rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import sssd-2.7.0-2.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-06-03 22:12:30 +00:00 committed by Stepan Oksanichenko
parent 920798981e
commit 34487487c1
7 changed files with 42 additions and 1472 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.6.2.tar.gz SOURCES/sssd-2.7.0.tar.gz

2
.sssd.metadata
View File

@ -1 +1 @@
c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz e576040289bfeb357ee1b67da0d9a183f25b5acb SOURCES/sssd-2.7.0.tar.gz

33
SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
View File

@ -1,33 +0,0 @@
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 4 Jan 2022 10:11:49 +0100
Subject: [PATCH] ipa: fix reply socket of selinux_child
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
the reply socket of selinux_child from stdout to stderr while switching
from exec_child to exec_child_ex. This patch returns the original
behavior.
Resolves: https://github.com/SSSD/sssd/issues/5939
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ipa/ipa_selinux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 6f885c0fd..2e0593dd7 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
if (pid == 0) { /* child */
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
- false, STDIN_FILENO, STDERR_FILENO);
+ false, STDIN_FILENO, STDOUT_FILENO);
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
ret, sss_strerror(ret));
return ret;
--
2.26.3

42
SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch
View File

@ -1,42 +0,0 @@
From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Dec 2021 11:14:18 +0100
Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the forest root is not part of the return trusted domain objects
from the local domain controller we generate an object for further
processing. During this processing it is expected that the 'cn'
attribute is set and contains the name of the forest root. So far this
attribute was missing and it is now added by this patch.
Resolves: https://github.com/SSSD/sssd/issues/5926
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 0353de76f..0c3f8ac31 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
goto done;
}
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
+ state->forest);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
+ goto done;
+ }
+
err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
&id_val.data, &id_val.length);
if (err != IDMAP_SUCCESS) {
--
2.26.3

140
SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
View File

@ -1,140 +0,0 @@
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Thu, 13 Jan 2022 11:28:30 +0100
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AD and IPA providers use a common fo_server object for LDAP and
Kerberos, which is created with the LDAP data. This means that due to
the changes introduced in
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
the port in use for the Kerberos requests would be the one specified for
LDAP, usually the default one (389).
In order to avoid that, AD and IPA providers shouldn't change the
Kerberos port with the one provided for LDAP.
:fixes: A critical regression that prevented authentication of users via
AD and IPA providers was fixed. LDAP port was reused for Kerberos
communication and this provider would send incomprehensible information
to this port.
Resolves: https://github.com/SSSD/sssd/issues/5947
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_common.c | 1 +
src/providers/ipa/ipa_common.c | 1 +
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
src/providers/krb5/krb5_common.h | 1 +
4 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index e263444c5..1ca5f8e3a 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
if (service->krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(service->krb5_service,
server,
+ true,
SSS_KRB5KDC_FO_SRV,
ad_krb5info_file_filter);
if (ret != EOK) {
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 1509cb1ce..e6c1f9aa4 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
if (service->krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(service->krb5_service,
server,
+ true,
SSS_KRB5KDC_FO_SRV,
NULL);
if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 719ce6a12..5ffa20809 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
struct fo_server *server,
+ bool force_default_port,
const char *service,
bool (*filter)(struct fo_server *))
{
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
if (filter == NULL || filter(server) == false) {
address = fo_server_address_or_name(tmp_ctx, server);
if (address) {
- port = fo_get_server_port(server);
- if (port != 0) {
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
- if (address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
- talloc_free(tmp_ctx);
- return ENOMEM;
+ if (!force_default_port) {
+ port = fo_get_server_port(server);
+ if (port != 0) {
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+ if (address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
}
}
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
continue;
}
- port = fo_get_server_port(item);
- if (port != 0) {
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
- if (address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
- talloc_free(tmp_ctx);
- return ENOMEM;
+ if (!force_default_port) {
+ port = fo_get_server_port(item);
+ if (port != 0) {
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+ if (address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
}
}
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
if (krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(krb5_service,
server,
+ false,
krb5_service->name,
NULL);
if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 151f446d1..2fd39a751 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
struct fo_server *server,
+ bool force_default_port,
const char *service,
bool (*filter)(struct fo_server *));
--
2.26.3

1249
SOURCES/0004-po-update-translations.patch
View File

File diff suppressed because it is too large Load Diff

46
SPECS/sssd.spec
View File

@ -18,8 +18,8 @@
%global enable_systemtap_opt --enable-systemtap %global enable_systemtap_opt --enable-systemtap
Name: sssd Name: sssd
Version: 2.6.2 Version: 2.7.0
Release: 3%{?dist} Release: 2%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -27,10 +27,7 @@ URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ### ### Patches ###
Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch #Patch0001:
Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
Patch0004: 0004-po-update-translations.patch
### Downstream Patches ### ### Downstream Patches ###
@ -104,6 +101,9 @@ BuildRequires: pam_wrapper
BuildRequires: p11-kit-devel BuildRequires: p11-kit-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: gnutls-utils BuildRequires: gnutls-utils
BuildRequires: jansson-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: softhsm >= 2.1.0 BuildRequires: softhsm >= 2.1.0
BuildRequires: openssl BuildRequires: openssl
BuildRequires: openssh BuildRequires: openssh
@ -536,6 +536,16 @@ Requires: krb5-libs >= 1.18.2-11
An implementation of a Kerberos KCM server. Use this package if you want to An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache. use the KCM: Kerberos credentials cache.
%package idp
Summary: Kerberos plugins and OIDC helper for external identity providers.
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
%description idp
This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided.
%prep %prep
# Update timestamps on the files touched by a patch, to avoid non-equal # Update timestamps on the files touched by a patch, to avoid non-equal
# .pyc/.pyo files across the multilib peers within a build, where "Level" # .pyc/.pyo files across the multilib peers within a build, where "Level"
@ -621,6 +631,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \ cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
# Enable krb5 idp plugins by default (when sssd-idp package is installed)
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
# krb5 configuration snippet # krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
@ -1048,6 +1062,12 @@ done
%{_unitdir}/sssd-kcm.service %{_unitdir}/sssd-kcm.service
%{_mandir}/man8/sssd-kcm.8* %{_mandir}/man8/sssd-kcm.8*
%files idp
%{_libexecdir}/%{servicename}/oidc_child
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
%pre ipa %pre ipa
getent group sssd >/dev/null || groupadd -r sssd getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
@ -1157,6 +1177,20 @@ fi
%systemd_postun_with_restart sssd.service %systemd_postun_with_restart sssd.service
%changelog %changelog
* Wed May 18 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-2
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname()
- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd
- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send
- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
- Resolves: rhbz#2087745 - 2FA prompting setting ineffective
- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3 * Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.