import sssd-2.6.2-2.el9

2022-03-01 07:55:00 -05:00 · 2022-03-01 07:55:00 -05:00 · 42121f97b8
commit 42121f97b8
parent 10810c57cc
7 changed files with 1503 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/sssd-2.6.1.tar.gz
+SOURCES/sssd-2.6.2.tar.gz
--- a/.sssd.metadata
+++ b/.sssd.metadata
@ -1 +1 @@
-7bf04ef18d0997727eb011e3eab6199771f0920f SOURCES/sssd-2.6.1.tar.gz
+c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
--- a/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
+++ b/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
@ -0,0 +1,33 @@
 From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Tue, 4 Jan 2022 10:11:49 +0100
 Subject: [PATCH] ipa: fix reply socket of selinux_child
 Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
 the reply socket of selinux_child from stdout to stderr while switching
 from exec_child to exec_child_ex. This patch returns the original
 behavior.
 Resolves: https://github.com/SSSD/sssd/issues/5939
 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
 ---
 src/providers/ipa/ipa_selinux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
 index 6f885c0fd..2e0593dd7 100644
 --- a/src/providers/ipa/ipa_selinux.c
 +++ b/src/providers/ipa/ipa_selinux.c
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
     if (pid == 0) { /* child */
         exec_child_ex(state, pipefd_to_child, pipefd_from_child,
                       SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
 -                      false, STDIN_FILENO, STDERR_FILENO);
 +                      false, STDIN_FILENO, STDOUT_FILENO);
         DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
               ret, sss_strerror(ret));
         return ret;
 -- 
 2.26.3
--- a/SOURCES/0002-po-update-translations.patch
+++ b/SOURCES/0002-po-update-translations.patch
--- a/SOURCES/0003-ad-add-required-cn-attribute-to-subdomain-object.patch
+++ b/SOURCES/0003-ad-add-required-cn-attribute-to-subdomain-object.patch
@ -0,0 +1,42 @@
 From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Thu, 16 Dec 2021 11:14:18 +0100
 Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If the forest root is not part of the return trusted domain objects
 from the local domain controller we generate an object for further
 processing. During this processing it is expected that the 'cn'
 attribute is set and contains the name of the forest root. So far this
 attribute was missing and it is now added by this patch.
 Resolves: https://github.com/SSSD/sssd/issues/5926
 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
 ---
 src/providers/ad/ad_subdomains.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
 index 0353de76f..0c3f8ac31 100644
 --- a/src/providers/ad/ad_subdomains.c
 +++ b/src/providers/ad/ad_subdomains.c
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
         goto done;
     }
 +    ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
 +                                 state->forest);
 +    if (ret != EOK) {
 +        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
 +        goto done;
 +    }
 +
     err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
                                    &id_val.data, &id_val.length);
     if (err != IDMAP_SUCCESS) {
 -- 
 2.26.3
--- a/SOURCES/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
+++ b/SOURCES/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
@ -0,0 +1,140 @@
 From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Thu, 13 Jan 2022 11:28:30 +0100
 Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 AD and IPA providers use a common fo_server object for LDAP and
 Kerberos, which is created with the LDAP data. This means that due to
 the changes introduced in
 https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
 the port in use for the Kerberos requests would be the one specified for
 LDAP, usually the default one (389).
 In order to avoid that, AD and IPA providers shouldn't change the
 Kerberos port with the one provided for LDAP.
 :fixes: A critical regression that prevented authentication of users via
 AD and IPA providers was fixed. LDAP port was reused for Kerberos
 communication and this provider would send incomprehensible information
 to this port.
 Resolves: https://github.com/SSSD/sssd/issues/5947
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
 ---
 src/providers/ad/ad_common.c     |  1 +
 src/providers/ipa/ipa_common.c   |  1 +
 src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
 src/providers/krb5/krb5_common.h |  1 +
 4 files changed, 23 insertions(+), 14 deletions(-)
 diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
 index e263444c5..1ca5f8e3a 100644
 --- a/src/providers/ad/ad_common.c
 +++ b/src/providers/ad/ad_common.c
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
     if (service->krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
                                                  server,
 +                                                 true,
                                                  SSS_KRB5KDC_FO_SRV,
                                                  ad_krb5info_file_filter);
         if (ret != EOK) {
 diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
 index 1509cb1ce..e6c1f9aa4 100644
 --- a/src/providers/ipa/ipa_common.c
 +++ b/src/providers/ipa/ipa_common.c
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
     if (service->krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
                                                  server,
 +                                                 true,
                                                  SSS_KRB5KDC_FO_SRV,
                                                  NULL);
         if (ret != EOK) {
 diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
 index 719ce6a12..5ffa20809 100644
 --- a/src/providers/krb5/krb5_common.c
 +++ b/src/providers/krb5/krb5_common.c
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                                            struct fo_server *server,
 +                                           bool force_default_port,
                                            const char *service,
                                            bool (*filter)(struct fo_server *))
 {
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
     if (filter == NULL || filter(server) == false) {
         address = fo_server_address_or_name(tmp_ctx, server);
         if (address) {
 -            port = fo_get_server_port(server);
 -            if (port != 0) {
 -                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
 -                if (address == NULL) {
 -                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 -                    talloc_free(tmp_ctx);
 -                    return ENOMEM;
 +            if (!force_default_port) {
