From 4b4375f35d0451d95a73919bd59696409b9ac3bb Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Fri, 7 Nov 2025 07:11:12 +0000
Subject: [PATCH] import OL sssd-2.10.2-3.0.1.el10_0.3
---
 ...beros-localauth-an2ln-plugin-for-AD-.patch | 49 +++++++++++++++++++
 ...0448-restore-default-debug-sss_cache.patch | 26 ++++++++++
 sssd.spec | 10 +++-
 3 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
 create mode 100644 2002-orabug32810448-restore-default-debug-sss_cache.patch
diff --git a/0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch b/0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
new file mode 100644
index 0000000..98ccfbd
--- /dev/null
+++ b/0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
@@ -0,0 +1,49 @@
+From e9da1315ec32e2eb65e4159b2318f8a756768b9d Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Pavel Březina
+(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index 79400e901..4a27e8123 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -747,6 +747,7 @@ done:
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++" disable = an2ln\n" \
+ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+ 
+--
+2.51.0
+
diff --git a/2002-orabug32810448-restore-default-debug-sss_cache.patch b/2002-orabug32810448-restore-default-debug-sss_cache.patch
new file mode 100644
index 0000000..0d56be5
--- /dev/null
+++ b/2002-orabug32810448-restore-default-debug-sss_cache.patch
@@ -0,0 +1,26 @@
+From: Alex Burmashev
+Date: Tue, 04 May 2021 13:31:41 +0100
+Subject: [PATCH] restore default debug level for sss_cache
+
+We want only fatal failures to be logged, otherwise in some conditions log is.
+flooded with unneeded "errors"
+
+Resolves: https://github.com/SSSD/sssd/issues/5488
+
+Orabug: 32810448
+Signed-off-by: Alex Burmashev
+
+Patch migrated from ol8 to ol9 without any modification
+Signed-off-by: Darren Archibald
+diff -uNr a/src/tools/sss_cache.c b/src/tools/sss_cache.c
+--- a/src/tools/sss_cache.c 2024-06-26 02:11:39.000000000 -0700
++++ b/src/tools/sss_cache.c 2024-09-05 16:17:12.686336046 -0700
+@@ -722,7 +722,7 @@
+ struct cache_tool_ctx *ctx = NULL;
+ int idb = INVALIDATE_NONE;
+ struct input_values values = { 0 };
+- int debug = SSSDBG_TOOLS_DEFAULT;
++ int debug = SSSDBG_FATAL_FAILURE;
+ errno_t ret = EOK;
+ 
+ poptContext pc = NULL;
diff --git a/sssd.spec b/sssd.spec
index c56e263..6847dbf 100644
--- a/sssd.spec
+++ b/sssd.spec
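Review bot: The `disable = an2ln` line added to LOCALAUTH_PLUGIN_CONFIG only protects a host whose krb5.conf actually pulls in the snippet SSSD generates, as the `:relnote:` lines in the patch header say themselves (`If this file or its content are included in the Kerberos configuration it will fix CVE-2025-11561`), and as far as these hunks show nothing in the import records that precondition where a packager or operator would look for it. Per the same note the snippet is written at startup, so a running host picks up the change only after the daemon restarts; the `%systemd_postun_with_restart sssd.service` scriptlet visible as context in the sssd.spec hunk appears to cover the upgrade case, but a host whose /etc/krb5.conf has no `includedir` for /var/lib/sss/pubconf/krb5.include.d/ stays on the old mapping with no error. I would put the caveat next to the `Patch0004:` tag in sssd.spec, e.g. `# CVE-2025-11561: only effective where krb5.conf includes /var/lib/sss/pubconf/krb5.include.d/`. The embedded C change is a single macro line at file scope, so no enclosing function is cut by this hunk.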
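Review bot: Defaulting `debug` to `SSSDBG_FATAL_FAILURE` in sss_cache suppresses every message below fatal, so invalidation errors that surfaced at `SSSDBG_TOOLS_DEFAULT` will no longer reach an operator unless a higher level is requested explicitly; the patch header justifies the change by log flooding but does not state that trade-off, and I would add a line to it such as `Note: non-fatal sss_cache errors are no longer logged by default; raise the debug level to see them.` The 2021 header says the patch was migrated ol8→ol9 "without any modification" and it is now imported into the 2.10.2 el10 package with no sign of revalidation; the `diff -uNr` hunk at `@@ -722,7 +722,7 @@` carries no function context and no index line, so whether it still lands in the intended function cannot be confirmed from here (the enclosing function starts and ends outside the hunk). The description also contains a stray period in `log is. flooded`.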
@@ -57,17 +57,19 @@
 Name: sssd
 Version: 2.10.2
-Release: 3%{?dist}.2
+Release: 3.0.1%{?dist}.3
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/2.10.2/sssd-2.10.2.tar.gz
 Source1: sssd.sysusers
+Patch2002: 2002-orabug32810448-restore-default-debug-sss_cache.patch
 ### Patches ###
 Patch0001: 0001-KCM-fix-memory-leak.patch
 Patch0002: 0002-KCM-another-memory-leak-fixed.patch
 Patch0003: 0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
+Patch0004: 0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
 ### Dependencies ###
@@ -1118,6 +1120,12 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Thu Nov 06 2025 EL Errata - 2.10.2-3.0.1.3
+- Restore default debug level for sss_cache [Orabug: 32810448]
+
+* Mon Oct 20 2025 Masahiro Matsuya - 2.10.2-3.3
+- Resolves: RHEL-120286 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-10.0.z]
+
 * Mon Apr 7 2025 Alexey Tikhonov - 2.10.2-3.2
 - Resolves: RHEL-79158 - Disk cache failure with large db sizes
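Review bot: `Patch2002:` is declared above the `### Patches ###` banner, apart from the numbered upstream block where `Patch0004:` is added in the same hunk, so the one downstream-only patch is the easiest to overlook when the upstream patch set is next refreshed; I would move it below `Patch0004:` or give it its own `### Oracle patches ###` header. How the patches are applied is outside this hunk: if %prep uses %autosetup the numbering already applies 2002 after 0004, but if patches are applied with explicit `%patch` lines a matching entry for 2002 is needed there as well. The changelog hunk is consistent with the Release bump to `3.0.1%{?dist}.3` and needs no change.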