import sssd-2.6.2-3.el8

.gitignore

@@ -1 +1 @@
-SOURCES/sssd-2.5.2.tar.gz
+SOURCES/sssd-2.6.2.tar.gz

.sssd.metadata

@@ -1 +1 @@
-680a282289fdfc6e27562e0ac82933ccd1f9574e SOURCES/sssd-2.5.2.tar.gz
+c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz

SOURCES/0001-TOOLS-replace-system-with-execvp.patch

@@ -1,277 +0,0 @@
-From 3861960837b996d959af504a937a03963dc21d62 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 18 Jun 2021 13:17:19 +0200
-Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
- user supplied command
-
-A flaw was found in SSSD, where the sssctl command was vulnerable
-to shell command injection via the logs-fetch and cache-expire
-subcommands. This flaw allows an attacker to trick the root user
-into running a specially crafted sssctl command, such as via sudo,
-to gain root access. The highest threat from this vulnerability is
-to confidentiality, integrity, as well as system availability.
-
-:fixes: CVE-2021-3621
----
- src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
- src/tools/sssctl/sssctl.h      |  2 +-
- src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
- src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
- 4 files changed, 73 insertions(+), 57 deletions(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 2997dbf96..8adaf3091 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
-     return SSSCTL_PROMPT_ERROR;
- }
- 
--errno_t sssctl_run_command(const char *command)
-+errno_t sssctl_run_command(const char *const argv[])
- {
-     int ret;
-+    int wstatus;
- 
--    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
-+    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
- 
--    ret = system(command);
-+    ret = fork();
-     if (ret == -1) {
--        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
-         ERROR("Error while executing external command\n");
-         return EFAULT;
--    } else if (WEXITSTATUS(ret) != 0) {
--        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
--              command, WEXITSTATUS(ret));
-+    }
-+
-+    if (ret == 0) {
-+        /* cast is safe - see
-+        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
-+        "The statement about argv[] and envp[] being constants ... "
-+        */
-+        execvp(argv[0], discard_const_p(char * const, argv));
-         ERROR("Error while executing external command\n");
--        return EIO;
-+        _exit(1);
-+    } else {
-+        if (waitpid(ret, &wstatus, 0) == -1) {
-+            ERROR("Error while executing external command '%s'\n", argv[0]);
-+            return EFAULT;
-+        } else if (WEXITSTATUS(wstatus) != 0) {
-+            ERROR("Command '%s' failed with [%d]\n",
-+                  argv[0], WEXITSTATUS(wstatus));
-+            return EIO;
-+        }
-     }
- 
-     return EOK;
-@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
- #elif defined(HAVE_SERVICE)
-     switch (action) {
-     case SSSCTL_SVC_START:
--        return sssctl_run_command(SERVICE_PATH" sssd start");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
-     case SSSCTL_SVC_STOP:
--        return sssctl_run_command(SERVICE_PATH" sssd stop");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
-     case SSSCTL_SVC_RESTART:
--        return sssctl_run_command(SERVICE_PATH" sssd restart");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
-     }
- #endif
- 
-diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
-index 0115b2457..599ef6519 100644
---- a/src/tools/sssctl/sssctl.h
-+++ b/src/tools/sssctl/sssctl.h
-@@ -47,7 +47,7 @@ enum sssctl_prompt_result
- sssctl_prompt(const char *message,
-               enum sssctl_prompt_result defval);
- 
--errno_t sssctl_run_command(const char *command);
-+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
- bool sssctl_start_sssd(bool force);
- bool sssctl_stop_sssd(bool force);
- bool sssctl_restart_sssd(bool force);
-diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
-index 8d79b977f..bf2291341 100644
---- a/src/tools/sssctl/sssctl_data.c
-+++ b/src/tools/sssctl/sssctl_data.c
-@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
-         }
-     }
- 
--    ret = sssctl_run_command("sss_override user-export "
--                             SSS_BACKUP_USER_OVERRIDES);
-+    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
-+                                              SSS_BACKUP_USER_OVERRIDES, NULL});
-     if (ret != EOK) {
-         ERROR("Unable to export user overrides\n");
-         return ret;
-     }
- 
--    ret = sssctl_run_command("sss_override group-export "
--                             SSS_BACKUP_GROUP_OVERRIDES);
-+    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
-+                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
-     if (ret != EOK) {
-         ERROR("Unable to export group overrides\n");
-         return ret;
-@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
-     }
- 
-     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
--        ret = sssctl_run_command("sss_override user-import "
--                                 SSS_BACKUP_USER_OVERRIDES);
-+        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
-+                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
-         if (ret != EOK) {
-             ERROR("Unable to import user overrides\n");
-             return ret;
-@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
-     }
- 
-     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
--        ret = sssctl_run_command("sss_override group-import "
--                                 SSS_BACKUP_GROUP_OVERRIDES);
-+        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
-+                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
-         if (ret != EOK) {
-             ERROR("Unable to import group overrides\n");
-             return ret;
-@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
-                             void *pvt)
- {
-     errno_t ret;
--    char *cmd_args = NULL;
--    const char *cachecmd = SSS_CACHE;
--    char *cmd = NULL;
--    int i;
--
--    if (cmdline->argc == 0) {
--        ret = sssctl_run_command(cachecmd);
--        goto done;
--    }
- 
--    cmd_args = talloc_strdup(tool_ctx, "");
--    if (cmd_args == NULL) {
--        ret = ENOMEM;
--        goto done;
-+    const char **args = talloc_array_size(tool_ctx,
-+                                          sizeof(char *),
-+                                          cmdline->argc + 2);
-+    if (!args) {
-+        return ENOMEM;
-     }
-+    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
-+    args[0] = SSS_CACHE;
-+    args[cmdline->argc + 1] = NULL;
- 
--    for (i = 0; i < cmdline->argc; i++) {
--        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
--        if (i != cmdline->argc - 1) {
--            cmd_args = talloc_strdup_append(cmd_args, " ");
--        }
--    }
--
--    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
--    if (cmd == NULL) {
--        ret = ENOMEM;
--        goto done;
--    }
--
--    ret = sssctl_run_command(cmd);
--
--done:
--    talloc_free(cmd_args);
--    talloc_free(cmd);
-+    ret = sssctl_run_command(args);
- 
-+    talloc_free(args);
-     return ret;
- }
-diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
-index 9ff2be05b..ebb2c4571 100644
---- a/src/tools/sssctl/sssctl_logs.c
-+++ b/src/tools/sssctl/sssctl_logs.c
-@@ -31,6 +31,7 @@
- #include <ldb.h>
- #include <popt.h>
- #include <stdio.h>
-+#include <glob.h>
- 
- #include "util/util.h"
- #include "tools/common/sss_process.h"
-@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- {
-     struct sssctl_logs_opts opts = {0};
-     errno_t ret;
-+    glob_t globbuf;
- 
-     /* Parse command line. */
-     struct poptOption options[] = {
-@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- 
-         sss_signal(SIGHUP);
-     } else {
-+        globbuf.gl_offs = 4;
-+        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+        if (ret != 0) {
-+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+            return ret;
-+        }
-+        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
-+        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
-+        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
-+        globbuf.gl_pathv[3] = discard_const_p(char, "0");
-+
-         PRINT("Truncating log files...\n");
--        ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
-+        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+        globfree(&globbuf);
-         if (ret != EOK) {
-             ERROR("Unable to truncate log files\n");
-             return ret;
-@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
-                           void *pvt)
- {
-     const char *file;
--    const char *cmd;
-     errno_t ret;
-+    glob_t globbuf;
- 
-     /* Parse command line. */
-     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
-@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
-         return ret;
-     }
- 
--    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
--    if (cmd == NULL) {
--        ERROR("Out of memory!");
-+    globbuf.gl_offs = 3;
-+    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+    if (ret != 0) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+        return ret;
-     }
-+    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
-+    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
-+    globbuf.gl_pathv[2] = discard_const_p(char, file);
- 
-     PRINT("Archiving log files into %s...\n", file);
--    ret = sssctl_run_command(cmd);
-+    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+    globfree(&globbuf);
-     if (ret != EOK) {
-         ERROR("Unable to archive log files\n");
-         return ret;
--- 
-2.26.3
-

SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch

@@ -0,0 +1,33 @@
+From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jan 2022 10:11:49 +0100
+Subject: [PATCH] ipa: fix reply socket of selinux_child
+
+Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
+the reply socket of selinux_child from stdout to stderr while switching
+from exec_child to exec_child_ex. This patch returns the original
+behavior.
+
+Resolves: https://github.com/SSSD/sssd/issues/5939
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/providers/ipa/ipa_selinux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index 6f885c0fd..2e0593dd7 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
+     if (pid == 0) { /* child */
+         exec_child_ex(state, pipefd_to_child, pipefd_from_child,
+                       SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
+-                      false, STDIN_FILENO, STDERR_FILENO);
++                      false, STDIN_FILENO, STDOUT_FILENO);
+         DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
+               ret, sss_strerror(ret));
+         return ret;
+-- 
+2.26.3
+

SOURCES/0003-ad-filter-trusted-domains.patch

@@ -1,187 +0,0 @@
-From 4c48c4a7792961cf8a228c76975ac370d32904e1 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 6 Oct 2021 13:03:27 +0200
-Subject: [PATCH] ad: filter trusted domains
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The fix for https://github.com/SSSD/sssd/issues/5528 might discover
-domains which are not trusted (one-way trust) or are from a different
-forest (direct trust). Both should be ignored because they are not
-trusted or can currently not be handled properly. This patch filters out
-those domains.
-
-Resolves: https://github.com/SSSD/sssd/issues/5819
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/providers/ad/ad_subdomains.c | 104 +++++++++++++++++++++++++++++--
- 1 file changed, 99 insertions(+), 5 deletions(-)
-
-diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
-index 3eb49c93f..ac463026f 100644
---- a/src/providers/ad/ad_subdomains.c
-+++ b/src/providers/ad/ad_subdomains.c
-@@ -46,6 +46,7 @@
- #define AD_AT_TRUST_PARTNER "trustPartner"
- #define AD_AT_TRUST_ATTRS   "trustAttributes"
- #define AD_AT_DOMAIN_NAME   "cn"
-+#define AD_AT_TRUST_DIRECTION   "trustDirection"
- 
- /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
-  * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
-@@ -69,6 +70,12 @@
- /* do not refresh more often than every 5 seconds for now */
- #define AD_SUBDOMAIN_REFRESH_LIMIT 5
- 
-+/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */
-+#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x00000020
-+
-+/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */
-+#define TRUST_DIRECTION_OUTBOUND 0x00000002
-+
- static void
- ad_disable_gc(struct ad_options *ad_options)
- {
-@@ -646,6 +653,85 @@ done:
-     return ret;
- }
- 
-+/* When reading trusted domains from the local DC we are basically interested
-+ * in domains from the local forest we are trusting, i.e. users from this
-+ * domain can connect to us. To not unnecessarily bloat the list of domains
-+ * and make multi-domain searches slow we filter domains from other forest and
-+ * domains we do not trust.
-+ * In future we might add config options to broaden the scope and allow more
-+ * domains.
-+ * If ad_filter_domains() returns successfully with EOK in input array is not
-+ * valid anymore and should be freed by the caller. */
-+static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx,
-+                                 struct sysdb_attrs **subdomains,
-+                                 size_t num_subdomains,
-+                                 struct sysdb_attrs ***_sd_out,
-+                                 size_t *_num_sd_out)
-+{
-+    int ret;
-+    size_t c;
-+    uint32_t tmp_uint32_t;
-+    const char *value;
-+    struct sysdb_attrs **sd_out;
-+    size_t num_sd_out = 0;
-+
-+    sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *,
-+                               num_subdomains + 1);
-+    if (sd_out == NULL) {
-+        DEBUG(SSSDBG_OP_FAILURE,
-+              "Failed to allocate memory for sub-domain list.\n");
-+        return ENOMEM;
-+    }
-+
-+    for (c = 0; c < num_subdomains; c++) {
-+        ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER,
-+                                     &value);
-+        if (ret != EOK) {
-+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
-+            talloc_free(sd_out);
-+            return ret;
-+        }
-+
-+        /* Ignore direct trusts to domains from other forests
-+         * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not
-+         * trust (TRUST_DIRECTION_OUTBOUND is not set) */
-+
-+        tmp_uint32_t = 0;
-+        ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS,
-+                                       &tmp_uint32_t);
-+        if (ret != EOK
-+                || (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) {
-+            DEBUG(SSSDBG_FUNC_DATA,
-+                  "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n",
-+                  value);
-+            continue;
-+        }
-+
-+        tmp_uint32_t = 0;
-+        ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION,
-+                                       &tmp_uint32_t);
-+        if (ret != EOK
-+                || (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0) {
-+            DEBUG(SSSDBG_FUNC_DATA,
-+                  "TRUST_DIRECTION_OUTBOUND not set for [%s].\n",
-+                  value);
-+            continue;
-+        }
-+
-+        sd_out[num_sd_out] = subdomains[c];
-+        num_sd_out++;
-+    }
-+
-+    for (c = 0; c < num_sd_out; c++) {
-+        sd_out[c] = talloc_steal(sd_out, sd_out[c]);
-+    }
-+
-+    *_sd_out = sd_out;
-+    *_num_sd_out = num_sd_out;
-+
-+    return EOK;
-+}
-+
- /* How many times we keep a domain not found during searches before it will be
-  * removed. */
- #define MAX_NOT_FOUND 6
-@@ -1125,7 +1211,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)
-     errno_t ret;
-     const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
-                             AD_AT_SID, AD_AT_TRUST_TYPE,
--                            AD_AT_TRUST_ATTRS, NULL };
-+                            AD_AT_TRUST_ATTRS, AD_AT_TRUST_DIRECTION, NULL };
- 
-     req = tevent_req_callback_data(subreq, struct tevent_req);
-     state = tevent_req_data(req, struct ad_get_slave_domain_state);
-@@ -1333,7 +1419,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
-     struct sdap_options *opts;
-     errno_t ret;
-     const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
--                            AD_AT_SID, AD_AT_TRUST_TYPE,
-+                            AD_AT_SID, AD_AT_TRUST_TYPE, AD_AT_TRUST_DIRECTION,
-                             AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
- 
-     req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
-@@ -1411,13 +1497,15 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
-     struct ad_get_root_domain_state *state;
-     errno_t ret;
-     bool has_changes = false;
-+    struct sysdb_attrs **unfiltered_reply;
-+    size_t unfiltered_reply_count;
- 
-     req = tevent_req_callback_data(subreq, struct tevent_req);
-     state = tevent_req_data(req, struct ad_get_root_domain_state);
- 
-     ret = sdap_search_bases_return_first_recv(subreq, state,
--                                              &state->reply_count,
--                                              &state->reply);
-+                                              &unfiltered_reply_count,
-+                                              &unfiltered_reply);
-     talloc_zfree(subreq);
-     if (ret != EOK) {
-         DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
-@@ -1425,7 +1513,13 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
-         goto done;
-     }
- 
--    find_domain(state->reply_count, state->reply, state->forest);
-+    ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count,
-+                            &state->reply, &state->reply_count);
-+    if (ret != EOK) {
-+        DEBUG(SSSDBG_OP_FAILURE,
-+              "Failed to filter list of returned domains.\n");
-+        goto done;
-+    }
- 
-     if (state->reply_count == 0
-             || find_domain(state->reply_count, state->reply,
--- 
-2.26.3
-

SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch

@@ -0,0 +1,140 @@
+From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Thu, 13 Jan 2022 11:28:30 +0100
+Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AD and IPA providers use a common fo_server object for LDAP and
+Kerberos, which is created with the LDAP data. This means that due to
+the changes introduced in
+https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
+the port in use for the Kerberos requests would be the one specified for
+LDAP, usually the default one (389).
+
+In order to avoid that, AD and IPA providers shouldn't change the
+Kerberos port with the one provided for LDAP.
+
+:fixes: A critical regression that prevented authentication of users via
+AD and IPA providers was fixed. LDAP port was reused for Kerberos
+communication and this provider would send incomprehensible information
+to this port.
+
+Resolves: https://github.com/SSSD/sssd/issues/5947
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ad/ad_common.c     |  1 +
+ src/providers/ipa/ipa_common.c   |  1 +
+ src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
+ src/providers/krb5/krb5_common.h |  1 +
+ 4 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index e263444c5..1ca5f8e3a 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
+     if (service->krb5_service->write_kdcinfo) {
+         ret = write_krb5info_file_from_fo_server(service->krb5_service,
+                                                  server,
++                                                 true,
+                                                  SSS_KRB5KDC_FO_SRV,
+                                                  ad_krb5info_file_filter);
+         if (ret != EOK) {
+diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
+index 1509cb1ce..e6c1f9aa4 100644
+--- a/src/providers/ipa/ipa_common.c
++++ b/src/providers/ipa/ipa_common.c
+@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
+     if (service->krb5_service->write_kdcinfo) {
+         ret = write_krb5info_file_from_fo_server(service->krb5_service,
+                                                  server,
++                                                 true,
+                                                  SSS_KRB5KDC_FO_SRV,
+                                                  NULL);
+         if (ret != EOK) {
+diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
+index 719ce6a12..5ffa20809 100644
+--- a/src/providers/krb5/krb5_common.c
++++ b/src/providers/krb5/krb5_common.c
+@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
+ 
+ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+                                            struct fo_server *server,
++                                           bool force_default_port,
+                                            const char *service,
+                                            bool (*filter)(struct fo_server *))
+ {
+@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+     if (filter == NULL || filter(server) == false) {
+         address = fo_server_address_or_name(tmp_ctx, server);
+         if (address) {
+-            port = fo_get_server_port(server);
+-            if (port != 0) {
+-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+-                if (address == NULL) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+-                    talloc_free(tmp_ctx);
+-                    return ENOMEM;
++            if (!force_default_port) {
++                port = fo_get_server_port(server);
++                if (port != 0) {
++                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
++                    if (address == NULL) {
++                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
++                        talloc_free(tmp_ctx);
++                        return ENOMEM;
++                    }
+                 }
+             }
+ 
+@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+                 continue;
+             }
+ 
+-            port = fo_get_server_port(item);
+-            if (port != 0) {
+-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+-                if (address == NULL) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+-                    talloc_free(tmp_ctx);
+-                    return ENOMEM;
++            if (!force_default_port) {
++                port = fo_get_server_port(item);
++                if (port != 0) {
++                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
++                    if (address == NULL) {
++                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
++                        talloc_free(tmp_ctx);
++                        return ENOMEM;
++                    }
+                 }
+             }
+ 
+@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
+     if (krb5_service->write_kdcinfo) {
+         ret = write_krb5info_file_from_fo_server(krb5_service,
+                                                  server,
++                                                 false,
+                                                  krb5_service->name,
+                                                  NULL);
+         if (ret != EOK) {
+diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
+index 151f446d1..2fd39a751 100644
+--- a/src/providers/krb5/krb5_common.h
++++ b/src/providers/krb5/krb5_common.h
+@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
+ 
+ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+                                            struct fo_server *server,
++                                           bool force_default_port,
+                                            const char *service,