 +                port = fo_get_server_port(server);
 +                if (port != 0) {
 +                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
 +                    if (address == NULL) {
 +                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 +                        talloc_free(tmp_ctx);
 +                        return ENOMEM;
 +                    }
                 }
             }
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                 continue;
             }
 -            port = fo_get_server_port(item);
 -            if (port != 0) {
 -                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
 -                if (address == NULL) {
 -                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 -                    talloc_free(tmp_ctx);
 -                    return ENOMEM;
 +            if (!force_default_port) {
 +                port = fo_get_server_port(item);
 +                if (port != 0) {
 +                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
 +                    if (address == NULL) {
 +                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 +                        talloc_free(tmp_ctx);
 +                        return ENOMEM;
 +                    }
                 }
             }
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
     if (krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(krb5_service,
                                                  server,
 +                                                 false,
                                                  krb5_service->name,
                                                  NULL);
         if (ret != EOK) {
 diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
 index 151f446d1..2fd39a751 100644
 --- a/src/providers/krb5/krb5_common.h
 +++ b/src/providers/krb5/krb5_common.h
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                                            struct fo_server *server,
 +                                           bool force_default_port,
                                            const char *service,
                                            bool (*filter)(struct fo_server *));
 -- 
 2.26.3
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@ -26,15 +26,18 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 Name: sssd
-Version: 2.6.1
+Version: 2.6.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-#Patch0001:
+Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
 Patch0002: 0002-po-update-translations.patch
 Patch0003: 0003-ad-add-required-cn-attribute-to-subdomain-object.patch
 Patch0004: 0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
 ### Dependencies ###
@ -43,7 +46,7 @@ Requires: sssd-common = %{version}-%{release}
 Requires: sssd-ipa = %{version}-%{release}
 Requires: sssd-krb5 = %{version}-%{release}
 Requires: sssd-ldap = %{version}-%{release}
-Suggests: sssd-proxy = %{version}-%{release}
+Requires: sssd-proxy = %{version}-%{release}
 Suggests: logrotate
 Suggests: python3-sssdconfig = %{version}-%{release}
 Suggests: sssd-dbus = %{version}-%{release}
@ -78,6 +81,7 @@ BuildRequires: gettext-devel
 BuildRequires: gnutls-utils
 BuildRequires: keyutils-libs-devel
 BuildRequires: krb5-devel
 BuildRequires: krb5-libs >= 1.18.2-11
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: libdhash-devel >= 0.4.2
 BuildRequires: libini_config-devel >= 1.1
@ -137,6 +141,7 @@ License: GPLv3+
 # Requires
 # due to ABI changes in 1.1.30/1.2.0
 Requires: libldb >= %{ldb_version}
 Requires: libtevent >= 0.11.0
 Requires: sssd-client%{?_isa} = %{version}-%{release}
 Requires: (libsss_sudo = %{version}-%{release} if sudo)
 Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
@ -194,8 +199,9 @@ Requires: sssd-common = %{version}-%{release}
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
 # for logger=journald support with sss_analyze
 Requires: python3-systemd
-Suggests: sssd-dbus
+Requires: sssd-dbus
 %description tools
 Provides userspace tools for manipulating users, groups, and nested groups in
@ -468,6 +474,7 @@ Library to map certificates to users based on rules
 Summary: An implementation of a Kerberos KCM server
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
 Requires: krb5-libs >= 1.18.2-11
 %{?systemd_requires}
 %description kcm
@ -510,6 +517,10 @@ autoreconf -ivf
    %{nil}
 %make_build all docs runstatedir=%{_rundir}
 make -C po ja.gmo
 make -C po fr.gmo
 make -C po ko.gmo
 make -C po zh_CN.gmo
 sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
@ -520,7 +531,7 @@ unset CK_TIMEOUT_MULTIPLIER
 %install
-%py3_shebang_fix src/tools/analyzer/sss_analyze.py
+%py3_shebang_fix src/tools/analyzer/sss_analyze
 %make_install
@ -540,6 +551,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
 # krb5 configuration snippet
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 # Create directory for cifs-idmap alternative
 # Otherwise this directory could not be owned by sssd-client
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
@ -766,6 +781,9 @@ done
 %license COPYING
 %{_libdir}/%{name}/libsss_krb5.so
 %{_mandir}/man5/sssd-krb5.5*
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %{_datadir}/sssd/krb5-snippets
 %{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
 %files common-pac
 %license COPYING
@ -843,6 +861,7 @@ done
 %{_sbindir}/sss_debuglevel
 %{_sbindir}/sss_seed
 %{_sbindir}/sssctl
 %{_libexecdir}/%{servicename}/sss_analyze
 %{python3_sitelib}/sssd/
 %{_mandir}/man8/sss_obfuscate.8*
 %{_mandir}/man8/sss_override.8*
@ -1019,6 +1038,18 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
 * Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
 - Resolves: rhbz#2035244 - AD Domain in the AD Forest Missing after sssd latest update
 - Resolves: rhbz#2041560 - sssd does not use kerberos port that is set.
 * Mon Jan 03 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
 - Resolves: rhbz#2011224 - Rebase SSSD for RHEL 9.0-GA
 - Resolves: rhbz#2017390 - [sssd] RHEL 9.0 GA Tier 0 Localization
 - Resolves: rhbz#2013263 - [RHEL9] Add ability to parse child log files
 - Resolves: rhbz#2013262 - [RHEL9] Add tevent chain ID logic into responders
 - Resolves: rhbz#1992432 - Add client certificate validation D-Bus API
 - Resolves: rhbz#1940517 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
 * Mon Dec 06 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-1
 - Resolves: rhbz#2011224 - Rebase SSSD for RHEL 9.0-GA
 - Resolves: rhbz#1966201 - sssd: incorrect checks on length values during packet decoding in unpack_authtok()
`@ -1 +1 @@`
	`SOURCES/sssd-2.6.1.tar.gz`	`SOURCES/sssd-2.6.2.tar.gz`
`@ -1 +1 @@`
	`7bf04ef18d0997727eb011e3eab6199771f0920f SOURCES/sssd-2.6.1.tar.gz`	`c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz`