rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import OL sssd-2.9.7-4.0.1.el9_7.1

Browse Source
This commit is contained in:
eabdullin 2025-11-27 12:02:27 +00:00
parent f246fd45d3
commit 44b3f3362f
11 changed files with 244 additions and 685 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.9.6.tar.gz
SOURCES/sssd-2.9.7.tar.gz

2
.sssd.metadata
View File

@ -1 +1 @@
da2490cf07d91fd340ce87ffc209fc2420ccf60c SOURCES/sssd-2.9.6.tar.gz
b8c9deadb0f0a9b0afdea1dcfc3f0f955f8a7f64 SOURCES/sssd-2.9.7.tar.gz

83
SOURCES/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
View File

@ -1,83 +0,0 @@
From 4f9fb5fd301d635ad54bf6d0ef93d6811445c7f9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 22 May 2024 13:31:06 +0200
Subject: [PATCH] SYSDB: Use SYSDB_NAME from cached entry when updating users
and groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The sysdb_store_user() and sysdb_store_group() functinos search for the
entry by name to check if it is already cached. This search considers
SYSDB_ALIAS, added when the domain is case insensitive. If a matching
entry is found use its SYSDB_NAME instead of the passed name.
It may happen the group is stored in uppercase, but later some server
returns a memberOf attribute in lowercase. When updating the group to
add the memberships the first search will find the entry, but the modify
operation will fail as the group name in the built DN will differ in case.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d2b734b926e1f23370c9cabd8ba6f07bf6b29a86)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 76f4580aa..32e49d759 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2615,6 +2615,22 @@ int sysdb_store_user(struct sss_domain_info *domain,
}
} else {
/* the user exists, let's just replace attributes when set */
+ /*
+ * The sysdb_search_user_by_name() function also matches lowercased
+ * aliases, saved when the domain is case-insensitive. This means that
+ * the stored entry name can differ in capitalization from the search
+ * name. Use the cached entry name to perform the modification because
+ * if name capitalization in entry's DN differs the modify operation
+ * will fail.
+ */
+ const char *entry_name =
+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (entry_name != NULL) {
+ name = entry_name;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "User '%s' without a name?\n", name);
+ }
+
ret = sysdb_store_user_attrs(domain, name, uid, gid, gecos, homedir,
shell, orig_dn, attrs, remove_attrs,
cache_timeout, now);
@@ -2849,6 +2865,22 @@ int sysdb_store_group(struct sss_domain_info *domain,
ret = sysdb_store_new_group(domain, name, gid, attrs,
cache_timeout, now);
} else {
+ /*
+ * The sysdb_search_group_by_name() function also matches lowercased
+ * aliases, saved when the domain is case-insensitive. This means that
+ * the stored entry name can differ in capitalization from the search
+ * name. Use the cached entry name to perform the modification because
+ * if name capitalization in entry's DN differs the modify operation
+ * will fail.
+ */
+ const char *entry_name =
+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (entry_name != NULL) {
+ name = entry_name;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Group '%s' without a name?\n", name);
+ }
+
ret = sysdb_store_group_attrs(domain, name, gid, attrs,
cache_timeout, now);
}
--
2.47.0

42
SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch Normal file
View File

@ -0,0 +1,42 @@
From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Jun 2025 14:30:57 +0200
Subject: [PATCH 3/4] authtok: add IS_PW_OR_ST_AUTHTOK()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds a helper macro to determine if an authtok struct is of
type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
useful if a password is expected but an authentication token forwarded
by an different PAM module, which is most probably a password, can be
used as well.
Resolves: https://github.com/SSSD/sssd/issues/7968
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
---
src/util/authtok.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/util/authtok.h b/src/util/authtok.h
index b58e9dbbd..acabb7078 100644
--- a/src/util/authtok.h
+++ b/src/util/authtok.h
@@ -28,6 +28,10 @@
sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
|| sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+#define IS_PW_OR_ST_AUTHTOK(tok) ( \
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
+
/* Use sss_authtok_* accessor functions instead of struct sss_auth_token
*/
--
2.50.0