+                                            bool (*filter)(struct fo_server *));
+ 
+-- 
+2.26.3
+

SOURCES/0004-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch

@@ -1,62 +0,0 @@
-From bb94a18f0f0cba1e9fb5abf78b995d69e5f3c559 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 18 Oct 2021 12:29:06 +0200
-Subject: [PATCH] cache_req: return success for autofs when ENOENT is returned
- from provider
-
-The receive function should return true if data provider lookup was
-successfull and false if there was an error. "Not found" result is
-considered a successful lookup, only failure to perform a search
-should result in false return code.
-
-Resolves: https://github.com/SSSD/sssd/issues/5832
-
-Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
----
- .../common/cache_req/plugins/cache_req_autofs_entry_by_name.c   | 2 +-
- .../common/cache_req/plugins/cache_req_autofs_map_by_name.c     | 2 +-
- .../common/cache_req/plugins/cache_req_autofs_map_entries.c     | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-index 0dc6a585a..788b6708c 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-@@ -97,7 +97,7 @@ cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq,
- 
-     ret = sbus_call_dp_autofs_GetEntry_recv(subreq);
- 
--    if (ret == ERR_MISSING_DP_TARGET) {
-+    if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
-         ret = EOK;
-     }
- 
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-index 6a665c58e..5d82641cc 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-@@ -93,7 +93,7 @@ cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq,
- 
-     ret = sbus_call_dp_autofs_GetMap_recv(subreq);
- 
--    if (ret == ERR_MISSING_DP_TARGET) {
-+    if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
-         ret = EOK;
-     }
- 
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-index 46776b980..29f289723 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-@@ -125,7 +125,7 @@ cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq,
- 
-     ret = sbus_call_dp_autofs_Enumerate_recv(subreq);
- 
--    if (ret == ERR_MISSING_DP_TARGET) {
-+    if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
-         ret = EOK;
-     }
- 
--- 
-2.26.3
-

SOURCES/0005-MONITOR-reduce-logs-severity-around-signalling-and-t.patch

@@ -1,81 +0,0 @@
-From 01ff8155baea989c42664985ea939cb93beb31e7 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 1 Oct 2021 18:01:21 +0200
-Subject: [PATCH] MONITOR: reduce logs severity around signalling and
- termination of services to avoid useless in those cases backtraces
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/monitor/monitor.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
-index 42def7451..b5fee7e7a 100644
---- a/src/monitor/monitor.c
-+++ b/src/monitor/monitor.c
-@@ -655,7 +655,7 @@ static int service_signal(struct mt_svc *svc,
-          * order a service to reload that hasn't started
-          * yet.
-          */
--        DEBUG(SSSDBG_CRIT_FAILURE,
-+        DEBUG(SSSDBG_IMPORTANT_INFO,
-               "Could not signal service [%s].\n", svc->name);
-         return EIO;
-     }
-@@ -684,8 +684,8 @@ static void service_signal_done(struct tevent_req *req)
-         return;
-     }
- 
--    DEBUG(SSSDBG_FATAL_FAILURE, "Unable to signal service [%d]: %s\n",
--          ret, sss_strerror(ret));
-+    DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
-+          "Unable to signal service [%d]: %s\n", ret, sss_strerror(ret));
- }
- 
- static int service_signal_dns_reload(struct mt_svc *svc)
-@@ -1363,14 +1363,14 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
-         }
- 
-         killed = false;
--        DEBUG(SSSDBG_CRIT_FAILURE,
-+        DEBUG(SSSDBG_IMPORTANT_INFO,
-               "Terminating [%s][%d]\n", svc->name, svc->pid);
-         do {
-             errno = 0;
-             kret = kill(-svc->pid, SIGTERM);
-             if (kret < 0) {
-                 error = errno;
--                DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n",
-+                DEBUG(SSSDBG_MINOR_FAILURE, "Couldn't terminate [%s][%d]: [%s]\n",
-                           svc->name, svc->pid, strerror(error));
-             }
- 
-@@ -1384,7 +1384,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
-                     if (error == ECHILD) {
-                         killed = true;
-                     } else if (error != EINTR) {
--                        DEBUG(SSSDBG_FATAL_FAILURE,
-+                        DEBUG(SSSDBG_IMPORTANT_INFO,
-                               "[%d][%s] while waiting for [%s]\n",
-                                   error, strerror(error), svc->name);
-                         /* Forcibly kill this child */
-@@ -1394,13 +1394,13 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
-                 } else if (pid != 0) {
-                     error = 0;
-                     if (WIFEXITED(status)) {
--                        DEBUG(SSSDBG_CRIT_FAILURE,
-+                        DEBUG(SSSDBG_IMPORTANT_INFO,
-                               "Child [%s] exited gracefully\n", svc->name);
-                     } else if (WIFSIGNALED(status)) {
--                        DEBUG(SSSDBG_CRIT_FAILURE,
-+                        DEBUG(SSSDBG_IMPORTANT_INFO,
-                               "Child [%s] terminated with a signal\n", svc->name);
-                     } else {
--                        DEBUG(SSSDBG_CRIT_FAILURE,
-+                        DEBUG(SSSDBG_IMPORTANT_INFO,
-                               "Child [%s] did not exit cleanly\n", svc->name);
-                         /* Forcibly kill this child */
-                         kill(-svc->pid, SIGKILL);
--- 
-2.26.3
-

