From 460a59ec3d24a82ee3ba488b38e481835500f34e Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Tue, 22 Oct 2019 10:04:39 -0700
Subject: [PATCH] Backport PR #904 to fix RHBZ #1757224
---
 ...KCM-Set-kdc_offset-to-zero-initially.patch | 41 +++++++++++++++++++
 sssd.spec | 11 ++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 0001-KCM-Set-kdc_offset-to-zero-initially.patch
diff --git a/0001-KCM-Set-kdc_offset-to-zero-initially.patch b/0001-KCM-Set-kdc_offset-to-zero-initially.patch
new file mode 100644
index 0000000..7973969
--- /dev/null
+++ b/0001-KCM-Set-kdc_offset-to-zero-initially.patch
@@ -0,0 +1,41 @@
+From 2c9bdcf579e430fa8f7e5595a17cf7242adb5216 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 11 Oct 2019 09:20:20 +0200
+Subject: [PATCH] KCM: Set kdc_offset to zero initially
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4100
+
+KCM assumed that the client library would always set the KDC offset, but
+that's not always the case, especially when using multiple krb contexts
+from the client application:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1757224#c64
+
+Heimdal also creates ccaches with zero kdc_offset:
+ https://github.com/heimdal/heimdal/commit/9f58896af958ae5e6e3ebde8c48dad4eda841986
+so we should do the same..
+
+Reviewed-by: Michal Židek
+Reviewed-by: Robbie Harwood
+---
+ src/responder/kcm/kcmsrv_ccache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
+index e24da9aa2..66e2752ba 100644
+--- a/src/responder/kcm/kcmsrv_ccache.c
++++ b/src/responder/kcm/kcmsrv_ccache.c
+@@ -82,7 +82,7 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
+
+ cc->owner.uid = cli_creds_get_uid(owner);
+ cc->owner.gid = cli_creds_get_gid(owner);
+- cc->kdc_offset = INT32_MAX;
++ cc->kdc_offset = 0;
+
+ talloc_set_destructor(cc, kcm_cc_destructor);
+ *_cc = cc;
+--
+2.23.0
+
diff --git a/sssd.spec b/sssd.spec
index 768b5ad..e220eff 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -36,7 +36,7 @@
 
 Name: sssd
 Version: 2.2.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
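Review bot: The new initial value in the embedded kcmsrv_ccache.c hunk of 0001-KCM-Set-kdc_offset-to-zero-initially.patch, `cc->kdc_offset = 0;`, is left without a comment, so the reason for it exists only in the patch's commit message; a line such as `/* clients do not always set the KDC offset; start at 0 as Heimdal does */` above the assignment would stop a later change from restoring a sentinel. Dropping INT32_MAX also means a ccache whose client never stored an offset can no longer be told apart from one with a genuine zero offset, so any code outside this hunk that tested for the old sentinel is presumably worth a check. kcm_cc_new starts and ends outside the hunk.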
@@ -44,6 +44,11 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 
 ### Patches ###
 
+# Fix KCM cached tickets behaving as if expired shortly after issue
+# https://github.com/SSSD/sssd/pull/904
+# https://bugzilla.redhat.com/show_bug.cgi?id=1757224
+Patch0: 0001-KCM-Set-kdc_offset-to-zero-initially.patch
+
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 
@@ -1067,6 +1072,10 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Tue Oct 22 2019 Adam Williamson - 2.2.2-2
+- Resolves: rhbz#1757224 - Tickets act like they're expiring prematurely
+ when using KCM cache
+
 * Wed Sep 11 2019 Michal Židek - 2.2.2-1
 - Update to latest released upstream version
 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_2.html