import sssd-2.6.2-2.el9
This commit is contained in:
parent
10810c57cc
commit
42121f97b8
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/sssd-2.6.1.tar.gz
|
||||
SOURCES/sssd-2.6.2.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
7bf04ef18d0997727eb011e3eab6199771f0920f SOURCES/sssd-2.6.1.tar.gz
|
||||
c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
|
||||
|
33
SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
Normal file
33
SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 4 Jan 2022 10:11:49 +0100
|
||||
Subject: [PATCH] ipa: fix reply socket of selinux_child
|
||||
|
||||
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
|
||||
the reply socket of selinux_child from stdout to stderr while switching
|
||||
from exec_child to exec_child_ex. This patch returns the original
|
||||
behavior.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5939
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_selinux.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
|
||||
index 6f885c0fd..2e0593dd7 100644
|
||||
--- a/src/providers/ipa/ipa_selinux.c
|
||||
+++ b/src/providers/ipa/ipa_selinux.c
|
||||
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
|
||||
if (pid == 0) { /* child */
|
||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
|
||||
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
|
||||
- false, STDIN_FILENO, STDERR_FILENO);
|
||||
+ false, STDIN_FILENO, STDOUT_FILENO);
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
--
|
||||
2.26.3
|
||||
|
1249
SOURCES/0002-po-update-translations.patch
Normal file
1249
SOURCES/0002-po-update-translations.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,42 @@
|
||||
From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 16 Dec 2021 11:14:18 +0100
|
||||
Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the forest root is not part of the return trusted domain objects
|
||||
from the local domain controller we generate an object for further
|
||||
processing. During this processing it is expected that the 'cn'
|
||||
attribute is set and contains the name of the forest root. So far this
|
||||
attribute was missing and it is now added by this patch.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5926
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 0353de76f..0c3f8ac31 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
|
||||
+ state->forest);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
|
||||
&id_val.data, &id_val.length);
|
||||
if (err != IDMAP_SUCCESS) {
|
||||
--
|
||||
2.26.3
|
||||
|
140
SOURCES/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
Normal file
140
SOURCES/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
Normal file
@ -0,0 +1,140 @@
|
||||
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Thu, 13 Jan 2022 11:28:30 +0100
|
||||
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD and IPA providers use a common fo_server object for LDAP and
|
||||
Kerberos, which is created with the LDAP data. This means that due to
|
||||
the changes introduced in
|
||||
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
|
||||
the port in use for the Kerberos requests would be the one specified for
|
||||
LDAP, usually the default one (389).
|
||||
|
||||
In order to avoid that, AD and IPA providers shouldn't change the
|
||||
Kerberos port with the one provided for LDAP.
|
||||
|
||||
:fixes: A critical regression that prevented authentication of users via
|
||||
AD and IPA providers was fixed. LDAP port was reused for Kerberos
|
||||
communication and this provider would send incomprehensible information
|
||||
to this port.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5947
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_common.c | 1 +
|
||||
src/providers/ipa/ipa_common.c | 1 +
|
||||
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
|
||||
src/providers/krb5/krb5_common.h | 1 +
|
||||
4 files changed, 23 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index e263444c5..1ca5f8e3a 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
ad_krb5info_file_filter);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
|
||||
index 1509cb1ce..e6c1f9aa4 100644
|
||||
--- a/src/providers/ipa/ipa_common.c
|
||||
+++ b/src/providers/ipa/ipa_common.c
|
||||
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
||||
index 719ce6a12..5ffa20809 100644
|
||||
--- a/src/providers/krb5/krb5_common.c
|
||||
+++ b/src/providers/krb5/krb5_common.c
|
||||
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *))
|
||||
{
|
||||
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
if (filter == NULL || filter(server) == false) {
|
||||
address = fo_server_address_or_name(tmp_ctx, server);
|
||||
if (address) {
|
||||
- port = fo_get_server_port(server);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(server);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
continue;
|
||||
}
|
||||
|
||||
- port = fo_get_server_port(item);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(item);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(krb5_service,
|
||||
server,
|
||||
+ false,
|
||||
krb5_service->name,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
||||
index 151f446d1..2fd39a751 100644
|
||||