SOURCES/0006-DEBUG-avoid-backtrace-dups.patch

@@ -1,145 +0,0 @@
-From bb8da4303851642318b626aad507ab7c39f6a80d Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Mon, 1 Nov 2021 20:09:02 +0100
-Subject: [PATCH] DEBUG: avoid backtrace dups.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In case the same error(s) is repeated again and again repeating the same
-backtrace doesn't add much value. In this case let's add just a note.
-
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
----
- src/util/debug.c           |  4 +--
- src/util/debug_backtrace.c | 51 +++++++++++++++++++++++++++++++++++---
- 2 files changed, 50 insertions(+), 5 deletions(-)
-
-diff --git a/src/util/debug.c b/src/util/debug.c
-index 7c03fb7df..953123718 100644
---- a/src/util/debug.c
-+++ b/src/util/debug.c
-@@ -42,7 +42,7 @@
- void sss_debug_backtrace_init(void);
- void sss_debug_backtrace_vprintf(int level, const char *format, va_list ap);
- void sss_debug_backtrace_printf(int level, const char *format, ...);
--void sss_debug_backtrace_endmsg(int level);
-+void sss_debug_backtrace_endmsg(const char *file, long line, int level);
- 
- const char *debug_prg_name = "sssd";
- 
-@@ -359,7 +359,7 @@ void sss_vdebug_fn(const char *file,
-     if (flags & APPEND_LINE_FEED) {
-         sss_debug_backtrace_printf(level, "\n");
-     }
--    sss_debug_backtrace_endmsg(level);
-+    sss_debug_backtrace_endmsg(file, line, level);
- }
- 
- void sss_debug_fn(const char *file,
-diff --git a/src/util/debug_backtrace.c b/src/util/debug_backtrace.c
-index d99325ab6..e376f815b 100644
---- a/src/util/debug_backtrace.c
-+++ b/src/util/debug_backtrace.c
-@@ -30,6 +30,9 @@ extern FILE *_sss_debug_file;
- static const unsigned SSS_DEBUG_BACKTRACE_DEFAULT_SIZE = 100*1024; /* bytes */
- static const unsigned SSS_DEBUG_BACKTRACE_LEVEL        = SSSDBG_BE_FO;
- 
-+/* Size of locations history to keep to avoid duplicating backtraces */
-+#define SSS_DEBUG_BACKTRACE_LOCATIONS 5
-+
- 
- /*                     -->
-  * ring buffer = [*******t...\n............e000]
-@@ -46,12 +49,21 @@ static struct {
-     char     *buffer;  /* buffer start */
-     char     *end;     /* end data border */
-     char     *tail;    /* tail of "current" message */
-+
-+    /* locations where last backtraces happened */
-+    struct {
-+        const char *file;
-+        long        line;
-+    } locations[SSS_DEBUG_BACKTRACE_LOCATIONS];
-+    unsigned last_location_idx;
- } _bt;
- 
- 
- static inline bool _all_levels_enabled(void);
- static inline bool _backtrace_is_enabled(int level);
- static inline bool _is_trigger_level(int level);
-+static void _store_location(const char *file, long line);
-+static bool _is_recent_location(const char *file, long line);
- static void _backtrace_vprintf(const char *format, va_list ap);
- static void _backtrace_printf(const char *format, ...);
- static void _backtrace_dump(void);
-@@ -75,6 +87,8 @@ void sss_debug_backtrace_init(void)
-     _bt.enabled     = true;
-     _bt.initialized = true;
- 
-+    /* locations[] & last_location_idx are zero-initialized */
-+
-     _backtrace_printf("   *  ");
- }
- 
-@@ -116,7 +130,7 @@ void sss_debug_backtrace_printf(int level, const char *format, ...)
- }
- 
- 
--void sss_debug_backtrace_endmsg(int level)
-+void sss_debug_backtrace_endmsg(const char *file, long line, int level)
- {
-     if (DEBUG_IS_SET(level)) {
-         _debug_fflush();
-@@ -124,7 +138,16 @@ void sss_debug_backtrace_endmsg(int level)
- 
-     if (_backtrace_is_enabled(level)) {
-         if (_is_trigger_level(level)) {
--            _backtrace_dump();
-+            if (!_is_recent_location(file, line)) {
-+                _backtrace_dump();
-+                _store_location(file, line);
-+            } else {
-+                fprintf(_sss_debug_file ? _sss_debug_file : stderr,
-+                        "   *  ... skipping repetitive backtrace ...\n");
-+                /* and reset */
-+                _bt.end  = _bt.buffer;
-+                _bt.tail = _bt.buffer;
-+            }
-         }
-         _backtrace_printf("   *  ");
-     }
-@@ -191,7 +214,29 @@ static inline bool _backtrace_is_enabled(int level)
- }
- 
- 
-- /* prints to buffer */
-+static void _store_location(const char *file, long line)
-+{
-+    _bt.last_location_idx = (_bt.last_location_idx + 1) % SSS_DEBUG_BACKTRACE_LOCATIONS;
-+     /* __FILE__ is a character string literal with static storage duration. */
-+    _bt.locations[_bt.last_location_idx].file = file;
-+    _bt.locations[_bt.last_location_idx].line = line;
-+}
-+
-+
-+static bool _is_recent_location(const char *file, long line)
-+{
-+    for (unsigned idx = 0; idx < SSS_DEBUG_BACKTRACE_LOCATIONS; ++idx) {
-+        if ((line == _bt.locations[idx].line) &&
-+            (_bt.locations[idx].file != NULL) &&
-+            (strcmp(file, _bt.locations[idx].file) == 0)) {
-+            return true;
-+        }
-+    }
-+    return false;
-+}
-+
-+
-+/* prints to buffer */
- static void _backtrace_vprintf(const char *format, va_list ap)
- {
-     int buff_tail_size = _bt.size - (_bt.tail - _bt.buffer);
--- 
-2.26.3
-