93
SOURCES/0002-KCM-fix-memory-leak.patch
View File

@ -1,93 +0,0 @@
From 6aba9a7dd2261c19f053d5fbd5358fdaf335b807 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 5 Feb 2025 08:59:49 +0100
Subject: [PATCH] KCM: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The copy of 'secret' argument - `secret_val.data` - was left hanging
on `sss_sec_ctx`, effectively resulting in a memory leak.
But this copy isn't actually required as this data isn't modified in
below operations.
This is a backport of https://github.com/SSSD/sssd/pull/7823
:fixes:'sssd_kcm' memory leak was fixed.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/responder/kcm/secrets/secrets.c | 28 ++++++++++++----------------
1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 730fa68b6..d1a9672d5 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -953,7 +953,7 @@ errno_t sss_sec_put(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val;
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
int ret;
if (req == NULL || secret == NULL) {
@@ -1002,13 +1002,11 @@ errno_t sss_sec_put(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1050,7 +1048,7 @@ errno_t sss_sec_update(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val;
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
int ret;
if (req == NULL || secret == NULL) {
@@ -1099,13 +1097,6 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
/* FIXME - should we have a lastUpdate timestamp? */
ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL);
if (ret != LDB_SUCCESS) {
@@ -1115,6 +1106,11 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_MINOR_FAILURE,
--
2.47.0

104
SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch Normal file
View File

@ -0,0 +1,104 @@
From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 10 Jun 2025 14:22:19 +0200
Subject: [PATCH 4/4] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
handle credentials forwarded by other PAM modules. Before it was
unconditionally assumed that it is a password and hence
SSS_AUTHTOK_TYPE_PASSWORD was used.
When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
already handled but currently offline use-cases fail because here only
SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
credentials as well.
Resolves: https://github.com/SSSD/sssd/issues/7968
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
---
src/providers/krb5/krb5_auth.c | 11 +++++++----
src/providers/krb5/krb5_child.c | 4 ++++
.../krb5/krb5_delayed_online_authentication.c | 2 +-
src/responder/pam/pamsrv_cmd.c | 1 +
4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 07e4d807f..fb2f58869 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
domain->cache_credentials_min_ff_length);
ret = EINVAL;
}
- } else if (sss_authtok_get_type(pd->authtok) ==
- SSS_AUTHTOK_TYPE_PASSWORD) {
+ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
+ /* At this point we can be sure that
+ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
+ * krb5_auth_store_creds() is not called if 2FA/otp was used,
+ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
+ */
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
} else {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
if (kr->is_offline) {
if (dp_opt_get_bool(kr->krb5_ctx->opts,
KRB5_STORE_PASSWORD_IF_OFFLINE)
- && sss_authtok_get_type(pd->authtok)
- == SSS_AUTHTOK_TYPE_PASSWORD) {
+ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
krb5_auth_cache_creds(state->kr->krb5_ctx,
state->domain,
state->be_ctx->cdb,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 5830305a0..21ec38627 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ if (kerr == EAGAIN) {
+ kerr = KRB5_KDC_UNREACH;
+ }
+
/* Special case for IPA password migration */
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
&& kerr == KRB5_PREAUTH_FAILED
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index f88d8ab9b..1fac986a6 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
return EINVAL;
}
- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid authtok for user [%s].\n", pd->user);
return EINVAL;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index d4cb421f4..c6a436069 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
switch (sss_authtok_get_type(authtok)) {
case SSS_AUTHTOK_TYPE_PASSWORD:
+ case SSS_AUTHTOK_TYPE_PAM_STACKED:
ret = sss_authtok_get_password(authtok, password, NULL);
break;
case SSS_AUTHTOK_TYPE_2FA:
--
2.50.0

59
SOURCES/0003-KCM-another-memory-leak-fixed.patch
View File

@ -1,59 +0,0 @@
From e7c76df8c0fa4a361c433684553ba1384166a564 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 12 Feb 2025 11:30:22 +0100
Subject: [PATCH] KCM: another memory leak fixed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
```
...
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520
...
```
Reviewed-by: Alejandro López <allopez@redhat.com>
(cherry picked from commit 9e72bc242b600158d7920b2b98644efa42fd1ffa)
---
src/responder/kcm/kcmsrv_ccache.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index 6e4ea64e0..4f4f8b46a 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -404,7 +404,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- goto done;
+ goto fail;
}
for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) {
@@ -417,7 +417,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
cred_list[i] = kcm_cred_to_krb5(krb_context, cred);
if (cred_list[i] == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n");
- goto done;
+ goto fail;
}
}
@@ -426,8 +426,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
talloc_steal(mem_ctx, cred_list);
+ talloc_free(tmp_ctx);
return cred_list;
-done:
+
+fail:
talloc_free(tmp_ctx);
return NULL;
#endif
--
2.47.0

