From 4cdadec076f335ecb2bce44b7022f50ef444ae37 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Mon, 17 Jan 2022 20:04:23 +0100
Subject: [PATCH] Resolves: rhbz#2035244 - AD Domain in the AD Forest Missing after sssd latest update Resolves: rhbz#2041560 - sssd does not use kerberos port that is set.
---
 ...red-cn-attribute-to-subdomain-object.patch | 42 ++++++
 ...D-and-IPA-don-t-change-Kerberos-port.patch | 140 ++++++++++++++++++
 sssd.spec | 12 +-
 3 files changed, 191 insertions(+), 3 deletions(-)
 create mode 100644 0003-ad-add-required-cn-attribute-to-subdomain-object.patch
 create mode 100644 0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
diff --git a/0003-ad-add-required-cn-attribute-to-subdomain-object.patch b/0003-ad-add-required-cn-attribute-to-subdomain-object.patch
new file mode 100644
index 0000000..2ff9888
--- /dev/null
+++ b/0003-ad-add-required-cn-attribute-to-subdomain-object.patch
@@ -0,0 +1,42 @@
+From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 16 Dec 2021 11:14:18 +0100
+Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the forest root is not part of the return trusted domain objects
+from the local domain controller we generate an object for further
+processing. During this processing it is expected that the 'cn'
+attribute is set and contains the name of the forest root. So far this
+attribute was missing and it is now added by this patch.
+
+Resolves: https://github.com/SSSD/sssd/issues/5926
+
+Reviewed-by: Pavel Březina
+---
+ src/providers/ad/ad_subdomains.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 0353de76f..0c3f8ac31 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
+ goto done;
+ }
+
++ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
++ state->forest);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
++ goto done;
++ }
++
+ err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
+ &id_val.data, &id_val.length);
+ if (err != IDMAP_SUCCESS) {
+--
+2.26.3
+
diff --git a/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch b/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
new file mode 100644
index 0000000..07f55b0
--- /dev/null
+++ b/0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
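Review bot: The added `sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME, state->forest)` call in the nested ad_subdomains.c hunk carries no comment, so the reason it is needed lives only in the commit message; a comment such as `/* Later processing expects the synthesized forest-root object to carry the domain-name ('cn') attribute, as a real trusted-domain object returned by the DC would. */` above it would keep that contract next to the code. That `AD_AT_DOMAIN_NAME` maps to 'cn' is inferred from the patch subject rather than visible in the hunk. `ad_check_root_domain_done` starts and ends outside the hunk.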
@@ -0,0 +1,140 @@
+From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Thu, 13 Jan 2022 11:28:30 +0100
+Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AD and IPA providers use a common fo_server object for LDAP and
+Kerberos, which is created with the LDAP data. This means that due to
+the changes introduced in
+https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
+the port in use for the Kerberos requests would be the one specified for
+LDAP, usually the default one (389).
+
+In order to avoid that, AD and IPA providers shouldn't change the
+Kerberos port with the one provided for LDAP.
+
+:fixes: A critical regression that prevented authentication of users via
+AD and IPA providers was fixed. LDAP port was reused for Kerberos
+communication and this provider would send incomprehensible information
+to this port.
+
+Resolves: https://github.com/SSSD/sssd/issues/5947
+
+Signed-off-by: Iker Pedrosa
+
+Reviewed-by: Pavel Březina
+---
+ src/providers/ad/ad_common.c | 1 +
+ src/providers/ipa/ipa_common.c | 1 +
+ src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
+ src/providers/krb5/krb5_common.h | 1 +
+ 4 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index e263444c5..1ca5f8e3a 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
+ if (service->krb5_service->write_kdcinfo) {
+ ret = write_krb5info_file_from_fo_server(service->krb5_service,
+ server,
++ true,
+ SSS_KRB5KDC_FO_SRV,
+ ad_krb5info_file_filter);
+ if (ret != EOK) {
+diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
+index 1509cb1ce..e6c1f9aa4 100644
+--- a/src/providers/ipa/ipa_common.c
++++ b/src/providers/ipa/ipa_common.c
+@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
+ if (service->krb5_service->write_kdcinfo) {
+ ret = write_krb5info_file_from_fo_server(service->krb5_service,
+ server,
++ true,
+ SSS_KRB5KDC_FO_SRV,
+ NULL);
+ if (ret != EOK) {
+diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
+index 719ce6a12..5ffa20809 100644
+--- a/src/providers/krb5/krb5_common.c
++++ b/src/providers/krb5/krb5_common.c
+@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
+
+ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+ struct fo_server *server,
++ bool force_default_port,
+ const char *service,
+ bool (*filter)(struct fo_server *))
+ {
+@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+ if (filter == NULL || filter(server) == false) {
+ address = 
fo_server_address_or_name(tmp_ctx, server);
+ if (address) {
+- port = fo_get_server_port(server);
+- if (port != 0) {
+- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+- if (address == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+- talloc_free(tmp_ctx);
+- return ENOMEM;
++ if (!force_default_port) {
++ port = fo_get_server_port(server);
++ if (port != 0) {
++ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
++ if (address == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
++ talloc_free(tmp_ctx);
++ return ENOMEM;
++ }
+ }
+ }
+
+@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+ continue;
+ }
+
+- port = fo_get_server_port(item);
+- if (port != 0) {
+- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+- if (address == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+- talloc_free(tmp_ctx);
+- return ENOMEM;
++ if (!force_default_port) {
++ port = fo_get_server_port(item);
++ if (port != 0) {
++ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
++ if (address == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
++ talloc_free(tmp_ctx);
++ return ENOMEM;
++ }
+ }
+ }
+
+@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
+ if (krb5_service->write_kdcinfo) {
+ ret = write_krb5info_file_from_fo_server(krb5_service,
+ server,
++ false,
+ krb5_service->name,
+ NULL);
+ if (ret != EOK) {
+diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
+index 151f446d1..2fd39a751 100644
+--- a/src/providers/krb5/krb5_common.h
++++ b/src/providers/krb5/krb5_common.h
+@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
+
+ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+ struct fo_server *server,
++ bool force_default_port,
+ const char *service,
+ bool (*filter)(struct 
fo_server *));
+
+--
+2.26.3
+
diff --git a/sssd.spec b/sssd.spec
index d8c846d..8503a30 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -27,7 +27,7 @@ Name: sssd
 Version: 2.6.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
@@ -36,6 +36,8 @@ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{versio
 ### Patches ###
 Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
 Patch0002: 0002-po-update-translations.patch
+Patch0003: 0003-ad-add-required-cn-attribute-to-subdomain-object.patch
+Patch0004: 0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
 ### Dependencies ###
@@ -79,7 +81,7 @@ BuildRequires: gettext-devel
 BuildRequires: gnutls-utils
 BuildRequires: keyutils-libs-devel
 BuildRequires: krb5-devel
-BuildRequires: krb5-libs >= 1.18.2
+BuildRequires: krb5-libs >= 1.18.2-11
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: libdhash-devel >= 0.4.2
 BuildRequires: libini_config-devel >= 1.1
@@ -472,7 +474,7 @@ Library to map certificates to users based on rules
 Summary: An implementation of a Kerberos KCM server
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
-Requires: krb5-libs >= 1.18.2
+Requires: krb5-libs >= 1.18.2-11
 %{?systemd_requires}
 %description kcm
@@ -1036,6 +1038,10 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Mon Jan 17 2022 Alexey Tikhonov - 2.6.2-2
+- Resolves: rhbz#2035244 - AD Domain in the AD Forest Missing after sssd latest update
+- Resolves: rhbz#2041560 - sssd does not use kerberos port that is set.
+
 * Mon Jan 03 2022 Alexey Tikhonov - 2.6.2-1
 - Resolves: rhbz#2011224 - Rebase SSSD for RHEL 9.0-GA
 - Resolves: rhbz#2017390 - [sssd] RHEL 9.0 GA Tier 0 Localization
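Review bot: The new `force_default_port` parameter of `write_krb5info_file_from_fo_server` is undocumented at its prototype in the nested krb5_common.h hunk, so the reason it exists lives only in the commit message; a comment such as `/* force_default_port: ignore the port carried by the fo_server (AD/IPA share one fo_server with LDAP, so that port is the LDAP one) and leave the KDC port to the Kerberos defaults. */` above the declaration would keep it with the code. The bare `true`/`false` literals at the ad_common.c, ipa_common.c and krb5_common.c call sites are a point of style: a reader cannot tell from the call what is being forced. With the flag set, both loops in krb5_common.c now skip `fo_get_server_port()` entirely, so presumably any port an administrator configured on that server entry for AD/IPA is also dropped from the kdcinfo file — worth confirming that is intended. The body of `write_krb5info_file_from_fo_server` extends beyond the hunk.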