SOURCES/0007-cache_req-cache_first-fix-for-fully-qualified-names.patch

@@ -1,131 +0,0 @@
-From 26654d3e5f5882dd1681116cb49228d108351d48 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 12 Aug 2021 09:27:57 +0200
-Subject: [PATCH] cache_req: cache_first fix for fully-qualified names
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-With commit b572871236a7f9059d375a5ab1bff8cbfd519956 "cache_req:
-introduce cache_behavior enumeration" the processing of cache and
-backend lookups was refactored. Unfortunately this introduce an issue
-when looking up users or groups with a fully-qualified name and the
-'cache_first = True' option is set.
-
-In the old code the case when a domain name is available was handle
-before the cache_first first option was evaluated and cache_req was
-instructed to first look in the cache and then call the backend if the
-object is not available or expired, i.e. the default behavior. Since
-only a single domain is involved this is in agreement with 'cache_first
-= True' and only a single iteration is needed.
-
-In the new code the cache_first option is evaluated before the presence
-of a domain name is checked and as a result even for single domain
-searches the first cache_req iteration is only looking at the cache and
-will not call the backend. This means the now for searches with a
-fully-qualified name a second iteration is needed if the object was not
-found in the cache.
-
-Unfortunately the old exit condition that if a domain name is present
-only a single iteration is needed is still present in the new code which
-effectively makes requests with fully-qualified named only search the
-cache and never call the backends. This patch removes the exit condition
-and does a second iteration for fully-qualified names as well if
-'cache_first = True' is set.
-
-Resolves: https://github.com/SSSD/sssd/issues/5744
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/responder/common/cache_req/cache_req.c  |  3 +-
- src/tests/cmocka/test_responder_cache_req.c | 53 +++++++++++++++++++++
- 2 files changed, 54 insertions(+), 2 deletions(-)
-
-diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
-index 750d655c1..56ec077f3 100644
---- a/src/responder/common/cache_req/cache_req.c
-+++ b/src/responder/common/cache_req/cache_req.c
-@@ -1331,8 +1331,7 @@ static errno_t cache_req_select_domains(struct tevent_req *req,
- 
-     state = tevent_req_data(req, struct cache_req_state);
- 
--    if ((state->cr->cache_behavior != CACHE_REQ_CACHE_FIRST)
--        || (domain_name != NULL)) {
-+    if (state->cr->cache_behavior != CACHE_REQ_CACHE_FIRST) {
- 
-         if (!state->first_iteration) {
-             /* We're done here. */
-diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
-index 5cf7660e7..27a525f6e 100644
---- a/src/tests/cmocka/test_responder_cache_req.c
-+++ b/src/tests/cmocka/test_responder_cache_req.c
-@@ -992,6 +992,56 @@ void test_user_by_name_missing_notfound(void **state)
-     assert_true(test_ctx->dp_called);
- }
- 
-+void test_user_by_name_missing_notfound_cache_first(void **state)
-+{
-+    struct cache_req_test_ctx *test_ctx = NULL;
-+
-+    test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-+    test_ctx->rctx->cache_first = true;
-+
-+    /* Mock values. */
-+    will_return(__wrap_sss_dp_get_account_send, test_ctx);
-+    mock_account_recv_simple();
-+    mock_parse_inp(users[0].short_name, NULL, ERR_OK);
-+
-+    /* Test. */
-+    run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
-+    assert_true(test_ctx->dp_called);
-+}
-+
-+void test_user_by_name_missing_notfound_full_name(void **state)
-+{
-+    struct cache_req_test_ctx *test_ctx = NULL;
-+
-+    test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-+
-+    /* Mock values. */
-+    will_return(__wrap_sss_dp_get_account_send, test_ctx);
-+    mock_account_recv_simple();
-+    mock_parse_inp(users[0].short_name, TEST_DOM_NAME, ERR_OK);
-+
-+    /* Test. */
-+    run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
-+    assert_true(test_ctx->dp_called);
-+}
-+
-+void test_user_by_name_missing_notfound_cache_first_full_name(void **state)
-+{
-+    struct cache_req_test_ctx *test_ctx = NULL;
-+
-+    test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-+    test_ctx->rctx->cache_first = true;
-+
-+    /* Mock values. */
-+    will_return(__wrap_sss_dp_get_account_send, test_ctx);
-+    mock_account_recv_simple();
-+    mock_parse_inp(users[0].short_name, TEST_DOM_NAME, ERR_OK);
-+
-+    /* Test. */
-+    run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
-+    assert_true(test_ctx->dp_called);
-+}
-+
- void test_user_by_name_multiple_domains_requested_domains_found(void **state)
- {
-     struct cache_req_test_ctx *test_ctx = NULL;
-@@ -4255,6 +4305,9 @@ int main(int argc, const char *argv[])
-         new_single_domain_test(user_by_name_ncache),
-         new_single_domain_test(user_by_name_missing_found),
-         new_single_domain_test(user_by_name_missing_notfound),
-+        new_single_domain_test(user_by_name_missing_notfound_cache_first),
-+        new_single_domain_test(user_by_name_missing_notfound_full_name),
-+        new_single_domain_test(user_by_name_missing_notfound_cache_first_full_name),
-         new_multi_domain_test(user_by_name_multiple_domains_found),
-         new_multi_domain_test(user_by_name_multiple_domains_notfound),
-         new_multi_domain_test(user_by_name_multiple_domains_parse),
--- 
-2.26.3
-