39
SOURCES/0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch Normal file
View File

@ -0,0 +1,39 @@
commit 9939c39d1949fad48af2f0b43c788bad0809e310
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 10 12:57:40 2025 +0200
krb5: disable Kerberos localauth an2ln plugin for AD/IPA
If a client is joined to AD or IPA SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping is
done by the 'an2ln' plugin this patch disables it in the configuration
snippets for SSSD's localauth plugin.
Resolves: https://github.com/SSSD/sssd/issues/8021
:relnote: After startup SSSD already creates a Kerberos configuration
snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
if the AD or IPA providers are used. This enables SSSD's localauth plugin.
Starting with this release the an2ln plugin is disabled in the
configuration snippet as well. If this file or its content are included in
the Kerberos configuration it will fix CVE-2025-11561.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
diff -up sssd-2.9.7/src/util/domain_info_utils.c.orig sssd-2.9.7/src/util/domain_info_utils.c
--- sssd-2.9.7/src/util/domain_info_utils.c.orig 2025-05-20 16:51:32.000000000 +0200
+++ sssd-2.9.7/src/util/domain_info_utils.c 2025-10-20 10:55:54.008139333 +0200
@@ -751,6 +751,7 @@ done:
#define LOCALAUTH_PLUGIN_CONFIG \
"[plugins]\n" \
" localauth = {\n" \
+" disable = an2ln\n" \
" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
" }\n"

