
|
||||||
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
|
|
||||||
the port in use for the Kerberos requests would be the one specified for
|
|
||||||
LDAP, usually the default one (389).
|
|
||||||
|
|
||||||
In order to avoid that, AD and IPA providers shouldn't change the
|
|
||||||
Kerberos port with the one provided for LDAP.
|
|
||||||
|
|
||||||
:fixes: A critical regression that prevented authentication of users via
|
|
||||||
AD and IPA providers was fixed. LDAP port was reused for Kerberos
|
|
||||||
communication and this provider would send incomprehensible information
|
|
||||||
to this port.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/5947
|
|
||||||
|
|
||||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_common.c | 1 +
|
|
||||||
src/providers/ipa/ipa_common.c | 1 +
|
|
||||||
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
|
|
||||||
src/providers/krb5/krb5_common.h | 1 +
|
|
||||||
4 files changed, 23 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
|
||||||
index e263444c5..1ca5f8e3a 100644
|
|
||||||
--- a/src/providers/ad/ad_common.c
|
|
||||||
+++ b/src/providers/ad/ad_common.c
|
|
||||||
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
|
||||||
if (service->krb5_service->write_kdcinfo) {
|
|
||||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
|
||||||
server,
|
|
||||||
+ true,
|
|
||||||
SSS_KRB5KDC_FO_SRV,
|
|
||||||
ad_krb5info_file_filter);
|
|
||||||
if (ret != EOK) {
|
|
||||||
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
|
|
||||||
index 1509cb1ce..e6c1f9aa4 100644
|
|
||||||
--- a/src/providers/ipa/ipa_common.c
|
|
||||||
+++ b/src/providers/ipa/ipa_common.c
|
|
||||||
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
|
|
||||||
if (service->krb5_service->write_kdcinfo) {
|
|
||||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
|
||||||
server,
|
|
||||||
+ true,
|
|
||||||
SSS_KRB5KDC_FO_SRV,
|
|
||||||
NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
|
||||||
index 719ce6a12..5ffa20809 100644
|
|
||||||
--- a/src/providers/krb5/krb5_common.c
|
|
||||||
+++ b/src/providers/krb5/krb5_common.c
|
|
||||||
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
|
|
||||||
|
|
||||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
|
||||||
struct fo_server *server,
|
|
||||||
+ bool force_default_port,
|
|
||||||
const char *service,
|
|
||||||
bool (*filter)(struct fo_server *))
|
|
||||||
{
|
|
||||||
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
|
||||||
if (filter == NULL || filter(server) == false) {
|
|
||||||
address = fo_server_address_or_name(tmp_ctx, server);
|
|
||||||
if (address) {
|
|
||||||
- port = fo_get_server_port(server);
|
|
||||||
- if (port != 0) {
|
|
||||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
|
||||||
- if (address == NULL) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
||||||
- talloc_free(tmp_ctx);
|
|
||||||
- return ENOMEM;
|
|
||||||
+ if (!force_default_port) {
|
|
||||||
+ port = fo_get_server_port(server);
|
|
||||||
+ if (port != 0) {
|
|
||||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
|
||||||
+ if (address == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- port = fo_get_server_port(item);
|
|
||||||
- if (port != 0) {
|
|
||||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
|
||||||
- if (address == NULL) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
||||||
- talloc_free(tmp_ctx);
|
|
||||||
- return ENOMEM;
|
|
||||||
+ if (!force_default_port) {
|
|
||||||
+ port = fo_get_server_port(item);
|
|
||||||
+ if (port != 0) {
|
|
||||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
|
||||||
+ if (address == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
|
|
||||||
if (krb5_service->write_kdcinfo) {
|
|
||||||
ret = write_krb5info_file_from_fo_server(krb5_service,
|
|
||||||
server,
|
|
||||||
+ false,
|
|
||||||
krb5_service->name,
|
|
||||||
NULL);
|
|
||||||
if (ret != EOK) {
|
|
||||||
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
|
||||||
index 151f446d1..2fd39a751 100644
|
|
||||||
--- a/src/providers/krb5/krb5_common.h
|
|
||||||
+++ b/src/providers/krb5/krb5_common.h
|
|
||||||
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
|
|
||||||
|
|
||||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
|
||||||
struct fo_server *server,
|
|
||||||
+ bool force_default_port,
|
|
||||||
const char *service,
|
|
||||||
bool (*filter)(struct fo_server *));
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.3
|
|
||||||
|
|
@ -18,8 +18,8 @@
|
|||||||
%global enable_systemtap_opt --enable-systemtap
|
%global enable_systemtap_opt --enable-systemtap
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.6.2
|
Version: 2.7.0
|
||||||
Release: 3%{?dist}
|
Release: 2%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -27,10 +27,7 @@ URL: https://github.com/SSSD/sssd
|
|||||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
|
#Patch0001:
|
||||||
Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
|
|
||||||
Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
|
|
||||||
Patch0004: 0004-po-update-translations.patch
|
|
||||||
|
|
||||||
### Downstream Patches ###
|
### Downstream Patches ###
|
||||||
|
|
||||||
@ -104,6 +101,9 @@ BuildRequires: pam_wrapper
|
|||||||
BuildRequires: p11-kit-devel
|
BuildRequires: p11-kit-devel
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: gnutls-utils
|
BuildRequires: gnutls-utils
|
||||||
|
BuildRequires: jansson-devel
|
||||||
|
BuildRequires: libcurl-devel
|
||||||
|
BuildRequires: libjose-devel
|
||||||
BuildRequires: softhsm >= 2.1.0
|
BuildRequires: softhsm >= 2.1.0
|
||||||
BuildRequires: openssl
|
BuildRequires: openssl
|
||||||
BuildRequires: openssh
|
BuildRequires: openssh
|
||||||
@ -536,6 +536,16 @@ Requires: krb5-libs >= 1.18.2-11
|
|||||||
An implementation of a Kerberos KCM server. Use this package if you want to
|
An implementation of a Kerberos KCM server. Use this package if you want to
|
||||||
use the KCM: Kerberos credentials cache.
|
use the KCM: Kerberos credentials cache.
|
||||||
|
|
||||||
|
%package idp
|
||||||
|
Summary: Kerberos plugins and OIDC helper for external identity providers.
|
||||||
|
License: GPLv3+
|
||||||
|
Requires: sssd-common = %{version}-%{release}
|
||||||
|
|
||||||
|
%description idp
|
||||||
|
This package provides Kerberos plugins that are required to enable
|
||||||
|
authentication against external identity providers. Additionally a helper
|
||||||
|
program to handle the OAuth 2.0 Device Authorization Grant is provided.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||||||
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
||||||
@ -621,6 +631,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
|
|||||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
||||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||||
|
|
||||||
|
# Enable krb5 idp plugins by default (when sssd-idp package is installed)
|
||||||
|
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
|
||||||
|
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||||
|
|
||||||
# krb5 configuration snippet
|
# krb5 configuration snippet
|
||||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
|
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
|
||||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||||
@ -1048,6 +1062,12 @@ done
|
|||||||
%{_unitdir}/sssd-kcm.service
|
%{_unitdir}/sssd-kcm.service
|
||||||
%{_mandir}/man8/sssd-kcm.8*
|
%{_mandir}/man8/sssd-kcm.8*
|
||||||
|
|
||||||
|
%files idp
|
||||||
|
%{_libexecdir}/%{servicename}/oidc_child
|
||||||
|
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
|
||||||
|
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
|
||||||
|
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||||
|
|
||||||
%pre ipa
|
%pre ipa
|
||||||
getent group sssd >/dev/null || groupadd -r sssd
|
getent group sssd >/dev/null || groupadd -r sssd
|
||||||
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
|
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
|
||||||
@ -1157,6 +1177,20 @@ fi
|
|||||||
%systemd_postun_with_restart sssd.service
|
%systemd_postun_with_restart sssd.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed May 18 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-2
|
||||||
|
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||||
|
- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
|
||||||
|
- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
|
||||||
|
- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
|
||||||
|
- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname()
|
||||||
|
- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd
|
||||||
|
- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
|
||||||
|
- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send
|
||||||
|
- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker
|
||||||
|
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
|
||||||
|
- Resolves: rhbz#2087745 - 2FA prompting setting ineffective
|
||||||
|
- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language
|
||||||
|
|
||||||
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
|
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
|
||||||
- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
|
- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
|
||||||
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
|
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
|
||||||
|
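Review bot: The new `%package idp` stanza's `Summary: Kerberos plugins and OIDC helper for external identity providers.` ends with a period, which rpmlint reports as summary-ended-with-dot; drop the trailing dot so it matches the other `Summary:` lines in the spec. The `%files idp` list ships `sssd_krb5_idp_plugin.so` under `%{_libdir}/%{name}/modules/` plus a `%config(noreplace)` snippet in `%{_sysconfdir}/krb5.conf.d/` that enables the plugin system-wide as soon as the package is installed, yet the stanza only declares `Requires: sssd-common = %{version}-%{release}`; the kcm subpackage visible in the preceding hunk header carries an explicit `krb5-libs` requirement, so it is worth confirming whether the plugin needs the same lower bound. Because the snippet is `%config(noreplace)`, a future change to `sssd_enable_idp` will not reach hosts where the file was locally edited, which deserves a short comment next to `# Enable krb5 idp plugins by default (when sssd-idp package is installed)` in `%install`. The `#Patch0001:` placeholder left where the four patch lines were removed would read better with a reason, e.g. `# No downstream patches yet; the 2.6.2 fixes were dropped with the 2.7.0 rebase` (presumably they are carried in the new tarball, which the commit does not state).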