SOURCES/0008-utils-ignore-systemd-and-sd-pam-process-in-get_activ.patch

@@ -1,111 +0,0 @@
-From a56b8d1aaf030fea196b65545dfe207ea10bdf50 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Fri, 3 Dec 2021 13:38:44 +0100
-Subject: [PATCH] utils: ignore systemd and sd-pam process in
- get_active_uid_linux()
-
-We iterate processes in /proc to get the list of active users (users
-that has any process running). However, recent change in systemd makes
-systemd and sd-pam process ligner for few more seconds when the user has
-logged out which breaks the no-session functionality in pam responder.
-
-If user is logged in, another process then systemd and sd-pam must be
-running. Therefore we can just ignore these from the list.
-
-```
-admin     351997  0.4  0.0  22648 14636 ?        Ss   13:25   0:00 /usr/lib/systemd/systemd --user
-admin     351999  0.0  0.0 201464  7756 ?        S    13:25   0:00 (sd-pam)
-```
-
-Resolves: https://github.com/SSSD/sssd/issues/5900
-
-:fixes: Quick log out and log in did not correctly refresh
-  user's initgroups in `no_session` PAM schema due to lingering
-  systemd processes.
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/util/find_uid.c | 31 +++++++++++++++++++++++++++++--
- 1 file changed, 29 insertions(+), 2 deletions(-)
-
-diff --git a/src/util/find_uid.c b/src/util/find_uid.c
-index 38e8f6164..1b506dfc3 100644
---- a/src/util/find_uid.c
-+++ b/src/util/find_uid.c
-@@ -58,7 +58,7 @@ static void hash_talloc_free(void *ptr, void *pvt)
-     talloc_free(ptr);
- }
- 
--static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
-+static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid, bool *is_systemd)
- {
-     int ret;
-     char path[PATHLEN];
-@@ -138,6 +138,7 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
-               "close failed [%d][%s].\n", error, strerror(error));
-     }
- 
-+    /* Get uid */
-     p = strstr(buf, "\nUid:\t");
-     if (p != NULL) {
-         p += 6;
-@@ -165,6 +166,24 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
-         return EINVAL;
-     }
- 
-+    /* Get process name. */
-+    p = strstr(buf, "Name:\t");
-+    if (p == NULL) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "format error\n");
-+        return EINVAL;
-+    }
-+    p += 6;
-+    e = strchr(p,'\n');
-+    if (e == NULL) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "format error\n");
-+        return EINVAL;
-+    }
-+    if (strncmp(p, "systemd", e-p) == 0 || strncmp(p, "(sd-pam)", e-p) == 0) {
-+        *is_systemd = true;
-+    } else {
-+        *is_systemd = false;
-+    }
-+
-     *uid = num;
- 
-     return EOK;
-@@ -215,6 +234,7 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
-     struct dirent *dirent;
-     int ret, err;
-     pid_t pid = -1;
-+    bool is_systemd;
-     uid_t uid;
- 
-     hash_key_t key;
-@@ -238,7 +258,7 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
-             goto done;
-         }
- 
--        ret = get_uid_from_pid(pid, &uid);
-+        ret = get_uid_from_pid(pid, &uid, &is_systemd);
-         if (ret != EOK) {
-             /* Most probably this /proc entry disappeared.
-                Anyway, just skip it.
-@@ -248,6 +268,13 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
-             continue;
-         }
- 
-+        if (is_systemd) {
-+            /* Systemd process may linger for a while even when user.
-+             * is logged out. Lets ignore it and focus only
-+             * on non-systemd processes. */
-+            continue;
-+        }
-+
-         if (table != NULL) {
-             key.type = HASH_KEY_ULONG;
-             key.ul = (unsigned long) uid;
--- 
-2.26.3
-

SPECS/sssd.spec

@@ -18,8 +18,8 @@
 %global enable_systemtap_opt --enable-systemtap
 
 Name: sssd
-Version: 2.5.2
-Release: 2%{?dist}.4
+Version: 2.6.2
+Release: 3%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -27,15 +27,10 @@ URL: https://github.com/SSSD/sssd
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 
 ### Patches ###
-Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
-Patch0002: 0002-po-update-translations.patch
-Patch0003: 0003-ad-filter-trusted-domains.patch
-Patch0004: 0004-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch
-Patch0005: 0005-MONITOR-reduce-logs-severity-around-signalling-and-t.patch
-Patch0006: 0006-DEBUG-avoid-backtrace-dups.patch
-Patch0007: 0007-cache_req-cache_first-fix-for-fully-qualified-names.patch
-Patch0008: 0008-utils-ignore-systemd-and-sd-pam-process-in-get_activ.patch
-Patch0009: 0009-ad-add-required-cn-attribute-to-subdomain-object.patch
+Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
+Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
+Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
+Patch0004: 0004-po-update-translations.patch
 