441
SOURCES/0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
View File

@ -1,441 +0,0 @@
From addb1a78106cab8a85f8f6c56d79e84b5abd0d5e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 14 Feb 2025 21:15:16 +0100
Subject: [PATCH] SYSDB: don't add group members if 'ignore_group_members ==
true'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7793
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 281d9c3ed66ee28a9572433a629eb0d72525ca46)
---
src/db/sysdb.h | 51 ++++++---
src/db/sysdb_search.c | 6 +-
src/db/sysdb_views.c | 10 +-
src/tests/cmocka/test_responder_cache_req.c | 112 +++++++-------------
src/tests/cmocka/test_sysdb_ts_cache.c | 6 +-
src/tools/sss_override.c | 2 +-
6 files changed, 90 insertions(+), 97 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 55c6437f2..fb1ced009 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -276,19 +276,44 @@
SYSDB_ORIG_DN, \
NULL}
-#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \
- SYSDB_MEMBERUID, \
- SYSDB_MEMBER, \
- SYSDB_GHOST, \
- SYSDB_DEFAULT_ATTRS, \
- SYSDB_SID_STR, \
- SYSDB_OVERRIDE_DN, \
- SYSDB_OVERRIDE_OBJECT_DN, \
- SYSDB_DEFAULT_OVERRIDE_NAME, \
- SYSDB_UUID, \
- ORIGINALAD_PREFIX SYSDB_NAME, \
- ORIGINALAD_PREFIX SYSDB_GIDNUM, \
- NULL}
+/* Strictly speaking it should return 'const char * const *' but
+ * that gets really unreadable.
+ */
+__attribute__((always_inline))
+static inline const char **SYSDB_GRSRC_ATTRS(const struct sss_domain_info *domain)
+{
+ static const char * __SYSDB_GRSRC_ATTRS_NO_MEMBERS[] = {
+ SYSDB_NAME, SYSDB_GIDNUM,
+ SYSDB_DEFAULT_ATTRS,
+ SYSDB_SID_STR,
+ SYSDB_OVERRIDE_DN,
+ SYSDB_OVERRIDE_OBJECT_DN,
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ SYSDB_UUID,
+ NULL
+ };
+ static const char * __SYSDB_GRSRC_ATTRS_WITH_MEMBERS[] = {
+ SYSDB_NAME, SYSDB_GIDNUM,
+ SYSDB_MEMBERUID,
+ SYSDB_MEMBER,
+ SYSDB_GHOST,
+ SYSDB_DEFAULT_ATTRS,
+ SYSDB_SID_STR,
+ SYSDB_OVERRIDE_DN,
+ SYSDB_OVERRIDE_OBJECT_DN,
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ SYSDB_UUID,
+ ORIGINALAD_PREFIX SYSDB_NAME,
+ ORIGINALAD_PREFIX SYSDB_GIDNUM,
+ NULL
+ };
+
+ if (domain && domain->ignore_group_members) {
+ return __SYSDB_GRSRC_ATTRS_NO_MEMBERS;
+ } else {
+ return __SYSDB_GRSRC_ATTRS_WITH_MEMBERS;
+ }
+}
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
SYSDB_NETGROUP_MEMBER, \
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index e4c53b853..7f34ddbcb 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1176,7 +1176,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *fmt_filter;
char *sanitized_name;
struct ldb_dn *base_dn;
@@ -1378,7 +1378,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *res = NULL;
int ret;
- static const char *default_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **default_attrs = SYSDB_GRSRC_ATTRS(domain);
const char **attrs = NULL;
tmp_ctx = talloc_new(NULL);
@@ -1484,7 +1484,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *filter = NULL;
const char *ts_filter = NULL;
const char *base_filter;
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 19c10977b..71f627974 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1237,7 +1237,7 @@ errno_t sysdb_search_group_override_by_name(TALLOC_CTX *mem_ctx,
struct ldb_result **override_obj,
struct ldb_result **orig_obj)
{
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
return sysdb_search_override_by_name(mem_ctx, domain, name,
SYSDB_GROUP_NAME_OVERRIDE_FILTER,
@@ -1253,7 +1253,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain);
const char **attrs;
struct ldb_dn *base_dn;
struct ldb_result *override_res;
@@ -1417,7 +1417,7 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain,
struct ldb_message *override;
uint64_t uid;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); /* members don't matter */
const char **attrs;
struct attr_map {
const char *attr;
@@ -1551,6 +1551,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
char *val;
struct sss_domain_info *orig_dom;
+ if (domain->ignore_group_members) {
+ return EOK;
+ }
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index fe69a9dfd..c665e1adb 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -3282,10 +3282,8 @@ void test_object_by_sid_user_multiple_domains_notfound(void **state)
void test_object_by_sid_group_cache_valid(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
@@ -3298,10 +3296,8 @@ void test_object_by_sid_group_cache_valid(void **state)
void test_object_by_sid_group_cache_expired(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
@@ -3320,10 +3316,8 @@ void test_object_by_sid_group_cache_expired(void **state)
void test_object_by_sid_group_cache_midpoint(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
@@ -3341,12 +3335,10 @@ void test_object_by_sid_group_cache_midpoint(void **state)
void test_object_by_sid_group_ncache(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
errno_t ret;
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
/* Setup user. */
ret = sss_ncache_set_sid(test_ctx->ncache, false, test_ctx->tctx->dom, groups[0].sid);
assert_int_equal(ret, EOK);
@@ -3359,10 +3351,8 @@ void test_object_by_sid_group_ncache(void **state)
void test_object_by_sid_group_missing_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3380,10 +3370,8 @@ void test_object_by_sid_group_missing_found(void **state)
void test_object_by_sid_group_missing_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3397,17 +3385,13 @@ void test_object_by_sid_group_missing_notfound(void **state)
void test_object_by_sid_group_multiple_domains_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- struct sss_domain_info *domain = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
- /* Setup user. */
- domain = find_domain_by_name(test_ctx->tctx->dom,
- "responder_cache_req_test_d", true);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
assert_non_null(domain);
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
+ /* Setup user. */
prepare_group(domain, &groups[0], 1000, time(NULL));
/* Mock values. */
@@ -3423,10 +3407,8 @@ void test_object_by_sid_group_multiple_domains_found(void **state)
void test_object_by_sid_group_multiple_domains_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3605,10 +3587,8 @@ void test_object_by_id_user_multiple_domains_notfound(void **state)
void test_object_by_id_group_cache_valid(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
@@ -3620,10 +3600,8 @@ void test_object_by_id_group_cache_valid(void **state)
void test_object_by_id_group_cache_expired(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
@@ -3641,10 +3619,8 @@ void test_object_by_id_group_cache_expired(void **state)
void test_object_by_id_group_cache_midpoint(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
@@ -3661,12 +3637,10 @@ void test_object_by_id_group_cache_midpoint(void **state)
void test_object_by_id_group_ncache(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
errno_t ret;
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
/* Setup group. We explicitly add the UID into BOTH UID and GID
* namespaces, because otherwise the cache_req plugin would
* search the Data Provider anyway, because it can't be sure
@@ -3693,10 +3667,8 @@ void test_object_by_id_group_ncache(void **state)
void test_object_by_id_group_missing_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3713,10 +3685,8 @@ void test_object_by_id_group_missing_found(void **state)
void test_object_by_id_group_missing_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3729,17 +3699,13 @@ void test_object_by_id_group_missing_notfound(void **state)
void test_object_by_id_group_multiple_domains_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- struct sss_domain_info *domain = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
- /* Setup user. */
- domain = find_domain_by_name(test_ctx->tctx->dom,
- "responder_cache_req_test_d", true);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
assert_non_null(domain);
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
+ /* Setup user. */
prepare_group(domain, &groups[0], 1000, time(NULL));
/* Mock values. */
@@ -3755,10 +3721,8 @@ void test_object_by_id_group_multiple_domains_found(void **state)
void test_object_by_id_group_multiple_domains_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
index 24b26d950..f349b7061 100644
--- a/src/tests/cmocka/test_sysdb_ts_cache.c
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
@@ -694,7 +694,7 @@ static void test_sysdb_getgr_merges(void **state)
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
struct sysdb_attrs *group_attrs = NULL;
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
char *filter = NULL;
struct ldb_result *res = NULL;
size_t msgs_count;
@@ -783,7 +783,7 @@ static void test_merge_ldb_results(void **state)
int ret;
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
char *filter;
struct ldb_result *res;
struct ldb_result *res1;
@@ -856,7 +856,7 @@ static void test_group_bysid(void **state)
int ret;
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
struct sysdb_attrs *group_attrs = NULL;
struct ldb_result *res;
struct ldb_message *msg = NULL;
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index cfd8f17fa..a20859c4d 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -1218,7 +1218,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
size_t count;
size_t i;
errno_t ret;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *fqname;
char *name;
--
2.47.0

