diff --git a/.gitignore b/.gitignore
index dcf6eb8..45802ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.9.6.tar.gz
+SOURCES/sssd-2.9.7.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 917a0d0..5305089 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-da2490cf07d91fd340ce87ffc209fc2420ccf60c SOURCES/sssd-2.9.6.tar.gz
+b8c9deadb0f0a9b0afdea1dcfc3f0f955f8a7f64 SOURCES/sssd-2.9.7.tar.gz
diff --git a/SOURCES/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch b/SOURCES/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
deleted file mode 100644
index fcc2405..0000000
--- a/SOURCES/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
+++ /dev/null
@@ -1,83 +0,0 @@ -From 4f9fb5fd301d635ad54bf6d0ef93d6811445c7f9 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 22 May 2024 13:31:06 +0200 -Subject: [PATCH] SYSDB: Use SYSDB_NAME from cached entry when updating users - and groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The sysdb_store_user() and sysdb_store_group() functinos search for the -entry by name to check if it is already cached. This search considers -SYSDB_ALIAS, added when the domain is case insensitive. If a matching -entry is found use its SYSDB_NAME instead of the passed name. - -It may happen the group is stored in uppercase, but later some server -returns a memberOf attribute in lowercase. When updating the group to -add the memberships the first search will find the entry, but the modify -operation will fail as the group name in the built DN will differ in case. - -Signed-off-by: Samuel Cabrero - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Pavel Březina -(cherry picked from commit d2b734b926e1f23370c9cabd8ba6f07bf6b29a86) - -Reviewed-by: Justin Stephenson ---- - src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ - 1 file changed, 32 insertions(+) - -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 76f4580aa..32e49d759 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -2615,6 +2615,22 @@ int sysdb_store_user(struct sss_domain_info *domain, - } - } else { - /* the user exists, let's just replace attributes when set */ -+ /* -+ * The sysdb_search_user_by_name() function also matches lowercased -+ * aliases, saved when the domain is case-insensitive. This means that -+ * the stored entry name can differ in capitalization from the search -+ * name. Use the cached entry name to perform the modification because -+ * if name capitalization in entry's DN differs the modify operation -+ * will fail. 
-+ */ -+ const char *entry_name = -+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -+ if (entry_name != NULL) { -+ name = entry_name; -+ } else { -+ DEBUG(SSSDBG_MINOR_FAILURE, "User '%s' without a name?\n", name); -+ } -+ - ret = sysdb_store_user_attrs(domain, name, uid, gid, gecos, homedir, - shell, orig_dn, attrs, remove_attrs, - cache_timeout, now); -@@ -2849,6 +2865,22 @@ int sysdb_store_group(struct sss_domain_info *domain, - ret = sysdb_store_new_group(domain, name, gid, attrs, - cache_timeout, now); - } else { -+ /* -+ * The sysdb_search_group_by_name() function also matches lowercased -+ * aliases, saved when the domain is case-insensitive. This means that -+ * the stored entry name can differ in capitalization from the search -+ * name. Use the cached entry name to perform the modification because -+ * if name capitalization in entry's DN differs the modify operation -+ * will fail. -+ */ -+ const char *entry_name = -+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -+ if (entry_name != NULL) { -+ name = entry_name; -+ } else { -+ DEBUG(SSSDBG_MINOR_FAILURE, "Group '%s' without a name?\n", name); -+ } -+ - ret = sysdb_store_group_attrs(domain, name, gid, attrs, - cache_timeout, now); - } --- -2.47.0 - diff --git a/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch b/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch new file mode 100644 index 0000000..e23008a --- /dev/null +++ b/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch 
@@ -0,0 +1,42 @@
+From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 18 Jun 2025 14:30:57 +0200
+Subject: [PATCH 3/4] authtok: add IS_PW_OR_ST_AUTHTOK()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch adds a helper macro to determine if an authtok struct is of
+type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
+useful if a password is expected but an authentication token forwarded
+by an different PAM module, which is most probably a password, can be
+used as well.
+
+Resolves: https://github.com/SSSD/sssd/issues/7968
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Shridhar Gadekar
+Reviewed-by: Tomáš Halman
+(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
+---
+ src/util/authtok.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/authtok.h b/src/util/authtok.h
+index b58e9dbbd..acabb7078 100644
+--- a/src/util/authtok.h
++++ b/src/util/authtok.h
+@@ -28,6 +28,10 @@
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
++#define IS_PW_OR_ST_AUTHTOK(tok) ( \
++ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
++ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
++
+
+ /* Use sss_authtok_* accessor functions instead of struct sss_auth_token
+ */
+--
+2.50.0
+
diff --git a/SOURCES/0002-KCM-fix-memory-leak.patch b/SOURCES/0002-KCM-fix-memory-leak.patch
deleted file mode 100644
index f899f57..0000000
--- a/SOURCES/0002-KCM-fix-memory-leak.patch
+++ /dev/null
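Review bot: The new `IS_PW_OR_ST_AUTHTOK()` macro in authtok.h is added without a comment stating the assumption it encodes, namely that a `SSS_AUTHTOK_TYPE_PAM_STACKED` token is treated as a password; the patch description itself says such a token is only "most probably a password", which is exactly the caveat a caller needs to see at the definition. Suggest `/* A PAM_STACKED token was forwarded by another PAM module and is assumed to hold a password; only use this where a 2FA/OTP token cannot reach the caller. */` above the `#define`. Like the neighbouring `IS_SC_AUTHTOK()`, the macro evaluates `tok` twice through two `sss_authtok_get_type()` calls, so it must never be given an expression with side effects; a `static inline bool` helper would remove that hazard, though consistency with the existing macro is a fair reason to keep the form.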
@@ -1,93 +0,0 @@ -From 6aba9a7dd2261c19f053d5fbd5358fdaf335b807 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 5 Feb 2025 08:59:49 +0100 -Subject: [PATCH] KCM: fix memory leak -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The copy of 'secret' argument - `secret_val.data` - was left hanging -on `sss_sec_ctx`, effectively resulting in a memory leak. -But this copy isn't actually required as this data isn't modified in -below operations. - -This is a backport of https://github.com/SSSD/sssd/pull/7823 - -:fixes:'sssd_kcm' memory leak was fixed. - -Reviewed-by: Alejandro López -Reviewed-by: Justin Stephenson ---- - src/responder/kcm/secrets/secrets.c | 28 ++++++++++++---------------- - 1 file changed, 12 insertions(+), 16 deletions(-) - -diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c -index 730fa68b6..d1a9672d5 100644 ---- a/src/responder/kcm/secrets/secrets.c -+++ b/src/responder/kcm/secrets/secrets.c -@@ -953,7 +953,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, - size_t secret_len) - { - struct ldb_message *msg; -- struct ldb_val secret_val; -+ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; - int ret; - - if (req == NULL || secret == NULL) { -@@ -1002,13 +1002,11 @@ errno_t sss_sec_put(struct sss_sec_req *req, - goto done; - } - -- secret_val.length = secret_len; -- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); -- if (!secret_val.data) { -- ret = ENOMEM; -- goto done; -- } -- -+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data -+ * but rather copies a pointer under the hood. -+ * This is fine since no operations modifying this data are performed -+ * below and 'msg' is freed before function returns. 
-+ */ - ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -1050,7 +1048,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, - size_t secret_len) - { - struct ldb_message *msg; -- struct ldb_val secret_val; -+ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; - int ret; - - if (req == NULL || secret == NULL) { -@@ -1099,13 +1097,6 @@ errno_t sss_sec_update(struct sss_sec_req *req, - goto done; - } - -- secret_val.length = secret_len; -- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); -- if (!secret_val.data) { -- ret = ENOMEM; -- goto done; -- } -- - /* FIXME - should we have a lastUpdate timestamp? */ - ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { -@@ -1115,6 +1106,11 @@ errno_t sss_sec_update(struct sss_sec_req *req, - goto done; - } - -+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data -+ * but rather copies a pointer under the hood. -+ * This is fine since no operations modifying this data are performed -+ * below and 'msg' is freed before function returns. -+ */ - ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); - if (ret != LDB_SUCCESS) { - DEBUG(SSSDBG_MINOR_FAILURE, --- -2.47.0 - diff --git a/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch b/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch new file mode 100644 index 0000000..98e3788 --- /dev/null +++ b/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch 
@@ -0,0 +1,104 @@
+From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 10 Jun 2025 14:22:19 +0200
+Subject: [PATCH 4/4] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
+handle credentials forwarded by other PAM modules. Before it was
+unconditionally assumed that it is a password and hence
+SSS_AUTHTOK_TYPE_PASSWORD was used.
+
+When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
+already handled but currently offline use-cases fail because here only
+SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
+SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
+credentials as well.
+
+Resolves: https://github.com/SSSD/sssd/issues/7968
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Shridhar Gadekar
+Reviewed-by: Tomáš Halman
+(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
+---
+ src/providers/krb5/krb5_auth.c | 11 +++++++----
+ src/providers/krb5/krb5_child.c | 4 ++++
+ .../krb5/krb5_delayed_online_authentication.c | 2 +-
+ src/responder/pam/pamsrv_cmd.c | 1 +
+ 4 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index 07e4d807f..fb2f58869 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
+ domain->cache_credentials_min_ff_length);
+ ret = EINVAL;
+ }
+- } else if (sss_authtok_get_type(pd->authtok) ==
+- SSS_AUTHTOK_TYPE_PASSWORD) {
++ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
++ /* At this point we can be sure that
++ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
++ * krb5_auth_store_creds() is not called if 2FA/otp was used,
++ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
++ */
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
+@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
+ if (kr->is_offline) {
+ if (dp_opt_get_bool(kr->krb5_ctx->opts,
+ KRB5_STORE_PASSWORD_IF_OFFLINE)
+- && sss_authtok_get_type(pd->authtok)
+- == SSS_AUTHTOK_TYPE_PASSWORD) {
++ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
+ krb5_auth_cache_creds(state->kr->krb5_ctx,
+ state->domain,
+ state->be_ctx->cdb,
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 5830305a0..21ec38627 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+
++ if (kerr == EAGAIN) {
++ kerr = KRB5_KDC_UNREACH;
++ }
++
+ /* Special case for IPA password migration */
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+ && kerr == KRB5_PREAUTH_FAILED
+diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
+index f88d8ab9b..1fac986a6 100644
+--- a/src/providers/krb5/krb5_delayed_online_authentication.c
++++ b/src/providers/krb5/krb5_delayed_online_authentication.c
+@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
+ return EINVAL;
+ }
+
+- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
++ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid authtok for user [%s].\n", pd->user);
+ return EINVAL;
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index d4cb421f4..c6a436069 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
+
+ switch (sss_authtok_get_type(authtok)) {
+ case SSS_AUTHTOK_TYPE_PASSWORD:
++ case SSS_AUTHTOK_TYPE_PAM_STACKED:
+ ret = sss_authtok_get_password(authtok, password, NULL);
+ break;
+ case SSS_AUTHTOK_TYPE_2FA:
+--
+2.50.0
+
diff --git a/SOURCES/0003-KCM-another-memory-leak-fixed.patch b/SOURCES/0003-KCM-another-memory-leak-fixed.patch
deleted file mode 100644
index 922fbdc..0000000
--- a/SOURCES/0003-KCM-another-memory-leak-fixed.patch
+++ /dev/null
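Review bot: The `if (kerr == EAGAIN) { kerr = KRB5_KDC_UNREACH; }` added to `get_and_save_tgt()` in the krb5_child.c part of this patch is neither mentioned in the patch description, which only covers `SSS_AUTHTOK_TYPE_PAM_STACKED`, nor commented in the code, yet it rewrites a transient error into a "KDC unreachable" result, which presumably is what lets the caller take the offline path. Suggest a comment on that block such as `/* Treat a transient EAGAIN like an unreachable KDC so the caller can fall back to offline handling (issue 7968) */`, or a sentence in the description, so the next reader does not mistake it for a stray hunk. In `krb5_auth_store_creds()` the new comment asserts that the PAM_STACKED token "is a password because krb5_auth_store_creds() is not called if 2FA/otp was used"; that guarantee lives at call sites outside this hunk and is what keeps a forwarded non-password token from being hashed into the offline credential cache, so it is better stated as an invariant callers must preserve than as a settled fact. The enclosing function of every inner hunk starts and ends outside this patch.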
@@ -1,59 +0,0 @@ -From e7c76df8c0fa4a361c433684553ba1384166a564 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 12 Feb 2025 11:30:22 +0100 -Subject: [PATCH] KCM: another memory leak fixed -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -``` -... - talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0 - talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90 - talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520 -... -``` - -Reviewed-by: Alejandro López -(cherry picked from commit 9e72bc242b600158d7920b2b98644efa42fd1ffa) ---- - src/responder/kcm/kcmsrv_ccache.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c -index 6e4ea64e0..4f4f8b46a 100644 ---- a/src/responder/kcm/kcmsrv_ccache.c -+++ b/src/responder/kcm/kcmsrv_ccache.c -@@ -404,7 +404,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { -- goto done; -+ goto fail; - } - - for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) { -@@ -417,7 +417,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, - cred_list[i] = kcm_cred_to_krb5(krb_context, cred); - if (cred_list[i] == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n"); -- goto done; -+ goto fail; - } - } - -@@ -426,8 +426,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, - - talloc_steal(mem_ctx, cred_list); - -+ talloc_free(tmp_ctx); - return cred_list; --done: -+ -+fail: - talloc_free(tmp_ctx); - return NULL; - #endif --- -2.47.0 - diff --git a/SOURCES/0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch b/SOURCES/0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch new file mode 100644 index 0000000..60d3d0d --- /dev/null 
+++ b/SOURCES/0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch
@@ -0,0 +1,39 @@
+commit 9939c39d1949fad48af2f0b43c788bad0809e310
+Author: Sumit Bose
+Date: Fri Oct 10 12:57:40 2025 +0200
+
+ krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+
+ If a client is joined to AD or IPA SSSD's localauth plugin can handle
+ the mapping of Kerberos principals to local accounts. In case it cannot
+ map the Kerberos principals libkrb5 is currently configured to fall back
+ to the default localauth plugins 'default', 'rule', 'names',
+ 'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+ All plugins except 'an2ln' require some explicit configuration by either
+ the administrator or the local user. To avoid some unexpected mapping is
+ done by the 'an2ln' plugin this patch disables it in the configuration
+ snippets for SSSD's localauth plugin.
+
+ Resolves: https://github.com/SSSD/sssd/issues/8021
+
+ :relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+ Reviewed-by: Alexey Tikhonov
+ Reviewed-by: Pavel Březina
+
+diff -up sssd-2.9.7/src/util/domain_info_utils.c.orig sssd-2.9.7/src/util/domain_info_utils.c
+--- sssd-2.9.7/src/util/domain_info_utils.c.orig 2025-05-20 16:51:32.000000000 +0200
++++ sssd-2.9.7/src/util/domain_info_utils.c 2025-10-20 10:55:54.008139333 +0200
+@@ -751,6 +751,7 @@ done:
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++" disable = an2ln\n" \
+ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+
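Review bot: The added `" disable = an2ln\n"` line in `LOCALAUTH_PLUGIN_CONFIG` carries no comment in the C source explaining why that one plugin is disabled, so the security reasoning survives only in this patch header and is lost once the patch is merged into the tarball. Suggest a comment above the `#define`, e.g. `/* an2ln is the only fallback localauth plugin that needs no explicit configuration, so it is disabled to prevent unexpected principal-to-local mappings when the SSSD plugin declines (CVE-2025-11561) */`. The relnote already states the caveat that the fix only takes effect where the generated snippet is actually included in the Kerberos configuration; if the spec changelog, which is cut off at the end of this diff, does not repeat it, it is worth carrying there, since hosts that manage krb5.conf by hand keep the old behaviour. The `done:` label in the inner hunk header shows the macro follows a function that ends outside this hunk.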
diff --git a/SOURCES/0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch b/SOURCES/0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch deleted file mode 100644 index d9fc4c7..0000000 --- a/SOURCES/0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch +++ /dev/null 
@@ -1,441 +0,0 @@ -From addb1a78106cab8a85f8f6c56d79e84b5abd0d5e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 14 Feb 2025 21:15:16 +0100 -Subject: [PATCH] SYSDB: don't add group members if 'ignore_group_members == - true' -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: https://github.com/SSSD/sssd/issues/7793 - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose -(cherry picked from commit 281d9c3ed66ee28a9572433a629eb0d72525ca46) ---- - src/db/sysdb.h | 51 ++++++--- - src/db/sysdb_search.c | 6 +- - src/db/sysdb_views.c | 10 +- - src/tests/cmocka/test_responder_cache_req.c | 112 +++++++------------- - src/tests/cmocka/test_sysdb_ts_cache.c | 6 +- - src/tools/sss_override.c | 2 +- - 6 files changed, 90 insertions(+), 97 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 55c6437f2..fb1ced009 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -276,19 +276,44 @@ - SYSDB_ORIG_DN, \ - NULL} - --#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \ -- SYSDB_MEMBERUID, \ -- SYSDB_MEMBER, \ -- SYSDB_GHOST, \ -- SYSDB_DEFAULT_ATTRS, \ -- SYSDB_SID_STR, \ -- SYSDB_OVERRIDE_DN, \ -- SYSDB_OVERRIDE_OBJECT_DN, \ -- SYSDB_DEFAULT_OVERRIDE_NAME, \ -- SYSDB_UUID, \ -- ORIGINALAD_PREFIX SYSDB_NAME, \ -- ORIGINALAD_PREFIX SYSDB_GIDNUM, \ -- NULL} -+/* Strictly speaking it should return 'const char * const *' but -+ * that gets really unreadable. 
-+ */ -+__attribute__((always_inline)) -+static inline const char **SYSDB_GRSRC_ATTRS(const struct sss_domain_info *domain) -+{ -+ static const char * __SYSDB_GRSRC_ATTRS_NO_MEMBERS[] = { -+ SYSDB_NAME, SYSDB_GIDNUM, -+ SYSDB_DEFAULT_ATTRS, -+ SYSDB_SID_STR, -+ SYSDB_OVERRIDE_DN, -+ SYSDB_OVERRIDE_OBJECT_DN, -+ SYSDB_DEFAULT_OVERRIDE_NAME, -+ SYSDB_UUID, -+ NULL -+ }; -+ static const char * __SYSDB_GRSRC_ATTRS_WITH_MEMBERS[] = { -+ SYSDB_NAME, SYSDB_GIDNUM, -+ SYSDB_MEMBERUID, -+ SYSDB_MEMBER, -+ SYSDB_GHOST, -+ SYSDB_DEFAULT_ATTRS, -+ SYSDB_SID_STR, -+ SYSDB_OVERRIDE_DN, -+ SYSDB_OVERRIDE_OBJECT_DN, -+ SYSDB_DEFAULT_OVERRIDE_NAME, -+ SYSDB_UUID, -+ ORIGINALAD_PREFIX SYSDB_NAME, -+ ORIGINALAD_PREFIX SYSDB_GIDNUM, -+ NULL -+ }; -+ -+ if (domain && domain->ignore_group_members) { -+ return __SYSDB_GRSRC_ATTRS_NO_MEMBERS; -+ } else { -+ return __SYSDB_GRSRC_ATTRS_WITH_MEMBERS; -+ } -+} - - #define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \ - SYSDB_NETGROUP_MEMBER, \ -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index e4c53b853..7f34ddbcb 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -1176,7 +1176,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, - struct ldb_result **_res) - { - TALLOC_CTX *tmp_ctx; -- static const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - const char *fmt_filter; - char *sanitized_name; - struct ldb_dn *base_dn; -@@ -1378,7 +1378,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx, - struct ldb_dn *base_dn; - struct ldb_result *res = NULL; - int ret; -- static const char *default_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **default_attrs = SYSDB_GRSRC_ATTRS(domain); - const char **attrs = NULL; - - tmp_ctx = talloc_new(NULL); -@@ -1484,7 +1484,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx, - struct ldb_result **_res) - { - TALLOC_CTX *tmp_ctx; -- static const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - const char 
*filter = NULL; - const char *ts_filter = NULL; - const char *base_filter; -diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c -index 19c10977b..71f627974 100644 ---- a/src/db/sysdb_views.c -+++ b/src/db/sysdb_views.c -@@ -1237,7 +1237,7 @@ errno_t sysdb_search_group_override_by_name(TALLOC_CTX *mem_ctx, - struct ldb_result **override_obj, - struct ldb_result **orig_obj) - { -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - - return sysdb_search_override_by_name(mem_ctx, domain, name, - SYSDB_GROUP_NAME_OVERRIDE_FILTER, -@@ -1253,7 +1253,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx, - { - TALLOC_CTX *tmp_ctx; - static const char *user_attrs[] = SYSDB_PW_ATTRS; -- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); - const char **attrs; - struct ldb_dn *base_dn; - struct ldb_result *override_res; -@@ -1417,7 +1417,7 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain, - struct ldb_message *override; - uint64_t uid; - static const char *user_attrs[] = SYSDB_PW_ATTRS; -- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); /* members don't matter */ - const char **attrs; - struct attr_map { - const char *attr; -@@ -1551,6 +1551,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain, - char *val; - struct sss_domain_info *orig_dom; - -+ if (domain->ignore_group_members) { -+ return EOK; -+ } -+ - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c -index fe69a9dfd..c665e1adb 100644 ---- a/src/tests/cmocka/test_responder_cache_req.c -+++ b/src/tests/cmocka/test_responder_cache_req.c -@@ -3282,10 +3282,8 @@ void test_object_by_sid_user_multiple_domains_notfound(void **state) - - void 
test_object_by_sid_group_cache_valid(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. */ - prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL)); -@@ -3298,10 +3296,8 @@ void test_object_by_sid_group_cache_valid(void **state) - - void test_object_by_sid_group_cache_expired(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. */ - prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL)); -@@ -3320,10 +3316,8 @@ void test_object_by_sid_group_cache_expired(void **state) - - void test_object_by_sid_group_cache_midpoint(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. 
*/ - prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26); -@@ -3341,12 +3335,10 @@ void test_object_by_sid_group_cache_midpoint(void **state) - - void test_object_by_sid_group_ncache(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - errno_t ret; - -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -- - /* Setup user. */ - ret = sss_ncache_set_sid(test_ctx->ncache, false, test_ctx->tctx->dom, groups[0].sid); - assert_int_equal(ret, EOK); -@@ -3359,10 +3351,8 @@ void test_object_by_sid_group_ncache(void **state) - - void test_object_by_sid_group_missing_found(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. */ - will_return(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3380,10 +3370,8 @@ void test_object_by_sid_group_missing_found(void **state) - - void test_object_by_sid_group_missing_notfound(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. 
*/ - will_return(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3397,17 +3385,13 @@ void test_object_by_sid_group_missing_notfound(void **state) - - void test_object_by_sid_group_multiple_domains_found(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- struct sss_domain_info *domain = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -- -- /* Setup user. */ -- domain = find_domain_by_name(test_ctx->tctx->dom, -- "responder_cache_req_test_d", true); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom, -+ "responder_cache_req_test_d", true); - assert_non_null(domain); -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - -+ /* Setup user. */ - prepare_group(domain, &groups[0], 1000, time(NULL)); - - /* Mock values. */ -@@ -3423,10 +3407,8 @@ void test_object_by_sid_group_multiple_domains_found(void **state) - - void test_object_by_sid_group_multiple_domains_notfound(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. 
*/ - will_return_always(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3605,10 +3587,8 @@ void test_object_by_id_user_multiple_domains_notfound(void **state) - - void test_object_by_id_group_cache_valid(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. */ - prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL)); -@@ -3620,10 +3600,8 @@ void test_object_by_id_group_cache_valid(void **state) - - void test_object_by_id_group_cache_expired(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. */ - prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL)); -@@ -3641,10 +3619,8 @@ void test_object_by_id_group_cache_expired(void **state) - - void test_object_by_id_group_cache_midpoint(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. 
*/ - prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26); -@@ -3661,12 +3637,10 @@ void test_object_by_id_group_cache_midpoint(void **state) - - void test_object_by_id_group_ncache(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - errno_t ret; - -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -- - /* Setup group. We explicitly add the UID into BOTH UID and GID - * namespaces, because otherwise the cache_req plugin would - * search the Data Provider anyway, because it can't be sure -@@ -3693,10 +3667,8 @@ void test_object_by_id_group_ncache(void **state) - - void test_object_by_id_group_missing_found(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. */ - will_return(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3713,10 +3685,8 @@ void test_object_by_id_group_missing_found(void **state) - - void test_object_by_id_group_missing_notfound(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. 
*/ - will_return(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3729,17 +3699,13 @@ void test_object_by_id_group_missing_notfound(void **state) - - void test_object_by_id_group_multiple_domains_found(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- struct sss_domain_info *domain = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -- -- /* Setup user. */ -- domain = find_domain_by_name(test_ctx->tctx->dom, -- "responder_cache_req_test_d", true); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom, -+ "responder_cache_req_test_d", true); - assert_non_null(domain); -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - -+ /* Setup user. */ - prepare_group(domain, &groups[0], 1000, time(NULL)); - - /* Mock values. */ -@@ -3755,10 +3721,8 @@ void test_object_by_id_group_multiple_domains_found(void **state) - - void test_object_by_id_group_multiple_domains_notfound(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. 
*/ - will_return_always(__wrap_sss_dp_get_account_send, test_ctx); -diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c -index 24b26d950..f349b7061 100644 ---- a/src/tests/cmocka/test_sysdb_ts_cache.c -+++ b/src/tests/cmocka/test_sysdb_ts_cache.c -@@ -694,7 +694,7 @@ static void test_sysdb_getgr_merges(void **state) - struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, - struct sysdb_ts_test_ctx); - struct sysdb_attrs *group_attrs = NULL; -- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - char *filter = NULL; - struct ldb_result *res = NULL; - size_t msgs_count; -@@ -783,7 +783,7 @@ static void test_merge_ldb_results(void **state) - int ret; - struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, - struct sysdb_ts_test_ctx); -- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - char *filter; - struct ldb_result *res; - struct ldb_result *res1; -@@ -856,7 +856,7 @@ static void test_group_bysid(void **state) - int ret; - struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, - struct sysdb_ts_test_ctx); -- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - struct sysdb_attrs *group_attrs = NULL; - struct ldb_result *res; - struct ldb_message *msg = NULL; -diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c -index cfd8f17fa..a20859c4d 100644 ---- a/src/tools/sss_override.c -+++ b/src/tools/sss_override.c -@@ -1218,7 +1218,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx, - size_t count; - size_t i; - errno_t ret; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - const char *fqname; - char *name; - --- -2.47.0 - 
diff --git a/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch b/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch
new file mode 100644
index 0000000..fbf8d90
--- /dev/null
+++ b/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch
@@ -0,0 +1,26 @@
+From: Alex Burmashev
+Date: Tue, 04 May 2021 13:31:41 +0100
+Subject: [PATCH] restore default debug level for sss_cache
+
+We want only fatal failures to be logged, otherwise in some conditions log is.
+flooded with unneeded "errors"
+
+Resolves: https://github.com/SSSD/sssd/issues/5488
+
+Orabug: 32810448
+Signed-off-by: Alex Burmashev
+
+Patch migrated from ol8 to ol9 without any modification
+Signed-off-by: Darren Archibald
+diff -ruN sssd-2.4.0.orig/src/tools/sss_cache.c sssd-2.4.0/src/tools/sss_cache.c
+--- sssd-2.4.0.orig/src/tools/sss_cache.c 2021-06-29 12:48:07.035970021 -0700
++++ sssd-2.4.0/src/tools/sss_cache.c 2021-06-29 13:11:23.126918933 -0700
+@@ -709,7 +709,7 @@
+ struct cache_tool_ctx *ctx = NULL;
+ int idb = INVALIDATE_NONE;
+ struct input_values values = { 0 };
+- int debug = SSSDBG_TOOLS_DEFAULT;
++ int debug = SSSDBG_FATAL_FAILURE;
+ errno_t ret = EOK;
+
+ poptContext pc = NULL;
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 9edf02e..910b8d7 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
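Review bot: The new default `int debug = SSSDBG_FATAL_FAILURE;` silences every non-fatal DEBUG() message sss_cache would otherwise emit, not only the spurious "errors" the description targets; if the noise comes from a few specific messages, demoting those keeps genuine invalidation failures visible by default, whereas this change shows them only when the operator raises the level (presumably through a --debug option, which is outside the hunk). The enclosing main() begins before and ends after the hunk, so where `debug` is consumed cannot be checked here. The hunk was generated against sssd-2.4.0 (`@@ -709,7 +709,7 @@`) while the spec now builds 2.9.7 and the header says it was migrated without modification, so it likely applies only by offset; regenerating it against the 2.9.7 tree would make future context drift fail loudly instead of silently. The description also has a stray sentence break and should read `otherwise in some conditions the log is flooded with unneeded "errors"`.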
@@ -26,18 +26,18 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version})
 Name: sssd
-Version: 2.9.6
-Release: 4%{?dist}.2
+Version: 2.9.7
+Release: 4.0.1%{?dist}.1
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-Patch0001: 0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
-Patch0002: 0002-KCM-fix-memory-leak.patch
-Patch0003: 0003-KCM-another-memory-leak-fixed.patch
-Patch0004: 0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
+Patch0001: 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
+Patch0002: 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
+Patch0003: 0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch
+Patch2002: 2002-orabug32810448-restore-default-debug-sss_cache.patch
 ### Dependencies ###
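Review bot: The jump from Patch0003 to Patch2002 is left unexplained in the spec; a one-line comment above the new entry, e.g. `# 2xxx: downstream-only (Orabug) patches, kept apart from the upstream/RHEL backport series`, would tell the next maintainer the gap is deliberate — the Orabug tag in the patch's own header suggests this, but the spec does not say so. The new Patch0001–Patch0003 files referenced here are not visible in this chunk of the diff, so confirm they were added to SOURCES alongside the removal of the old 0001–0004 series, otherwise the build would fail at %prep when the sources are missing.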
@@ -1087,6 +1087,31 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri Nov 14 2025 EL Errata - 2.9.7-4.0.1.1 +- Restore default debug level for sss_cache [Orabug: 32810448] + +* Fri Oct 17 2025 Tomas Halman - 2.9.7-4 +- Related: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9] + Patch used to fix this ticket causes a regression (RHEL-106987) and is being reverted. + +* Mon Jul 14 2025 Alexey Tikhonov - 2.9.7-3 +- Resolves: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9] +- Resolves: RHEL-103434 - cache_credentials = true not working + +* Wed Jun 11 2025 Alexey Tikhonov - 2.9.7-2 +- Related: RHEL-89873 - Rebase Samba to the latest 4.22.x release + +* Tue May 20 2025 Alexey Tikhonov - 2.9.7-1 +- Resolves: RHEL-92622 - Rebase SSSD for RHEL 9.7 +- Resolves: RHEL-87205 - SSSD fails to connect with ipv4_first when on a machine with only IPv6 and server is dual-stack [rhel-9] +- Resolves: RHEL-73906 - OAuth2 using UPN attribute from Entra ID +- Resolves: RHEL-92590 - SSSD LDAPU1 Mapping braces problem [rhel-9] +- Resolves: RHEL-90136 - backport https://github.com/SSSD/sssd/pull/7649 + * Mon Apr 7 2025 Alexey Tikhonov - 2.9.6-4.2 - Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9] @@ -1188,7 +1213,6 @@ fi - Resolves: rhbz#2234829 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working) - Resolves: rhbz#2236119 - dbus and crond getting terminated with SIGBUS in sss_client code - * Mon Jul 10 2023 Alexey Tikhonov - 2.9.1-2 - Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system