--- a/src/providers/krb5/krb5_common.h
|
||||
+++ b/src/providers/krb5/krb5_common.h
|
||||
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *));
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
@ -26,15 +26,18 @@
|
||||
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
|
||||
|
||||
Name: sssd
|
||||
Version: 2.6.1
|
||||
Release: 1%{?dist}
|
||||
Version: 2.6.2
|
||||
Release: 2%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://github.com/SSSD/sssd/
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
#Patch0001:
|
||||
Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
|
||||
Patch0002: 0002-po-update-translations.patch
|
||||
Patch0003: 0003-ad-add-required-cn-attribute-to-subdomain-object.patch
|
||||
Patch0004: 0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
@ -43,7 +46,7 @@ Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-ipa = %{version}-%{release}
|
||||
Requires: sssd-krb5 = %{version}-%{release}
|
||||
Requires: sssd-ldap = %{version}-%{release}
|
||||
Suggests: sssd-proxy = %{version}-%{release}
|
||||
Requires: sssd-proxy = %{version}-%{release}
|
||||
Suggests: logrotate
|
||||
Suggests: python3-sssdconfig = %{version}-%{release}
|
||||
Suggests: sssd-dbus = %{version}-%{release}
|
||||
@ -78,6 +81,7 @@ BuildRequires: gettext-devel
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: keyutils-libs-devel
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: krb5-libs >= 1.18.2-11
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: libdhash-devel >= 0.4.2
|
||||
BuildRequires: libini_config-devel >= 1.1
|
||||
@ -137,6 +141,7 @@ License: GPLv3+
|
||||
# Requires
|
||||
# due to ABI changes in 1.1.30/1.2.0
|
||||
Requires: libldb >= %{ldb_version}
|
||||
Requires: libtevent >= 0.11.0
|
||||
Requires: sssd-client%{?_isa} = %{version}-%{release}
|
||||
Requires: (libsss_sudo = %{version}-%{release} if sudo)
|
||||
Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
|
||||
@ -194,8 +199,9 @@ Requires: sssd-common = %{version}-%{release}
|
||||
Requires: python3-sss = %{version}-%{release}
|
||||
Requires: python3-sssdconfig = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
# for logger=journald support with sss_analyze
|
||||
Requires: python3-systemd
|
||||
Suggests: sssd-dbus
|
||||
Requires: sssd-dbus
|
||||
|
||||
%description tools
|
||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||
@ -468,6 +474,7 @@ Library to map certificates to users based on rules
|
||||
Summary: An implementation of a Kerberos KCM server
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: krb5-libs >= 1.18.2-11
|
||||
%{?systemd_requires}
|
||||
|
||||
%description kcm
|
||||
@ -510,6 +517,10 @@ autoreconf -ivf
|
||||
%{nil}
|
||||
|
||||
%make_build all docs runstatedir=%{_rundir}
|
||||
make -C po ja.gmo
|
||||
make -C po fr.gmo
|
||||
make -C po ko.gmo
|
||||
make -C po zh_CN.gmo
|
||||
|
||||
sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
|
||||
|
||||
@ -520,7 +531,7 @@ unset CK_TIMEOUT_MULTIPLIER
|
||||
|
||||
%install
|
||||
|
||||
%py3_shebang_fix src/tools/analyzer/sss_analyze.py
|
||||
%py3_shebang_fix src/tools/analyzer/sss_analyze
|
||||
|
||||
%make_install
|
||||
|
||||
@ -540,6 +551,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||
|
||||
# krb5 configuration snippet
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
|
||||
# Create directory for cifs-idmap alternative
|
||||
# Otherwise this directory could not be owned by sssd-client
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
|
||||
@ -766,6 +781,9 @@ done
|
||||
%license COPYING
|
||||
%{_libdir}/%{name}/libsss_krb5.so
|
||||
%{_mandir}/man5/sssd-krb5.5*
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
%dir %{_datadir}/sssd/krb5-snippets
|
||||
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
|
||||
|
||||
%files common-pac
|
||||
%license COPYING
|
||||
@ -843,6 +861,7 @@ done
|
||||
%{_sbindir}/sss_debuglevel
|
||||
%{_sbindir}/sss_seed
|
||||
%{_sbindir}/sssctl
|
||||
%{_libexecdir}/%{servicename}/sss_analyze
|
||||
%{python3_sitelib}/sssd/
|
||||
%{_mandir}/man8/sss_obfuscate.8*
|
||||
%{_mandir}/man8/sss_override.8*
|
||||
@ -1019,6 +1038,18 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
|
||||
- Resolves: rhbz#2035244 - AD Domain in the AD Forest Missing after sssd latest update
|
||||
- Resolves: rhbz#2041560 - sssd does not use kerberos port that is set.
|
||||
|
||||
* Mon Jan 03 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
|
||||
- Resolves: rhbz#2011224 - Rebase SSSD for RHEL 9.0-GA
|
||||
- Resolves: rhbz#2017390 - [sssd] RHEL 9.0 GA Tier 0 Localization
|
||||
- Resolves: rhbz#2013263 - [RHEL9] Add ability to parse child log files
|
||||
- Resolves: rhbz#2013262 - [RHEL9] Add tevent chain ID logic into responders
|
||||
- Resolves: rhbz#1992432 - Add client certificate validation D-Bus API
|
||||
- Resolves: rhbz#1940517 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
|
||||
|
||||
* Mon Dec 06 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-1
|
||||
- Resolves: rhbz#2011224 - Rebase SSSD for RHEL 9.0-GA
|
||||
- Resolves: rhbz#1966201 - sssd: incorrect checks on length values during packet decoding in unpack_authtok()
|
||||
|
Loading…
Reference in New Issue
Block a user