26
SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch Normal file
View File

@ -0,0 +1,26 @@
From: Alex Burmashev <alexander.burmashev@oracle.com>
Date: Tue, 04 May 2021 13:31:41 +0100
Subject: [PATCH] restore default debug level for sss_cache
We want only fatal failures to be logged, otherwise in some conditions log is.
flooded with unneeded "errors"
Resolves: https://github.com/SSSD/sssd/issues/5488
Orabug: 32810448
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Patch migrated from ol8 to ol9 without any modification
Signed-off-by: Darren Archibald <darren.archibald@oracle.com>
diff -ruN sssd-2.4.0.orig/src/tools/sss_cache.c sssd-2.4.0/src/tools/sss_cache.c
--- sssd-2.4.0.orig/src/tools/sss_cache.c 2021-06-29 12:48:07.035970021 -0700
+++ sssd-2.4.0/src/tools/sss_cache.c 2021-06-29 13:11:23.126918933 -0700
@@ -709,7 +709,7 @@
struct cache_tool_ctx *ctx = NULL;
int idb = INVALIDATE_NONE;
struct input_values values = { 0 };
- int debug = SSSDBG_TOOLS_DEFAULT;
+ int debug = SSSDBG_FATAL_FAILURE;
errno_t ret = EOK;
poptContext pc = NULL;

38
SPECS/sssd.spec
View File

@ -26,18 +26,18 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
Version: 2.9.6
Release: 4%{?dist}.2
Version: 2.9.7
Release: 4.0.1%{?dist}.1
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
Patch0002: 0002-KCM-fix-memory-leak.patch
Patch0003: 0003-KCM-another-memory-leak-fixed.patch
Patch0004: 0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
Patch0001: 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
Patch0002: 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
Patch0003: 0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch
Patch2002: 2002-orabug32810448-restore-default-debug-sss_cache.patch
### Dependencies ###
@ -1087,6 +1087,31 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Fri Nov 14 2025 EL Errata <el-errata_ww@oracle.com> - 2.9.7-4.0.1.1
- Restore default debug level for sss_cache [Orabug: 32810448]
* Fri Oct 17 2025 Tomas Halman <thalman@redhat.com - 2.9.7.4.1
- Resolves: RHEL-120298 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation
on AD-joined Linux systems
* Thu Aug 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-4
- Related: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]
Patch used to fix this ticket causes a regression (RHEL-106987) and is being reverted.
* Mon Jul 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-3
- Resolves: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]
- Resolves: RHEL-103434 - cache_credentials = true not working
* Wed Jun 11 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-2
- Related: RHEL-89873 - Rebase Samba to the latest 4.22.x release
* Tue May 20 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-1
- Resolves: RHEL-92622 - Rebase SSSD for RHEL 9.7
- Resolves: RHEL-87205 - SSSD fails to connect with ipv4_first when on a machine with only IPv6 and server is dual-stack [rhel-9]
- Resolves: RHEL-73906 - OAuth2 using UPN attribute from Entra ID
- Resolves: RHEL-92590 - SSSD LDAPU1 Mapping braces problem [rhel-9]
- Resolves: RHEL-90136 - backport https://github.com/SSSD/sssd/pull/7649
* Mon Apr 7 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4.2
- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
@ -1188,7 +1213,6 @@ fi
- Resolves: rhbz#2234829 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working)
- Resolves: rhbz#2236119 - dbus and crond getting terminated with SIGBUS in sss_client code
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
- Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system