 ### Downstream Patches ###
 
@@ -83,7 +78,7 @@ BuildRequires: openldap-devel
 BuildRequires: pam-devel
 BuildRequires: nss-devel
 BuildRequires: nspr-devel
-BuildRequires: pcre-devel
+BuildRequires: pcre2-devel
 BuildRequires: libxslt
 BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
@@ -101,7 +96,6 @@ BuildRequires: gettext-devel
 BuildRequires: pkgconfig
 BuildRequires: diffstat
 BuildRequires: findutils
-BuildRequires: glib2-devel
 BuildRequires: selinux-policy-targeted
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: uid_wrapper
@@ -123,8 +117,10 @@ BuildRequires: libsmbclient-devel
 BuildRequires: samba-winbind
 BuildRequires: systemtap-sdt-devel
 BuildRequires: libuuid-devel
-BuildRequires: jansson-devel
 BuildRequires: gdm-pam-extensions-devel
+BuildRequires: libunistring-devel
+BuildRequires: shadow-utils-subid-devel
+BuildRequires: po4a
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -219,13 +215,12 @@ Requires: libsss_simpleifp = %{version}-%{release}
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
+# for logger=journald support with sss_analyze
+Requires: python3-systemd
 Recommends: sssd-dbus
 
 %description tools
-Provides userspace tools for manipulating users, groups, and nested groups in
-SSSD when using id_provider = local in /etc/sssd/sssd.conf.
-
-Also provides several other administrative tools:
+Provides several administrative tools:
     * sss_debuglevel to change the debug level on the fly
     * sss_seed which pre-creates a user entry for use in kickstarts
     * sss_obfuscate for generating an obfuscated LDAP password
@@ -249,11 +244,8 @@ Requires: sssd-common = %{version}-%{release}
 %{?python_provide:%python_provide python3-sss}
 
 %description -n python3-sss
-Provides python3 module for manipulating users, groups, and nested groups in
-SSSD when using id_provider = local in /etc/sssd/sssd.conf.
-
-Also provides several other useful python3 bindings:
-    * function for retrieving list of groups user belongs to.
+Provides python3 bindings:
+    * function for retrieving list of groups user belongs to
     * class for obfuscation of passwords
 
 %package -n python3-sss-murmur
@@ -587,6 +579,7 @@ autoreconf -ivf
     --disable-rpath \
     --with-initscript=systemd \
     --with-syslog=journald \
+    --with-subid \
     --enable-sss-default-nss-plugin \
     --enable-files-domain \
     --without-python2-bindings \
@@ -607,6 +600,7 @@ unset CK_TIMEOUT_MULTIPLIER
 
 %install
 
+%py3_shebang_fix src/tools/analyzer/sss_analyze
 sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate
 
 make install DESTDIR=$RPM_BUILD_ROOT
@@ -627,6 +621,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
    $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
 
+# krb5 configuration snippet
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
+
 # Create directory for cifs-idmap alternative
 # Otherwise this directory could not be owned by sssd-client
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
@@ -858,6 +856,9 @@ done
 %license COPYING
 %{_libdir}/%{name}/libsss_krb5.so
 %{_mandir}/man5/sssd-krb5.5*
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
+%dir %{_datadir}/sssd/krb5-snippets
+%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
 
 %files common-pac
 %defattr(-,root,root,-)
@@ -911,6 +912,7 @@ done
 %defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libnss_sss.so.2
+%{_libdir}/libsubid_sss.so
 %{_libdir}/security/pam_sss.so
 %{_libdir}/security/pam_sss_gss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
@@ -945,6 +947,8 @@ done
 %{_sbindir}/sss_debuglevel
 %{_sbindir}/sss_seed
 %{_sbindir}/sssctl
+%{_libexecdir}/%{servicename}/sss_analyze
+%{python3_sitelib}/sssd/
 %{_mandir}/man8/sss_obfuscate.8*
 %{_mandir}/man8/sss_override.8*
 %{_mandir}/man8/sss_debuglevel.8*
@@ -1043,7 +1047,6 @@ done
 %{_unitdir}/sssd-kcm.socket
 %{_unitdir}/sssd-kcm.service
 %{_mandir}/man8/sssd-kcm.8*
-%{_libdir}/%{name}/libsss_secrets.so
 
 %pre ipa
 getent group sssd >/dev/null || groupadd -r sssd
@@ -1154,21 +1157,50 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
-* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.4
-- Resolves: rhbz#2030651 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries [rhel-8.5.0.z]
-- Resolves: rhbz#2035285 - AD Domain in the AD Forest Missing after sssd latest update [rhel-8.5.0.z]
+* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
+- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
+- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
+- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
+- Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
+- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
 
-* Tue Dec 07 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.3
-- Resolves: rhbz#2028828 - pam responder does not call initgroups to refresh the user entry [rhel-8.5.0.z]
+* Tue Jan 04 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
+- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)
 
-* Mon Nov 29 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.2
-- Resolves: rhbz#2018440 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) [rhel-8.5.0.z]
-- Resolves: rhbz#2016923 - autofs lookups for unknown mounts are delayed for 50s [rhel-8.5.0.z]
-- Resolves: rhbz#2021499 - Make backtrace less "chatty" (avoid duplicate backtraces) [rhel-8.5.0.z]
-- Resolves: rhbz#2013379 - Lookup with fully-qualified name does not work with 'cache_first = True' [rhel-8.5.0.z]
+* Mon Dec 27 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
+- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
+- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
+- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
+- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
+- Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
+- Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
+- Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
+- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
+- Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
+- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
+- Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
+- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
 
-* Mon Oct 18 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.1
-- Resolves: rhbz#2014460 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing [rhel-8.5.0.z]
+* Fri Nov 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-2
+- Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
+
+* Mon Nov 15 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-1
+- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
+- Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
+- Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator
+- Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed
+- Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb
+- Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces)
+- Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
+- Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD
+- Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline
+- Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True'
+- Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s
+- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
+- Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication.
+- Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA
+- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
+- Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing
 
 * Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
 - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]